Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 8b8d22c961413c1ae465719d8252bea50587ed3f / . / ssl / test / runner / runner.go
blob: dee1bb9f671f00e7c31be11d7e8d6c6e91f7edb6 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]25 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]26 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]27 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]28 "flag"
29 "fmt"
30 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]31 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]32 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33 "net"
34 "os"
35 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]36 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]37 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]38 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]39 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]40 "strings"
41 "sync"
42 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]43 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]44)
45
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]46var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]47 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
48 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
49 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
50 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
51 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
52 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
53 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
54 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]55 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]56 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
57 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
58 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
59 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
60 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
61 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
62 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
63 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]64 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]65 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
66 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]67 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]68)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]69
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]70// ShimConfigurations is used with the “json” package and represents a shim
71// config file.
72type ShimConfiguration struct {
73 // DisabledTests maps from a glob-based pattern to a freeform string.
74 // The glob pattern is used to exclude tests from being run and the
75 // freeform string is unparsed but expected to explain why the test is
76 // disabled.
77 DisabledTests map[string]string
78
79 // ErrorMap maps from expected error strings to the correct error
80 // string for the shim in question. For example, it might map
81 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
82 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
83 ErrorMap map[string]string
84}
85
86var shimConfig ShimConfiguration
87
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]88type testCert int
89
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]90const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]91 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]92 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]93 testCertRSAChain
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]94 testCertECDSAP256
95 testCertECDSAP384
96 testCertECDSAP521
97)
98
99const (
100 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 rsaChainCertificateFile = "rsa_chain_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
104 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
105 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]106)
107
108const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]109 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]110 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]111 rsaChainKeyFile = "rsa_chain_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]112 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
113 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
114 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]115 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]116)
117
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]118var (
119 rsaCertificate Certificate
120 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]121 rsaChainCertificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 ecdsaP256Certificate Certificate
123 ecdsaP384Certificate Certificate
124 ecdsaP521Certificate Certificate
125)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]126
127var testCerts = []struct {
128 id testCert
129 certFile, keyFile string
130 cert *Certificate
131}{
132 {
133 id: testCertRSA,
134 certFile: rsaCertificateFile,
135 keyFile: rsaKeyFile,
136 cert: &rsaCertificate,
137 },
138 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]139 id: testCertRSA1024,
140 certFile: rsa1024CertificateFile,
141 keyFile: rsa1024KeyFile,
142 cert: &rsa1024Certificate,
143 },
144 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]145 id: testCertRSAChain,
146 certFile: rsaChainCertificateFile,
147 keyFile: rsaChainKeyFile,
148 cert: &rsaChainCertificate,
149 },
150 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]151 id: testCertECDSAP256,
152 certFile: ecdsaP256CertificateFile,
153 keyFile: ecdsaP256KeyFile,
154 cert: &ecdsaP256Certificate,
155 },
156 {
157 id: testCertECDSAP384,
158 certFile: ecdsaP384CertificateFile,
159 keyFile: ecdsaP384KeyFile,
160 cert: &ecdsaP384Certificate,
161 },
162 {
163 id: testCertECDSAP521,
164 certFile: ecdsaP521CertificateFile,
165 keyFile: ecdsaP521KeyFile,
166 cert: &ecdsaP521Certificate,
167 },
168}
169
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]170var channelIDKey *ecdsa.PrivateKey
171var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]173var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]174var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]175
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]176var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]177var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]178
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]179func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]180 for i := range testCerts {
181 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
182 if err != nil {
183 panic(err)
184 }
185 cert.OCSPStaple = testOCSPResponse
186 cert.SignedCertificateTimestampList = testSCTList
187 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]189
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]190 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]191 if err != nil {
192 panic(err)
193 }
194 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
195 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
196 panic("bad key type")
197 }
198 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
199 if err != nil {
200 panic(err)
201 }
202 if channelIDKey.Curve != elliptic.P256() {
203 panic("bad curve")
204 }
205
206 channelIDBytes = make([]byte, 64)
207 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
208 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]209}
210
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]211func getRunnerCertificate(t testCert) Certificate {
212 for _, cert := range testCerts {
213 if cert.id == t {
214 return *cert.cert
215 }
216 }
217 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]218}
219
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]220func getShimCertificate(t testCert) string {
221 for _, cert := range testCerts {
222 if cert.id == t {
223 return cert.certFile
224 }
225 }
226 panic("Unknown test certificate")
227}
228
229func getShimKey(t testCert) string {
230 for _, cert := range testCerts {
231 if cert.id == t {
232 return cert.keyFile
233 }
234 }
235 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]236}
237
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]238type testType int
239
240const (
241 clientTest testType = iota
242 serverTest
243)
244
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]245type protocol int
246
247const (
248 tls protocol = iota
249 dtls
250)
251
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]252const (
253 alpn = 1
254 npn = 2
255)
256
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]257type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]258 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]259 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]260 name string
261 config Config
262 shouldFail bool
263 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]264 // expectedLocalError, if not empty, contains a substring that must be
265 // found in the local error.
266 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]267 // expectedVersion, if non-zero, specifies the TLS version that must be
268 // negotiated.
269 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]270 // expectedResumeVersion, if non-zero, specifies the TLS version that
271 // must be negotiated on resumption. If zero, expectedVersion is used.
272 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]273 // expectedCipher, if non-zero, specifies the TLS cipher suite that
274 // should be negotiated.
275 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]276 // expectChannelID controls whether the connection should have
277 // negotiated a Channel ID with channelIDKey.
278 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]279 // expectedNextProto controls whether the connection should
280 // negotiate a next protocol via NPN or ALPN.
281 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]282 // expectNoNextProto, if true, means that no next protocol should be
283 // negotiated.
284 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]285 // expectedNextProtoType, if non-zero, is the expected next
286 // protocol negotiation mechanism.
287 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]288 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
289 // should be negotiated. If zero, none should be negotiated.
290 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]291 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
292 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]293 // expectedSCTList, if not nil, is the expected SCT list to be received.
294 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]295 // expectedPeerSignatureAlgorithm, if not zero, is the signature
296 // algorithm that the peer should have used in the handshake.
297 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]298 // expectedCurveID, if not zero, is the curve that the handshake should
299 // have used.
300 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]301 // messageLen is the length, in bytes, of the test message that will be
302 // sent.
303 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]304 // messageCount is the number of test messages that will be sent.
305 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]306 // certFile is the path to the certificate to use for the server.
307 certFile string
308 // keyFile is the path to the private key to use for the server.
309 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]310 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]312 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]313 // resumeRenewedSession controls whether a third connection should be
314 // tested which attempts to resume the second connection's session.
315 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]316 // expectResumeRejected, if true, specifies that the attempted
317 // resumption must be rejected by the client. This is only valid for a
318 // serverTest.
319 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]320 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]321 // resumption. Unless newSessionsOnResume is set,
322 // SessionTicketKey, ServerSessionCache, and
323 // ClientSessionCache are copied from the initial connection's
324 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]325 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]326 // newSessionsOnResume, if true, will cause resumeConfig to
327 // use a different session resumption context.
328 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]329 // noSessionCache, if true, will cause the server to run without a
330 // session cache.
331 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]332 // sendPrefix sends a prefix on the socket before actually performing a
333 // handshake.
334 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]335 // shimWritesFirst controls whether the shim sends an initial "hello"
336 // message before doing a roundtrip with the runner.
337 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]338 // shimShutsDown, if true, runs a test where the shim shuts down the
339 // connection immediately after the handshake rather than echoing
340 // messages from the runner.
341 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]342 // renegotiate indicates the number of times the connection should be
343 // renegotiated during the exchange.
344 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]345 // sendHalfHelloRequest, if true, causes the server to send half a
346 // HelloRequest when the handshake completes.
347 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]348 // renegotiateCiphers is a list of ciphersuite ids that will be
349 // switched in just before renegotiation.
350 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]351 // replayWrites, if true, configures the underlying transport
352 // to replay every write it makes in DTLS tests.
353 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]354 // damageFirstWrite, if true, configures the underlying transport to
355 // damage the final byte of the first application data write.
356 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]357 // exportKeyingMaterial, if non-zero, configures the test to exchange
358 // keying material and verify they match.
359 exportKeyingMaterial int
360 exportLabel string
361 exportContext string
362 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]363 // flags, if not empty, contains a list of command-line flags that will
364 // be passed to the shim program.
365 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]366 // testTLSUnique, if true, causes the shim to send the tls-unique value
367 // which will be compared against the expected value.
368 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]369 // sendEmptyRecords is the number of consecutive empty records to send
370 // before and after the test message.
371 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]372 // sendWarningAlerts is the number of consecutive warning alerts to send
373 // before and after the test message.
374 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]375 // sendKeyUpdates is the number of consecutive key updates to send
376 // before and after the test message.
377 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]378 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
379 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]380 // expectMessageDropped, if true, means the test message is expected to
381 // be dropped by the client rather than echoed back.
382 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]383 // expectPeerCertificate, if not nil, is the certificate chain the peer
384 // is expected to send.
385 expectPeerCertificate *Certificate
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]386 // expectShortHeader is whether the short header extension should be negotiated.
387 expectShortHeader bool
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]388}
389
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]390var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]391
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]392func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]393 if len(data) == 0 {
394 return
395 }
396
397 protocol := "tls"
398 if test.protocol == dtls {
399 protocol = "dtls"
400 }
401
402 side := "client"
403 if test.testType == serverTest {
404 side = "server"
405 }
406
407 dir := path.Join(*transcriptDir, protocol, side)
408 if err := os.MkdirAll(dir, 0755); err != nil {
409 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
410 return
411 }
412
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]413 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]414 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
415 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
416 }
417}
418
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]419// A timeoutConn implements an idle timeout on each Read and Write operation.
420type timeoutConn struct {
421 net.Conn
422 timeout time.Duration
423}
424
425func (t *timeoutConn) Read(b []byte) (int, error) {
426 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
427 return 0, err
428 }
429 return t.Conn.Read(b)
430}
431
432func (t *timeoutConn) Write(b []byte) (int, error) {
433 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
434 return 0, err
435 }
436 return t.Conn.Write(b)
437}
438
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]439func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]440 if !test.noSessionCache {
441 if config.ClientSessionCache == nil {
442 config.ClientSessionCache = NewLRUClientSessionCache(1)
443 }
444 if config.ServerSessionCache == nil {
445 config.ServerSessionCache = NewLRUServerSessionCache(1)
446 }
447 }
448 if test.testType == clientTest {
449 if len(config.Certificates) == 0 {
450 config.Certificates = []Certificate{rsaCertificate}
451 }
452 } else {
453 // Supply a ServerName to ensure a constant session cache key,
454 // rather than falling back to net.Conn.RemoteAddr.
455 if len(config.ServerName) == 0 {
456 config.ServerName = "test"
457 }
458 }
459 if *fuzzer {
460 config.Bugs.NullAllCiphers = true
461 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]462 if *deterministic {
463 config.Time = func() time.Time { return time.Unix(1234, 1234) }
464 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]465
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]466 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]467
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]468 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]469 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
470 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]471 }
472
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]473 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]474 local, peer := "client", "server"
475 if test.testType == clientTest {
476 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]477 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]478 connDebug := &recordingConn{
479 Conn: conn,
480 isDatagram: test.protocol == dtls,
481 local: local,
482 peer: peer,
483 }
484 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]485 if *flagDebug {
486 defer connDebug.WriteTo(os.Stdout)
487 }
488 if len(*transcriptDir) != 0 {
489 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]490 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]491 }()
492 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]493
494 if config.Bugs.PacketAdaptor != nil {
495 config.Bugs.PacketAdaptor.debug = connDebug
496 }
497 }
498
499 if test.replayWrites {
500 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]501 }
502
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]503 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]504 if test.damageFirstWrite {
505 connDamage = newDamageAdaptor(conn)
506 conn = connDamage
507 }
508
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]509 if test.sendPrefix != "" {
510 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
511 return err
512 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]513 }
514
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]515 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]516 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]517 if test.protocol == dtls {
518 tlsConn = DTLSServer(conn, config)
519 } else {
520 tlsConn = Server(conn, config)
521 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]522 } else {
523 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]524 if test.protocol == dtls {
525 tlsConn = DTLSClient(conn, config)
526 } else {
527 tlsConn = Client(conn, config)
528 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]529 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]530 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]531
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]532 if err := tlsConn.Handshake(); err != nil {
533 return err
534 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]535
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]536 // TODO(davidben): move all per-connection expectations into a dedicated
537 // expectations struct that can be specified separately for the two
538 // legs.
539 expectedVersion := test.expectedVersion
540 if isResume && test.expectedResumeVersion != 0 {
541 expectedVersion = test.expectedResumeVersion
542 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]543 connState := tlsConn.ConnectionState()
544 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]545 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]546 }
547
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]548 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]549 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
550 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]551 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
552 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
553 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]554
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]555 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]556 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]557 if channelID == nil {
558 return fmt.Errorf("no channel ID negotiated")
559 }
560 if channelID.Curve != channelIDKey.Curve ||
561 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
562 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
563 return fmt.Errorf("incorrect channel ID")
564 }
565 }
566
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]567 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]568 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]569 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
570 }
571 }
572
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]573 if test.expectNoNextProto {
574 if actual := connState.NegotiatedProtocol; actual != "" {
575 return fmt.Errorf("got unexpected next proto %s", actual)
576 }
577 }
578
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]579 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]580 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]581 return fmt.Errorf("next proto type mismatch")
582 }
583 }
584
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]585 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]586 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
587 }
588
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]589 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]590 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]591 }
592
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]593 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
594 return fmt.Errorf("SCT list mismatch")
595 }
596
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]597 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
598 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]599 }
600
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]601 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
602 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
603 }
604
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]605 if test.expectPeerCertificate != nil {
606 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
607 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
608 }
609 for i, cert := range connState.PeerCertificates {
610 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
611 return fmt.Errorf("peer certificate %d did not match", i+1)
612 }
613 }
614 }
615
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]616 if test.expectShortHeader != connState.ShortHeader {
617 return fmt.Errorf("ShortHeader is %t, but we expected the opposite", connState.ShortHeader)
618 }
619
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]620 if test.exportKeyingMaterial > 0 {
621 actual := make([]byte, test.exportKeyingMaterial)
622 if _, err := io.ReadFull(tlsConn, actual); err != nil {
623 return err
624 }
625 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
626 if err != nil {
627 return err
628 }
629 if !bytes.Equal(actual, expected) {
630 return fmt.Errorf("keying material mismatch")
631 }
632 }
633
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]634 if test.testTLSUnique {
635 var peersValue [12]byte
636 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
637 return err
638 }
639 expected := tlsConn.ConnectionState().TLSUnique
640 if !bytes.Equal(peersValue[:], expected) {
641 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
642 }
643 }
644
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]645 if test.shimWritesFirst {
646 var buf [5]byte
647 _, err := io.ReadFull(tlsConn, buf[:])
648 if err != nil {
649 return err
650 }
651 if string(buf[:]) != "hello" {
652 return fmt.Errorf("bad initial message")
653 }
654 }
655
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]656 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]657 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]658 return err
659 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]660 }
661
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]662 for i := 0; i < test.sendEmptyRecords; i++ {
663 tlsConn.Write(nil)
664 }
665
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]666 for i := 0; i < test.sendWarningAlerts; i++ {
667 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
668 }
669
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]670 if test.sendHalfHelloRequest {
671 tlsConn.SendHalfHelloRequest()
672 }
673
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]674 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]675 if test.renegotiateCiphers != nil {
676 config.CipherSuites = test.renegotiateCiphers
677 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]678 for i := 0; i < test.renegotiate; i++ {
679 if err := tlsConn.Renegotiate(); err != nil {
680 return err
681 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]682 }
683 } else if test.renegotiateCiphers != nil {
684 panic("renegotiateCiphers without renegotiate")
685 }
686
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]687 if test.damageFirstWrite {
688 connDamage.setDamage(true)
689 tlsConn.Write([]byte("DAMAGED WRITE"))
690 connDamage.setDamage(false)
691 }
692
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]693 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]694 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]695 if test.protocol == dtls {
696 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
697 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]698 // Read until EOF.
699 _, err := io.Copy(ioutil.Discard, tlsConn)
700 return err
701 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]702 if messageLen == 0 {
703 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]704 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]705
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]706 messageCount := test.messageCount
707 if messageCount == 0 {
708 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]709 }
710
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]711 for j := 0; j < messageCount; j++ {
712 testMessage := make([]byte, messageLen)
713 for i := range testMessage {
714 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]715 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]716 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]717
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]718 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]719 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 for i := 0; i < test.sendEmptyRecords; i++ {
723 tlsConn.Write(nil)
724 }
725
726 for i := 0; i < test.sendWarningAlerts; i++ {
727 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
728 }
729
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]730 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]731 // The shim will not respond.
732 continue
733 }
734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 buf := make([]byte, len(testMessage))
736 if test.protocol == dtls {
737 bufTmp := make([]byte, len(buf)+1)
738 n, err := tlsConn.Read(bufTmp)
739 if err != nil {
740 return err
741 }
742 if n != len(buf) {
743 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
744 }
745 copy(buf, bufTmp)
746 } else {
747 _, err := io.ReadFull(tlsConn, buf)
748 if err != nil {
749 return err
750 }
751 }
752
753 for i, v := range buf {
754 if v != testMessage[i]^0xff {
755 return fmt.Errorf("bad reply contents at byte %d", i)
756 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]757 }
758 }
759
760 return nil
761}
762
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]763func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]764 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]765 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]766 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]767 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]768 valgrindArgs = append(valgrindArgs, path)
769 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]771 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]772}
773
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]774func gdbOf(path string, args ...string) *exec.Cmd {
775 xtermArgs := []string{"-e", "gdb", "--args"}
776 xtermArgs = append(xtermArgs, path)
777 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]778
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]779 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]780}
781
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]782func lldbOf(path string, args ...string) *exec.Cmd {
783 xtermArgs := []string{"-e", "lldb", "--"}
784 xtermArgs = append(xtermArgs, path)
785 xtermArgs = append(xtermArgs, args...)
786
787 return exec.Command("xterm", xtermArgs...)
788}
789
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]790var (
791 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
792 errUnimplemented = errors.New("child process does not implement needed flags")
793)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]794
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]795// accept accepts a connection from listener, unless waitChan signals a process
796// exit first.
797func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
798 type connOrError struct {
799 conn net.Conn
800 err error
801 }
802 connChan := make(chan connOrError, 1)
803 go func() {
804 conn, err := listener.Accept()
805 connChan <- connOrError{conn, err}
806 close(connChan)
807 }()
808 select {
809 case result := <-connChan:
810 return result.conn, result.err
811 case childErr := <-waitChan:
812 waitChan <- childErr
813 return nil, fmt.Errorf("child exited early: %s", childErr)
814 }
815}
816
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]817func translateExpectedError(errorStr string) string {
818 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
819 return translated
820 }
821
822 if *looseErrors {
823 return ""
824 }
825
826 return errorStr
827}
828
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]829func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]830 // Help debugging panics on the Go side.
831 defer func() {
832 if r := recover(); r != nil {
833 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
834 panic(r)
835 }
836 }()
837
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]838 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
839 panic("Error expected without shouldFail in " + test.name)
840 }
841
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]842 if test.expectResumeRejected && !test.resumeSession {
843 panic("expectResumeRejected without resumeSession in " + test.name)
844 }
845
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]846 for _, ver := range tlsVersions {
847 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
848 continue
849 }
850
851 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
852 continue
853 }
854
855 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
856 }
857
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]858 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
859 if err != nil {
860 panic(err)
861 }
862 defer func() {
863 if listener != nil {
864 listener.Close()
865 }
866 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]868 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]869 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]870 flags = append(flags, "-server")
871
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]872 flags = append(flags, "-key-file")
873 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]874 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]875 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]876 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]877 }
878
879 flags = append(flags, "-cert-file")
880 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]881 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]882 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]883 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]884 }
885 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]886
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]887 if test.protocol == dtls {
888 flags = append(flags, "-dtls")
889 }
890
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]891 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]892 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]893 resumeCount++
894 if test.resumeRenewedSession {
895 resumeCount++
896 }
897 }
898
899 if resumeCount > 0 {
900 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]901 }
902
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]903 if test.shimWritesFirst {
904 flags = append(flags, "-shim-writes-first")
905 }
906
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]907 if test.shimShutsDown {
908 flags = append(flags, "-shim-shuts-down")
909 }
910
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]911 if test.exportKeyingMaterial > 0 {
912 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
913 flags = append(flags, "-export-label", test.exportLabel)
914 flags = append(flags, "-export-context", test.exportContext)
915 if test.useExportContext {
916 flags = append(flags, "-use-export-context")
917 }
918 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]919 if test.expectResumeRejected {
920 flags = append(flags, "-expect-session-miss")
921 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]922
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]923 if test.testTLSUnique {
924 flags = append(flags, "-tls-unique")
925 }
926
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]927 flags = append(flags, test.flags...)
928
929 var shim *exec.Cmd
930 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]931 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]932 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]933 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]934 } else if *useLLDB {
935 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]936 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]937 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]938 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]939 shim.Stdin = os.Stdin
940 var stdoutBuf, stderrBuf bytes.Buffer
941 shim.Stdout = &stdoutBuf
942 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]943 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]944 shim.Env = os.Environ()
945 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]946 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]947 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]948 }
949 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
950 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]951
952 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953 panic(err)
954 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]955 waitChan := make(chan error, 1)
956 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]957
958 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]959
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]960 if *deterministic {
961 config.Rand = &deterministicRand{}
962 }
963
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]964 conn, err := acceptOrWait(listener, waitChan)
965 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]966 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]967 conn.Close()
968 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]969
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]970 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]971 var resumeConfig Config
972 if test.resumeConfig != nil {
973 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]974 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]975 resumeConfig.SessionTicketKey = config.SessionTicketKey
976 resumeConfig.ClientSessionCache = config.ClientSessionCache
977 resumeConfig.ServerSessionCache = config.ServerSessionCache
978 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]979 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]980 } else {
981 resumeConfig = config
982 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]983 var connResume net.Conn
984 connResume, err = acceptOrWait(listener, waitChan)
985 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]986 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]987 connResume.Close()
988 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]989 }
990
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]991 // Close the listener now. This is to avoid hangs should the shim try to
992 // open more connections than expected.
993 listener.Close()
994 listener = nil
995
996 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]997 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]999 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1000 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1002 case 89:
1003 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1004 case 99:
1005 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1006 }
1007 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1009 // Account for Windows line endings.
1010 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1011 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1012
1013 // Separate the errors from the shim and those from tools like
1014 // AddressSanitizer.
1015 var extraStderr string
1016 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1017 stderr = stderrParts[0]
1018 extraStderr = stderrParts[1]
1019 }
1020
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1021 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1022 expectedError := translateExpectedError(test.expectedError)
1023 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1024
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1025 localError := "none"
1026 if err != nil {
1027 localError = err.Error()
1028 }
1029 if len(test.expectedLocalError) != 0 {
1030 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1031 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1032
1033 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1034 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1035 if childErr != nil {
1036 childError = childErr.Error()
1037 }
1038
1039 var msg string
1040 switch {
1041 case failed && !test.shouldFail:
1042 msg = "unexpected failure"
1043 case !failed && test.shouldFail:
1044 msg = "unexpected success"
1045 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1046 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 default:
1048 panic("internal error")
1049 }
1050
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1051 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1052 }
1053
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1054 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1055 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1056 }
1057
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1058 if *useValgrind && isValgrindError {
1059 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1060 }
1061
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062 return nil
1063}
1064
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1065type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 name string
1067 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1068 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1069 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1070}
1071
1072var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1073 {"SSL3", VersionSSL30, "-no-ssl3", false},
1074 {"TLS1", VersionTLS10, "-no-tls1", true},
1075 {"TLS11", VersionTLS11, "-no-tls11", false},
1076 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1077 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078}
1079
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1080type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 name string
1082 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1083}
1084
1085var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1087 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1089 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1090 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1091 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1092 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1093 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1094 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1095 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1096 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
1097 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1098 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1099 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1100 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1101 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1102 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1104 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1105 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -0500[diff] [blame]1106 {"ECDHE-ECDSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1108 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1109 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1110 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1111 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1112 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1113 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -0500[diff] [blame]1114 {"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1115 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1116 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1117 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1118 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1119 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1120 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1121 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1122 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1123 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1124}
1125
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1126func hasComponent(suiteName, component string) bool {
1127 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1128}
1129
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1130func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1131 return hasComponent(suiteName, "GCM") ||
1132 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1133 hasComponent(suiteName, "SHA384") ||
1134 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1135}
1136
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1137func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1138 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1139}
1140
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1141func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1142 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1143}
1144
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1145func bigFromHex(hex string) *big.Int {
1146 ret, ok := new(big.Int).SetString(hex, 16)
1147 if !ok {
1148 panic("failed to parse hex number 0x" + hex)
1149 }
1150 return ret
1151}
1152
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1153func addBasicTests() {
1154 basicTests := []testCase{
1155 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1156 name: "NoFallbackSCSV",
1157 config: Config{
1158 Bugs: ProtocolBugs{
1159 FailIfNotFallbackSCSV: true,
1160 },
1161 },
1162 shouldFail: true,
1163 expectedLocalError: "no fallback SCSV found",
1164 },
1165 {
1166 name: "SendFallbackSCSV",
1167 config: Config{
1168 Bugs: ProtocolBugs{
1169 FailIfNotFallbackSCSV: true,
1170 },
1171 },
1172 flags: []string{"-fallback-scsv"},
1173 },
1174 {
1175 name: "ClientCertificateTypes",
1176 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1177 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1178 ClientAuth: RequestClientCert,
1179 ClientCertificateTypes: []byte{
1180 CertTypeDSSSign,
1181 CertTypeRSASign,
1182 CertTypeECDSASign,
1183 },
1184 },
1185 flags: []string{
1186 "-expect-certificate-types",
1187 base64.StdEncoding.EncodeToString([]byte{
1188 CertTypeDSSSign,
1189 CertTypeRSASign,
1190 CertTypeECDSASign,
1191 }),
1192 },
1193 },
1194 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1195 name: "UnauthenticatedECDH",
1196 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1197 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1198 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1199 Bugs: ProtocolBugs{
1200 UnauthenticatedECDH: true,
1201 },
1202 },
1203 shouldFail: true,
1204 expectedError: ":UNEXPECTED_MESSAGE:",
1205 },
1206 {
1207 name: "SkipCertificateStatus",
1208 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1209 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1210 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1211 Bugs: ProtocolBugs{
1212 SkipCertificateStatus: true,
1213 },
1214 },
1215 flags: []string{
1216 "-enable-ocsp-stapling",
1217 },
1218 },
1219 {
1220 name: "SkipServerKeyExchange",
1221 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1222 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1223 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1224 Bugs: ProtocolBugs{
1225 SkipServerKeyExchange: true,
1226 },
1227 },
1228 shouldFail: true,
1229 expectedError: ":UNEXPECTED_MESSAGE:",
1230 },
1231 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1232 testType: serverTest,
1233 name: "Alert",
1234 config: Config{
1235 Bugs: ProtocolBugs{
1236 SendSpuriousAlert: alertRecordOverflow,
1237 },
1238 },
1239 shouldFail: true,
1240 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1241 },
1242 {
1243 protocol: dtls,
1244 testType: serverTest,
1245 name: "Alert-DTLS",
1246 config: Config{
1247 Bugs: ProtocolBugs{
1248 SendSpuriousAlert: alertRecordOverflow,
1249 },
1250 },
1251 shouldFail: true,
1252 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1253 },
1254 {
1255 testType: serverTest,
1256 name: "FragmentAlert",
1257 config: Config{
1258 Bugs: ProtocolBugs{
1259 FragmentAlert: true,
1260 SendSpuriousAlert: alertRecordOverflow,
1261 },
1262 },
1263 shouldFail: true,
1264 expectedError: ":BAD_ALERT:",
1265 },
1266 {
1267 protocol: dtls,
1268 testType: serverTest,
1269 name: "FragmentAlert-DTLS",
1270 config: Config{
1271 Bugs: ProtocolBugs{
1272 FragmentAlert: true,
1273 SendSpuriousAlert: alertRecordOverflow,
1274 },
1275 },
1276 shouldFail: true,
1277 expectedError: ":BAD_ALERT:",
1278 },
1279 {
1280 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1281 name: "DoubleAlert",
1282 config: Config{
1283 Bugs: ProtocolBugs{
1284 DoubleAlert: true,
1285 SendSpuriousAlert: alertRecordOverflow,
1286 },
1287 },
1288 shouldFail: true,
1289 expectedError: ":BAD_ALERT:",
1290 },
1291 {
1292 protocol: dtls,
1293 testType: serverTest,
1294 name: "DoubleAlert-DTLS",
1295 config: Config{
1296 Bugs: ProtocolBugs{
1297 DoubleAlert: true,
1298 SendSpuriousAlert: alertRecordOverflow,
1299 },
1300 },
1301 shouldFail: true,
1302 expectedError: ":BAD_ALERT:",
1303 },
1304 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1305 name: "SkipNewSessionTicket",
1306 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1307 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1308 Bugs: ProtocolBugs{
1309 SkipNewSessionTicket: true,
1310 },
1311 },
1312 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1313 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1314 },
1315 {
1316 testType: serverTest,
1317 name: "FallbackSCSV",
1318 config: Config{
1319 MaxVersion: VersionTLS11,
1320 Bugs: ProtocolBugs{
1321 SendFallbackSCSV: true,
1322 },
1323 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1324 shouldFail: true,
1325 expectedError: ":INAPPROPRIATE_FALLBACK:",
1326 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1327 },
1328 {
1329 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1330 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1331 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1332 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1333 Bugs: ProtocolBugs{
1334 SendFallbackSCSV: true,
1335 },
1336 },
1337 },
1338 {
1339 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1340 name: "FallbackSCSV-VersionMatch-TLS12",
1341 config: Config{
1342 MaxVersion: VersionTLS12,
1343 Bugs: ProtocolBugs{
1344 SendFallbackSCSV: true,
1345 },
1346 },
1347 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1348 },
1349 {
1350 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1351 name: "FragmentedClientVersion",
1352 config: Config{
1353 Bugs: ProtocolBugs{
1354 MaxHandshakeRecordLength: 1,
1355 FragmentClientVersion: true,
1356 },
1357 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1358 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1359 },
1360 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1361 testType: serverTest,
1362 name: "HttpGET",
1363 sendPrefix: "GET / HTTP/1.0\n",
1364 shouldFail: true,
1365 expectedError: ":HTTP_REQUEST:",
1366 },
1367 {
1368 testType: serverTest,
1369 name: "HttpPOST",
1370 sendPrefix: "POST / HTTP/1.0\n",
1371 shouldFail: true,
1372 expectedError: ":HTTP_REQUEST:",
1373 },
1374 {
1375 testType: serverTest,
1376 name: "HttpHEAD",
1377 sendPrefix: "HEAD / HTTP/1.0\n",
1378 shouldFail: true,
1379 expectedError: ":HTTP_REQUEST:",
1380 },
1381 {
1382 testType: serverTest,
1383 name: "HttpPUT",
1384 sendPrefix: "PUT / HTTP/1.0\n",
1385 shouldFail: true,
1386 expectedError: ":HTTP_REQUEST:",
1387 },
1388 {
1389 testType: serverTest,
1390 name: "HttpCONNECT",
1391 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1392 shouldFail: true,
1393 expectedError: ":HTTPS_PROXY_REQUEST:",
1394 },
1395 {
1396 testType: serverTest,
1397 name: "Garbage",
1398 sendPrefix: "blah",
1399 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1400 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1401 },
1402 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1403 name: "RSAEphemeralKey",
1404 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1405 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1406 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1407 Bugs: ProtocolBugs{
1408 RSAEphemeralKey: true,
1409 },
1410 },
1411 shouldFail: true,
1412 expectedError: ":UNEXPECTED_MESSAGE:",
1413 },
1414 {
1415 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1416 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1417 shouldFail: true,
1418 expectedError: ":WRONG_SSL_VERSION:",
1419 },
1420 {
1421 protocol: dtls,
1422 name: "DisableEverything-DTLS",
1423 flags: []string{"-no-tls12", "-no-tls1"},
1424 shouldFail: true,
1425 expectedError: ":WRONG_SSL_VERSION:",
1426 },
1427 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1428 protocol: dtls,
1429 testType: serverTest,
1430 name: "MTU",
1431 config: Config{
1432 Bugs: ProtocolBugs{
1433 MaxPacketLength: 256,
1434 },
1435 },
1436 flags: []string{"-mtu", "256"},
1437 },
1438 {
1439 protocol: dtls,
1440 testType: serverTest,
1441 name: "MTUExceeded",
1442 config: Config{
1443 Bugs: ProtocolBugs{
1444 MaxPacketLength: 255,
1445 },
1446 },
1447 flags: []string{"-mtu", "256"},
1448 shouldFail: true,
1449 expectedLocalError: "dtls: exceeded maximum packet length",
1450 },
1451 {
1452 name: "CertMismatchRSA",
1453 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1454 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1455 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1456 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1457 Bugs: ProtocolBugs{
1458 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1459 },
1460 },
1461 shouldFail: true,
1462 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1463 },
1464 {
1465 name: "CertMismatchECDSA",
1466 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1467 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1468 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1469 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1470 Bugs: ProtocolBugs{
1471 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1472 },
1473 },
1474 shouldFail: true,
1475 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1476 },
1477 {
1478 name: "EmptyCertificateList",
1479 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1480 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1481 Bugs: ProtocolBugs{
1482 EmptyCertificateList: true,
1483 },
1484 },
1485 shouldFail: true,
1486 expectedError: ":DECODE_ERROR:",
1487 },
1488 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1489 name: "EmptyCertificateList-TLS13",
1490 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1491 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1492 Bugs: ProtocolBugs{
1493 EmptyCertificateList: true,
1494 },
1495 },
1496 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1497 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1498 },
1499 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1500 name: "TLSFatalBadPackets",
1501 damageFirstWrite: true,
1502 shouldFail: true,
1503 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1504 },
1505 {
1506 protocol: dtls,
1507 name: "DTLSIgnoreBadPackets",
1508 damageFirstWrite: true,
1509 },
1510 {
1511 protocol: dtls,
1512 name: "DTLSIgnoreBadPackets-Async",
1513 damageFirstWrite: true,
1514 flags: []string{"-async"},
1515 },
1516 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1517 name: "AppDataBeforeHandshake",
1518 config: Config{
1519 Bugs: ProtocolBugs{
1520 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1521 },
1522 },
1523 shouldFail: true,
1524 expectedError: ":UNEXPECTED_RECORD:",
1525 },
1526 {
1527 name: "AppDataBeforeHandshake-Empty",
1528 config: Config{
1529 Bugs: ProtocolBugs{
1530 AppDataBeforeHandshake: []byte{},
1531 },
1532 },
1533 shouldFail: true,
1534 expectedError: ":UNEXPECTED_RECORD:",
1535 },
1536 {
1537 protocol: dtls,
1538 name: "AppDataBeforeHandshake-DTLS",
1539 config: Config{
1540 Bugs: ProtocolBugs{
1541 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1542 },
1543 },
1544 shouldFail: true,
1545 expectedError: ":UNEXPECTED_RECORD:",
1546 },
1547 {
1548 protocol: dtls,
1549 name: "AppDataBeforeHandshake-DTLS-Empty",
1550 config: Config{
1551 Bugs: ProtocolBugs{
1552 AppDataBeforeHandshake: []byte{},
1553 },
1554 },
1555 shouldFail: true,
1556 expectedError: ":UNEXPECTED_RECORD:",
1557 },
1558 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1559 name: "AppDataAfterChangeCipherSpec",
1560 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1561 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1562 Bugs: ProtocolBugs{
1563 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1564 },
1565 },
1566 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1567 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1568 },
1569 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1570 name: "AppDataAfterChangeCipherSpec-Empty",
1571 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1572 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1573 Bugs: ProtocolBugs{
1574 AppDataAfterChangeCipherSpec: []byte{},
1575 },
1576 },
1577 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1578 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1579 },
1580 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1581 protocol: dtls,
1582 name: "AppDataAfterChangeCipherSpec-DTLS",
1583 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1584 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1585 Bugs: ProtocolBugs{
1586 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1587 },
1588 },
1589 // BoringSSL's DTLS implementation will drop the out-of-order
1590 // application data.
1591 },
1592 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1593 protocol: dtls,
1594 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1596 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1597 Bugs: ProtocolBugs{
1598 AppDataAfterChangeCipherSpec: []byte{},
1599 },
1600 },
1601 // BoringSSL's DTLS implementation will drop the out-of-order
1602 // application data.
1603 },
1604 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1605 name: "AlertAfterChangeCipherSpec",
1606 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1607 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1608 Bugs: ProtocolBugs{
1609 AlertAfterChangeCipherSpec: alertRecordOverflow,
1610 },
1611 },
1612 shouldFail: true,
1613 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1614 },
1615 {
1616 protocol: dtls,
1617 name: "AlertAfterChangeCipherSpec-DTLS",
1618 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1619 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1620 Bugs: ProtocolBugs{
1621 AlertAfterChangeCipherSpec: alertRecordOverflow,
1622 },
1623 },
1624 shouldFail: true,
1625 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1626 },
1627 {
1628 protocol: dtls,
1629 name: "ReorderHandshakeFragments-Small-DTLS",
1630 config: Config{
1631 Bugs: ProtocolBugs{
1632 ReorderHandshakeFragments: true,
1633 // Small enough that every handshake message is
1634 // fragmented.
1635 MaxHandshakeRecordLength: 2,
1636 },
1637 },
1638 },
1639 {
1640 protocol: dtls,
1641 name: "ReorderHandshakeFragments-Large-DTLS",
1642 config: Config{
1643 Bugs: ProtocolBugs{
1644 ReorderHandshakeFragments: true,
1645 // Large enough that no handshake message is
1646 // fragmented.
1647 MaxHandshakeRecordLength: 2048,
1648 },
1649 },
1650 },
1651 {
1652 protocol: dtls,
1653 name: "MixCompleteMessageWithFragments-DTLS",
1654 config: Config{
1655 Bugs: ProtocolBugs{
1656 ReorderHandshakeFragments: true,
1657 MixCompleteMessageWithFragments: true,
1658 MaxHandshakeRecordLength: 2,
1659 },
1660 },
1661 },
1662 {
1663 name: "SendInvalidRecordType",
1664 config: Config{
1665 Bugs: ProtocolBugs{
1666 SendInvalidRecordType: true,
1667 },
1668 },
1669 shouldFail: true,
1670 expectedError: ":UNEXPECTED_RECORD:",
1671 },
1672 {
1673 protocol: dtls,
1674 name: "SendInvalidRecordType-DTLS",
1675 config: Config{
1676 Bugs: ProtocolBugs{
1677 SendInvalidRecordType: true,
1678 },
1679 },
1680 shouldFail: true,
1681 expectedError: ":UNEXPECTED_RECORD:",
1682 },
1683 {
1684 name: "FalseStart-SkipServerSecondLeg",
1685 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1686 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1687 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1688 NextProtos: []string{"foo"},
1689 Bugs: ProtocolBugs{
1690 SkipNewSessionTicket: true,
1691 SkipChangeCipherSpec: true,
1692 SkipFinished: true,
1693 ExpectFalseStart: true,
1694 },
1695 },
1696 flags: []string{
1697 "-false-start",
1698 "-handshake-never-done",
1699 "-advertise-alpn", "\x03foo",
1700 },
1701 shimWritesFirst: true,
1702 shouldFail: true,
1703 expectedError: ":UNEXPECTED_RECORD:",
1704 },
1705 {
1706 name: "FalseStart-SkipServerSecondLeg-Implicit",
1707 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1708 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1709 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1710 NextProtos: []string{"foo"},
1711 Bugs: ProtocolBugs{
1712 SkipNewSessionTicket: true,
1713 SkipChangeCipherSpec: true,
1714 SkipFinished: true,
1715 },
1716 },
1717 flags: []string{
1718 "-implicit-handshake",
1719 "-false-start",
1720 "-handshake-never-done",
1721 "-advertise-alpn", "\x03foo",
1722 },
1723 shouldFail: true,
1724 expectedError: ":UNEXPECTED_RECORD:",
1725 },
1726 {
1727 testType: serverTest,
1728 name: "FailEarlyCallback",
1729 flags: []string{"-fail-early-callback"},
1730 shouldFail: true,
1731 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1732 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1733 },
1734 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1735 name: "FailCertCallback-Client-TLS12",
1736 config: Config{
1737 MaxVersion: VersionTLS12,
1738 ClientAuth: RequestClientCert,
1739 },
1740 flags: []string{"-fail-cert-callback"},
1741 shouldFail: true,
1742 expectedError: ":CERT_CB_ERROR:",
1743 expectedLocalError: "remote error: internal error",
1744 },
1745 {
1746 testType: serverTest,
1747 name: "FailCertCallback-Server-TLS12",
1748 config: Config{
1749 MaxVersion: VersionTLS12,
1750 },
1751 flags: []string{"-fail-cert-callback"},
1752 shouldFail: true,
1753 expectedError: ":CERT_CB_ERROR:",
1754 expectedLocalError: "remote error: internal error",
1755 },
1756 {
1757 name: "FailCertCallback-Client-TLS13",
1758 config: Config{
1759 MaxVersion: VersionTLS13,
1760 ClientAuth: RequestClientCert,
1761 },
1762 flags: []string{"-fail-cert-callback"},
1763 shouldFail: true,
1764 expectedError: ":CERT_CB_ERROR:",
1765 expectedLocalError: "remote error: internal error",
1766 },
1767 {
1768 testType: serverTest,
1769 name: "FailCertCallback-Server-TLS13",
1770 config: Config{
1771 MaxVersion: VersionTLS13,
1772 },
1773 flags: []string{"-fail-cert-callback"},
1774 shouldFail: true,
1775 expectedError: ":CERT_CB_ERROR:",
1776 expectedLocalError: "remote error: internal error",
1777 },
1778 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1779 protocol: dtls,
1780 name: "FragmentMessageTypeMismatch-DTLS",
1781 config: Config{
1782 Bugs: ProtocolBugs{
1783 MaxHandshakeRecordLength: 2,
1784 FragmentMessageTypeMismatch: true,
1785 },
1786 },
1787 shouldFail: true,
1788 expectedError: ":FRAGMENT_MISMATCH:",
1789 },
1790 {
1791 protocol: dtls,
1792 name: "FragmentMessageLengthMismatch-DTLS",
1793 config: Config{
1794 Bugs: ProtocolBugs{
1795 MaxHandshakeRecordLength: 2,
1796 FragmentMessageLengthMismatch: true,
1797 },
1798 },
1799 shouldFail: true,
1800 expectedError: ":FRAGMENT_MISMATCH:",
1801 },
1802 {
1803 protocol: dtls,
1804 name: "SplitFragments-Header-DTLS",
1805 config: Config{
1806 Bugs: ProtocolBugs{
1807 SplitFragments: 2,
1808 },
1809 },
1810 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1811 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1812 },
1813 {
1814 protocol: dtls,
1815 name: "SplitFragments-Boundary-DTLS",
1816 config: Config{
1817 Bugs: ProtocolBugs{
1818 SplitFragments: dtlsRecordHeaderLen,
1819 },
1820 },
1821 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1822 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1823 },
1824 {
1825 protocol: dtls,
1826 name: "SplitFragments-Body-DTLS",
1827 config: Config{
1828 Bugs: ProtocolBugs{
1829 SplitFragments: dtlsRecordHeaderLen + 1,
1830 },
1831 },
1832 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1833 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1834 },
1835 {
1836 protocol: dtls,
1837 name: "SendEmptyFragments-DTLS",
1838 config: Config{
1839 Bugs: ProtocolBugs{
1840 SendEmptyFragments: true,
1841 },
1842 },
1843 },
1844 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1845 name: "BadFinished-Client",
1846 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1847 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1848 Bugs: ProtocolBugs{
1849 BadFinished: true,
1850 },
1851 },
1852 shouldFail: true,
1853 expectedError: ":DIGEST_CHECK_FAILED:",
1854 },
1855 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1856 name: "BadFinished-Client-TLS13",
1857 config: Config{
1858 MaxVersion: VersionTLS13,
1859 Bugs: ProtocolBugs{
1860 BadFinished: true,
1861 },
1862 },
1863 shouldFail: true,
1864 expectedError: ":DIGEST_CHECK_FAILED:",
1865 },
1866 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1867 testType: serverTest,
1868 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1870 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1871 Bugs: ProtocolBugs{
1872 BadFinished: true,
1873 },
1874 },
1875 shouldFail: true,
1876 expectedError: ":DIGEST_CHECK_FAILED:",
1877 },
1878 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1879 testType: serverTest,
1880 name: "BadFinished-Server-TLS13",
1881 config: Config{
1882 MaxVersion: VersionTLS13,
1883 Bugs: ProtocolBugs{
1884 BadFinished: true,
1885 },
1886 },
1887 shouldFail: true,
1888 expectedError: ":DIGEST_CHECK_FAILED:",
1889 },
1890 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1891 name: "FalseStart-BadFinished",
1892 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1893 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1894 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1895 NextProtos: []string{"foo"},
1896 Bugs: ProtocolBugs{
1897 BadFinished: true,
1898 ExpectFalseStart: true,
1899 },
1900 },
1901 flags: []string{
1902 "-false-start",
1903 "-handshake-never-done",
1904 "-advertise-alpn", "\x03foo",
1905 },
1906 shimWritesFirst: true,
1907 shouldFail: true,
1908 expectedError: ":DIGEST_CHECK_FAILED:",
1909 },
1910 {
1911 name: "NoFalseStart-NoALPN",
1912 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1913 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1914 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1915 Bugs: ProtocolBugs{
1916 ExpectFalseStart: true,
1917 AlertBeforeFalseStartTest: alertAccessDenied,
1918 },
1919 },
1920 flags: []string{
1921 "-false-start",
1922 },
1923 shimWritesFirst: true,
1924 shouldFail: true,
1925 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1926 expectedLocalError: "tls: peer did not false start: EOF",
1927 },
1928 {
1929 name: "NoFalseStart-NoAEAD",
1930 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1931 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1932 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1933 NextProtos: []string{"foo"},
1934 Bugs: ProtocolBugs{
1935 ExpectFalseStart: true,
1936 AlertBeforeFalseStartTest: alertAccessDenied,
1937 },
1938 },
1939 flags: []string{
1940 "-false-start",
1941 "-advertise-alpn", "\x03foo",
1942 },
1943 shimWritesFirst: true,
1944 shouldFail: true,
1945 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1946 expectedLocalError: "tls: peer did not false start: EOF",
1947 },
1948 {
1949 name: "NoFalseStart-RSA",
1950 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1951 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1952 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1953 NextProtos: []string{"foo"},
1954 Bugs: ProtocolBugs{
1955 ExpectFalseStart: true,
1956 AlertBeforeFalseStartTest: alertAccessDenied,
1957 },
1958 },
1959 flags: []string{
1960 "-false-start",
1961 "-advertise-alpn", "\x03foo",
1962 },
1963 shimWritesFirst: true,
1964 shouldFail: true,
1965 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1966 expectedLocalError: "tls: peer did not false start: EOF",
1967 },
1968 {
1969 name: "NoFalseStart-DHE_RSA",
1970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1971 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1972 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1973 NextProtos: []string{"foo"},
1974 Bugs: ProtocolBugs{
1975 ExpectFalseStart: true,
1976 AlertBeforeFalseStartTest: alertAccessDenied,
1977 },
1978 },
1979 flags: []string{
1980 "-false-start",
1981 "-advertise-alpn", "\x03foo",
1982 },
1983 shimWritesFirst: true,
1984 shouldFail: true,
1985 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1986 expectedLocalError: "tls: peer did not false start: EOF",
1987 },
1988 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1989 protocol: dtls,
1990 name: "SendSplitAlert-Sync",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 },
1997 {
1998 protocol: dtls,
1999 name: "SendSplitAlert-Async",
2000 config: Config{
2001 Bugs: ProtocolBugs{
2002 SendSplitAlert: true,
2003 },
2004 },
2005 flags: []string{"-async"},
2006 },
2007 {
2008 protocol: dtls,
2009 name: "PackDTLSHandshake",
2010 config: Config{
2011 Bugs: ProtocolBugs{
2012 MaxHandshakeRecordLength: 2,
2013 PackHandshakeFragments: 20,
2014 PackHandshakeRecords: 200,
2015 },
2016 },
2017 },
2018 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2019 name: "SendEmptyRecords-Pass",
2020 sendEmptyRecords: 32,
2021 },
2022 {
2023 name: "SendEmptyRecords",
2024 sendEmptyRecords: 33,
2025 shouldFail: true,
2026 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2027 },
2028 {
2029 name: "SendEmptyRecords-Async",
2030 sendEmptyRecords: 33,
2031 flags: []string{"-async"},
2032 shouldFail: true,
2033 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2034 },
2035 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2036 name: "SendWarningAlerts-Pass",
2037 config: Config{
2038 MaxVersion: VersionTLS12,
2039 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2040 sendWarningAlerts: 4,
2041 },
2042 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2043 protocol: dtls,
2044 name: "SendWarningAlerts-DTLS-Pass",
2045 config: Config{
2046 MaxVersion: VersionTLS12,
2047 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2048 sendWarningAlerts: 4,
2049 },
2050 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2051 name: "SendWarningAlerts-TLS13",
2052 config: Config{
2053 MaxVersion: VersionTLS13,
2054 },
2055 sendWarningAlerts: 4,
2056 shouldFail: true,
2057 expectedError: ":BAD_ALERT:",
2058 expectedLocalError: "remote error: error decoding message",
2059 },
2060 {
2061 name: "SendWarningAlerts",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 5,
2066 shouldFail: true,
2067 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2068 },
2069 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2070 name: "SendWarningAlerts-Async",
2071 config: Config{
2072 MaxVersion: VersionTLS12,
2073 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2074 sendWarningAlerts: 5,
2075 flags: []string{"-async"},
2076 shouldFail: true,
2077 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2078 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2079 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2080 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2081 config: Config{
2082 MaxVersion: VersionTLS13,
2083 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2084 sendKeyUpdates: 33,
2085 keyUpdateRequest: keyUpdateNotRequested,
2086 shouldFail: true,
2087 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2088 },
2089 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2090 name: "EmptySessionID",
2091 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2092 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2093 SessionTicketsDisabled: true,
2094 },
2095 noSessionCache: true,
2096 flags: []string{"-expect-no-session"},
2097 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2098 {
2099 name: "Unclean-Shutdown",
2100 config: Config{
2101 Bugs: ProtocolBugs{
2102 NoCloseNotify: true,
2103 ExpectCloseNotify: true,
2104 },
2105 },
2106 shimShutsDown: true,
2107 flags: []string{"-check-close-notify"},
2108 shouldFail: true,
2109 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2110 },
2111 {
2112 name: "Unclean-Shutdown-Ignored",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 NoCloseNotify: true,
2116 },
2117 },
2118 shimShutsDown: true,
2119 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2120 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2121 name: "Unclean-Shutdown-Alert",
2122 config: Config{
2123 Bugs: ProtocolBugs{
2124 SendAlertOnShutdown: alertDecompressionFailure,
2125 ExpectCloseNotify: true,
2126 },
2127 },
2128 shimShutsDown: true,
2129 flags: []string{"-check-close-notify"},
2130 shouldFail: true,
2131 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2132 },
2133 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2134 name: "LargePlaintext",
2135 config: Config{
2136 Bugs: ProtocolBugs{
2137 SendLargeRecords: true,
2138 },
2139 },
2140 messageLen: maxPlaintext + 1,
2141 shouldFail: true,
2142 expectedError: ":DATA_LENGTH_TOO_LONG:",
2143 },
2144 {
2145 protocol: dtls,
2146 name: "LargePlaintext-DTLS",
2147 config: Config{
2148 Bugs: ProtocolBugs{
2149 SendLargeRecords: true,
2150 },
2151 },
2152 messageLen: maxPlaintext + 1,
2153 shouldFail: true,
2154 expectedError: ":DATA_LENGTH_TOO_LONG:",
2155 },
2156 {
2157 name: "LargeCiphertext",
2158 config: Config{
2159 Bugs: ProtocolBugs{
2160 SendLargeRecords: true,
2161 },
2162 },
2163 messageLen: maxPlaintext * 2,
2164 shouldFail: true,
2165 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2166 },
2167 {
2168 protocol: dtls,
2169 name: "LargeCiphertext-DTLS",
2170 config: Config{
2171 Bugs: ProtocolBugs{
2172 SendLargeRecords: true,
2173 },
2174 },
2175 messageLen: maxPlaintext * 2,
2176 // Unlike the other four cases, DTLS drops records which
2177 // are invalid before authentication, so the connection
2178 // does not fail.
2179 expectMessageDropped: true,
2180 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2181 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2182 name: "BadHelloRequest-1",
2183 renegotiate: 1,
2184 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2185 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2186 Bugs: ProtocolBugs{
2187 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2188 },
2189 },
2190 flags: []string{
2191 "-renegotiate-freely",
2192 "-expect-total-renegotiations", "1",
2193 },
2194 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2195 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2196 },
2197 {
2198 name: "BadHelloRequest-2",
2199 renegotiate: 1,
2200 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2201 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2202 Bugs: ProtocolBugs{
2203 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2204 },
2205 },
2206 flags: []string{
2207 "-renegotiate-freely",
2208 "-expect-total-renegotiations", "1",
2209 },
2210 shouldFail: true,
2211 expectedError: ":BAD_HELLO_REQUEST:",
2212 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2213 {
2214 testType: serverTest,
2215 name: "SupportTicketsWithSessionID",
2216 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2217 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2218 SessionTicketsDisabled: true,
2219 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2220 resumeConfig: &Config{
2221 MaxVersion: VersionTLS12,
2222 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2223 resumeSession: true,
2224 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2225 {
2226 protocol: dtls,
2227 name: "DTLS-SendExtraFinished",
2228 config: Config{
2229 Bugs: ProtocolBugs{
2230 SendExtraFinished: true,
2231 },
2232 },
2233 shouldFail: true,
2234 expectedError: ":UNEXPECTED_RECORD:",
2235 },
2236 {
2237 protocol: dtls,
2238 name: "DTLS-SendExtraFinished-Reordered",
2239 config: Config{
2240 Bugs: ProtocolBugs{
2241 MaxHandshakeRecordLength: 2,
2242 ReorderHandshakeFragments: true,
2243 SendExtraFinished: true,
2244 },
2245 },
2246 shouldFail: true,
2247 expectedError: ":UNEXPECTED_RECORD:",
2248 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2249 {
2250 testType: serverTest,
2251 name: "V2ClientHello-EmptyRecordPrefix",
2252 config: Config{
2253 // Choose a cipher suite that does not involve
2254 // elliptic curves, so no extensions are
2255 // involved.
2256 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2257 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2258 Bugs: ProtocolBugs{
2259 SendV2ClientHello: true,
2260 },
2261 },
2262 sendPrefix: string([]byte{
2263 byte(recordTypeHandshake),
2264 3, 1, // version
2265 0, 0, // length
2266 }),
2267 // A no-op empty record may not be sent before V2ClientHello.
2268 shouldFail: true,
2269 expectedError: ":WRONG_VERSION_NUMBER:",
2270 },
2271 {
2272 testType: serverTest,
2273 name: "V2ClientHello-WarningAlertPrefix",
2274 config: Config{
2275 // Choose a cipher suite that does not involve
2276 // elliptic curves, so no extensions are
2277 // involved.
2278 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2279 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2280 Bugs: ProtocolBugs{
2281 SendV2ClientHello: true,
2282 },
2283 },
2284 sendPrefix: string([]byte{
2285 byte(recordTypeAlert),
2286 3, 1, // version
2287 0, 2, // length
2288 alertLevelWarning, byte(alertDecompressionFailure),
2289 }),
2290 // A no-op warning alert may not be sent before V2ClientHello.
2291 shouldFail: true,
2292 expectedError: ":WRONG_VERSION_NUMBER:",
2293 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2294 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2295 name: "KeyUpdate",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2296 config: Config{
2297 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2298 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 name: "KeyUpdate-InvalidRequestMode",
2304 config: Config{
2305 MaxVersion: VersionTLS13,
2306 },
2307 sendKeyUpdates: 1,
2308 keyUpdateRequest: 42,
2309 shouldFail: true,
2310 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2311 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2312 {
2313 name: "SendSNIWarningAlert",
2314 config: Config{
2315 MaxVersion: VersionTLS12,
2316 Bugs: ProtocolBugs{
2317 SendSNIWarningAlert: true,
2318 },
2319 },
2320 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2321 {
2322 testType: serverTest,
2323 name: "ExtraCompressionMethods-TLS12",
2324 config: Config{
2325 MaxVersion: VersionTLS12,
2326 Bugs: ProtocolBugs{
2327 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2328 },
2329 },
2330 },
2331 {
2332 testType: serverTest,
2333 name: "ExtraCompressionMethods-TLS13",
2334 config: Config{
2335 MaxVersion: VersionTLS13,
2336 Bugs: ProtocolBugs{
2337 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2338 },
2339 },
2340 shouldFail: true,
2341 expectedError: ":INVALID_COMPRESSION_LIST:",
2342 expectedLocalError: "remote error: illegal parameter",
2343 },
2344 {
2345 testType: serverTest,
2346 name: "NoNullCompression-TLS12",
2347 config: Config{
2348 MaxVersion: VersionTLS12,
2349 Bugs: ProtocolBugs{
2350 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2351 },
2352 },
2353 shouldFail: true,
2354 expectedError: ":NO_COMPRESSION_SPECIFIED:",
2355 expectedLocalError: "remote error: illegal parameter",
2356 },
2357 {
2358 testType: serverTest,
2359 name: "NoNullCompression-TLS13",
2360 config: Config{
2361 MaxVersion: VersionTLS13,
2362 Bugs: ProtocolBugs{
2363 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2364 },
2365 },
2366 shouldFail: true,
2367 expectedError: ":INVALID_COMPRESSION_LIST:",
2368 expectedLocalError: "remote error: illegal parameter",
2369 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2370 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2371 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2372 config: Config{
2373 MaxVersion: VersionTLS12,
2374 Bugs: ProtocolBugs{
2375 ExpectGREASE: true,
2376 },
2377 },
2378 flags: []string{"-enable-grease"},
2379 },
2380 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2381 name: "GREASE-Client-TLS13",
2382 config: Config{
2383 MaxVersion: VersionTLS13,
2384 Bugs: ProtocolBugs{
2385 ExpectGREASE: true,
2386 },
2387 },
2388 flags: []string{"-enable-grease"},
2389 },
2390 {
2391 testType: serverTest,
2392 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2393 config: Config{
2394 MaxVersion: VersionTLS13,
2395 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2396 // TLS 1.3 servers are expected to
2397 // always enable GREASE. TLS 1.3 is new,
2398 // so there is no existing ecosystem to
2399 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2400 ExpectGREASE: true,
2401 },
2402 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2403 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2404 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2405 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2406
2407 // Test that very large messages can be received.
2408 cert := rsaCertificate
2409 for i := 0; i < 50; i++ {
2410 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2411 }
2412 testCases = append(testCases, testCase{
2413 name: "LargeMessage",
2414 config: Config{
2415 Certificates: []Certificate{cert},
2416 },
2417 })
2418 testCases = append(testCases, testCase{
2419 protocol: dtls,
2420 name: "LargeMessage-DTLS",
2421 config: Config{
2422 Certificates: []Certificate{cert},
2423 },
2424 })
2425
2426 // They are rejected if the maximum certificate chain length is capped.
2427 testCases = append(testCases, testCase{
2428 name: "LargeMessage-Reject",
2429 config: Config{
2430 Certificates: []Certificate{cert},
2431 },
2432 flags: []string{"-max-cert-list", "16384"},
2433 shouldFail: true,
2434 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2435 })
2436 testCases = append(testCases, testCase{
2437 protocol: dtls,
2438 name: "LargeMessage-Reject-DTLS",
2439 config: Config{
2440 Certificates: []Certificate{cert},
2441 },
2442 flags: []string{"-max-cert-list", "16384"},
2443 shouldFail: true,
2444 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2445 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2446}
2447
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2448func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2449 const psk = "12345"
2450 const pskIdentity = "luggage combo"
2451
2452 var prefix string
2453 if protocol == dtls {
2454 if !ver.hasDTLS {
2455 return
2456 }
2457 prefix = "D"
2458 }
2459
2460 var cert Certificate
2461 var certFile string
2462 var keyFile string
2463 if hasComponent(suite.name, "ECDSA") {
2464 cert = ecdsaP256Certificate
2465 certFile = ecdsaP256CertificateFile
2466 keyFile = ecdsaP256KeyFile
2467 } else {
2468 cert = rsaCertificate
2469 certFile = rsaCertificateFile
2470 keyFile = rsaKeyFile
2471 }
2472
2473 var flags []string
2474 if hasComponent(suite.name, "PSK") {
2475 flags = append(flags,
2476 "-psk", psk,
2477 "-psk-identity", pskIdentity)
2478 }
2479 if hasComponent(suite.name, "NULL") {
2480 // NULL ciphers must be explicitly enabled.
2481 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2482 }
2483 if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
2484 // ECDHE_PSK AES_GCM ciphers must be explicitly enabled
2485 // for now.
2486 flags = append(flags, "-cipher", suite.name)
2487 }
2488
2489 var shouldServerFail, shouldClientFail bool
2490 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2491 // BoringSSL clients accept ECDHE on SSLv3, but
2492 // a BoringSSL server will never select it
2493 // because the extension is missing.
2494 shouldServerFail = true
2495 }
2496 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2497 shouldClientFail = true
2498 shouldServerFail = true
2499 }
2500 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2501 shouldClientFail = true
2502 shouldServerFail = true
2503 }
2504 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2505 shouldClientFail = true
2506 shouldServerFail = true
2507 }
2508 if !isDTLSCipher(suite.name) && protocol == dtls {
2509 shouldClientFail = true
2510 shouldServerFail = true
2511 }
2512
2513 var sendCipherSuite uint16
2514 var expectedServerError, expectedClientError string
2515 serverCipherSuites := []uint16{suite.id}
2516 if shouldServerFail {
2517 expectedServerError = ":NO_SHARED_CIPHER:"
2518 }
2519 if shouldClientFail {
2520 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2521 // Configure the server to select ciphers as normal but
2522 // select an incompatible cipher in ServerHello.
2523 serverCipherSuites = nil
2524 sendCipherSuite = suite.id
2525 }
2526
2527 testCases = append(testCases, testCase{
2528 testType: serverTest,
2529 protocol: protocol,
2530 name: prefix + ver.name + "-" + suite.name + "-server",
2531 config: Config{
2532 MinVersion: ver.version,
2533 MaxVersion: ver.version,
2534 CipherSuites: []uint16{suite.id},
2535 Certificates: []Certificate{cert},
2536 PreSharedKey: []byte(psk),
2537 PreSharedKeyIdentity: pskIdentity,
2538 Bugs: ProtocolBugs{
2539 AdvertiseAllConfiguredCiphers: true,
2540 },
2541 },
2542 certFile: certFile,
2543 keyFile: keyFile,
2544 flags: flags,
2545 resumeSession: true,
2546 shouldFail: shouldServerFail,
2547 expectedError: expectedServerError,
2548 })
2549
2550 testCases = append(testCases, testCase{
2551 testType: clientTest,
2552 protocol: protocol,
2553 name: prefix + ver.name + "-" + suite.name + "-client",
2554 config: Config{
2555 MinVersion: ver.version,
2556 MaxVersion: ver.version,
2557 CipherSuites: serverCipherSuites,
2558 Certificates: []Certificate{cert},
2559 PreSharedKey: []byte(psk),
2560 PreSharedKeyIdentity: pskIdentity,
2561 Bugs: ProtocolBugs{
2562 IgnorePeerCipherPreferences: shouldClientFail,
2563 SendCipherSuite: sendCipherSuite,
2564 },
2565 },
2566 flags: flags,
2567 resumeSession: true,
2568 shouldFail: shouldClientFail,
2569 expectedError: expectedClientError,
2570 })
2571
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2572 if shouldClientFail {
2573 return
2574 }
2575
2576 // Ensure the maximum record size is accepted.
2577 testCases = append(testCases, testCase{
2578 protocol: protocol,
2579 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2580 config: Config{
2581 MinVersion: ver.version,
2582 MaxVersion: ver.version,
2583 CipherSuites: []uint16{suite.id},
2584 Certificates: []Certificate{cert},
2585 PreSharedKey: []byte(psk),
2586 PreSharedKeyIdentity: pskIdentity,
2587 },
2588 flags: flags,
2589 messageLen: maxPlaintext,
2590 })
2591
2592 // Test bad records for all ciphers. Bad records are fatal in TLS
2593 // and ignored in DTLS.
2594 var shouldFail bool
2595 var expectedError string
2596 if protocol == tls {
2597 shouldFail = true
2598 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2599 }
2600
2601 testCases = append(testCases, testCase{
2602 protocol: protocol,
2603 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2604 config: Config{
2605 MinVersion: ver.version,
2606 MaxVersion: ver.version,
2607 CipherSuites: []uint16{suite.id},
2608 Certificates: []Certificate{cert},
2609 PreSharedKey: []byte(psk),
2610 PreSharedKeyIdentity: pskIdentity,
2611 },
2612 flags: flags,
2613 damageFirstWrite: true,
2614 messageLen: maxPlaintext,
2615 shouldFail: shouldFail,
2616 expectedError: expectedError,
2617 })
2618
2619 if ver.version >= VersionTLS13 {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2620 testCases = append(testCases, testCase{
2621 protocol: protocol,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2622 name: prefix + ver.name + "-" + suite.name + "-ShortHeader",
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2623 config: Config{
2624 MinVersion: ver.version,
2625 MaxVersion: ver.version,
2626 CipherSuites: []uint16{suite.id},
2627 Certificates: []Certificate{cert},
2628 PreSharedKey: []byte(psk),
2629 PreSharedKeyIdentity: pskIdentity,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2630 Bugs: ProtocolBugs{
2631 EnableShortHeader: true,
2632 },
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2633 },
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2634 flags: append([]string{"-enable-short-header"}, flags...),
2635 resumeSession: true,
2636 expectShortHeader: true,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2637 })
2638 }
2639}
2640
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2641func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2642 const bogusCipher = 0xfe00
2643
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2644 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2645 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2646 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2647 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2648 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2649 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2650 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2651
2652 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2653 name: "NoSharedCipher",
2654 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2655 MaxVersion: VersionTLS12,
2656 CipherSuites: []uint16{},
2657 },
2658 shouldFail: true,
2659 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2660 })
2661
2662 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2663 name: "NoSharedCipher-TLS13",
2664 config: Config{
2665 MaxVersion: VersionTLS13,
2666 CipherSuites: []uint16{},
2667 },
2668 shouldFail: true,
2669 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2670 })
2671
2672 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2673 name: "UnsupportedCipherSuite",
2674 config: Config{
2675 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2676 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2677 Bugs: ProtocolBugs{
2678 IgnorePeerCipherPreferences: true,
2679 },
2680 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2681 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2682 shouldFail: true,
2683 expectedError: ":WRONG_CIPHER_RETURNED:",
2684 })
2685
2686 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2687 name: "ServerHelloBogusCipher",
2688 config: Config{
2689 MaxVersion: VersionTLS12,
2690 Bugs: ProtocolBugs{
2691 SendCipherSuite: bogusCipher,
2692 },
2693 },
2694 shouldFail: true,
2695 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2696 })
2697 testCases = append(testCases, testCase{
2698 name: "ServerHelloBogusCipher-TLS13",
2699 config: Config{
2700 MaxVersion: VersionTLS13,
2701 Bugs: ProtocolBugs{
2702 SendCipherSuite: bogusCipher,
2703 },
2704 },
2705 shouldFail: true,
2706 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2707 })
2708
2709 testCases = append(testCases, testCase{
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2710 name: "WeakDH",
2711 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2712 MaxVersion: VersionTLS12,
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2713 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2714 Bugs: ProtocolBugs{
2715 // This is a 1023-bit prime number, generated
2716 // with:
2717 // openssl gendh 1023 | openssl asn1parse -i
2718 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2719 },
2720 },
2721 shouldFail: true,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2722 expectedError: ":BAD_DH_P_LENGTH:",
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2723 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2724
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2725 testCases = append(testCases, testCase{
2726 name: "SillyDH",
2727 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2728 MaxVersion: VersionTLS12,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2729 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2730 Bugs: ProtocolBugs{
2731 // This is a 4097-bit prime number, generated
2732 // with:
2733 // openssl gendh 4097 | openssl asn1parse -i
2734 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2735 },
2736 },
2737 shouldFail: true,
2738 expectedError: ":DH_P_TOO_LONG:",
2739 })
2740
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2741 // This test ensures that Diffie-Hellman public values are padded with
2742 // zeros so that they're the same length as the prime. This is to avoid
2743 // hitting a bug in yaSSL.
2744 testCases = append(testCases, testCase{
2745 testType: serverTest,
2746 name: "DHPublicValuePadded",
2747 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2748 MaxVersion: VersionTLS12,
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2749 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2750 Bugs: ProtocolBugs{
2751 RequireDHPublicValueLen: (1025 + 7) / 8,
2752 },
2753 },
2754 flags: []string{"-use-sparse-dh-prime"},
2755 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2756
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2757 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2758 testCases = append(testCases, testCase{
2759 testType: serverTest,
2760 name: "UnknownCipher",
2761 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2762 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2763 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2764 Bugs: ProtocolBugs{
2765 AdvertiseAllConfiguredCiphers: true,
2766 },
2767 },
2768 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2769
2770 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2771 testCases = append(testCases, testCase{
2772 testType: serverTest,
2773 name: "UnknownCipher-TLS13",
2774 config: Config{
2775 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2776 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2777 Bugs: ProtocolBugs{
2778 AdvertiseAllConfiguredCiphers: true,
2779 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2780 },
2781 })
2782
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2783 // Test empty ECDHE_PSK identity hints work as expected.
2784 testCases = append(testCases, testCase{
2785 name: "EmptyECDHEPSKHint",
2786 config: Config{
2787 MaxVersion: VersionTLS12,
2788 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2789 PreSharedKey: []byte("secret"),
2790 },
2791 flags: []string{"-psk", "secret"},
2792 })
2793
2794 // Test empty PSK identity hints work as expected, even if an explicit
2795 // ServerKeyExchange is sent.
2796 testCases = append(testCases, testCase{
2797 name: "ExplicitEmptyPSKHint",
2798 config: Config{
2799 MaxVersion: VersionTLS12,
2800 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2801 PreSharedKey: []byte("secret"),
2802 Bugs: ProtocolBugs{
2803 AlwaysSendPreSharedKeyIdentityHint: true,
2804 },
2805 },
2806 flags: []string{"-psk", "secret"},
2807 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2808}
2809
2810func addBadECDSASignatureTests() {
2811 for badR := BadValue(1); badR < NumBadValues; badR++ {
2812 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2813 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2814 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2815 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2816 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2817 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2818 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2819 Bugs: ProtocolBugs{
2820 BadECDSAR: badR,
2821 BadECDSAS: badS,
2822 },
2823 },
2824 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2825 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2826 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2827 testCases = append(testCases, testCase{
2828 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2829 config: Config{
2830 MaxVersion: VersionTLS13,
2831 Certificates: []Certificate{ecdsaP256Certificate},
2832 Bugs: ProtocolBugs{
2833 BadECDSAR: badR,
2834 BadECDSAS: badS,
2835 },
2836 },
2837 shouldFail: true,
2838 expectedError: ":BAD_SIGNATURE:",
2839 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2840 }
2841 }
2842}
2843
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2844func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2845 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2846 name: "MaxCBCPadding",
2847 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2848 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2849 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2850 Bugs: ProtocolBugs{
2851 MaxPadding: true,
2852 },
2853 },
2854 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2855 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2856 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2857 name: "BadCBCPadding",
2858 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2859 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2860 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2861 Bugs: ProtocolBugs{
2862 PaddingFirstByteBad: true,
2863 },
2864 },
2865 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2866 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2867 })
2868 // OpenSSL previously had an issue where the first byte of padding in
2869 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2870 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2871 name: "BadCBCPadding255",
2872 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2873 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2874 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2875 Bugs: ProtocolBugs{
2876 MaxPadding: true,
2877 PaddingFirstByteBadIf255: true,
2878 },
2879 },
2880 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2881 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2882 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2883 })
2884}
2885
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2886func addCBCSplittingTests() {
2887 testCases = append(testCases, testCase{
2888 name: "CBCRecordSplitting",
2889 config: Config{
2890 MaxVersion: VersionTLS10,
2891 MinVersion: VersionTLS10,
2892 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2893 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2894 messageLen: -1, // read until EOF
2895 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2896 flags: []string{
2897 "-async",
2898 "-write-different-record-sizes",
2899 "-cbc-record-splitting",
2900 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2901 })
2902 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2903 name: "CBCRecordSplittingPartialWrite",
2904 config: Config{
2905 MaxVersion: VersionTLS10,
2906 MinVersion: VersionTLS10,
2907 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2908 },
2909 messageLen: -1, // read until EOF
2910 flags: []string{
2911 "-async",
2912 "-write-different-record-sizes",
2913 "-cbc-record-splitting",
2914 "-partial-write",
2915 },
2916 })
2917}
2918
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2919func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2920 // Add a dummy cert pool to stress certificate authority parsing.
2921 // TODO(davidben): Add tests that those values parse out correctly.
2922 certPool := x509.NewCertPool()
2923 cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
2924 if err != nil {
2925 panic(err)
2926 }
2927 certPool.AddCert(cert)
2928
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2929 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2930 testCases = append(testCases, testCase{
2931 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2932 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2933 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2934 MinVersion: ver.version,
2935 MaxVersion: ver.version,
2936 ClientAuth: RequireAnyClientCert,
2937 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2938 },
2939 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2940 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2941 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2942 },
2943 })
2944 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2945 testType: serverTest,
2946 name: ver.name + "-Server-ClientAuth-RSA",
2947 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2948 MinVersion: ver.version,
2949 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2950 Certificates: []Certificate{rsaCertificate},
2951 },
2952 flags: []string{"-require-any-client-certificate"},
2953 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2954 if ver.version != VersionSSL30 {
2955 testCases = append(testCases, testCase{
2956 testType: serverTest,
2957 name: ver.name + "-Server-ClientAuth-ECDSA",
2958 config: Config{
2959 MinVersion: ver.version,
2960 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2961 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2962 },
2963 flags: []string{"-require-any-client-certificate"},
2964 })
2965 testCases = append(testCases, testCase{
2966 testType: clientTest,
2967 name: ver.name + "-Client-ClientAuth-ECDSA",
2968 config: Config{
2969 MinVersion: ver.version,
2970 MaxVersion: ver.version,
2971 ClientAuth: RequireAnyClientCert,
2972 ClientCAs: certPool,
2973 },
2974 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2975 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2976 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2977 },
2978 })
2979 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]2980
2981 testCases = append(testCases, testCase{
2982 name: "NoClientCertificate-" + ver.name,
2983 config: Config{
2984 MinVersion: ver.version,
2985 MaxVersion: ver.version,
2986 ClientAuth: RequireAnyClientCert,
2987 },
2988 shouldFail: true,
2989 expectedLocalError: "client didn't provide a certificate",
2990 })
2991
2992 testCases = append(testCases, testCase{
2993 // Even if not configured to expect a certificate, OpenSSL will
2994 // return X509_V_OK as the verify_result.
2995 testType: serverTest,
2996 name: "NoClientCertificateRequested-Server-" + ver.name,
2997 config: Config{
2998 MinVersion: ver.version,
2999 MaxVersion: ver.version,
3000 },
3001 flags: []string{
3002 "-expect-verify-result",
3003 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3004 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3005 })
3006
3007 testCases = append(testCases, testCase{
3008 // If a client certificate is not provided, OpenSSL will still
3009 // return X509_V_OK as the verify_result.
3010 testType: serverTest,
3011 name: "NoClientCertificate-Server-" + ver.name,
3012 config: Config{
3013 MinVersion: ver.version,
3014 MaxVersion: ver.version,
3015 },
3016 flags: []string{
3017 "-expect-verify-result",
3018 "-verify-peer",
3019 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3020 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3021 })
3022
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3023 certificateRequired := "remote error: certificate required"
3024 if ver.version < VersionTLS13 {
3025 // Prior to TLS 1.3, the generic handshake_failure alert
3026 // was used.
3027 certificateRequired = "remote error: handshake failure"
3028 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3029 testCases = append(testCases, testCase{
3030 testType: serverTest,
3031 name: "RequireAnyClientCertificate-" + ver.name,
3032 config: Config{
3033 MinVersion: ver.version,
3034 MaxVersion: ver.version,
3035 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3036 flags: []string{"-require-any-client-certificate"},
3037 shouldFail: true,
3038 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3039 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3040 })
3041
3042 if ver.version != VersionSSL30 {
3043 testCases = append(testCases, testCase{
3044 testType: serverTest,
3045 name: "SkipClientCertificate-" + ver.name,
3046 config: Config{
3047 MinVersion: ver.version,
3048 MaxVersion: ver.version,
3049 Bugs: ProtocolBugs{
3050 SkipClientCertificate: true,
3051 },
3052 },
3053 // Setting SSL_VERIFY_PEER allows anonymous clients.
3054 flags: []string{"-verify-peer"},
3055 shouldFail: true,
3056 expectedError: ":UNEXPECTED_MESSAGE:",
3057 })
3058 }
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3059 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3060
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3061 // Client auth is only legal in certificate-based ciphers.
3062 testCases = append(testCases, testCase{
3063 testType: clientTest,
3064 name: "ClientAuth-PSK",
3065 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3066 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3067 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3068 PreSharedKey: []byte("secret"),
3069 ClientAuth: RequireAnyClientCert,
3070 },
3071 flags: []string{
3072 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3073 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3074 "-psk", "secret",
3075 },
3076 shouldFail: true,
3077 expectedError: ":UNEXPECTED_MESSAGE:",
3078 })
3079 testCases = append(testCases, testCase{
3080 testType: clientTest,
3081 name: "ClientAuth-ECDHE_PSK",
3082 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3083 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3084 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3085 PreSharedKey: []byte("secret"),
3086 ClientAuth: RequireAnyClientCert,
3087 },
3088 flags: []string{
3089 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3090 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3091 "-psk", "secret",
3092 },
3093 shouldFail: true,
3094 expectedError: ":UNEXPECTED_MESSAGE:",
3095 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3096
3097 // Regression test for a bug where the client CA list, if explicitly
3098 // set to NULL, was mis-encoded.
3099 testCases = append(testCases, testCase{
3100 testType: serverTest,
3101 name: "Null-Client-CA-List",
3102 config: Config{
3103 MaxVersion: VersionTLS12,
3104 Certificates: []Certificate{rsaCertificate},
3105 },
3106 flags: []string{
3107 "-require-any-client-certificate",
3108 "-use-null-client-ca-list",
3109 },
3110 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3111}
3112
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3113func addExtendedMasterSecretTests() {
3114 const expectEMSFlag = "-expect-extended-master-secret"
3115
3116 for _, with := range []bool{false, true} {
3117 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3118 if with {
3119 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3120 }
3121
3122 for _, isClient := range []bool{false, true} {
3123 suffix := "-Server"
3124 testType := serverTest
3125 if isClient {
3126 suffix = "-Client"
3127 testType = clientTest
3128 }
3129
3130 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3131 // In TLS 1.3, the extension is irrelevant and
3132 // always reports as enabled.
3133 var flags []string
3134 if with || ver.version >= VersionTLS13 {
3135 flags = []string{expectEMSFlag}
3136 }
3137
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3138 test := testCase{
3139 testType: testType,
3140 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3141 config: Config{
3142 MinVersion: ver.version,
3143 MaxVersion: ver.version,
3144 Bugs: ProtocolBugs{
3145 NoExtendedMasterSecret: !with,
3146 RequireExtendedMasterSecret: with,
3147 },
3148 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3149 flags: flags,
3150 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3151 }
3152 if test.shouldFail {
3153 test.expectedLocalError = "extended master secret required but not supported by peer"
3154 }
3155 testCases = append(testCases, test)
3156 }
3157 }
3158 }
3159
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3160 for _, isClient := range []bool{false, true} {
3161 for _, supportedInFirstConnection := range []bool{false, true} {
3162 for _, supportedInResumeConnection := range []bool{false, true} {
3163 boolToWord := func(b bool) string {
3164 if b {
3165 return "Yes"
3166 }
3167 return "No"
3168 }
3169 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3170 if isClient {
3171 suffix += "Client"
3172 } else {
3173 suffix += "Server"
3174 }
3175
3176 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3177 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3178 Bugs: ProtocolBugs{
3179 RequireExtendedMasterSecret: true,
3180 },
3181 }
3182
3183 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3184 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3185 Bugs: ProtocolBugs{
3186 NoExtendedMasterSecret: true,
3187 },
3188 }
3189
3190 test := testCase{
3191 name: "ExtendedMasterSecret-" + suffix,
3192 resumeSession: true,
3193 }
3194
3195 if !isClient {
3196 test.testType = serverTest
3197 }
3198
3199 if supportedInFirstConnection {
3200 test.config = supportedConfig
3201 } else {
3202 test.config = noSupportConfig
3203 }
3204
3205 if supportedInResumeConnection {
3206 test.resumeConfig = &supportedConfig
3207 } else {
3208 test.resumeConfig = &noSupportConfig
3209 }
3210
3211 switch suffix {
3212 case "YesToYes-Client", "YesToYes-Server":
3213 // When a session is resumed, it should
3214 // still be aware that its master
3215 // secret was generated via EMS and
3216 // thus it's safe to use tls-unique.
3217 test.flags = []string{expectEMSFlag}
3218 case "NoToYes-Server":
3219 // If an original connection did not
3220 // contain EMS, but a resumption
3221 // handshake does, then a server should
3222 // not resume the session.
3223 test.expectResumeRejected = true
3224 case "YesToNo-Server":
3225 // Resuming an EMS session without the
3226 // EMS extension should cause the
3227 // server to abort the connection.
3228 test.shouldFail = true
3229 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3230 case "NoToYes-Client":
3231 // A client should abort a connection
3232 // where the server resumed a non-EMS
3233 // session but echoed the EMS
3234 // extension.
3235 test.shouldFail = true
3236 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3237 case "YesToNo-Client":
3238 // A client should abort a connection
3239 // where the server didn't echo EMS
3240 // when the session used it.
3241 test.shouldFail = true
3242 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3243 }
3244
3245 testCases = append(testCases, test)
3246 }
3247 }
3248 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3249
3250 // Switching EMS on renegotiation is forbidden.
3251 testCases = append(testCases, testCase{
3252 name: "ExtendedMasterSecret-Renego-NoEMS",
3253 config: Config{
3254 MaxVersion: VersionTLS12,
3255 Bugs: ProtocolBugs{
3256 NoExtendedMasterSecret: true,
3257 NoExtendedMasterSecretOnRenegotiation: true,
3258 },
3259 },
3260 renegotiate: 1,
3261 flags: []string{
3262 "-renegotiate-freely",
3263 "-expect-total-renegotiations", "1",
3264 },
3265 })
3266
3267 testCases = append(testCases, testCase{
3268 name: "ExtendedMasterSecret-Renego-Upgrade",
3269 config: Config{
3270 MaxVersion: VersionTLS12,
3271 Bugs: ProtocolBugs{
3272 NoExtendedMasterSecret: true,
3273 },
3274 },
3275 renegotiate: 1,
3276 flags: []string{
3277 "-renegotiate-freely",
3278 "-expect-total-renegotiations", "1",
3279 },
3280 shouldFail: true,
3281 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3282 })
3283
3284 testCases = append(testCases, testCase{
3285 name: "ExtendedMasterSecret-Renego-Downgrade",
3286 config: Config{
3287 MaxVersion: VersionTLS12,
3288 Bugs: ProtocolBugs{
3289 NoExtendedMasterSecretOnRenegotiation: true,
3290 },
3291 },
3292 renegotiate: 1,
3293 flags: []string{
3294 "-renegotiate-freely",
3295 "-expect-total-renegotiations", "1",
3296 },
3297 shouldFail: true,
3298 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3299 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3300}
3301
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3302type stateMachineTestConfig struct {
3303 protocol protocol
3304 async bool
3305 splitHandshake, packHandshakeFlight bool
3306}
3307
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3308// Adds tests that try to cover the range of the handshake state machine, under
3309// various conditions. Some of these are redundant with other tests, but they
3310// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3311func addAllStateMachineCoverageTests() {
3312 for _, async := range []bool{false, true} {
3313 for _, protocol := range []protocol{tls, dtls} {
3314 addStateMachineCoverageTests(stateMachineTestConfig{
3315 protocol: protocol,
3316 async: async,
3317 })
3318 addStateMachineCoverageTests(stateMachineTestConfig{
3319 protocol: protocol,
3320 async: async,
3321 splitHandshake: true,
3322 })
3323 if protocol == tls {
3324 addStateMachineCoverageTests(stateMachineTestConfig{
3325 protocol: protocol,
3326 async: async,
3327 packHandshakeFlight: true,
3328 })
3329 }
3330 }
3331 }
3332}
3333
3334func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3335 var tests []testCase
3336
3337 // Basic handshake, with resumption. Client and server,
3338 // session ID and session ticket.
3339 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3340 name: "Basic-Client",
3341 config: Config{
3342 MaxVersion: VersionTLS12,
3343 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3344 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3345 // Ensure session tickets are used, not session IDs.
3346 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3347 })
3348 tests = append(tests, testCase{
3349 name: "Basic-Client-RenewTicket",
3350 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3351 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3352 Bugs: ProtocolBugs{
3353 RenewTicketOnResume: true,
3354 },
3355 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3356 flags: []string{"-expect-ticket-renewal"},
3357 resumeSession: true,
3358 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3359 })
3360 tests = append(tests, testCase{
3361 name: "Basic-Client-NoTicket",
3362 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3363 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3364 SessionTicketsDisabled: true,
3365 },
3366 resumeSession: true,
3367 })
3368 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3369 name: "Basic-Client-Implicit",
3370 config: Config{
3371 MaxVersion: VersionTLS12,
3372 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3373 flags: []string{"-implicit-handshake"},
3374 resumeSession: true,
3375 })
3376 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3377 testType: serverTest,
3378 name: "Basic-Server",
3379 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3380 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3381 Bugs: ProtocolBugs{
3382 RequireSessionTickets: true,
3383 },
3384 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3385 resumeSession: true,
3386 })
3387 tests = append(tests, testCase{
3388 testType: serverTest,
3389 name: "Basic-Server-NoTickets",
3390 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3391 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3392 SessionTicketsDisabled: true,
3393 },
3394 resumeSession: true,
3395 })
3396 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3397 testType: serverTest,
3398 name: "Basic-Server-Implicit",
3399 config: Config{
3400 MaxVersion: VersionTLS12,
3401 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3402 flags: []string{"-implicit-handshake"},
3403 resumeSession: true,
3404 })
3405 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3406 testType: serverTest,
3407 name: "Basic-Server-EarlyCallback",
3408 config: Config{
3409 MaxVersion: VersionTLS12,
3410 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3411 flags: []string{"-use-early-callback"},
3412 resumeSession: true,
3413 })
3414
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3415 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3416 if config.protocol == tls {
3417 tests = append(tests, testCase{
3418 name: "TLS13-1RTT-Client",
3419 config: Config{
3420 MaxVersion: VersionTLS13,
3421 MinVersion: VersionTLS13,
3422 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3423 resumeSession: true,
3424 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3425 })
3426
3427 tests = append(tests, testCase{
3428 testType: serverTest,
3429 name: "TLS13-1RTT-Server",
3430 config: Config{
3431 MaxVersion: VersionTLS13,
3432 MinVersion: VersionTLS13,
3433 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3434 resumeSession: true,
3435 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3436 })
3437
3438 tests = append(tests, testCase{
3439 name: "TLS13-HelloRetryRequest-Client",
3440 config: Config{
3441 MaxVersion: VersionTLS13,
3442 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3443 // P-384 requires a HelloRetryRequest against BoringSSL's default
3444 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3445 CurvePreferences: []CurveID{CurveP384},
3446 Bugs: ProtocolBugs{
3447 ExpectMissingKeyShare: true,
3448 },
3449 },
3450 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3451 resumeSession: true,
3452 })
3453
3454 tests = append(tests, testCase{
3455 testType: serverTest,
3456 name: "TLS13-HelloRetryRequest-Server",
3457 config: Config{
3458 MaxVersion: VersionTLS13,
3459 MinVersion: VersionTLS13,
3460 // Require a HelloRetryRequest for every curve.
3461 DefaultCurves: []CurveID{},
3462 },
3463 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3464 resumeSession: true,
3465 })
3466 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3467
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3468 // TLS client auth.
3469 tests = append(tests, testCase{
3470 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3471 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3472 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3473 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3474 ClientAuth: RequestClientCert,
3475 },
3476 })
3477 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3478 testType: serverTest,
3479 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3480 config: Config{
3481 MaxVersion: VersionTLS12,
3482 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3483 // Setting SSL_VERIFY_PEER allows anonymous clients.
3484 flags: []string{"-verify-peer"},
3485 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3486 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3487 tests = append(tests, testCase{
3488 testType: clientTest,
3489 name: "ClientAuth-NoCertificate-Client-SSL3",
3490 config: Config{
3491 MaxVersion: VersionSSL30,
3492 ClientAuth: RequestClientCert,
3493 },
3494 })
3495 tests = append(tests, testCase{
3496 testType: serverTest,
3497 name: "ClientAuth-NoCertificate-Server-SSL3",
3498 config: Config{
3499 MaxVersion: VersionSSL30,
3500 },
3501 // Setting SSL_VERIFY_PEER allows anonymous clients.
3502 flags: []string{"-verify-peer"},
3503 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3504 tests = append(tests, testCase{
3505 testType: clientTest,
3506 name: "ClientAuth-NoCertificate-Client-TLS13",
3507 config: Config{
3508 MaxVersion: VersionTLS13,
3509 ClientAuth: RequestClientCert,
3510 },
3511 })
3512 tests = append(tests, testCase{
3513 testType: serverTest,
3514 name: "ClientAuth-NoCertificate-Server-TLS13",
3515 config: Config{
3516 MaxVersion: VersionTLS13,
3517 },
3518 // Setting SSL_VERIFY_PEER allows anonymous clients.
3519 flags: []string{"-verify-peer"},
3520 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3521 }
3522 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3523 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3524 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3525 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3526 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3527 ClientAuth: RequireAnyClientCert,
3528 },
3529 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3530 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3531 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3532 },
3533 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3534 tests = append(tests, testCase{
3535 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3536 name: "ClientAuth-RSA-Client-TLS13",
3537 config: Config{
3538 MaxVersion: VersionTLS13,
3539 ClientAuth: RequireAnyClientCert,
3540 },
3541 flags: []string{
3542 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3543 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3544 },
3545 })
3546 tests = append(tests, testCase{
3547 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3548 name: "ClientAuth-ECDSA-Client",
3549 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3550 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3551 ClientAuth: RequireAnyClientCert,
3552 },
3553 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3554 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3555 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3556 },
3557 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3558 tests = append(tests, testCase{
3559 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3560 name: "ClientAuth-ECDSA-Client-TLS13",
3561 config: Config{
3562 MaxVersion: VersionTLS13,
3563 ClientAuth: RequireAnyClientCert,
3564 },
3565 flags: []string{
3566 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3567 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3568 },
3569 })
3570 tests = append(tests, testCase{
3571 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3572 name: "ClientAuth-NoCertificate-OldCallback",
3573 config: Config{
3574 MaxVersion: VersionTLS12,
3575 ClientAuth: RequestClientCert,
3576 },
3577 flags: []string{"-use-old-client-cert-callback"},
3578 })
3579 tests = append(tests, testCase{
3580 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3581 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3582 config: Config{
3583 MaxVersion: VersionTLS13,
3584 ClientAuth: RequestClientCert,
3585 },
3586 flags: []string{"-use-old-client-cert-callback"},
3587 })
3588 tests = append(tests, testCase{
3589 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3590 name: "ClientAuth-OldCallback",
3591 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3592 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3593 ClientAuth: RequireAnyClientCert,
3594 },
3595 flags: []string{
3596 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3597 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3598 "-use-old-client-cert-callback",
3599 },
3600 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3601 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3602 testType: clientTest,
3603 name: "ClientAuth-OldCallback-TLS13",
3604 config: Config{
3605 MaxVersion: VersionTLS13,
3606 ClientAuth: RequireAnyClientCert,
3607 },
3608 flags: []string{
3609 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3610 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3611 "-use-old-client-cert-callback",
3612 },
3613 })
3614 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3615 testType: serverTest,
3616 name: "ClientAuth-Server",
3617 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3618 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3619 Certificates: []Certificate{rsaCertificate},
3620 },
3621 flags: []string{"-require-any-client-certificate"},
3622 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3623 tests = append(tests, testCase{
3624 testType: serverTest,
3625 name: "ClientAuth-Server-TLS13",
3626 config: Config{
3627 MaxVersion: VersionTLS13,
3628 Certificates: []Certificate{rsaCertificate},
3629 },
3630 flags: []string{"-require-any-client-certificate"},
3631 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3632
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3633 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3634 tests = append(tests, testCase{
3635 testType: serverTest,
3636 name: "Basic-Server-RSA",
3637 config: Config{
3638 MaxVersion: VersionTLS12,
3639 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3640 },
3641 flags: []string{
3642 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3643 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3644 },
3645 })
3646 tests = append(tests, testCase{
3647 testType: serverTest,
3648 name: "Basic-Server-ECDHE-RSA",
3649 config: Config{
3650 MaxVersion: VersionTLS12,
3651 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3652 },
3653 flags: []string{
3654 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3655 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3656 },
3657 })
3658 tests = append(tests, testCase{
3659 testType: serverTest,
3660 name: "Basic-Server-ECDHE-ECDSA",
3661 config: Config{
3662 MaxVersion: VersionTLS12,
3663 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3664 },
3665 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3666 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3667 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3668 },
3669 })
3670
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3671 // No session ticket support; server doesn't send NewSessionTicket.
3672 tests = append(tests, testCase{
3673 name: "SessionTicketsDisabled-Client",
3674 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3675 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3676 SessionTicketsDisabled: true,
3677 },
3678 })
3679 tests = append(tests, testCase{
3680 testType: serverTest,
3681 name: "SessionTicketsDisabled-Server",
3682 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3683 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3684 SessionTicketsDisabled: true,
3685 },
3686 })
3687
3688 // Skip ServerKeyExchange in PSK key exchange if there's no
3689 // identity hint.
3690 tests = append(tests, testCase{
3691 name: "EmptyPSKHint-Client",
3692 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3693 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3694 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3695 PreSharedKey: []byte("secret"),
3696 },
3697 flags: []string{"-psk", "secret"},
3698 })
3699 tests = append(tests, testCase{
3700 testType: serverTest,
3701 name: "EmptyPSKHint-Server",
3702 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3703 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3704 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3705 PreSharedKey: []byte("secret"),
3706 },
3707 flags: []string{"-psk", "secret"},
3708 })
3709
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3710 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3711 tests = append(tests, testCase{
3712 testType: clientTest,
3713 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3714 config: Config{
3715 MaxVersion: VersionTLS12,
3716 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3717 flags: []string{
3718 "-enable-ocsp-stapling",
3719 "-expect-ocsp-response",
3720 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3721 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3722 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3723 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3724 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3725 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3726 testType: serverTest,
3727 name: "OCSPStapling-Server",
3728 config: Config{
3729 MaxVersion: VersionTLS12,
3730 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3731 expectedOCSPResponse: testOCSPResponse,
3732 flags: []string{
3733 "-ocsp-response",
3734 base64.StdEncoding.EncodeToString(testOCSPResponse),
3735 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3736 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3737 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3738 tests = append(tests, testCase{
3739 testType: clientTest,
3740 name: "OCSPStapling-Client-TLS13",
3741 config: Config{
3742 MaxVersion: VersionTLS13,
3743 },
3744 flags: []string{
3745 "-enable-ocsp-stapling",
3746 "-expect-ocsp-response",
3747 base64.StdEncoding.EncodeToString(testOCSPResponse),
3748 "-verify-peer",
3749 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3750 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3751 })
3752 tests = append(tests, testCase{
3753 testType: serverTest,
3754 name: "OCSPStapling-Server-TLS13",
3755 config: Config{
3756 MaxVersion: VersionTLS13,
3757 },
3758 expectedOCSPResponse: testOCSPResponse,
3759 flags: []string{
3760 "-ocsp-response",
3761 base64.StdEncoding.EncodeToString(testOCSPResponse),
3762 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3763 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3764 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3765
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3766 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3767 for _, vers := range tlsVersions {
3768 if config.protocol == dtls && !vers.hasDTLS {
3769 continue
3770 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3771 for _, testType := range []testType{clientTest, serverTest} {
3772 suffix := "-Client"
3773 if testType == serverTest {
3774 suffix = "-Server"
3775 }
3776 suffix += "-" + vers.name
3777
3778 flag := "-verify-peer"
3779 if testType == serverTest {
3780 flag = "-require-any-client-certificate"
3781 }
3782
3783 tests = append(tests, testCase{
3784 testType: testType,
3785 name: "CertificateVerificationSucceed" + suffix,
3786 config: Config{
3787 MaxVersion: vers.version,
3788 Certificates: []Certificate{rsaCertificate},
3789 },
3790 flags: []string{
3791 flag,
3792 "-expect-verify-result",
3793 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3794 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3795 })
3796 tests = append(tests, testCase{
3797 testType: testType,
3798 name: "CertificateVerificationFail" + suffix,
3799 config: Config{
3800 MaxVersion: vers.version,
3801 Certificates: []Certificate{rsaCertificate},
3802 },
3803 flags: []string{
3804 flag,
3805 "-verify-fail",
3806 },
3807 shouldFail: true,
3808 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3809 })
3810 }
3811
3812 // By default, the client is in a soft fail mode where the peer
3813 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3814 tests = append(tests, testCase{
3815 testType: clientTest,
3816 name: "CertificateVerificationSoftFail-" + vers.name,
3817 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3818 MaxVersion: vers.version,
3819 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3820 },
3821 flags: []string{
3822 "-verify-fail",
3823 "-expect-verify-result",
3824 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3825 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3826 })
3827 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3828
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3829 tests = append(tests, testCase{
3830 name: "ShimSendAlert",
3831 flags: []string{"-send-alert"},
3832 shimWritesFirst: true,
3833 shouldFail: true,
3834 expectedLocalError: "remote error: decompression failure",
3835 })
3836
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3837 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3838 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3839 name: "Renegotiate-Client",
3840 config: Config{
3841 MaxVersion: VersionTLS12,
3842 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3843 renegotiate: 1,
3844 flags: []string{
3845 "-renegotiate-freely",
3846 "-expect-total-renegotiations", "1",
3847 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3848 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3849
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3850 tests = append(tests, testCase{
3851 name: "SendHalfHelloRequest",
3852 config: Config{
3853 MaxVersion: VersionTLS12,
3854 Bugs: ProtocolBugs{
3855 PackHelloRequestWithFinished: config.packHandshakeFlight,
3856 },
3857 },
3858 sendHalfHelloRequest: true,
3859 flags: []string{"-renegotiate-ignore"},
3860 shouldFail: true,
3861 expectedError: ":UNEXPECTED_RECORD:",
3862 })
3863
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3864 // NPN on client and server; results in post-handshake message.
3865 tests = append(tests, testCase{
3866 name: "NPN-Client",
3867 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3868 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3869 NextProtos: []string{"foo"},
3870 },
3871 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3872 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3873 expectedNextProto: "foo",
3874 expectedNextProtoType: npn,
3875 })
3876 tests = append(tests, testCase{
3877 testType: serverTest,
3878 name: "NPN-Server",
3879 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3880 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3881 NextProtos: []string{"bar"},
3882 },
3883 flags: []string{
3884 "-advertise-npn", "\x03foo\x03bar\x03baz",
3885 "-expect-next-proto", "bar",
3886 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3887 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3888 expectedNextProto: "bar",
3889 expectedNextProtoType: npn,
3890 })
3891
3892 // TODO(davidben): Add tests for when False Start doesn't trigger.
3893
3894 // Client does False Start and negotiates NPN.
3895 tests = append(tests, testCase{
3896 name: "FalseStart",
3897 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3898 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3899 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3900 NextProtos: []string{"foo"},
3901 Bugs: ProtocolBugs{
3902 ExpectFalseStart: true,
3903 },
3904 },
3905 flags: []string{
3906 "-false-start",
3907 "-select-next-proto", "foo",
3908 },
3909 shimWritesFirst: true,
3910 resumeSession: true,
3911 })
3912
3913 // Client does False Start and negotiates ALPN.
3914 tests = append(tests, testCase{
3915 name: "FalseStart-ALPN",
3916 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3917 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3918 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3919 NextProtos: []string{"foo"},
3920 Bugs: ProtocolBugs{
3921 ExpectFalseStart: true,
3922 },
3923 },
3924 flags: []string{
3925 "-false-start",
3926 "-advertise-alpn", "\x03foo",
3927 },
3928 shimWritesFirst: true,
3929 resumeSession: true,
3930 })
3931
3932 // Client does False Start but doesn't explicitly call
3933 // SSL_connect.
3934 tests = append(tests, testCase{
3935 name: "FalseStart-Implicit",
3936 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3937 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3938 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3939 NextProtos: []string{"foo"},
3940 },
3941 flags: []string{
3942 "-implicit-handshake",
3943 "-false-start",
3944 "-advertise-alpn", "\x03foo",
3945 },
3946 })
3947
3948 // False Start without session tickets.
3949 tests = append(tests, testCase{
3950 name: "FalseStart-SessionTicketsDisabled",
3951 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3952 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3953 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3954 NextProtos: []string{"foo"},
3955 SessionTicketsDisabled: true,
3956 Bugs: ProtocolBugs{
3957 ExpectFalseStart: true,
3958 },
3959 },
3960 flags: []string{
3961 "-false-start",
3962 "-select-next-proto", "foo",
3963 },
3964 shimWritesFirst: true,
3965 })
3966
3967 // Server parses a V2ClientHello.
3968 tests = append(tests, testCase{
3969 testType: serverTest,
3970 name: "SendV2ClientHello",
3971 config: Config{
3972 // Choose a cipher suite that does not involve
3973 // elliptic curves, so no extensions are
3974 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3975 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]3976 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3977 Bugs: ProtocolBugs{
3978 SendV2ClientHello: true,
3979 },
3980 },
3981 })
3982
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]3983 // Test Channel ID
3984 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]3985 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]3986 continue
3987 }
3988 // Client sends a Channel ID.
3989 tests = append(tests, testCase{
3990 name: "ChannelID-Client-" + ver.name,
3991 config: Config{
3992 MaxVersion: ver.version,
3993 RequestChannelID: true,
3994 },
3995 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
3996 resumeSession: true,
3997 expectChannelID: true,
3998 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3999
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4000 // Server accepts a Channel ID.
4001 tests = append(tests, testCase{
4002 testType: serverTest,
4003 name: "ChannelID-Server-" + ver.name,
4004 config: Config{
4005 MaxVersion: ver.version,
4006 ChannelID: channelIDKey,
4007 },
4008 flags: []string{
4009 "-expect-channel-id",
4010 base64.StdEncoding.EncodeToString(channelIDBytes),
4011 },
4012 resumeSession: true,
4013 expectChannelID: true,
4014 })
4015
4016 tests = append(tests, testCase{
4017 testType: serverTest,
4018 name: "InvalidChannelIDSignature-" + ver.name,
4019 config: Config{
4020 MaxVersion: ver.version,
4021 ChannelID: channelIDKey,
4022 Bugs: ProtocolBugs{
4023 InvalidChannelIDSignature: true,
4024 },
4025 },
4026 flags: []string{"-enable-channel-id"},
4027 shouldFail: true,
4028 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4029 })
4030 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4031
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4032 // Channel ID and NPN at the same time, to ensure their relative
4033 // ordering is correct.
4034 tests = append(tests, testCase{
4035 name: "ChannelID-NPN-Client",
4036 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4037 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4038 RequestChannelID: true,
4039 NextProtos: []string{"foo"},
4040 },
4041 flags: []string{
4042 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4043 "-select-next-proto", "foo",
4044 },
4045 resumeSession: true,
4046 expectChannelID: true,
4047 expectedNextProto: "foo",
4048 expectedNextProtoType: npn,
4049 })
4050 tests = append(tests, testCase{
4051 testType: serverTest,
4052 name: "ChannelID-NPN-Server",
4053 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4054 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4055 ChannelID: channelIDKey,
4056 NextProtos: []string{"bar"},
4057 },
4058 flags: []string{
4059 "-expect-channel-id",
4060 base64.StdEncoding.EncodeToString(channelIDBytes),
4061 "-advertise-npn", "\x03foo\x03bar\x03baz",
4062 "-expect-next-proto", "bar",
4063 },
4064 resumeSession: true,
4065 expectChannelID: true,
4066 expectedNextProto: "bar",
4067 expectedNextProtoType: npn,
4068 })
4069
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4070 // Bidirectional shutdown with the runner initiating.
4071 tests = append(tests, testCase{
4072 name: "Shutdown-Runner",
4073 config: Config{
4074 Bugs: ProtocolBugs{
4075 ExpectCloseNotify: true,
4076 },
4077 },
4078 flags: []string{"-check-close-notify"},
4079 })
4080
4081 // Bidirectional shutdown with the shim initiating. The runner,
4082 // in the meantime, sends garbage before the close_notify which
4083 // the shim must ignore.
4084 tests = append(tests, testCase{
4085 name: "Shutdown-Shim",
4086 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]4087 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4088 Bugs: ProtocolBugs{
4089 ExpectCloseNotify: true,
4090 },
4091 },
4092 shimShutsDown: true,
4093 sendEmptyRecords: 1,
4094 sendWarningAlerts: 1,
4095 flags: []string{"-check-close-notify"},
4096 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4097 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4098 // TODO(davidben): DTLS 1.3 will want a similar thing for
4099 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4100 tests = append(tests, testCase{
4101 name: "SkipHelloVerifyRequest",
4102 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4103 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4104 Bugs: ProtocolBugs{
4105 SkipHelloVerifyRequest: true,
4106 },
4107 },
4108 })
4109 }
4110
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4111 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4112 test.protocol = config.protocol
4113 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4114 test.name += "-DTLS"
4115 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4116 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4117 test.name += "-Async"
4118 test.flags = append(test.flags, "-async")
4119 } else {
4120 test.name += "-Sync"
4121 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4122 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4123 test.name += "-SplitHandshakeRecords"
4124 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4125 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4126 test.config.Bugs.MaxPacketLength = 256
4127 test.flags = append(test.flags, "-mtu", "256")
4128 }
4129 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4130 if config.packHandshakeFlight {
4131 test.name += "-PackHandshakeFlight"
4132 test.config.Bugs.PackHandshakeFlight = true
4133 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4134 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4135 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4136}
4137
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4138func addDDoSCallbackTests() {
4139 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4140 for _, resume := range []bool{false, true} {
4141 suffix := "Resume"
4142 if resume {
4143 suffix = "No" + suffix
4144 }
4145
4146 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4147 testType: serverTest,
4148 name: "Server-DDoS-OK-" + suffix,
4149 config: Config{
4150 MaxVersion: VersionTLS12,
4151 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4152 flags: []string{"-install-ddos-callback"},
4153 resumeSession: resume,
4154 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4155 testCases = append(testCases, testCase{
4156 testType: serverTest,
4157 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4158 config: Config{
4159 MaxVersion: VersionTLS13,
4160 },
4161 flags: []string{"-install-ddos-callback"},
4162 resumeSession: resume,
4163 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4164
4165 failFlag := "-fail-ddos-callback"
4166 if resume {
4167 failFlag = "-fail-second-ddos-callback"
4168 }
4169 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4170 testType: serverTest,
4171 name: "Server-DDoS-Reject-" + suffix,
4172 config: Config{
4173 MaxVersion: VersionTLS12,
4174 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4175 flags: []string{"-install-ddos-callback", failFlag},
4176 resumeSession: resume,
4177 shouldFail: true,
4178 expectedError: ":CONNECTION_REJECTED:",
4179 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4180 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4181 testCases = append(testCases, testCase{
4182 testType: serverTest,
4183 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4184 config: Config{
4185 MaxVersion: VersionTLS13,
4186 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4187 flags: []string{"-install-ddos-callback", failFlag},
4188 resumeSession: resume,
4189 shouldFail: true,
4190 expectedError: ":CONNECTION_REJECTED:",
4191 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4192 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4193 }
4194}
4195
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4196func addVersionNegotiationTests() {
4197 for i, shimVers := range tlsVersions {
4198 // Assemble flags to disable all newer versions on the shim.
4199 var flags []string
4200 for _, vers := range tlsVersions[i+1:] {
4201 flags = append(flags, vers.flag)
4202 }
4203
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4204 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4205 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4206 protocols := []protocol{tls}
4207 if runnerVers.hasDTLS && shimVers.hasDTLS {
4208 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4209 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4210 for _, protocol := range protocols {
4211 expectedVersion := shimVers.version
4212 if runnerVers.version < shimVers.version {
4213 expectedVersion = runnerVers.version
4214 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4215
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4216 suffix := shimVers.name + "-" + runnerVers.name
4217 if protocol == dtls {
4218 suffix += "-DTLS"
4219 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4220
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4221 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4222
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4223 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4224 clientVers := shimVers.version
4225 if clientVers > VersionTLS10 {
4226 clientVers = VersionTLS10
4227 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4228 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4229 serverVers := expectedVersion
4230 if expectedVersion >= VersionTLS13 {
4231 serverVers = VersionTLS10
4232 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4233 serverVers = versionToWire(serverVers, protocol == dtls)
4234
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4235 testCases = append(testCases, testCase{
4236 protocol: protocol,
4237 testType: clientTest,
4238 name: "VersionNegotiation-Client-" + suffix,
4239 config: Config{
4240 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4241 Bugs: ProtocolBugs{
4242 ExpectInitialRecordVersion: clientVers,
4243 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4244 },
4245 flags: flags,
4246 expectedVersion: expectedVersion,
4247 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4248 testCases = append(testCases, testCase{
4249 protocol: protocol,
4250 testType: clientTest,
4251 name: "VersionNegotiation-Client2-" + suffix,
4252 config: Config{
4253 MaxVersion: runnerVers.version,
4254 Bugs: ProtocolBugs{
4255 ExpectInitialRecordVersion: clientVers,
4256 },
4257 },
4258 flags: []string{"-max-version", shimVersFlag},
4259 expectedVersion: expectedVersion,
4260 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4261
4262 testCases = append(testCases, testCase{
4263 protocol: protocol,
4264 testType: serverTest,
4265 name: "VersionNegotiation-Server-" + suffix,
4266 config: Config{
4267 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4268 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4269 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4270 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4271 },
4272 flags: flags,
4273 expectedVersion: expectedVersion,
4274 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4275 testCases = append(testCases, testCase{
4276 protocol: protocol,
4277 testType: serverTest,
4278 name: "VersionNegotiation-Server2-" + suffix,
4279 config: Config{
4280 MaxVersion: runnerVers.version,
4281 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4282 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4283 },
4284 },
4285 flags: []string{"-max-version", shimVersFlag},
4286 expectedVersion: expectedVersion,
4287 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4288 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4289 }
4290 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4291
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4292 // Test the version extension at all versions.
4293 for _, vers := range tlsVersions {
4294 protocols := []protocol{tls}
4295 if vers.hasDTLS {
4296 protocols = append(protocols, dtls)
4297 }
4298 for _, protocol := range protocols {
4299 suffix := vers.name
4300 if protocol == dtls {
4301 suffix += "-DTLS"
4302 }
4303
4304 wireVersion := versionToWire(vers.version, protocol == dtls)
4305 testCases = append(testCases, testCase{
4306 protocol: protocol,
4307 testType: serverTest,
4308 name: "VersionNegotiationExtension-" + suffix,
4309 config: Config{
4310 Bugs: ProtocolBugs{
4311 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4312 },
4313 },
4314 expectedVersion: vers.version,
4315 })
4316 }
4317
4318 }
4319
4320 // If all versions are unknown, negotiation fails.
4321 testCases = append(testCases, testCase{
4322 testType: serverTest,
4323 name: "NoSupportedVersions",
4324 config: Config{
4325 Bugs: ProtocolBugs{
4326 SendSupportedVersions: []uint16{0x1111},
4327 },
4328 },
4329 shouldFail: true,
4330 expectedError: ":UNSUPPORTED_PROTOCOL:",
4331 })
4332 testCases = append(testCases, testCase{
4333 protocol: dtls,
4334 testType: serverTest,
4335 name: "NoSupportedVersions-DTLS",
4336 config: Config{
4337 Bugs: ProtocolBugs{
4338 SendSupportedVersions: []uint16{0x1111},
4339 },
4340 },
4341 shouldFail: true,
4342 expectedError: ":UNSUPPORTED_PROTOCOL:",
4343 })
4344
4345 testCases = append(testCases, testCase{
4346 testType: serverTest,
4347 name: "ClientHelloVersionTooHigh",
4348 config: Config{
4349 MaxVersion: VersionTLS13,
4350 Bugs: ProtocolBugs{
4351 SendClientVersion: 0x0304,
4352 OmitSupportedVersions: true,
4353 },
4354 },
4355 expectedVersion: VersionTLS12,
4356 })
4357
4358 testCases = append(testCases, testCase{
4359 testType: serverTest,
4360 name: "ConflictingVersionNegotiation",
4361 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4362 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4363 SendClientVersion: VersionTLS12,
4364 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4365 },
4366 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4367 // The extension takes precedence over the ClientHello version.
4368 expectedVersion: VersionTLS11,
4369 })
4370
4371 testCases = append(testCases, testCase{
4372 testType: serverTest,
4373 name: "ConflictingVersionNegotiation-2",
4374 config: Config{
4375 Bugs: ProtocolBugs{
4376 SendClientVersion: VersionTLS11,
4377 SendSupportedVersions: []uint16{VersionTLS12},
4378 },
4379 },
4380 // The extension takes precedence over the ClientHello version.
4381 expectedVersion: VersionTLS12,
4382 })
4383
4384 testCases = append(testCases, testCase{
4385 testType: serverTest,
4386 name: "RejectFinalTLS13",
4387 config: Config{
4388 Bugs: ProtocolBugs{
4389 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4390 },
4391 },
4392 // We currently implement a draft TLS 1.3 version. Ensure that
4393 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4394 expectedVersion: VersionTLS12,
4395 })
4396
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4397 // Test that the maximum version is selected regardless of the
4398 // client-sent order.
4399 testCases = append(testCases, testCase{
4400 testType: serverTest,
4401 name: "IgnoreClientVersionOrder",
4402 config: Config{
4403 Bugs: ProtocolBugs{
4404 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4405 },
4406 },
4407 expectedVersion: VersionTLS13,
4408 })
4409
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4410 // Test for version tolerance.
4411 testCases = append(testCases, testCase{
4412 testType: serverTest,
4413 name: "MinorVersionTolerance",
4414 config: Config{
4415 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4416 SendClientVersion: 0x03ff,
4417 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4418 },
4419 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4420 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4421 })
4422 testCases = append(testCases, testCase{
4423 testType: serverTest,
4424 name: "MajorVersionTolerance",
4425 config: Config{
4426 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4427 SendClientVersion: 0x0400,
4428 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4429 },
4430 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4431 // TLS 1.3 must be negotiated with the supported_versions
4432 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4433 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4434 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4435 testCases = append(testCases, testCase{
4436 testType: serverTest,
4437 name: "VersionTolerance-TLS13",
4438 config: Config{
4439 Bugs: ProtocolBugs{
4440 // Although TLS 1.3 does not use
4441 // ClientHello.version, it still tolerates high
4442 // values there.
4443 SendClientVersion: 0x0400,
4444 },
4445 },
4446 expectedVersion: VersionTLS13,
4447 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4448
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4449 testCases = append(testCases, testCase{
4450 protocol: dtls,
4451 testType: serverTest,
4452 name: "MinorVersionTolerance-DTLS",
4453 config: Config{
4454 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4455 SendClientVersion: 0xfe00,
4456 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4457 },
4458 },
4459 expectedVersion: VersionTLS12,
4460 })
4461 testCases = append(testCases, testCase{
4462 protocol: dtls,
4463 testType: serverTest,
4464 name: "MajorVersionTolerance-DTLS",
4465 config: Config{
4466 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4467 SendClientVersion: 0xfdff,
4468 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4469 },
4470 },
4471 expectedVersion: VersionTLS12,
4472 })
4473
4474 // Test that versions below 3.0 are rejected.
4475 testCases = append(testCases, testCase{
4476 testType: serverTest,
4477 name: "VersionTooLow",
4478 config: Config{
4479 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4480 SendClientVersion: 0x0200,
4481 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4482 },
4483 },
4484 shouldFail: true,
4485 expectedError: ":UNSUPPORTED_PROTOCOL:",
4486 })
4487 testCases = append(testCases, testCase{
4488 protocol: dtls,
4489 testType: serverTest,
4490 name: "VersionTooLow-DTLS",
4491 config: Config{
4492 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4493 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4494 },
4495 },
4496 shouldFail: true,
4497 expectedError: ":UNSUPPORTED_PROTOCOL:",
4498 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4499
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4500 testCases = append(testCases, testCase{
4501 name: "ServerBogusVersion",
4502 config: Config{
4503 Bugs: ProtocolBugs{
4504 SendServerHelloVersion: 0x1234,
4505 },
4506 },
4507 shouldFail: true,
4508 expectedError: ":UNSUPPORTED_PROTOCOL:",
4509 })
4510
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4511 // Test TLS 1.3's downgrade signal.
4512 testCases = append(testCases, testCase{
4513 name: "Downgrade-TLS12-Client",
4514 config: Config{
4515 Bugs: ProtocolBugs{
4516 NegotiateVersion: VersionTLS12,
4517 },
4518 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4519 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4520 // TODO(davidben): This test should fail once TLS 1.3 is final
4521 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4522 })
4523 testCases = append(testCases, testCase{
4524 testType: serverTest,
4525 name: "Downgrade-TLS12-Server",
4526 config: Config{
4527 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4528 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4529 },
4530 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4531 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4532 // TODO(davidben): This test should fail once TLS 1.3 is final
4533 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4534 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4535}
4536
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4537func addMinimumVersionTests() {
4538 for i, shimVers := range tlsVersions {
4539 // Assemble flags to disable all older versions on the shim.
4540 var flags []string
4541 for _, vers := range tlsVersions[:i] {
4542 flags = append(flags, vers.flag)
4543 }
4544
4545 for _, runnerVers := range tlsVersions {
4546 protocols := []protocol{tls}
4547 if runnerVers.hasDTLS && shimVers.hasDTLS {
4548 protocols = append(protocols, dtls)
4549 }
4550 for _, protocol := range protocols {
4551 suffix := shimVers.name + "-" + runnerVers.name
4552 if protocol == dtls {
4553 suffix += "-DTLS"
4554 }
4555 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4556
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4557 var expectedVersion uint16
4558 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4559 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4560 if runnerVers.version >= shimVers.version {
4561 expectedVersion = runnerVers.version
4562 } else {
4563 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4564 expectedError = ":UNSUPPORTED_PROTOCOL:"
4565 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4566 }
4567
4568 testCases = append(testCases, testCase{
4569 protocol: protocol,
4570 testType: clientTest,
4571 name: "MinimumVersion-Client-" + suffix,
4572 config: Config{
4573 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4574 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4575 // Ensure the server does not decline to
4576 // select a version (versions extension) or
4577 // cipher (some ciphers depend on versions).
4578 NegotiateVersion: runnerVers.version,
4579 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4580 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4581 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4582 flags: flags,
4583 expectedVersion: expectedVersion,
4584 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4585 expectedError: expectedError,
4586 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4587 })
4588 testCases = append(testCases, testCase{
4589 protocol: protocol,
4590 testType: clientTest,
4591 name: "MinimumVersion-Client2-" + suffix,
4592 config: Config{
4593 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4594 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4595 // Ensure the server does not decline to
4596 // select a version (versions extension) or
4597 // cipher (some ciphers depend on versions).
4598 NegotiateVersion: runnerVers.version,
4599 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4600 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4601 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4602 flags: []string{"-min-version", shimVersFlag},
4603 expectedVersion: expectedVersion,
4604 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4605 expectedError: expectedError,
4606 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4607 })
4608
4609 testCases = append(testCases, testCase{
4610 protocol: protocol,
4611 testType: serverTest,
4612 name: "MinimumVersion-Server-" + suffix,
4613 config: Config{
4614 MaxVersion: runnerVers.version,
4615 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4616 flags: flags,
4617 expectedVersion: expectedVersion,
4618 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4619 expectedError: expectedError,
4620 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4621 })
4622 testCases = append(testCases, testCase{
4623 protocol: protocol,
4624 testType: serverTest,
4625 name: "MinimumVersion-Server2-" + suffix,
4626 config: Config{
4627 MaxVersion: runnerVers.version,
4628 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4629 flags: []string{"-min-version", shimVersFlag},
4630 expectedVersion: expectedVersion,
4631 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4632 expectedError: expectedError,
4633 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4634 })
4635 }
4636 }
4637 }
4638}
4639
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4640func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4641 // TODO(davidben): Extensions, where applicable, all move their server
4642 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4643 // tests for both. Also test interaction with 0-RTT when implemented.
4644
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4645 // Repeat extensions tests all versions except SSL 3.0.
4646 for _, ver := range tlsVersions {
4647 if ver.version == VersionSSL30 {
4648 continue
4649 }
4650
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4651 // Test that duplicate extensions are rejected.
4652 testCases = append(testCases, testCase{
4653 testType: clientTest,
4654 name: "DuplicateExtensionClient-" + ver.name,
4655 config: Config{
4656 MaxVersion: ver.version,
4657 Bugs: ProtocolBugs{
4658 DuplicateExtension: true,
4659 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4660 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4661 shouldFail: true,
4662 expectedLocalError: "remote error: error decoding message",
4663 })
4664 testCases = append(testCases, testCase{
4665 testType: serverTest,
4666 name: "DuplicateExtensionServer-" + ver.name,
4667 config: Config{
4668 MaxVersion: ver.version,
4669 Bugs: ProtocolBugs{
4670 DuplicateExtension: true,
4671 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4672 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4673 shouldFail: true,
4674 expectedLocalError: "remote error: error decoding message",
4675 })
4676
4677 // Test SNI.
4678 testCases = append(testCases, testCase{
4679 testType: clientTest,
4680 name: "ServerNameExtensionClient-" + ver.name,
4681 config: Config{
4682 MaxVersion: ver.version,
4683 Bugs: ProtocolBugs{
4684 ExpectServerName: "example.com",
4685 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4686 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4687 flags: []string{"-host-name", "example.com"},
4688 })
4689 testCases = append(testCases, testCase{
4690 testType: clientTest,
4691 name: "ServerNameExtensionClientMismatch-" + ver.name,
4692 config: Config{
4693 MaxVersion: ver.version,
4694 Bugs: ProtocolBugs{
4695 ExpectServerName: "mismatch.com",
4696 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4697 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4698 flags: []string{"-host-name", "example.com"},
4699 shouldFail: true,
4700 expectedLocalError: "tls: unexpected server name",
4701 })
4702 testCases = append(testCases, testCase{
4703 testType: clientTest,
4704 name: "ServerNameExtensionClientMissing-" + ver.name,
4705 config: Config{
4706 MaxVersion: ver.version,
4707 Bugs: ProtocolBugs{
4708 ExpectServerName: "missing.com",
4709 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4710 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4711 shouldFail: true,
4712 expectedLocalError: "tls: unexpected server name",
4713 })
4714 testCases = append(testCases, testCase{
4715 testType: serverTest,
4716 name: "ServerNameExtensionServer-" + ver.name,
4717 config: Config{
4718 MaxVersion: ver.version,
4719 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4720 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4721 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4722 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4723 })
4724
4725 // Test ALPN.
4726 testCases = append(testCases, testCase{
4727 testType: clientTest,
4728 name: "ALPNClient-" + ver.name,
4729 config: Config{
4730 MaxVersion: ver.version,
4731 NextProtos: []string{"foo"},
4732 },
4733 flags: []string{
4734 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4735 "-expect-alpn", "foo",
4736 },
4737 expectedNextProto: "foo",
4738 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4739 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4740 })
4741 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4742 testType: clientTest,
4743 name: "ALPNClient-Mismatch-" + ver.name,
4744 config: Config{
4745 MaxVersion: ver.version,
4746 Bugs: ProtocolBugs{
4747 SendALPN: "baz",
4748 },
4749 },
4750 flags: []string{
4751 "-advertise-alpn", "\x03foo\x03bar",
4752 },
4753 shouldFail: true,
4754 expectedError: ":INVALID_ALPN_PROTOCOL:",
4755 expectedLocalError: "remote error: illegal parameter",
4756 })
4757 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4758 testType: serverTest,
4759 name: "ALPNServer-" + ver.name,
4760 config: Config{
4761 MaxVersion: ver.version,
4762 NextProtos: []string{"foo", "bar", "baz"},
4763 },
4764 flags: []string{
4765 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4766 "-select-alpn", "foo",
4767 },
4768 expectedNextProto: "foo",
4769 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4770 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4771 })
4772 testCases = append(testCases, testCase{
4773 testType: serverTest,
4774 name: "ALPNServer-Decline-" + ver.name,
4775 config: Config{
4776 MaxVersion: ver.version,
4777 NextProtos: []string{"foo", "bar", "baz"},
4778 },
4779 flags: []string{"-decline-alpn"},
4780 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4781 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4782 })
4783
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4784 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4785 // called once.
4786 testCases = append(testCases, testCase{
4787 testType: serverTest,
4788 name: "ALPNServer-Async-" + ver.name,
4789 config: Config{
4790 MaxVersion: ver.version,
4791 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4792 // Prior to TLS 1.3, exercise the asynchronous session callback.
4793 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4794 },
4795 flags: []string{
4796 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4797 "-select-alpn", "foo",
4798 "-async",
4799 },
4800 expectedNextProto: "foo",
4801 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4802 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4803 })
4804
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4805 var emptyString string
4806 testCases = append(testCases, testCase{
4807 testType: clientTest,
4808 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4809 config: Config{
4810 MaxVersion: ver.version,
4811 NextProtos: []string{""},
4812 Bugs: ProtocolBugs{
4813 // A server returning an empty ALPN protocol
4814 // should be rejected.
4815 ALPNProtocol: &emptyString,
4816 },
4817 },
4818 flags: []string{
4819 "-advertise-alpn", "\x03foo",
4820 },
4821 shouldFail: true,
4822 expectedError: ":PARSE_TLSEXT:",
4823 })
4824 testCases = append(testCases, testCase{
4825 testType: serverTest,
4826 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4827 config: Config{
4828 MaxVersion: ver.version,
4829 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4830 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4831 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4832 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4833 flags: []string{
4834 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4835 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4836 shouldFail: true,
4837 expectedError: ":PARSE_TLSEXT:",
4838 })
4839
4840 // Test NPN and the interaction with ALPN.
4841 if ver.version < VersionTLS13 {
4842 // Test that the server prefers ALPN over NPN.
4843 testCases = append(testCases, testCase{
4844 testType: serverTest,
4845 name: "ALPNServer-Preferred-" + ver.name,
4846 config: Config{
4847 MaxVersion: ver.version,
4848 NextProtos: []string{"foo", "bar", "baz"},
4849 },
4850 flags: []string{
4851 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4852 "-select-alpn", "foo",
4853 "-advertise-npn", "\x03foo\x03bar\x03baz",
4854 },
4855 expectedNextProto: "foo",
4856 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4857 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4858 })
4859 testCases = append(testCases, testCase{
4860 testType: serverTest,
4861 name: "ALPNServer-Preferred-Swapped-" + ver.name,
4862 config: Config{
4863 MaxVersion: ver.version,
4864 NextProtos: []string{"foo", "bar", "baz"},
4865 Bugs: ProtocolBugs{
4866 SwapNPNAndALPN: true,
4867 },
4868 },
4869 flags: []string{
4870 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4871 "-select-alpn", "foo",
4872 "-advertise-npn", "\x03foo\x03bar\x03baz",
4873 },
4874 expectedNextProto: "foo",
4875 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4876 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4877 })
4878
4879 // Test that negotiating both NPN and ALPN is forbidden.
4880 testCases = append(testCases, testCase{
4881 name: "NegotiateALPNAndNPN-" + ver.name,
4882 config: Config{
4883 MaxVersion: ver.version,
4884 NextProtos: []string{"foo", "bar", "baz"},
4885 Bugs: ProtocolBugs{
4886 NegotiateALPNAndNPN: true,
4887 },
4888 },
4889 flags: []string{
4890 "-advertise-alpn", "\x03foo",
4891 "-select-next-proto", "foo",
4892 },
4893 shouldFail: true,
4894 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4895 })
4896 testCases = append(testCases, testCase{
4897 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
4898 config: Config{
4899 MaxVersion: ver.version,
4900 NextProtos: []string{"foo", "bar", "baz"},
4901 Bugs: ProtocolBugs{
4902 NegotiateALPNAndNPN: true,
4903 SwapNPNAndALPN: true,
4904 },
4905 },
4906 flags: []string{
4907 "-advertise-alpn", "\x03foo",
4908 "-select-next-proto", "foo",
4909 },
4910 shouldFail: true,
4911 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4912 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4913 }
4914
4915 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4916
4917 // Resume with a corrupt ticket.
4918 testCases = append(testCases, testCase{
4919 testType: serverTest,
4920 name: "CorruptTicket-" + ver.name,
4921 config: Config{
4922 MaxVersion: ver.version,
4923 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]4924 FilterTicket: func(in []byte) ([]byte, error) {
4925 in[len(in)-1] ^= 1
4926 return in, nil
4927 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4928 },
4929 },
4930 resumeSession: true,
4931 expectResumeRejected: true,
4932 })
4933 // Test the ticket callback, with and without renewal.
4934 testCases = append(testCases, testCase{
4935 testType: serverTest,
4936 name: "TicketCallback-" + ver.name,
4937 config: Config{
4938 MaxVersion: ver.version,
4939 },
4940 resumeSession: true,
4941 flags: []string{"-use-ticket-callback"},
4942 })
4943 testCases = append(testCases, testCase{
4944 testType: serverTest,
4945 name: "TicketCallback-Renew-" + ver.name,
4946 config: Config{
4947 MaxVersion: ver.version,
4948 Bugs: ProtocolBugs{
4949 ExpectNewTicket: true,
4950 },
4951 },
4952 flags: []string{"-use-ticket-callback", "-renew-ticket"},
4953 resumeSession: true,
4954 })
4955
4956 // Test that the ticket callback is only called once when everything before
4957 // it in the ClientHello is asynchronous. This corrupts the ticket so
4958 // certificate selection callbacks run.
4959 testCases = append(testCases, testCase{
4960 testType: serverTest,
4961 name: "TicketCallback-SingleCall-" + ver.name,
4962 config: Config{
4963 MaxVersion: ver.version,
4964 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]4965 FilterTicket: func(in []byte) ([]byte, error) {
4966 in[len(in)-1] ^= 1
4967 return in, nil
4968 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4969 },
4970 },
4971 resumeSession: true,
4972 expectResumeRejected: true,
4973 flags: []string{
4974 "-use-ticket-callback",
4975 "-async",
4976 },
4977 })
4978
4979 // Resume with an oversized session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4980 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4981 testCases = append(testCases, testCase{
4982 testType: serverTest,
4983 name: "OversizedSessionId-" + ver.name,
4984 config: Config{
4985 MaxVersion: ver.version,
4986 Bugs: ProtocolBugs{
4987 OversizedSessionId: true,
4988 },
4989 },
4990 resumeSession: true,
4991 shouldFail: true,
4992 expectedError: ":DECODE_ERROR:",
4993 })
4994 }
4995
4996 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
4997 // are ignored.
4998 if ver.hasDTLS {
4999 testCases = append(testCases, testCase{
5000 protocol: dtls,
5001 name: "SRTP-Client-" + ver.name,
5002 config: Config{
5003 MaxVersion: ver.version,
5004 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5005 },
5006 flags: []string{
5007 "-srtp-profiles",
5008 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5009 },
5010 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5011 })
5012 testCases = append(testCases, testCase{
5013 protocol: dtls,
5014 testType: serverTest,
5015 name: "SRTP-Server-" + ver.name,
5016 config: Config{
5017 MaxVersion: ver.version,
5018 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5019 },
5020 flags: []string{
5021 "-srtp-profiles",
5022 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5023 },
5024 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5025 })
5026 // Test that the MKI is ignored.
5027 testCases = append(testCases, testCase{
5028 protocol: dtls,
5029 testType: serverTest,
5030 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5031 config: Config{
5032 MaxVersion: ver.version,
5033 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5034 Bugs: ProtocolBugs{
5035 SRTPMasterKeyIdentifer: "bogus",
5036 },
5037 },
5038 flags: []string{
5039 "-srtp-profiles",
5040 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5041 },
5042 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5043 })
5044 // Test that SRTP isn't negotiated on the server if there were
5045 // no matching profiles.
5046 testCases = append(testCases, testCase{
5047 protocol: dtls,
5048 testType: serverTest,
5049 name: "SRTP-Server-NoMatch-" + ver.name,
5050 config: Config{
5051 MaxVersion: ver.version,
5052 SRTPProtectionProfiles: []uint16{100, 101, 102},
5053 },
5054 flags: []string{
5055 "-srtp-profiles",
5056 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5057 },
5058 expectedSRTPProtectionProfile: 0,
5059 })
5060 // Test that the server returning an invalid SRTP profile is
5061 // flagged as an error by the client.
5062 testCases = append(testCases, testCase{
5063 protocol: dtls,
5064 name: "SRTP-Client-NoMatch-" + ver.name,
5065 config: Config{
5066 MaxVersion: ver.version,
5067 Bugs: ProtocolBugs{
5068 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5069 },
5070 },
5071 flags: []string{
5072 "-srtp-profiles",
5073 "SRTP_AES128_CM_SHA1_80",
5074 },
5075 shouldFail: true,
5076 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5077 })
5078 }
5079
5080 // Test SCT list.
5081 testCases = append(testCases, testCase{
5082 name: "SignedCertificateTimestampList-Client-" + ver.name,
5083 testType: clientTest,
5084 config: Config{
5085 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5086 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5087 flags: []string{
5088 "-enable-signed-cert-timestamps",
5089 "-expect-signed-cert-timestamps",
5090 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5091 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5092 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5093 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5094
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5095 var differentSCTList []byte
5096 differentSCTList = append(differentSCTList, testSCTList...)
5097 differentSCTList[len(differentSCTList)-1] ^= 1
5098
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5099 // The SCT extension did not specify that it must only be sent on resumption as it
5100 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5101 testCases = append(testCases, testCase{
5102 name: "SendSCTListOnResume-" + ver.name,
5103 config: Config{
5104 MaxVersion: ver.version,
5105 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5106 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5107 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5108 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5109 flags: []string{
5110 "-enable-signed-cert-timestamps",
5111 "-expect-signed-cert-timestamps",
5112 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5113 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5114 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5115 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5116
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5117 testCases = append(testCases, testCase{
5118 name: "SignedCertificateTimestampList-Server-" + ver.name,
5119 testType: serverTest,
5120 config: Config{
5121 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5122 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5123 flags: []string{
5124 "-signed-cert-timestamps",
5125 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5126 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5127 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5128 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5129 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5130
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5131 emptySCTListCert := *testCerts[0].cert
5132 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5133
5134 // Test empty SCT list.
5135 testCases = append(testCases, testCase{
5136 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5137 testType: clientTest,
5138 config: Config{
5139 MaxVersion: ver.version,
5140 Certificates: []Certificate{emptySCTListCert},
5141 },
5142 flags: []string{
5143 "-enable-signed-cert-timestamps",
5144 },
5145 shouldFail: true,
5146 expectedError: ":ERROR_PARSING_EXTENSION:",
5147 })
5148
5149 emptySCTCert := *testCerts[0].cert
5150 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5151
5152 // Test empty SCT in non-empty list.
5153 testCases = append(testCases, testCase{
5154 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5155 testType: clientTest,
5156 config: Config{
5157 MaxVersion: ver.version,
5158 Certificates: []Certificate{emptySCTCert},
5159 },
5160 flags: []string{
5161 "-enable-signed-cert-timestamps",
5162 },
5163 shouldFail: true,
5164 expectedError: ":ERROR_PARSING_EXTENSION:",
5165 })
5166
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5167 // Test that certificate-related extensions are not sent unsolicited.
5168 testCases = append(testCases, testCase{
5169 testType: serverTest,
5170 name: "UnsolicitedCertificateExtensions-" + ver.name,
5171 config: Config{
5172 MaxVersion: ver.version,
5173 Bugs: ProtocolBugs{
5174 NoOCSPStapling: true,
5175 NoSignedCertificateTimestamps: true,
5176 },
5177 },
5178 flags: []string{
5179 "-ocsp-response",
5180 base64.StdEncoding.EncodeToString(testOCSPResponse),
5181 "-signed-cert-timestamps",
5182 base64.StdEncoding.EncodeToString(testSCTList),
5183 },
5184 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5185 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5186
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5187 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5188 testType: clientTest,
5189 name: "ClientHelloPadding",
5190 config: Config{
5191 Bugs: ProtocolBugs{
5192 RequireClientHelloSize: 512,
5193 },
5194 },
5195 // This hostname just needs to be long enough to push the
5196 // ClientHello into F5's danger zone between 256 and 511 bytes
5197 // long.
5198 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5199 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5200
5201 // Extensions should not function in SSL 3.0.
5202 testCases = append(testCases, testCase{
5203 testType: serverTest,
5204 name: "SSLv3Extensions-NoALPN",
5205 config: Config{
5206 MaxVersion: VersionSSL30,
5207 NextProtos: []string{"foo", "bar", "baz"},
5208 },
5209 flags: []string{
5210 "-select-alpn", "foo",
5211 },
5212 expectNoNextProto: true,
5213 })
5214
5215 // Test session tickets separately as they follow a different codepath.
5216 testCases = append(testCases, testCase{
5217 testType: serverTest,
5218 name: "SSLv3Extensions-NoTickets",
5219 config: Config{
5220 MaxVersion: VersionSSL30,
5221 Bugs: ProtocolBugs{
5222 // Historically, session tickets in SSL 3.0
5223 // failed in different ways depending on whether
5224 // the client supported renegotiation_info.
5225 NoRenegotiationInfo: true,
5226 },
5227 },
5228 resumeSession: true,
5229 })
5230 testCases = append(testCases, testCase{
5231 testType: serverTest,
5232 name: "SSLv3Extensions-NoTickets2",
5233 config: Config{
5234 MaxVersion: VersionSSL30,
5235 },
5236 resumeSession: true,
5237 })
5238
5239 // But SSL 3.0 does send and process renegotiation_info.
5240 testCases = append(testCases, testCase{
5241 testType: serverTest,
5242 name: "SSLv3Extensions-RenegotiationInfo",
5243 config: Config{
5244 MaxVersion: VersionSSL30,
5245 Bugs: ProtocolBugs{
5246 RequireRenegotiationInfo: true,
5247 },
5248 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5249 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5250 })
5251 testCases = append(testCases, testCase{
5252 testType: serverTest,
5253 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5254 config: Config{
5255 MaxVersion: VersionSSL30,
5256 Bugs: ProtocolBugs{
5257 NoRenegotiationInfo: true,
5258 SendRenegotiationSCSV: true,
5259 RequireRenegotiationInfo: true,
5260 },
5261 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5262 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5263 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5264
5265 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5266 // in ServerHello.
5267 testCases = append(testCases, testCase{
5268 name: "NPN-Forbidden-TLS13",
5269 config: Config{
5270 MaxVersion: VersionTLS13,
5271 NextProtos: []string{"foo"},
5272 Bugs: ProtocolBugs{
5273 NegotiateNPNAtAllVersions: true,
5274 },
5275 },
5276 flags: []string{"-select-next-proto", "foo"},
5277 shouldFail: true,
5278 expectedError: ":ERROR_PARSING_EXTENSION:",
5279 })
5280 testCases = append(testCases, testCase{
5281 name: "EMS-Forbidden-TLS13",
5282 config: Config{
5283 MaxVersion: VersionTLS13,
5284 Bugs: ProtocolBugs{
5285 NegotiateEMSAtAllVersions: true,
5286 },
5287 },
5288 shouldFail: true,
5289 expectedError: ":ERROR_PARSING_EXTENSION:",
5290 })
5291 testCases = append(testCases, testCase{
5292 name: "RenegotiationInfo-Forbidden-TLS13",
5293 config: Config{
5294 MaxVersion: VersionTLS13,
5295 Bugs: ProtocolBugs{
5296 NegotiateRenegotiationInfoAtAllVersions: true,
5297 },
5298 },
5299 shouldFail: true,
5300 expectedError: ":ERROR_PARSING_EXTENSION:",
5301 })
5302 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5303 name: "Ticket-Forbidden-TLS13",
5304 config: Config{
5305 MaxVersion: VersionTLS12,
5306 },
5307 resumeConfig: &Config{
5308 MaxVersion: VersionTLS13,
5309 Bugs: ProtocolBugs{
5310 AdvertiseTicketExtension: true,
5311 },
5312 },
5313 resumeSession: true,
5314 shouldFail: true,
5315 expectedError: ":ERROR_PARSING_EXTENSION:",
5316 })
5317
5318 // Test that illegal extensions in TLS 1.3 are declined by the server if
5319 // offered in ClientHello. The runner's server will fail if this occurs,
5320 // so we exercise the offering path. (EMS and Renegotiation Info are
5321 // implicit in every test.)
5322 testCases = append(testCases, testCase{
5323 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5324 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5325 config: Config{
5326 MaxVersion: VersionTLS13,
5327 NextProtos: []string{"bar"},
5328 },
5329 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5330 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5331
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5332 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5333 // tolerated.
5334 testCases = append(testCases, testCase{
5335 name: "SendOCSPResponseOnResume-TLS12",
5336 config: Config{
5337 MaxVersion: VersionTLS12,
5338 Bugs: ProtocolBugs{
5339 SendOCSPResponseOnResume: []byte("bogus"),
5340 },
5341 },
5342 flags: []string{
5343 "-enable-ocsp-stapling",
5344 "-expect-ocsp-response",
5345 base64.StdEncoding.EncodeToString(testOCSPResponse),
5346 },
5347 resumeSession: true,
5348 })
5349
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5350 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5351 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5352 config: Config{
5353 MaxVersion: VersionTLS13,
5354 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5355 SendExtensionOnCertificate: testOCSPExtension,
5356 },
5357 },
5358 shouldFail: true,
5359 expectedError: ":UNEXPECTED_EXTENSION:",
5360 })
5361
5362 testCases = append(testCases, testCase{
5363 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5364 config: Config{
5365 MaxVersion: VersionTLS13,
5366 Bugs: ProtocolBugs{
5367 SendExtensionOnCertificate: testSCTExtension,
5368 },
5369 },
5370 shouldFail: true,
5371 expectedError: ":UNEXPECTED_EXTENSION:",
5372 })
5373
5374 // Test that extensions on client certificates are never accepted.
5375 testCases = append(testCases, testCase{
5376 name: "SendExtensionOnClientCertificate-TLS13",
5377 testType: serverTest,
5378 config: Config{
5379 MaxVersion: VersionTLS13,
5380 Certificates: []Certificate{rsaCertificate},
5381 Bugs: ProtocolBugs{
5382 SendExtensionOnCertificate: testOCSPExtension,
5383 },
5384 },
5385 flags: []string{
5386 "-enable-ocsp-stapling",
5387 "-require-any-client-certificate",
5388 },
5389 shouldFail: true,
5390 expectedError: ":UNEXPECTED_EXTENSION:",
5391 })
5392
5393 testCases = append(testCases, testCase{
5394 name: "SendUnknownExtensionOnCertificate-TLS13",
5395 config: Config{
5396 MaxVersion: VersionTLS13,
5397 Bugs: ProtocolBugs{
5398 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5399 },
5400 },
5401 shouldFail: true,
5402 expectedError: ":UNEXPECTED_EXTENSION:",
5403 })
5404
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5405 var differentSCTList []byte
5406 differentSCTList = append(differentSCTList, testSCTList...)
5407 differentSCTList[len(differentSCTList)-1] ^= 1
5408
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5409 // Test that extensions on intermediates are allowed but ignored.
5410 testCases = append(testCases, testCase{
5411 name: "IgnoreExtensionsOnIntermediates-TLS13",
5412 config: Config{
5413 MaxVersion: VersionTLS13,
5414 Certificates: []Certificate{rsaChainCertificate},
5415 Bugs: ProtocolBugs{
5416 // Send different values on the intermediate. This tests
5417 // the intermediate's extensions do not override the
5418 // leaf's.
5419 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5420 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5421 },
5422 },
5423 flags: []string{
5424 "-enable-ocsp-stapling",
5425 "-expect-ocsp-response",
5426 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5427 "-enable-signed-cert-timestamps",
5428 "-expect-signed-cert-timestamps",
5429 base64.StdEncoding.EncodeToString(testSCTList),
5430 },
5431 resumeSession: true,
5432 })
5433
5434 // Test that extensions are not sent on intermediates when configured
5435 // only for a leaf.
5436 testCases = append(testCases, testCase{
5437 testType: serverTest,
5438 name: "SendNoExtensionsOnIntermediate-TLS13",
5439 config: Config{
5440 MaxVersion: VersionTLS13,
5441 Bugs: ProtocolBugs{
5442 ExpectNoExtensionsOnIntermediate: true,
5443 },
5444 },
5445 flags: []string{
5446 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5447 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5448 "-ocsp-response",
5449 base64.StdEncoding.EncodeToString(testOCSPResponse),
5450 "-signed-cert-timestamps",
5451 base64.StdEncoding.EncodeToString(testSCTList),
5452 },
5453 })
5454
5455 // Test that extensions are not sent on client certificates.
5456 testCases = append(testCases, testCase{
5457 name: "SendNoClientCertificateExtensions-TLS13",
5458 config: Config{
5459 MaxVersion: VersionTLS13,
5460 ClientAuth: RequireAnyClientCert,
5461 },
5462 flags: []string{
5463 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5464 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5465 "-ocsp-response",
5466 base64.StdEncoding.EncodeToString(testOCSPResponse),
5467 "-signed-cert-timestamps",
5468 base64.StdEncoding.EncodeToString(testSCTList),
5469 },
5470 })
5471
5472 testCases = append(testCases, testCase{
5473 name: "SendDuplicateExtensionsOnCerts-TLS13",
5474 config: Config{
5475 MaxVersion: VersionTLS13,
5476 Bugs: ProtocolBugs{
5477 SendDuplicateCertExtensions: true,
5478 },
5479 },
5480 flags: []string{
5481 "-enable-ocsp-stapling",
5482 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5483 },
5484 resumeSession: true,
5485 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5486 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5487 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5488
5489 testCases = append(testCases, testCase{
5490 name: "SignedCertificateTimestampListInvalid-Server",
5491 testType: serverTest,
5492 flags: []string{
5493 "-signed-cert-timestamps",
5494 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5495 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5496 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5497 expectedError: ":INVALID_SCT_LIST:",
5498 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5499}
5500
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5501func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5502 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5503 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5504 // SSL 3.0 does not have tickets and TLS 1.3 does not
5505 // have session IDs, so skip their cross-resumption
5506 // tests.
5507 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5508 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5509 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5510 }
5511
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5512 protocols := []protocol{tls}
5513 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5514 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5515 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5516 for _, protocol := range protocols {
5517 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5518 if protocol == dtls {
5519 suffix += "-DTLS"
5520 }
5521
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5522 if sessionVers.version == resumeVers.version {
5523 testCases = append(testCases, testCase{
5524 protocol: protocol,
5525 name: "Resume-Client" + suffix,
5526 resumeSession: true,
5527 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5528 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5529 Bugs: ProtocolBugs{
5530 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5531 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5532 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5533 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5534 expectedVersion: sessionVers.version,
5535 expectedResumeVersion: resumeVers.version,
5536 })
5537 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5538 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5539
5540 // Offering a TLS 1.3 session sends an empty session ID, so
5541 // there is no way to convince a non-lookahead client the
5542 // session was resumed. It will appear to the client that a
5543 // stray ChangeCipherSpec was sent.
5544 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5545 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5546 }
5547
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5548 testCases = append(testCases, testCase{
5549 protocol: protocol,
5550 name: "Resume-Client-Mismatch" + suffix,
5551 resumeSession: true,
5552 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5553 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5554 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5555 expectedVersion: sessionVers.version,
5556 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5557 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5558 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5559 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5560 },
5561 },
5562 expectedResumeVersion: resumeVers.version,
5563 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5564 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5565 })
5566 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5567
5568 testCases = append(testCases, testCase{
5569 protocol: protocol,
5570 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5571 resumeSession: true,
5572 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5573 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5574 },
5575 expectedVersion: sessionVers.version,
5576 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5577 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5578 },
5579 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5580 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5581 expectedResumeVersion: resumeVers.version,
5582 })
5583
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5584 testCases = append(testCases, testCase{
5585 protocol: protocol,
5586 testType: serverTest,
5587 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5588 resumeSession: true,
5589 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5590 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5591 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5592 expectedVersion: sessionVers.version,
5593 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5594 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5595 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5596 Bugs: ProtocolBugs{
5597 SendBothTickets: true,
5598 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5599 },
5600 expectedResumeVersion: resumeVers.version,
5601 })
5602 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5603 }
5604 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5605
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5606 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5607 testCases = append(testCases, testCase{
5608 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5609 name: "ShimTicketRewritable",
5610 resumeSession: true,
5611 config: Config{
5612 MaxVersion: VersionTLS12,
5613 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5614 Bugs: ProtocolBugs{
5615 FilterTicket: func(in []byte) ([]byte, error) {
5616 in, err := SetShimTicketVersion(in, VersionTLS12)
5617 if err != nil {
5618 return nil, err
5619 }
5620 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5621 },
5622 },
5623 },
5624 flags: []string{
5625 "-ticket-key",
5626 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5627 },
5628 })
5629
5630 // Resumptions are declined if the version does not match.
5631 testCases = append(testCases, testCase{
5632 testType: serverTest,
5633 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5634 resumeSession: true,
5635 config: Config{
5636 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5637 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5638 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5639 FilterTicket: func(in []byte) ([]byte, error) {
5640 return SetShimTicketVersion(in, VersionTLS13)
5641 },
5642 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5643 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5644 flags: []string{
5645 "-ticket-key",
5646 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5647 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5648 expectResumeRejected: true,
5649 })
5650
5651 testCases = append(testCases, testCase{
5652 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5653 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5654 resumeSession: true,
5655 config: Config{
5656 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5657 Bugs: ProtocolBugs{
5658 FilterTicket: func(in []byte) ([]byte, error) {
5659 return SetShimTicketVersion(in, VersionTLS12)
5660 },
5661 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5662 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5663 flags: []string{
5664 "-ticket-key",
5665 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5666 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5667 expectResumeRejected: true,
5668 })
5669
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5670 // Resumptions are declined if the cipher is invalid or disabled.
5671 testCases = append(testCases, testCase{
5672 testType: serverTest,
5673 name: "Resume-Server-DeclineBadCipher",
5674 resumeSession: true,
5675 config: Config{
5676 MaxVersion: VersionTLS12,
5677 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5678 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5679 FilterTicket: func(in []byte) ([]byte, error) {
5680 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5681 },
5682 },
5683 },
5684 flags: []string{
5685 "-ticket-key",
5686 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5687 },
5688 expectResumeRejected: true,
5689 })
5690
5691 testCases = append(testCases, testCase{
5692 testType: serverTest,
5693 name: "Resume-Server-DeclineBadCipher-2",
5694 resumeSession: true,
5695 config: Config{
5696 MaxVersion: VersionTLS12,
5697 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5698 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5699 FilterTicket: func(in []byte) ([]byte, error) {
5700 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5701 },
5702 },
5703 },
5704 flags: []string{
5705 "-cipher", "AES128",
5706 "-ticket-key",
5707 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5708 },
5709 expectResumeRejected: true,
5710 })
5711
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5712 // Sessions are not resumed if they do not use the preferred cipher.
5713 testCases = append(testCases, testCase{
5714 testType: serverTest,
5715 name: "Resume-Server-CipherNotPreferred",
5716 resumeSession: true,
5717 config: Config{
5718 MaxVersion: VersionTLS12,
5719 Bugs: ProtocolBugs{
5720 ExpectNewTicket: true,
5721 FilterTicket: func(in []byte) ([]byte, error) {
5722 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5723 },
5724 },
5725 },
5726 flags: []string{
5727 "-ticket-key",
5728 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5729 },
5730 shouldFail: false,
5731 expectResumeRejected: true,
5732 })
5733
5734 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5735 // PRF hashes match, but BoringSSL will always decline such resumptions.
5736 testCases = append(testCases, testCase{
5737 testType: serverTest,
5738 name: "Resume-Server-CipherNotPreferred-TLS13",
5739 resumeSession: true,
5740 config: Config{
5741 MaxVersion: VersionTLS13,
5742 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5743 Bugs: ProtocolBugs{
5744 FilterTicket: func(in []byte) ([]byte, error) {
5745 // If the client (runner) offers ChaCha20-Poly1305 first, the
5746 // server (shim) always prefers it. Switch it to AES-GCM.
5747 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5748 },
5749 },
5750 },
5751 flags: []string{
5752 "-ticket-key",
5753 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5754 },
5755 shouldFail: false,
5756 expectResumeRejected: true,
5757 })
5758
5759 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5760 testCases = append(testCases, testCase{
5761 testType: serverTest,
5762 name: "Resume-Server-DeclineBadCipher-TLS13",
5763 resumeSession: true,
5764 config: Config{
5765 MaxVersion: VersionTLS13,
5766 Bugs: ProtocolBugs{
5767 FilterTicket: func(in []byte) ([]byte, error) {
5768 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5769 },
5770 },
5771 },
5772 flags: []string{
5773 "-ticket-key",
5774 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5775 },
5776 expectResumeRejected: true,
5777 })
5778
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5779 // If the client does not offer the cipher from the session, decline to
5780 // resume. Clients are forbidden from doing this, but BoringSSL selects
5781 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5782 testCases = append(testCases, testCase{
5783 testType: serverTest,
5784 name: "Resume-Server-UnofferedCipher",
5785 resumeSession: true,
5786 config: Config{
5787 MaxVersion: VersionTLS12,
5788 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5789 },
5790 resumeConfig: &Config{
5791 MaxVersion: VersionTLS12,
5792 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5793 Bugs: ProtocolBugs{
5794 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5795 },
5796 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5797 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5798 })
5799
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5800 // In TLS 1.3, clients may advertise a cipher list which does not
5801 // include the selected cipher. Test that we tolerate this. Servers may
5802 // resume at another cipher if the PRF matches, but BoringSSL will
5803 // always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5804 testCases = append(testCases, testCase{
5805 testType: serverTest,
5806 name: "Resume-Server-UnofferedCipher-TLS13",
5807 resumeSession: true,
5808 config: Config{
5809 MaxVersion: VersionTLS13,
5810 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5811 },
5812 resumeConfig: &Config{
5813 MaxVersion: VersionTLS13,
5814 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5815 Bugs: ProtocolBugs{
5816 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5817 },
5818 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5819 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5820 })
5821
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5822 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5823 testCases = append(testCases, testCase{
5824 name: "Resume-Client-CipherMismatch",
5825 resumeSession: true,
5826 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5827 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5828 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5829 },
5830 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5831 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5832 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5833 Bugs: ProtocolBugs{
5834 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
5835 },
5836 },
5837 shouldFail: true,
5838 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5839 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5840
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5841 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
5842 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5843 testCases = append(testCases, testCase{
5844 name: "Resume-Client-CipherMismatch-TLS13",
5845 resumeSession: true,
5846 config: Config{
5847 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5848 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5849 },
5850 resumeConfig: &Config{
5851 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5852 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5853 },
5854 })
5855
5856 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
5857 testCases = append(testCases, testCase{
5858 name: "Resume-Client-PRFMismatch-TLS13",
5859 resumeSession: true,
5860 config: Config{
5861 MaxVersion: VersionTLS13,
5862 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5863 },
5864 resumeConfig: &Config{
5865 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5866 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5867 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5868 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5869 },
5870 },
5871 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5872 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5873 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5874
5875 testCases = append(testCases, testCase{
5876 testType: serverTest,
5877 name: "Resume-Server-BinderWrongLength",
5878 resumeSession: true,
5879 config: Config{
5880 MaxVersion: VersionTLS13,
5881 Bugs: ProtocolBugs{
5882 SendShortPSKBinder: true,
5883 },
5884 },
5885 shouldFail: true,
5886 expectedLocalError: "remote error: error decrypting message",
5887 expectedError: ":DIGEST_CHECK_FAILED:",
5888 })
5889
5890 testCases = append(testCases, testCase{
5891 testType: serverTest,
5892 name: "Resume-Server-NoPSKBinder",
5893 resumeSession: true,
5894 config: Config{
5895 MaxVersion: VersionTLS13,
5896 Bugs: ProtocolBugs{
5897 SendNoPSKBinder: true,
5898 },
5899 },
5900 shouldFail: true,
5901 expectedLocalError: "remote error: error decoding message",
5902 expectedError: ":DECODE_ERROR:",
5903 })
5904
5905 testCases = append(testCases, testCase{
5906 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]5907 name: "Resume-Server-ExtraPSKBinder",
5908 resumeSession: true,
5909 config: Config{
5910 MaxVersion: VersionTLS13,
5911 Bugs: ProtocolBugs{
5912 SendExtraPSKBinder: true,
5913 },
5914 },
5915 shouldFail: true,
5916 expectedLocalError: "remote error: illegal parameter",
5917 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5918 })
5919
5920 testCases = append(testCases, testCase{
5921 testType: serverTest,
5922 name: "Resume-Server-ExtraIdentityNoBinder",
5923 resumeSession: true,
5924 config: Config{
5925 MaxVersion: VersionTLS13,
5926 Bugs: ProtocolBugs{
5927 ExtraPSKIdentity: true,
5928 },
5929 },
5930 shouldFail: true,
5931 expectedLocalError: "remote error: illegal parameter",
5932 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5933 })
5934
5935 testCases = append(testCases, testCase{
5936 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5937 name: "Resume-Server-InvalidPSKBinder",
5938 resumeSession: true,
5939 config: Config{
5940 MaxVersion: VersionTLS13,
5941 Bugs: ProtocolBugs{
5942 SendInvalidPSKBinder: true,
5943 },
5944 },
5945 shouldFail: true,
5946 expectedLocalError: "remote error: error decrypting message",
5947 expectedError: ":DIGEST_CHECK_FAILED:",
5948 })
5949
5950 testCases = append(testCases, testCase{
5951 testType: serverTest,
5952 name: "Resume-Server-PSKBinderFirstExtension",
5953 resumeSession: true,
5954 config: Config{
5955 MaxVersion: VersionTLS13,
5956 Bugs: ProtocolBugs{
5957 PSKBinderFirst: true,
5958 },
5959 },
5960 shouldFail: true,
5961 expectedLocalError: "remote error: illegal parameter",
5962 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
5963 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5964}
5965
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]5966func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]5967 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]5968 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5969 testType: serverTest,
5970 name: "Renegotiate-Server-Forbidden",
5971 config: Config{
5972 MaxVersion: VersionTLS12,
5973 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]5974 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]5975 shouldFail: true,
5976 expectedError: ":NO_RENEGOTIATION:",
5977 expectedLocalError: "remote error: no renegotiation",
5978 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]5979 // The server shouldn't echo the renegotiation extension unless
5980 // requested by the client.
5981 testCases = append(testCases, testCase{
5982 testType: serverTest,
5983 name: "Renegotiate-Server-NoExt",
5984 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5985 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]5986 Bugs: ProtocolBugs{
5987 NoRenegotiationInfo: true,
5988 RequireRenegotiationInfo: true,
5989 },
5990 },
5991 shouldFail: true,
5992 expectedLocalError: "renegotiation extension missing",
5993 })
5994 // The renegotiation SCSV should be sufficient for the server to echo
5995 // the extension.
5996 testCases = append(testCases, testCase{
5997 testType: serverTest,
5998 name: "Renegotiate-Server-NoExt-SCSV",
5999 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6000 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6001 Bugs: ProtocolBugs{
6002 NoRenegotiationInfo: true,
6003 SendRenegotiationSCSV: true,
6004 RequireRenegotiationInfo: true,
6005 },
6006 },
6007 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6008 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6009 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6010 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6011 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6012 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6013 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6014 },
6015 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6016 renegotiate: 1,
6017 flags: []string{
6018 "-renegotiate-freely",
6019 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6020 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6021 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6022 })
6023 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6024 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6025 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6026 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6027 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6028 Bugs: ProtocolBugs{
6029 EmptyRenegotiationInfo: true,
6030 },
6031 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6032 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6033 shouldFail: true,
6034 expectedError: ":RENEGOTIATION_MISMATCH:",
6035 })
6036 testCases = append(testCases, testCase{
6037 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6038 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6039 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6040 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6041 Bugs: ProtocolBugs{
6042 BadRenegotiationInfo: true,
6043 },
6044 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6045 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6046 shouldFail: true,
6047 expectedError: ":RENEGOTIATION_MISMATCH:",
6048 })
6049 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6050 name: "Renegotiate-Client-Downgrade",
6051 renegotiate: 1,
6052 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6053 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6054 Bugs: ProtocolBugs{
6055 NoRenegotiationInfoAfterInitial: true,
6056 },
6057 },
6058 flags: []string{"-renegotiate-freely"},
6059 shouldFail: true,
6060 expectedError: ":RENEGOTIATION_MISMATCH:",
6061 })
6062 testCases = append(testCases, testCase{
6063 name: "Renegotiate-Client-Upgrade",
6064 renegotiate: 1,
6065 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6066 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6067 Bugs: ProtocolBugs{
6068 NoRenegotiationInfoInInitial: true,
6069 },
6070 },
6071 flags: []string{"-renegotiate-freely"},
6072 shouldFail: true,
6073 expectedError: ":RENEGOTIATION_MISMATCH:",
6074 })
6075 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6076 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6077 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6078 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6079 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6080 Bugs: ProtocolBugs{
6081 NoRenegotiationInfo: true,
6082 },
6083 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6084 flags: []string{
6085 "-renegotiate-freely",
6086 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6087 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6088 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6089 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6090
6091 // Test that the server may switch ciphers on renegotiation without
6092 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6093 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6094 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6095 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6096 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6097 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6098 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6099 },
6100 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6101 flags: []string{
6102 "-renegotiate-freely",
6103 "-expect-total-renegotiations", "1",
6104 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6105 })
6106 testCases = append(testCases, testCase{
6107 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6108 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6109 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6110 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6111 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6112 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6113 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6114 flags: []string{
6115 "-renegotiate-freely",
6116 "-expect-total-renegotiations", "1",
6117 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6118 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6119
6120 // Test that the server may not switch versions on renegotiation.
6121 testCases = append(testCases, testCase{
6122 name: "Renegotiate-Client-SwitchVersion",
6123 config: Config{
6124 MaxVersion: VersionTLS12,
6125 // Pick a cipher which exists at both versions.
6126 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6127 Bugs: ProtocolBugs{
6128 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6129 // Avoid failing early at the record layer.
6130 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6131 },
6132 },
6133 renegotiate: 1,
6134 flags: []string{
6135 "-renegotiate-freely",
6136 "-expect-total-renegotiations", "1",
6137 },
6138 shouldFail: true,
6139 expectedError: ":WRONG_SSL_VERSION:",
6140 })
6141
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6142 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6143 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6144 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6145 config: Config{
6146 MaxVersion: VersionTLS10,
6147 Bugs: ProtocolBugs{
6148 RequireSameRenegoClientVersion: true,
6149 },
6150 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6151 flags: []string{
6152 "-renegotiate-freely",
6153 "-expect-total-renegotiations", "1",
6154 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6155 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6156 testCases = append(testCases, testCase{
6157 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6158 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6159 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6160 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6161 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6162 NextProtos: []string{"foo"},
6163 },
6164 flags: []string{
6165 "-false-start",
6166 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6167 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6168 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6169 },
6170 shimWritesFirst: true,
6171 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6172
6173 // Client-side renegotiation controls.
6174 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6175 name: "Renegotiate-Client-Forbidden-1",
6176 config: Config{
6177 MaxVersion: VersionTLS12,
6178 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6179 renegotiate: 1,
6180 shouldFail: true,
6181 expectedError: ":NO_RENEGOTIATION:",
6182 expectedLocalError: "remote error: no renegotiation",
6183 })
6184 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6185 name: "Renegotiate-Client-Once-1",
6186 config: Config{
6187 MaxVersion: VersionTLS12,
6188 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6189 renegotiate: 1,
6190 flags: []string{
6191 "-renegotiate-once",
6192 "-expect-total-renegotiations", "1",
6193 },
6194 })
6195 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6196 name: "Renegotiate-Client-Freely-1",
6197 config: Config{
6198 MaxVersion: VersionTLS12,
6199 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6200 renegotiate: 1,
6201 flags: []string{
6202 "-renegotiate-freely",
6203 "-expect-total-renegotiations", "1",
6204 },
6205 })
6206 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6207 name: "Renegotiate-Client-Once-2",
6208 config: Config{
6209 MaxVersion: VersionTLS12,
6210 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6211 renegotiate: 2,
6212 flags: []string{"-renegotiate-once"},
6213 shouldFail: true,
6214 expectedError: ":NO_RENEGOTIATION:",
6215 expectedLocalError: "remote error: no renegotiation",
6216 })
6217 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6218 name: "Renegotiate-Client-Freely-2",
6219 config: Config{
6220 MaxVersion: VersionTLS12,
6221 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6222 renegotiate: 2,
6223 flags: []string{
6224 "-renegotiate-freely",
6225 "-expect-total-renegotiations", "2",
6226 },
6227 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6228 testCases = append(testCases, testCase{
6229 name: "Renegotiate-Client-NoIgnore",
6230 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6231 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6232 Bugs: ProtocolBugs{
6233 SendHelloRequestBeforeEveryAppDataRecord: true,
6234 },
6235 },
6236 shouldFail: true,
6237 expectedError: ":NO_RENEGOTIATION:",
6238 })
6239 testCases = append(testCases, testCase{
6240 name: "Renegotiate-Client-Ignore",
6241 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6242 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6243 Bugs: ProtocolBugs{
6244 SendHelloRequestBeforeEveryAppDataRecord: true,
6245 },
6246 },
6247 flags: []string{
6248 "-renegotiate-ignore",
6249 "-expect-total-renegotiations", "0",
6250 },
6251 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6252
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6253 // Renegotiation is not allowed at SSL 3.0.
6254 testCases = append(testCases, testCase{
6255 name: "Renegotiate-Client-SSL3",
6256 config: Config{
6257 MaxVersion: VersionSSL30,
6258 },
6259 renegotiate: 1,
6260 flags: []string{
6261 "-renegotiate-freely",
6262 "-expect-total-renegotiations", "1",
6263 },
6264 shouldFail: true,
6265 expectedError: ":NO_RENEGOTIATION:",
6266 expectedLocalError: "remote error: no renegotiation",
6267 })
6268
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6269 // Renegotiation is not allowed when there is an unfinished write.
6270 testCases = append(testCases, testCase{
6271 name: "Renegotiate-Client-UnfinishedWrite",
6272 config: Config{
6273 MaxVersion: VersionTLS12,
6274 },
6275 renegotiate: 1,
6276 flags: []string{
6277 "-async",
6278 "-renegotiate-freely",
6279 "-read-with-unfinished-write",
6280 },
6281 shouldFail: true,
6282 expectedError: ":NO_RENEGOTIATION:",
6283 // We do not successfully send the no_renegotiation alert in
6284 // this case. https://crbug.com/boringssl/130
6285 })
6286
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6287 // Stray HelloRequests during the handshake are ignored in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6288 testCases = append(testCases, testCase{
6289 name: "StrayHelloRequest",
6290 config: Config{
6291 MaxVersion: VersionTLS12,
6292 Bugs: ProtocolBugs{
6293 SendHelloRequestBeforeEveryHandshakeMessage: true,
6294 },
6295 },
6296 })
6297 testCases = append(testCases, testCase{
6298 name: "StrayHelloRequest-Packed",
6299 config: Config{
6300 MaxVersion: VersionTLS12,
6301 Bugs: ProtocolBugs{
6302 PackHandshakeFlight: true,
6303 SendHelloRequestBeforeEveryHandshakeMessage: true,
6304 },
6305 },
6306 })
6307
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6308 // Test renegotiation works if HelloRequest and server Finished come in
6309 // the same record.
6310 testCases = append(testCases, testCase{
6311 name: "Renegotiate-Client-Packed",
6312 config: Config{
6313 MaxVersion: VersionTLS12,
6314 Bugs: ProtocolBugs{
6315 PackHandshakeFlight: true,
6316 PackHelloRequestWithFinished: true,
6317 },
6318 },
6319 renegotiate: 1,
6320 flags: []string{
6321 "-renegotiate-freely",
6322 "-expect-total-renegotiations", "1",
6323 },
6324 })
6325
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6326 // Renegotiation is forbidden in TLS 1.3.
6327 testCases = append(testCases, testCase{
6328 name: "Renegotiate-Client-TLS13",
6329 config: Config{
6330 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6331 Bugs: ProtocolBugs{
6332 SendHelloRequestBeforeEveryAppDataRecord: true,
6333 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6334 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6335 flags: []string{
6336 "-renegotiate-freely",
6337 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6338 shouldFail: true,
6339 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6340 })
6341
6342 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6343 testCases = append(testCases, testCase{
6344 name: "StrayHelloRequest-TLS13",
6345 config: Config{
6346 MaxVersion: VersionTLS13,
6347 Bugs: ProtocolBugs{
6348 SendHelloRequestBeforeEveryHandshakeMessage: true,
6349 },
6350 },
6351 shouldFail: true,
6352 expectedError: ":UNEXPECTED_MESSAGE:",
6353 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6354
6355 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6356 // always reads as supporting it, regardless of whether it was
6357 // negotiated.
6358 testCases = append(testCases, testCase{
6359 name: "AlwaysReportRenegotiationInfo-TLS13",
6360 config: Config{
6361 MaxVersion: VersionTLS13,
6362 Bugs: ProtocolBugs{
6363 NoRenegotiationInfo: true,
6364 },
6365 },
6366 flags: []string{
6367 "-expect-secure-renegotiation",
6368 },
6369 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6370}
6371
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6372func addDTLSReplayTests() {
6373 // Test that sequence number replays are detected.
6374 testCases = append(testCases, testCase{
6375 protocol: dtls,
6376 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6377 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6378 replayWrites: true,
6379 })
6380
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6381 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6382 // than the retransmit window.
6383 testCases = append(testCases, testCase{
6384 protocol: dtls,
6385 name: "DTLS-Replay-LargeGaps",
6386 config: Config{
6387 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6388 SequenceNumberMapping: func(in uint64) uint64 {
6389 return in * 127
6390 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6391 },
6392 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6393 messageCount: 200,
6394 replayWrites: true,
6395 })
6396
6397 // Test the incoming sequence number changing non-monotonically.
6398 testCases = append(testCases, testCase{
6399 protocol: dtls,
6400 name: "DTLS-Replay-NonMonotonic",
6401 config: Config{
6402 Bugs: ProtocolBugs{
6403 SequenceNumberMapping: func(in uint64) uint64 {
6404 return in ^ 31
6405 },
6406 },
6407 },
6408 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6409 replayWrites: true,
6410 })
6411}
6412
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6413var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6414 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6415 id signatureAlgorithm
6416 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6417}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6418 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6419 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6420 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6421 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6422 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6423 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6424 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6425 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6426 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6427 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6428 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6429 // Tests for key types prior to TLS 1.2.
6430 {"RSA", 0, testCertRSA},
6431 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6432}
6433
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6434const fakeSigAlg1 signatureAlgorithm = 0x2a01
6435const fakeSigAlg2 signatureAlgorithm = 0xff01
6436
6437func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6438 // Not all ciphers involve a signature. Advertise a list which gives all
6439 // versions a signing cipher.
6440 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6441 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6442 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6443 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6444 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6445 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
6446 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
6447 }
6448
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6449 var allAlgorithms []signatureAlgorithm
6450 for _, alg := range testSignatureAlgorithms {
6451 if alg.id != 0 {
6452 allAlgorithms = append(allAlgorithms, alg.id)
6453 }
6454 }
6455
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6456 // Make sure each signature algorithm works. Include some fake values in
6457 // the list and ensure they're ignored.
6458 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6459 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6460 if (ver.version < VersionTLS12) != (alg.id == 0) {
6461 continue
6462 }
6463
6464 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6465 // or remove it in C.
6466 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6467 continue
6468 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6469
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6470 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6471 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6472 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6473 shouldSignFail = true
6474 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6475 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6476 // RSA-PKCS1 does not exist in TLS 1.3.
6477 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6478 shouldSignFail = true
6479 shouldVerifyFail = true
6480 }
6481
6482 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6483 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6484 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6485 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6486
6487 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6488 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6489 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6490 }
6491 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6492 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6493 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6494
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6495 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6496
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6497 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6498 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6499 config: Config{
6500 MaxVersion: ver.version,
6501 ClientAuth: RequireAnyClientCert,
6502 VerifySignatureAlgorithms: []signatureAlgorithm{
6503 fakeSigAlg1,
6504 alg.id,
6505 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6506 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6507 },
6508 flags: []string{
6509 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6510 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6511 "-enable-all-curves",
6512 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6513 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6514 expectedError: signError,
6515 expectedPeerSignatureAlgorithm: alg.id,
6516 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6517
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6518 testCases = append(testCases, testCase{
6519 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6520 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6521 config: Config{
6522 MaxVersion: ver.version,
6523 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6524 SignSignatureAlgorithms: []signatureAlgorithm{
6525 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6526 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6527 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6528 SkipECDSACurveCheck: shouldVerifyFail,
6529 IgnoreSignatureVersionChecks: shouldVerifyFail,
6530 // Some signature algorithms may not be advertised.
6531 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6532 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6533 },
6534 flags: []string{
6535 "-require-any-client-certificate",
6536 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6537 "-enable-all-curves",
6538 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6539 // Resume the session to assert the peer signature
6540 // algorithm is reported on both handshakes.
6541 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6542 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6543 expectedError: verifyError,
6544 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6545
6546 testCases = append(testCases, testCase{
6547 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6548 name: "ServerAuth-Sign" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6549 config: Config{
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6550 MaxVersion: ver.version,
6551 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6552 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6553 fakeSigAlg1,
6554 alg.id,
6555 fakeSigAlg2,
6556 },
6557 },
6558 flags: []string{
6559 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6560 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6561 "-enable-all-curves",
6562 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6563 shouldFail: shouldSignFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6564 expectedError: signError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6565 expectedPeerSignatureAlgorithm: alg.id,
6566 })
6567
6568 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6569 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6570 config: Config{
6571 MaxVersion: ver.version,
6572 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6573 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6574 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6575 alg.id,
6576 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6577 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6578 SkipECDSACurveCheck: shouldVerifyFail,
6579 IgnoreSignatureVersionChecks: shouldVerifyFail,
6580 // Some signature algorithms may not be advertised.
6581 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6582 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6583 },
6584 flags: []string{
6585 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6586 "-enable-all-curves",
6587 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6588 // Resume the session to assert the peer signature
6589 // algorithm is reported on both handshakes.
6590 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6591 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6592 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6593 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6594
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6595 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6596 testCases = append(testCases, testCase{
6597 testType: serverTest,
6598 name: "ClientAuth-InvalidSignature" + suffix,
6599 config: Config{
6600 MaxVersion: ver.version,
6601 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6602 SignSignatureAlgorithms: []signatureAlgorithm{
6603 alg.id,
6604 },
6605 Bugs: ProtocolBugs{
6606 InvalidSignature: true,
6607 },
6608 },
6609 flags: []string{
6610 "-require-any-client-certificate",
6611 "-enable-all-curves",
6612 },
6613 shouldFail: true,
6614 expectedError: ":BAD_SIGNATURE:",
6615 })
6616
6617 testCases = append(testCases, testCase{
6618 name: "ServerAuth-InvalidSignature" + suffix,
6619 config: Config{
6620 MaxVersion: ver.version,
6621 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6622 CipherSuites: signingCiphers,
6623 SignSignatureAlgorithms: []signatureAlgorithm{
6624 alg.id,
6625 },
6626 Bugs: ProtocolBugs{
6627 InvalidSignature: true,
6628 },
6629 },
6630 flags: []string{"-enable-all-curves"},
6631 shouldFail: true,
6632 expectedError: ":BAD_SIGNATURE:",
6633 })
6634 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6635
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6636 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6637 testCases = append(testCases, testCase{
6638 name: "ClientAuth-Sign-Negotiate" + suffix,
6639 config: Config{
6640 MaxVersion: ver.version,
6641 ClientAuth: RequireAnyClientCert,
6642 VerifySignatureAlgorithms: allAlgorithms,
6643 },
6644 flags: []string{
6645 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6646 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6647 "-enable-all-curves",
6648 "-signing-prefs", strconv.Itoa(int(alg.id)),
6649 },
6650 expectedPeerSignatureAlgorithm: alg.id,
6651 })
6652
6653 testCases = append(testCases, testCase{
6654 testType: serverTest,
6655 name: "ServerAuth-Sign-Negotiate" + suffix,
6656 config: Config{
6657 MaxVersion: ver.version,
6658 CipherSuites: signingCiphers,
6659 VerifySignatureAlgorithms: allAlgorithms,
6660 },
6661 flags: []string{
6662 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6663 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6664 "-enable-all-curves",
6665 "-signing-prefs", strconv.Itoa(int(alg.id)),
6666 },
6667 expectedPeerSignatureAlgorithm: alg.id,
6668 })
6669 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6670 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6671 }
6672
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6673 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6674 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6675 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6676 config: Config{
6677 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6678 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6679 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6680 signatureECDSAWithP521AndSHA512,
6681 signatureRSAPKCS1WithSHA384,
6682 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6683 },
6684 },
6685 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6686 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6687 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6688 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6689 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6690 })
6691
6692 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6693 name: "ClientAuth-SignatureType-TLS13",
6694 config: Config{
6695 ClientAuth: RequireAnyClientCert,
6696 MaxVersion: VersionTLS13,
6697 VerifySignatureAlgorithms: []signatureAlgorithm{
6698 signatureECDSAWithP521AndSHA512,
6699 signatureRSAPKCS1WithSHA384,
6700 signatureRSAPSSWithSHA384,
6701 signatureECDSAWithSHA1,
6702 },
6703 },
6704 flags: []string{
6705 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6706 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6707 },
6708 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6709 })
6710
6711 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6712 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6713 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6714 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6715 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6716 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6717 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6718 signatureECDSAWithP521AndSHA512,
6719 signatureRSAPKCS1WithSHA384,
6720 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6721 },
6722 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6723 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6724 })
6725
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6726 testCases = append(testCases, testCase{
6727 testType: serverTest,
6728 name: "ServerAuth-SignatureType-TLS13",
6729 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6730 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6731 VerifySignatureAlgorithms: []signatureAlgorithm{
6732 signatureECDSAWithP521AndSHA512,
6733 signatureRSAPKCS1WithSHA384,
6734 signatureRSAPSSWithSHA384,
6735 signatureECDSAWithSHA1,
6736 },
6737 },
6738 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6739 })
6740
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6741 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6742 testCases = append(testCases, testCase{
6743 testType: serverTest,
6744 name: "Verify-ClientAuth-SignatureType",
6745 config: Config{
6746 MaxVersion: VersionTLS12,
6747 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6748 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6749 signatureRSAPKCS1WithSHA256,
6750 },
6751 Bugs: ProtocolBugs{
6752 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6753 },
6754 },
6755 flags: []string{
6756 "-require-any-client-certificate",
6757 },
6758 shouldFail: true,
6759 expectedError: ":WRONG_SIGNATURE_TYPE:",
6760 })
6761
6762 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6763 testType: serverTest,
6764 name: "Verify-ClientAuth-SignatureType-TLS13",
6765 config: Config{
6766 MaxVersion: VersionTLS13,
6767 Certificates: []Certificate{rsaCertificate},
6768 SignSignatureAlgorithms: []signatureAlgorithm{
6769 signatureRSAPSSWithSHA256,
6770 },
6771 Bugs: ProtocolBugs{
6772 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6773 },
6774 },
6775 flags: []string{
6776 "-require-any-client-certificate",
6777 },
6778 shouldFail: true,
6779 expectedError: ":WRONG_SIGNATURE_TYPE:",
6780 })
6781
6782 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6783 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6784 config: Config{
6785 MaxVersion: VersionTLS12,
6786 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6787 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6788 signatureRSAPKCS1WithSHA256,
6789 },
6790 Bugs: ProtocolBugs{
6791 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6792 },
6793 },
6794 shouldFail: true,
6795 expectedError: ":WRONG_SIGNATURE_TYPE:",
6796 })
6797
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6798 testCases = append(testCases, testCase{
6799 name: "Verify-ServerAuth-SignatureType-TLS13",
6800 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6801 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6802 SignSignatureAlgorithms: []signatureAlgorithm{
6803 signatureRSAPSSWithSHA256,
6804 },
6805 Bugs: ProtocolBugs{
6806 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6807 },
6808 },
6809 shouldFail: true,
6810 expectedError: ":WRONG_SIGNATURE_TYPE:",
6811 })
6812
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6813 // Test that, if the list is missing, the peer falls back to SHA-1 in
6814 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6815 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6816 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6817 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6818 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6819 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6820 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6821 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6822 },
6823 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6824 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6825 },
6826 },
6827 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6828 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6829 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6830 },
6831 })
6832
6833 testCases = append(testCases, testCase{
6834 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6835 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6836 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6837 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6838 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6839 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6840 },
6841 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6842 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6843 },
6844 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6845 flags: []string{
6846 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6847 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6848 },
6849 })
6850
6851 testCases = append(testCases, testCase{
6852 name: "ClientAuth-SHA1-Fallback-ECDSA",
6853 config: Config{
6854 MaxVersion: VersionTLS12,
6855 ClientAuth: RequireAnyClientCert,
6856 VerifySignatureAlgorithms: []signatureAlgorithm{
6857 signatureECDSAWithSHA1,
6858 },
6859 Bugs: ProtocolBugs{
6860 NoSignatureAlgorithms: true,
6861 },
6862 },
6863 flags: []string{
6864 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6865 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6866 },
6867 })
6868
6869 testCases = append(testCases, testCase{
6870 testType: serverTest,
6871 name: "ServerAuth-SHA1-Fallback-ECDSA",
6872 config: Config{
6873 MaxVersion: VersionTLS12,
6874 VerifySignatureAlgorithms: []signatureAlgorithm{
6875 signatureECDSAWithSHA1,
6876 },
6877 Bugs: ProtocolBugs{
6878 NoSignatureAlgorithms: true,
6879 },
6880 },
6881 flags: []string{
6882 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6883 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6884 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6885 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6886
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6887 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6888 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6889 config: Config{
6890 MaxVersion: VersionTLS13,
6891 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6892 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6893 signatureRSAPKCS1WithSHA1,
6894 },
6895 Bugs: ProtocolBugs{
6896 NoSignatureAlgorithms: true,
6897 },
6898 },
6899 flags: []string{
6900 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6901 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6902 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]6903 shouldFail: true,
6904 // An empty CertificateRequest signature algorithm list is a
6905 // syntax error in TLS 1.3.
6906 expectedError: ":DECODE_ERROR:",
6907 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6908 })
6909
6910 testCases = append(testCases, testCase{
6911 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6912 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6913 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6914 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6915 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6916 signatureRSAPKCS1WithSHA1,
6917 },
6918 Bugs: ProtocolBugs{
6919 NoSignatureAlgorithms: true,
6920 },
6921 },
6922 shouldFail: true,
6923 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6924 })
6925
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6926 // Test that hash preferences are enforced. BoringSSL does not implement
6927 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6928 testCases = append(testCases, testCase{
6929 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6930 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6931 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6932 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6933 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6934 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6935 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6936 },
6937 Bugs: ProtocolBugs{
6938 IgnorePeerSignatureAlgorithmPreferences: true,
6939 },
6940 },
6941 flags: []string{"-require-any-client-certificate"},
6942 shouldFail: true,
6943 expectedError: ":WRONG_SIGNATURE_TYPE:",
6944 })
6945
6946 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6947 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6948 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6949 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6950 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6951 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6952 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6953 },
6954 Bugs: ProtocolBugs{
6955 IgnorePeerSignatureAlgorithmPreferences: true,
6956 },
6957 },
6958 shouldFail: true,
6959 expectedError: ":WRONG_SIGNATURE_TYPE:",
6960 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6961 testCases = append(testCases, testCase{
6962 testType: serverTest,
6963 name: "ClientAuth-Enforced-TLS13",
6964 config: Config{
6965 MaxVersion: VersionTLS13,
6966 Certificates: []Certificate{rsaCertificate},
6967 SignSignatureAlgorithms: []signatureAlgorithm{
6968 signatureRSAPKCS1WithMD5,
6969 },
6970 Bugs: ProtocolBugs{
6971 IgnorePeerSignatureAlgorithmPreferences: true,
6972 IgnoreSignatureVersionChecks: true,
6973 },
6974 },
6975 flags: []string{"-require-any-client-certificate"},
6976 shouldFail: true,
6977 expectedError: ":WRONG_SIGNATURE_TYPE:",
6978 })
6979
6980 testCases = append(testCases, testCase{
6981 name: "ServerAuth-Enforced-TLS13",
6982 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6983 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6984 SignSignatureAlgorithms: []signatureAlgorithm{
6985 signatureRSAPKCS1WithMD5,
6986 },
6987 Bugs: ProtocolBugs{
6988 IgnorePeerSignatureAlgorithmPreferences: true,
6989 IgnoreSignatureVersionChecks: true,
6990 },
6991 },
6992 shouldFail: true,
6993 expectedError: ":WRONG_SIGNATURE_TYPE:",
6994 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]6995
6996 // Test that the agreed upon digest respects the client preferences and
6997 // the server digests.
6998 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6999 name: "NoCommonAlgorithms-Digests",
7000 config: Config{
7001 MaxVersion: VersionTLS12,
7002 ClientAuth: RequireAnyClientCert,
7003 VerifySignatureAlgorithms: []signatureAlgorithm{
7004 signatureRSAPKCS1WithSHA512,
7005 signatureRSAPKCS1WithSHA1,
7006 },
7007 },
7008 flags: []string{
7009 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7010 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7011 "-digest-prefs", "SHA256",
7012 },
7013 shouldFail: true,
7014 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7015 })
7016 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7017 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7018 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7019 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7020 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7021 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7022 signatureRSAPKCS1WithSHA512,
7023 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7024 },
7025 },
7026 flags: []string{
7027 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7028 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7029 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7030 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7031 shouldFail: true,
7032 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7033 })
7034 testCases = append(testCases, testCase{
7035 name: "NoCommonAlgorithms-TLS13",
7036 config: Config{
7037 MaxVersion: VersionTLS13,
7038 ClientAuth: RequireAnyClientCert,
7039 VerifySignatureAlgorithms: []signatureAlgorithm{
7040 signatureRSAPSSWithSHA512,
7041 signatureRSAPSSWithSHA384,
7042 },
7043 },
7044 flags: []string{
7045 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7046 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7047 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7048 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7049 shouldFail: true,
7050 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7051 })
7052 testCases = append(testCases, testCase{
7053 name: "Agree-Digest-SHA256",
7054 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7055 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7056 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7057 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7058 signatureRSAPKCS1WithSHA1,
7059 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7060 },
7061 },
7062 flags: []string{
7063 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7064 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7065 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7066 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7067 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7068 })
7069 testCases = append(testCases, testCase{
7070 name: "Agree-Digest-SHA1",
7071 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7072 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7073 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7074 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7075 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7076 },
7077 },
7078 flags: []string{
7079 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7080 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7081 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7082 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7083 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7084 })
7085 testCases = append(testCases, testCase{
7086 name: "Agree-Digest-Default",
7087 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7088 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7089 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7090 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7091 signatureRSAPKCS1WithSHA256,
7092 signatureECDSAWithP256AndSHA256,
7093 signatureRSAPKCS1WithSHA1,
7094 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7095 },
7096 },
7097 flags: []string{
7098 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7099 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7100 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7101 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7102 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7103
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7104 // Test that the signing preference list may include extra algorithms
7105 // without negotiation problems.
7106 testCases = append(testCases, testCase{
7107 testType: serverTest,
7108 name: "FilterExtraAlgorithms",
7109 config: Config{
7110 MaxVersion: VersionTLS12,
7111 VerifySignatureAlgorithms: []signatureAlgorithm{
7112 signatureRSAPKCS1WithSHA256,
7113 },
7114 },
7115 flags: []string{
7116 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7117 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7118 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7119 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7120 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7121 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7122 },
7123 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7124 })
7125
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7126 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7127 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7128 testCases = append(testCases, testCase{
7129 name: "CheckLeafCurve",
7130 config: Config{
7131 MaxVersion: VersionTLS12,
7132 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7133 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7134 },
7135 flags: []string{"-p384-only"},
7136 shouldFail: true,
7137 expectedError: ":BAD_ECC_CERT:",
7138 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7139
7140 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7141 testCases = append(testCases, testCase{
7142 name: "CheckLeafCurve-TLS13",
7143 config: Config{
7144 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7145 Certificates: []Certificate{ecdsaP256Certificate},
7146 },
7147 flags: []string{"-p384-only"},
7148 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7149
7150 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7151 testCases = append(testCases, testCase{
7152 name: "ECDSACurveMismatch-Verify-TLS12",
7153 config: Config{
7154 MaxVersion: VersionTLS12,
7155 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7156 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7157 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7158 signatureECDSAWithP384AndSHA384,
7159 },
7160 },
7161 })
7162
7163 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7164 testCases = append(testCases, testCase{
7165 name: "ECDSACurveMismatch-Verify-TLS13",
7166 config: Config{
7167 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7168 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7169 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7170 signatureECDSAWithP384AndSHA384,
7171 },
7172 Bugs: ProtocolBugs{
7173 SkipECDSACurveCheck: true,
7174 },
7175 },
7176 shouldFail: true,
7177 expectedError: ":WRONG_SIGNATURE_TYPE:",
7178 })
7179
7180 // Signature algorithm selection in TLS 1.3 should take the curve into
7181 // account.
7182 testCases = append(testCases, testCase{
7183 testType: serverTest,
7184 name: "ECDSACurveMismatch-Sign-TLS13",
7185 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7186 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7187 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7188 signatureECDSAWithP384AndSHA384,
7189 signatureECDSAWithP256AndSHA256,
7190 },
7191 },
7192 flags: []string{
7193 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7194 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7195 },
7196 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7197 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7198
7199 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7200 // server does not attempt to sign in that case.
7201 testCases = append(testCases, testCase{
7202 testType: serverTest,
7203 name: "RSA-PSS-Large",
7204 config: Config{
7205 MaxVersion: VersionTLS13,
7206 VerifySignatureAlgorithms: []signatureAlgorithm{
7207 signatureRSAPSSWithSHA512,
7208 },
7209 },
7210 flags: []string{
7211 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7212 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7213 },
7214 shouldFail: true,
7215 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7216 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7217
7218 // Test that RSA-PSS is enabled by default for TLS 1.2.
7219 testCases = append(testCases, testCase{
7220 testType: clientTest,
7221 name: "RSA-PSS-Default-Verify",
7222 config: Config{
7223 MaxVersion: VersionTLS12,
7224 SignSignatureAlgorithms: []signatureAlgorithm{
7225 signatureRSAPSSWithSHA256,
7226 },
7227 },
7228 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7229 })
7230
7231 testCases = append(testCases, testCase{
7232 testType: serverTest,
7233 name: "RSA-PSS-Default-Sign",
7234 config: Config{
7235 MaxVersion: VersionTLS12,
7236 VerifySignatureAlgorithms: []signatureAlgorithm{
7237 signatureRSAPSSWithSHA256,
7238 },
7239 },
7240 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7241 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7242}
7243
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7244// timeouts is the retransmit schedule for BoringSSL. It doubles and
7245// caps at 60 seconds. On the 13th timeout, it gives up.
7246var timeouts = []time.Duration{
7247 1 * time.Second,
7248 2 * time.Second,
7249 4 * time.Second,
7250 8 * time.Second,
7251 16 * time.Second,
7252 32 * time.Second,
7253 60 * time.Second,
7254 60 * time.Second,
7255 60 * time.Second,
7256 60 * time.Second,
7257 60 * time.Second,
7258 60 * time.Second,
7259 60 * time.Second,
7260}
7261
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7262// shortTimeouts is an alternate set of timeouts which would occur if the
7263// initial timeout duration was set to 250ms.
7264var shortTimeouts = []time.Duration{
7265 250 * time.Millisecond,
7266 500 * time.Millisecond,
7267 1 * time.Second,
7268 2 * time.Second,
7269 4 * time.Second,
7270 8 * time.Second,
7271 16 * time.Second,
7272 32 * time.Second,
7273 60 * time.Second,
7274 60 * time.Second,
7275 60 * time.Second,
7276 60 * time.Second,
7277 60 * time.Second,
7278}
7279
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7280func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7281 // These tests work by coordinating some behavior on both the shim and
7282 // the runner.
7283 //
7284 // TimeoutSchedule configures the runner to send a series of timeout
7285 // opcodes to the shim (see packetAdaptor) immediately before reading
7286 // each peer handshake flight N. The timeout opcode both simulates a
7287 // timeout in the shim and acts as a synchronization point to help the
7288 // runner bracket each handshake flight.
7289 //
7290 // We assume the shim does not read from the channel eagerly. It must
7291 // first wait until it has sent flight N and is ready to receive
7292 // handshake flight N+1. At this point, it will process the timeout
7293 // opcode. It must then immediately respond with a timeout ACK and act
7294 // as if the shim was idle for the specified amount of time.
7295 //
7296 // The runner then drops all packets received before the ACK and
7297 // continues waiting for flight N. This ordering results in one attempt
7298 // at sending flight N to be dropped. For the test to complete, the
7299 // shim must send flight N again, testing that the shim implements DTLS
7300 // retransmit on a timeout.
7301
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7302 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7303 // likely be more epochs to cross and the final message's retransmit may
7304 // be more complex.
7305
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7306 for _, async := range []bool{true, false} {
7307 var tests []testCase
7308
7309 // Test that this is indeed the timeout schedule. Stress all
7310 // four patterns of handshake.
7311 for i := 1; i < len(timeouts); i++ {
7312 number := strconv.Itoa(i)
7313 tests = append(tests, testCase{
7314 protocol: dtls,
7315 name: "DTLS-Retransmit-Client-" + number,
7316 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7317 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7318 Bugs: ProtocolBugs{
7319 TimeoutSchedule: timeouts[:i],
7320 },
7321 },
7322 resumeSession: true,
7323 })
7324 tests = append(tests, testCase{
7325 protocol: dtls,
7326 testType: serverTest,
7327 name: "DTLS-Retransmit-Server-" + number,
7328 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7329 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7330 Bugs: ProtocolBugs{
7331 TimeoutSchedule: timeouts[:i],
7332 },
7333 },
7334 resumeSession: true,
7335 })
7336 }
7337
7338 // Test that exceeding the timeout schedule hits a read
7339 // timeout.
7340 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7341 protocol: dtls,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7342 name: "DTLS-Retransmit-Timeout",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7343 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7344 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7345 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7346 TimeoutSchedule: timeouts,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7347 },
7348 },
7349 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7350 shouldFail: true,
7351 expectedError: ":READ_TIMEOUT_EXPIRED:",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7352 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7353
7354 if async {
7355 // Test that timeout handling has a fudge factor, due to API
7356 // problems.
7357 tests = append(tests, testCase{
7358 protocol: dtls,
7359 name: "DTLS-Retransmit-Fudge",
7360 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7361 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7362 Bugs: ProtocolBugs{
7363 TimeoutSchedule: []time.Duration{
7364 timeouts[0] - 10*time.Millisecond,
7365 },
7366 },
7367 },
7368 resumeSession: true,
7369 })
7370 }
7371
7372 // Test that the final Finished retransmitting isn't
7373 // duplicated if the peer badly fragments everything.
7374 tests = append(tests, testCase{
7375 testType: serverTest,
7376 protocol: dtls,
7377 name: "DTLS-Retransmit-Fragmented",
7378 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7379 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7380 Bugs: ProtocolBugs{
7381 TimeoutSchedule: []time.Duration{timeouts[0]},
7382 MaxHandshakeRecordLength: 2,
7383 },
7384 },
7385 })
7386
7387 // Test the timeout schedule when a shorter initial timeout duration is set.
7388 tests = append(tests, testCase{
7389 protocol: dtls,
7390 name: "DTLS-Retransmit-Short-Client",
7391 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7392 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7393 Bugs: ProtocolBugs{
7394 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7395 },
7396 },
7397 resumeSession: true,
7398 flags: []string{"-initial-timeout-duration-ms", "250"},
7399 })
7400 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7401 protocol: dtls,
7402 testType: serverTest,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7403 name: "DTLS-Retransmit-Short-Server",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7404 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7405 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7406 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7407 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7408 },
7409 },
7410 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7411 flags: []string{"-initial-timeout-duration-ms", "250"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7412 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7413
7414 for _, test := range tests {
7415 if async {
7416 test.name += "-Async"
7417 test.flags = append(test.flags, "-async")
7418 }
7419
7420 testCases = append(testCases, test)
7421 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7422 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7423}
7424
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7425func addExportKeyingMaterialTests() {
7426 for _, vers := range tlsVersions {
7427 if vers.version == VersionSSL30 {
7428 continue
7429 }
7430 testCases = append(testCases, testCase{
7431 name: "ExportKeyingMaterial-" + vers.name,
7432 config: Config{
7433 MaxVersion: vers.version,
7434 },
7435 exportKeyingMaterial: 1024,
7436 exportLabel: "label",
7437 exportContext: "context",
7438 useExportContext: true,
7439 })
7440 testCases = append(testCases, testCase{
7441 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7442 config: Config{
7443 MaxVersion: vers.version,
7444 },
7445 exportKeyingMaterial: 1024,
7446 })
7447 testCases = append(testCases, testCase{
7448 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7449 config: Config{
7450 MaxVersion: vers.version,
7451 },
7452 exportKeyingMaterial: 1024,
7453 useExportContext: true,
7454 })
7455 testCases = append(testCases, testCase{
7456 name: "ExportKeyingMaterial-Small-" + vers.name,
7457 config: Config{
7458 MaxVersion: vers.version,
7459 },
7460 exportKeyingMaterial: 1,
7461 exportLabel: "label",
7462 exportContext: "context",
7463 useExportContext: true,
7464 })
7465 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7466
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7467 testCases = append(testCases, testCase{
7468 name: "ExportKeyingMaterial-SSL3",
7469 config: Config{
7470 MaxVersion: VersionSSL30,
7471 },
7472 exportKeyingMaterial: 1024,
7473 exportLabel: "label",
7474 exportContext: "context",
7475 useExportContext: true,
7476 shouldFail: true,
7477 expectedError: "failed to export keying material",
7478 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7479
7480 // Exporters work during a False Start.
7481 testCases = append(testCases, testCase{
7482 name: "ExportKeyingMaterial-FalseStart",
7483 config: Config{
7484 MaxVersion: VersionTLS12,
7485 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7486 NextProtos: []string{"foo"},
7487 Bugs: ProtocolBugs{
7488 ExpectFalseStart: true,
7489 },
7490 },
7491 flags: []string{
7492 "-false-start",
7493 "-advertise-alpn", "\x03foo",
7494 },
7495 shimWritesFirst: true,
7496 exportKeyingMaterial: 1024,
7497 exportLabel: "label",
7498 exportContext: "context",
7499 useExportContext: true,
7500 })
7501
7502 // Exporters do not work in the middle of a renegotiation. Test this by
7503 // triggering the exporter after every SSL_read call and configuring the
7504 // shim to run asynchronously.
7505 testCases = append(testCases, testCase{
7506 name: "ExportKeyingMaterial-Renegotiate",
7507 config: Config{
7508 MaxVersion: VersionTLS12,
7509 },
7510 renegotiate: 1,
7511 flags: []string{
7512 "-async",
7513 "-use-exporter-between-reads",
7514 "-renegotiate-freely",
7515 "-expect-total-renegotiations", "1",
7516 },
7517 shouldFail: true,
7518 expectedError: "failed to export keying material",
7519 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7520}
7521
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7522func addTLSUniqueTests() {
7523 for _, isClient := range []bool{false, true} {
7524 for _, isResumption := range []bool{false, true} {
7525 for _, hasEMS := range []bool{false, true} {
7526 var suffix string
7527 if isResumption {
7528 suffix = "Resume-"
7529 } else {
7530 suffix = "Full-"
7531 }
7532
7533 if hasEMS {
7534 suffix += "EMS-"
7535 } else {
7536 suffix += "NoEMS-"
7537 }
7538
7539 if isClient {
7540 suffix += "Client"
7541 } else {
7542 suffix += "Server"
7543 }
7544
7545 test := testCase{
7546 name: "TLSUnique-" + suffix,
7547 testTLSUnique: true,
7548 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7549 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7550 Bugs: ProtocolBugs{
7551 NoExtendedMasterSecret: !hasEMS,
7552 },
7553 },
7554 }
7555
7556 if isResumption {
7557 test.resumeSession = true
7558 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7559 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7560 Bugs: ProtocolBugs{
7561 NoExtendedMasterSecret: !hasEMS,
7562 },
7563 }
7564 }
7565
7566 if isResumption && !hasEMS {
7567 test.shouldFail = true
7568 test.expectedError = "failed to get tls-unique"
7569 }
7570
7571 testCases = append(testCases, test)
7572 }
7573 }
7574 }
7575}
7576
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7577func addCustomExtensionTests() {
7578 expectedContents := "custom extension"
7579 emptyString := ""
7580
7581 for _, isClient := range []bool{false, true} {
7582 suffix := "Server"
7583 flag := "-enable-server-custom-extension"
7584 testType := serverTest
7585 if isClient {
7586 suffix = "Client"
7587 flag = "-enable-client-custom-extension"
7588 testType = clientTest
7589 }
7590
7591 testCases = append(testCases, testCase{
7592 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7593 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7594 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7595 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7596 Bugs: ProtocolBugs{
7597 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7598 ExpectedCustomExtension: &expectedContents,
7599 },
7600 },
7601 flags: []string{flag},
7602 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7603 testCases = append(testCases, testCase{
7604 testType: testType,
7605 name: "CustomExtensions-" + suffix + "-TLS13",
7606 config: Config{
7607 MaxVersion: VersionTLS13,
7608 Bugs: ProtocolBugs{
7609 CustomExtension: expectedContents,
7610 ExpectedCustomExtension: &expectedContents,
7611 },
7612 },
7613 flags: []string{flag},
7614 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7615
7616 // If the parse callback fails, the handshake should also fail.
7617 testCases = append(testCases, testCase{
7618 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7619 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7620 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7621 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7622 Bugs: ProtocolBugs{
7623 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7624 ExpectedCustomExtension: &expectedContents,
7625 },
7626 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7627 flags: []string{flag},
7628 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7629 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7630 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7631 testCases = append(testCases, testCase{
7632 testType: testType,
7633 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7634 config: Config{
7635 MaxVersion: VersionTLS13,
7636 Bugs: ProtocolBugs{
7637 CustomExtension: expectedContents + "foo",
7638 ExpectedCustomExtension: &expectedContents,
7639 },
7640 },
7641 flags: []string{flag},
7642 shouldFail: true,
7643 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7644 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7645
7646 // If the add callback fails, the handshake should also fail.
7647 testCases = append(testCases, testCase{
7648 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7649 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7650 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7651 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7652 Bugs: ProtocolBugs{
7653 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7654 ExpectedCustomExtension: &expectedContents,
7655 },
7656 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7657 flags: []string{flag, "-custom-extension-fail-add"},
7658 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7659 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7660 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7661 testCases = append(testCases, testCase{
7662 testType: testType,
7663 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7664 config: Config{
7665 MaxVersion: VersionTLS13,
7666 Bugs: ProtocolBugs{
7667 CustomExtension: expectedContents,
7668 ExpectedCustomExtension: &expectedContents,
7669 },
7670 },
7671 flags: []string{flag, "-custom-extension-fail-add"},
7672 shouldFail: true,
7673 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7674 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7675
7676 // If the add callback returns zero, no extension should be
7677 // added.
7678 skipCustomExtension := expectedContents
7679 if isClient {
7680 // For the case where the client skips sending the
7681 // custom extension, the server must not “echo” it.
7682 skipCustomExtension = ""
7683 }
7684 testCases = append(testCases, testCase{
7685 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7686 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7687 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7688 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7689 Bugs: ProtocolBugs{
7690 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7691 ExpectedCustomExtension: &emptyString,
7692 },
7693 },
7694 flags: []string{flag, "-custom-extension-skip"},
7695 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7696 testCases = append(testCases, testCase{
7697 testType: testType,
7698 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7699 config: Config{
7700 MaxVersion: VersionTLS13,
7701 Bugs: ProtocolBugs{
7702 CustomExtension: skipCustomExtension,
7703 ExpectedCustomExtension: &emptyString,
7704 },
7705 },
7706 flags: []string{flag, "-custom-extension-skip"},
7707 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7708 }
7709
7710 // The custom extension add callback should not be called if the client
7711 // doesn't send the extension.
7712 testCases = append(testCases, testCase{
7713 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7714 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7715 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7716 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7717 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7718 ExpectedCustomExtension: &emptyString,
7719 },
7720 },
7721 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7722 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7723
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7724 testCases = append(testCases, testCase{
7725 testType: serverTest,
7726 name: "CustomExtensions-NotCalled-Server-TLS13",
7727 config: Config{
7728 MaxVersion: VersionTLS13,
7729 Bugs: ProtocolBugs{
7730 ExpectedCustomExtension: &emptyString,
7731 },
7732 },
7733 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7734 })
7735
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7736 // Test an unknown extension from the server.
7737 testCases = append(testCases, testCase{
7738 testType: clientTest,
7739 name: "UnknownExtension-Client",
7740 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7741 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7742 Bugs: ProtocolBugs{
7743 CustomExtension: expectedContents,
7744 },
7745 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7746 shouldFail: true,
7747 expectedError: ":UNEXPECTED_EXTENSION:",
7748 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7749 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7750 testCases = append(testCases, testCase{
7751 testType: clientTest,
7752 name: "UnknownExtension-Client-TLS13",
7753 config: Config{
7754 MaxVersion: VersionTLS13,
7755 Bugs: ProtocolBugs{
7756 CustomExtension: expectedContents,
7757 },
7758 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7759 shouldFail: true,
7760 expectedError: ":UNEXPECTED_EXTENSION:",
7761 expectedLocalError: "remote error: unsupported extension",
7762 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]7763 testCases = append(testCases, testCase{
7764 testType: clientTest,
7765 name: "UnknownUnencryptedExtension-Client-TLS13",
7766 config: Config{
7767 MaxVersion: VersionTLS13,
7768 Bugs: ProtocolBugs{
7769 CustomUnencryptedExtension: expectedContents,
7770 },
7771 },
7772 shouldFail: true,
7773 expectedError: ":UNEXPECTED_EXTENSION:",
7774 // The shim must send an alert, but alerts at this point do not
7775 // get successfully decrypted by the runner.
7776 expectedLocalError: "local error: bad record MAC",
7777 })
7778 testCases = append(testCases, testCase{
7779 testType: clientTest,
7780 name: "UnexpectedUnencryptedExtension-Client-TLS13",
7781 config: Config{
7782 MaxVersion: VersionTLS13,
7783 Bugs: ProtocolBugs{
7784 SendUnencryptedALPN: "foo",
7785 },
7786 },
7787 flags: []string{
7788 "-advertise-alpn", "\x03foo\x03bar",
7789 },
7790 shouldFail: true,
7791 expectedError: ":UNEXPECTED_EXTENSION:",
7792 // The shim must send an alert, but alerts at this point do not
7793 // get successfully decrypted by the runner.
7794 expectedLocalError: "local error: bad record MAC",
7795 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7796
7797 // Test a known but unoffered extension from the server.
7798 testCases = append(testCases, testCase{
7799 testType: clientTest,
7800 name: "UnofferedExtension-Client",
7801 config: Config{
7802 MaxVersion: VersionTLS12,
7803 Bugs: ProtocolBugs{
7804 SendALPN: "alpn",
7805 },
7806 },
7807 shouldFail: true,
7808 expectedError: ":UNEXPECTED_EXTENSION:",
7809 expectedLocalError: "remote error: unsupported extension",
7810 })
7811 testCases = append(testCases, testCase{
7812 testType: clientTest,
7813 name: "UnofferedExtension-Client-TLS13",
7814 config: Config{
7815 MaxVersion: VersionTLS13,
7816 Bugs: ProtocolBugs{
7817 SendALPN: "alpn",
7818 },
7819 },
7820 shouldFail: true,
7821 expectedError: ":UNEXPECTED_EXTENSION:",
7822 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7823 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7824}
7825
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7826func addRSAClientKeyExchangeTests() {
7827 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
7828 testCases = append(testCases, testCase{
7829 testType: serverTest,
7830 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
7831 config: Config{
7832 // Ensure the ClientHello version and final
7833 // version are different, to detect if the
7834 // server uses the wrong one.
7835 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]7836 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7837 Bugs: ProtocolBugs{
7838 BadRSAClientKeyExchange: bad,
7839 },
7840 },
7841 shouldFail: true,
7842 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7843 })
7844 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]7845
7846 // The server must compare whatever was in ClientHello.version for the
7847 // RSA premaster.
7848 testCases = append(testCases, testCase{
7849 testType: serverTest,
7850 name: "SendClientVersion-RSA",
7851 config: Config{
7852 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
7853 Bugs: ProtocolBugs{
7854 SendClientVersion: 0x1234,
7855 },
7856 },
7857 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7858 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7859}
7860
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7861var testCurves = []struct {
7862 name string
7863 id CurveID
7864}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7865 {"P-256", CurveP256},
7866 {"P-384", CurveP384},
7867 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]7868 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7869}
7870
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7871const bogusCurve = 0x1234
7872
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7873func addCurveTests() {
7874 for _, curve := range testCurves {
7875 testCases = append(testCases, testCase{
7876 name: "CurveTest-Client-" + curve.name,
7877 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7878 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7879 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7880 CurvePreferences: []CurveID{curve.id},
7881 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7882 flags: []string{
7883 "-enable-all-curves",
7884 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7885 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7886 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7887 })
7888 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7889 name: "CurveTest-Client-" + curve.name + "-TLS13",
7890 config: Config{
7891 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7892 CurvePreferences: []CurveID{curve.id},
7893 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7894 flags: []string{
7895 "-enable-all-curves",
7896 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7897 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7898 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7899 })
7900 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7901 testType: serverTest,
7902 name: "CurveTest-Server-" + curve.name,
7903 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7904 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7905 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7906 CurvePreferences: []CurveID{curve.id},
7907 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7908 flags: []string{
7909 "-enable-all-curves",
7910 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7911 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7912 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7913 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7914 testCases = append(testCases, testCase{
7915 testType: serverTest,
7916 name: "CurveTest-Server-" + curve.name + "-TLS13",
7917 config: Config{
7918 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7919 CurvePreferences: []CurveID{curve.id},
7920 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7921 flags: []string{
7922 "-enable-all-curves",
7923 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7924 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7925 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7926 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7927 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7928
7929 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7930 testCases = append(testCases, testCase{
7931 testType: serverTest,
7932 name: "UnknownCurve",
7933 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7934 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7935 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7936 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7937 },
7938 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7939
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7940 // The server must be tolerant to bogus curves.
7941 testCases = append(testCases, testCase{
7942 testType: serverTest,
7943 name: "UnknownCurve-TLS13",
7944 config: Config{
7945 MaxVersion: VersionTLS13,
7946 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7947 },
7948 })
7949
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7950 // The server must not consider ECDHE ciphers when there are no
7951 // supported curves.
7952 testCases = append(testCases, testCase{
7953 testType: serverTest,
7954 name: "NoSupportedCurves",
7955 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7956 MaxVersion: VersionTLS12,
7957 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7958 Bugs: ProtocolBugs{
7959 NoSupportedCurves: true,
7960 },
7961 },
7962 shouldFail: true,
7963 expectedError: ":NO_SHARED_CIPHER:",
7964 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7965 testCases = append(testCases, testCase{
7966 testType: serverTest,
7967 name: "NoSupportedCurves-TLS13",
7968 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7969 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7970 Bugs: ProtocolBugs{
7971 NoSupportedCurves: true,
7972 },
7973 },
7974 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7975 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7976 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7977
7978 // The server must fall back to another cipher when there are no
7979 // supported curves.
7980 testCases = append(testCases, testCase{
7981 testType: serverTest,
7982 name: "NoCommonCurves",
7983 config: Config{
7984 MaxVersion: VersionTLS12,
7985 CipherSuites: []uint16{
7986 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
7987 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
7988 },
7989 CurvePreferences: []CurveID{CurveP224},
7990 },
7991 expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
7992 })
7993
7994 // The client must reject bogus curves and disabled curves.
7995 testCases = append(testCases, testCase{
7996 name: "BadECDHECurve",
7997 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7998 MaxVersion: VersionTLS12,
7999 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8000 Bugs: ProtocolBugs{
8001 SendCurve: bogusCurve,
8002 },
8003 },
8004 shouldFail: true,
8005 expectedError: ":WRONG_CURVE:",
8006 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8007 testCases = append(testCases, testCase{
8008 name: "BadECDHECurve-TLS13",
8009 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8010 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8011 Bugs: ProtocolBugs{
8012 SendCurve: bogusCurve,
8013 },
8014 },
8015 shouldFail: true,
8016 expectedError: ":WRONG_CURVE:",
8017 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8018
8019 testCases = append(testCases, testCase{
8020 name: "UnsupportedCurve",
8021 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8022 MaxVersion: VersionTLS12,
8023 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8024 CurvePreferences: []CurveID{CurveP256},
8025 Bugs: ProtocolBugs{
8026 IgnorePeerCurvePreferences: true,
8027 },
8028 },
8029 flags: []string{"-p384-only"},
8030 shouldFail: true,
8031 expectedError: ":WRONG_CURVE:",
8032 })
8033
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8034 testCases = append(testCases, testCase{
8035 // TODO(davidben): Add a TLS 1.3 version where
8036 // HelloRetryRequest requests an unsupported curve.
8037 name: "UnsupportedCurve-ServerHello-TLS13",
8038 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8039 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8040 CurvePreferences: []CurveID{CurveP384},
8041 Bugs: ProtocolBugs{
8042 SendCurve: CurveP256,
8043 },
8044 },
8045 flags: []string{"-p384-only"},
8046 shouldFail: true,
8047 expectedError: ":WRONG_CURVE:",
8048 })
8049
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8050 // Test invalid curve points.
8051 testCases = append(testCases, testCase{
8052 name: "InvalidECDHPoint-Client",
8053 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8054 MaxVersion: VersionTLS12,
8055 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8056 CurvePreferences: []CurveID{CurveP256},
8057 Bugs: ProtocolBugs{
8058 InvalidECDHPoint: true,
8059 },
8060 },
8061 shouldFail: true,
8062 expectedError: ":INVALID_ENCODING:",
8063 })
8064 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8065 name: "InvalidECDHPoint-Client-TLS13",
8066 config: Config{
8067 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8068 CurvePreferences: []CurveID{CurveP256},
8069 Bugs: ProtocolBugs{
8070 InvalidECDHPoint: true,
8071 },
8072 },
8073 shouldFail: true,
8074 expectedError: ":INVALID_ENCODING:",
8075 })
8076 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8077 testType: serverTest,
8078 name: "InvalidECDHPoint-Server",
8079 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8080 MaxVersion: VersionTLS12,
8081 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8082 CurvePreferences: []CurveID{CurveP256},
8083 Bugs: ProtocolBugs{
8084 InvalidECDHPoint: true,
8085 },
8086 },
8087 shouldFail: true,
8088 expectedError: ":INVALID_ENCODING:",
8089 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8090 testCases = append(testCases, testCase{
8091 testType: serverTest,
8092 name: "InvalidECDHPoint-Server-TLS13",
8093 config: Config{
8094 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8095 CurvePreferences: []CurveID{CurveP256},
8096 Bugs: ProtocolBugs{
8097 InvalidECDHPoint: true,
8098 },
8099 },
8100 shouldFail: true,
8101 expectedError: ":INVALID_ENCODING:",
8102 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8103
8104 // The previous curve ID should be reported on TLS 1.2 resumption.
8105 testCases = append(testCases, testCase{
8106 name: "CurveID-Resume-Client",
8107 config: Config{
8108 MaxVersion: VersionTLS12,
8109 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8110 CurvePreferences: []CurveID{CurveX25519},
8111 },
8112 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8113 resumeSession: true,
8114 })
8115 testCases = append(testCases, testCase{
8116 testType: serverTest,
8117 name: "CurveID-Resume-Server",
8118 config: Config{
8119 MaxVersion: VersionTLS12,
8120 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8121 CurvePreferences: []CurveID{CurveX25519},
8122 },
8123 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8124 resumeSession: true,
8125 })
8126
8127 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8128 // one should be reported.
8129 testCases = append(testCases, testCase{
8130 name: "CurveID-Resume-Client-TLS13",
8131 config: Config{
8132 MaxVersion: VersionTLS13,
8133 CurvePreferences: []CurveID{CurveX25519},
8134 },
8135 resumeConfig: &Config{
8136 MaxVersion: VersionTLS13,
8137 CurvePreferences: []CurveID{CurveP256},
8138 },
8139 flags: []string{
8140 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8141 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8142 },
8143 resumeSession: true,
8144 })
8145 testCases = append(testCases, testCase{
8146 testType: serverTest,
8147 name: "CurveID-Resume-Server-TLS13",
8148 config: Config{
8149 MaxVersion: VersionTLS13,
8150 CurvePreferences: []CurveID{CurveX25519},
8151 },
8152 resumeConfig: &Config{
8153 MaxVersion: VersionTLS13,
8154 CurvePreferences: []CurveID{CurveP256},
8155 },
8156 flags: []string{
8157 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8158 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8159 },
8160 resumeSession: true,
8161 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8162
8163 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8164 testCases = append(testCases, testCase{
8165 name: "PointFormat-ServerHello-TLS12",
8166 config: Config{
8167 MaxVersion: VersionTLS12,
8168 Bugs: ProtocolBugs{
8169 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8170 },
8171 },
8172 })
8173 testCases = append(testCases, testCase{
8174 name: "PointFormat-EncryptedExtensions-TLS13",
8175 config: Config{
8176 MaxVersion: VersionTLS13,
8177 Bugs: ProtocolBugs{
8178 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8179 },
8180 },
8181 shouldFail: true,
8182 expectedError: ":ERROR_PARSING_EXTENSION:",
8183 })
8184
8185 // Test that we tolerate unknown point formats, as long as
8186 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8187 // check they are still functional.
8188 testCases = append(testCases, testCase{
8189 name: "PointFormat-Client-Tolerance",
8190 config: Config{
8191 MaxVersion: VersionTLS12,
8192 Bugs: ProtocolBugs{
8193 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8194 },
8195 },
8196 })
8197 testCases = append(testCases, testCase{
8198 testType: serverTest,
8199 name: "PointFormat-Server-Tolerance",
8200 config: Config{
8201 MaxVersion: VersionTLS12,
8202 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8203 Bugs: ProtocolBugs{
8204 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8205 },
8206 },
8207 })
8208
8209 // Test TLS 1.2 does not require the point format extension to be
8210 // present.
8211 testCases = append(testCases, testCase{
8212 name: "PointFormat-Client-Missing",
8213 config: Config{
8214 MaxVersion: VersionTLS12,
8215 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8216 Bugs: ProtocolBugs{
8217 SendSupportedPointFormats: []byte{},
8218 },
8219 },
8220 })
8221 testCases = append(testCases, testCase{
8222 testType: serverTest,
8223 name: "PointFormat-Server-Missing",
8224 config: Config{
8225 MaxVersion: VersionTLS12,
8226 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8227 Bugs: ProtocolBugs{
8228 SendSupportedPointFormats: []byte{},
8229 },
8230 },
8231 })
8232
8233 // If the point format extension is present, uncompressed points must be
8234 // offered. BoringSSL requires this whether or not ECDHE is used.
8235 testCases = append(testCases, testCase{
8236 name: "PointFormat-Client-MissingUncompressed",
8237 config: Config{
8238 MaxVersion: VersionTLS12,
8239 Bugs: ProtocolBugs{
8240 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8241 },
8242 },
8243 shouldFail: true,
8244 expectedError: ":ERROR_PARSING_EXTENSION:",
8245 })
8246 testCases = append(testCases, testCase{
8247 testType: serverTest,
8248 name: "PointFormat-Server-MissingUncompressed",
8249 config: Config{
8250 MaxVersion: VersionTLS12,
8251 Bugs: ProtocolBugs{
8252 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8253 },
8254 },
8255 shouldFail: true,
8256 expectedError: ":ERROR_PARSING_EXTENSION:",
8257 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8258}
8259
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8260func addTLS13RecordTests() {
8261 testCases = append(testCases, testCase{
8262 name: "TLS13-RecordPadding",
8263 config: Config{
8264 MaxVersion: VersionTLS13,
8265 MinVersion: VersionTLS13,
8266 Bugs: ProtocolBugs{
8267 RecordPadding: 10,
8268 },
8269 },
8270 })
8271
8272 testCases = append(testCases, testCase{
8273 name: "TLS13-EmptyRecords",
8274 config: Config{
8275 MaxVersion: VersionTLS13,
8276 MinVersion: VersionTLS13,
8277 Bugs: ProtocolBugs{
8278 OmitRecordContents: true,
8279 },
8280 },
8281 shouldFail: true,
8282 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8283 })
8284
8285 testCases = append(testCases, testCase{
8286 name: "TLS13-OnlyPadding",
8287 config: Config{
8288 MaxVersion: VersionTLS13,
8289 MinVersion: VersionTLS13,
8290 Bugs: ProtocolBugs{
8291 OmitRecordContents: true,
8292 RecordPadding: 10,
8293 },
8294 },
8295 shouldFail: true,
8296 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8297 })
8298
8299 testCases = append(testCases, testCase{
8300 name: "TLS13-WrongOuterRecord",
8301 config: Config{
8302 MaxVersion: VersionTLS13,
8303 MinVersion: VersionTLS13,
8304 Bugs: ProtocolBugs{
8305 OuterRecordType: recordTypeHandshake,
8306 },
8307 },
8308 shouldFail: true,
8309 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8310 })
8311}
8312
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8313func addSessionTicketTests() {
8314 testCases = append(testCases, testCase{
8315 // In TLS 1.2 and below, empty NewSessionTicket messages
8316 // mean the server changed its mind on sending a ticket.
8317 name: "SendEmptySessionTicket",
8318 config: Config{
8319 MaxVersion: VersionTLS12,
8320 Bugs: ProtocolBugs{
8321 SendEmptySessionTicket: true,
8322 },
8323 },
8324 flags: []string{"-expect-no-session"},
8325 })
8326
8327 // Test that the server ignores unknown PSK modes.
8328 testCases = append(testCases, testCase{
8329 testType: serverTest,
8330 name: "TLS13-SendUnknownModeSessionTicket-Server",
8331 config: Config{
8332 MaxVersion: VersionTLS13,
8333 Bugs: ProtocolBugs{
8334 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8335 },
8336 },
8337 resumeSession: true,
8338 expectedResumeVersion: VersionTLS13,
8339 })
8340
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8341 // Test that the server does not send session tickets with no matching key exchange mode.
8342 testCases = append(testCases, testCase{
8343 testType: serverTest,
8344 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8345 config: Config{
8346 MaxVersion: VersionTLS13,
8347 Bugs: ProtocolBugs{
8348 SendPSKKeyExchangeModes: []byte{0x1a},
8349 ExpectNoNewSessionTicket: true,
8350 },
8351 },
8352 })
8353
8354 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8355 testCases = append(testCases, testCase{
8356 testType: serverTest,
8357 name: "TLS13-SendBadKEModeSessionTicket-Server",
8358 config: Config{
8359 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8360 },
8361 resumeConfig: &Config{
8362 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8363 Bugs: ProtocolBugs{
8364 SendPSKKeyExchangeModes: []byte{0x1a},
8365 },
8366 },
8367 resumeSession: true,
8368 expectResumeRejected: true,
8369 })
8370
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8371 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8372 testCases = append(testCases, testCase{
8373 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8374 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8375 config: Config{
8376 MaxVersion: VersionTLS13,
8377 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8378 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8379 },
8380 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8381 resumeSession: true,
8382 flags: []string{
8383 "-resumption-delay", "10",
8384 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8385 })
8386
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8387 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8388 testCases = append(testCases, testCase{
8389 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8390 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8391 config: Config{
8392 MaxVersion: VersionTLS13,
8393 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8394 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8395 },
8396 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8397 resumeSession: true,
8398 shouldFail: true,
8399 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8400 })
8401
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8402 testCases = append(testCases, testCase{
8403 testType: clientTest,
8404 name: "TLS13-SendTicketEarlyDataInfo",
8405 config: Config{
8406 MaxVersion: VersionTLS13,
8407 Bugs: ProtocolBugs{
8408 SendTicketEarlyDataInfo: 16384,
8409 },
8410 },
8411 flags: []string{
8412 "-expect-early-data-info",
8413 },
8414 })
8415
8416 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8417 testType: clientTest,
8418 name: "TLS13-DuplicateTicketEarlyDataInfo",
8419 config: Config{
8420 MaxVersion: VersionTLS13,
8421 Bugs: ProtocolBugs{
8422 SendTicketEarlyDataInfo: 16384,
8423 DuplicateTicketEarlyDataInfo: true,
8424 },
8425 },
8426 shouldFail: true,
8427 expectedError: ":DUPLICATE_EXTENSION:",
8428 expectedLocalError: "remote error: illegal parameter",
8429 })
8430
8431 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8432 testType: serverTest,
8433 name: "TLS13-ExpectTicketEarlyDataInfo",
8434 config: Config{
8435 MaxVersion: VersionTLS13,
8436 Bugs: ProtocolBugs{
8437 ExpectTicketEarlyDataInfo: true,
8438 },
8439 },
8440 flags: []string{
8441 "-enable-early-data",
8442 },
8443 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8444}
8445
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8446func addChangeCipherSpecTests() {
8447 // Test missing ChangeCipherSpecs.
8448 testCases = append(testCases, testCase{
8449 name: "SkipChangeCipherSpec-Client",
8450 config: Config{
8451 MaxVersion: VersionTLS12,
8452 Bugs: ProtocolBugs{
8453 SkipChangeCipherSpec: true,
8454 },
8455 },
8456 shouldFail: true,
8457 expectedError: ":UNEXPECTED_RECORD:",
8458 })
8459 testCases = append(testCases, testCase{
8460 testType: serverTest,
8461 name: "SkipChangeCipherSpec-Server",
8462 config: Config{
8463 MaxVersion: VersionTLS12,
8464 Bugs: ProtocolBugs{
8465 SkipChangeCipherSpec: true,
8466 },
8467 },
8468 shouldFail: true,
8469 expectedError: ":UNEXPECTED_RECORD:",
8470 })
8471 testCases = append(testCases, testCase{
8472 testType: serverTest,
8473 name: "SkipChangeCipherSpec-Server-NPN",
8474 config: Config{
8475 MaxVersion: VersionTLS12,
8476 NextProtos: []string{"bar"},
8477 Bugs: ProtocolBugs{
8478 SkipChangeCipherSpec: true,
8479 },
8480 },
8481 flags: []string{
8482 "-advertise-npn", "\x03foo\x03bar\x03baz",
8483 },
8484 shouldFail: true,
8485 expectedError: ":UNEXPECTED_RECORD:",
8486 })
8487
8488 // Test synchronization between the handshake and ChangeCipherSpec.
8489 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8490 // rejected. Test both with and without handshake packing to handle both
8491 // when the partial post-CCS message is in its own record and when it is
8492 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8493 for _, packed := range []bool{false, true} {
8494 var suffix string
8495 if packed {
8496 suffix = "-Packed"
8497 }
8498
8499 testCases = append(testCases, testCase{
8500 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8501 config: Config{
8502 MaxVersion: VersionTLS12,
8503 Bugs: ProtocolBugs{
8504 FragmentAcrossChangeCipherSpec: true,
8505 PackHandshakeFlight: packed,
8506 },
8507 },
8508 shouldFail: true,
8509 expectedError: ":UNEXPECTED_RECORD:",
8510 })
8511 testCases = append(testCases, testCase{
8512 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8513 config: Config{
8514 MaxVersion: VersionTLS12,
8515 },
8516 resumeSession: true,
8517 resumeConfig: &Config{
8518 MaxVersion: VersionTLS12,
8519 Bugs: ProtocolBugs{
8520 FragmentAcrossChangeCipherSpec: true,
8521 PackHandshakeFlight: packed,
8522 },
8523 },
8524 shouldFail: true,
8525 expectedError: ":UNEXPECTED_RECORD:",
8526 })
8527 testCases = append(testCases, testCase{
8528 testType: serverTest,
8529 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8530 config: Config{
8531 MaxVersion: VersionTLS12,
8532 Bugs: ProtocolBugs{
8533 FragmentAcrossChangeCipherSpec: true,
8534 PackHandshakeFlight: packed,
8535 },
8536 },
8537 shouldFail: true,
8538 expectedError: ":UNEXPECTED_RECORD:",
8539 })
8540 testCases = append(testCases, testCase{
8541 testType: serverTest,
8542 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8543 config: Config{
8544 MaxVersion: VersionTLS12,
8545 },
8546 resumeSession: true,
8547 resumeConfig: &Config{
8548 MaxVersion: VersionTLS12,
8549 Bugs: ProtocolBugs{
8550 FragmentAcrossChangeCipherSpec: true,
8551 PackHandshakeFlight: packed,
8552 },
8553 },
8554 shouldFail: true,
8555 expectedError: ":UNEXPECTED_RECORD:",
8556 })
8557 testCases = append(testCases, testCase{
8558 testType: serverTest,
8559 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8560 config: Config{
8561 MaxVersion: VersionTLS12,
8562 NextProtos: []string{"bar"},
8563 Bugs: ProtocolBugs{
8564 FragmentAcrossChangeCipherSpec: true,
8565 PackHandshakeFlight: packed,
8566 },
8567 },
8568 flags: []string{
8569 "-advertise-npn", "\x03foo\x03bar\x03baz",
8570 },
8571 shouldFail: true,
8572 expectedError: ":UNEXPECTED_RECORD:",
8573 })
8574 }
8575
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8576 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8577 // messages in the handshake queue. Do this by testing the server
8578 // reading the client Finished, reversing the flight so Finished comes
8579 // first.
8580 testCases = append(testCases, testCase{
8581 protocol: dtls,
8582 testType: serverTest,
8583 name: "SendUnencryptedFinished-DTLS",
8584 config: Config{
8585 MaxVersion: VersionTLS12,
8586 Bugs: ProtocolBugs{
8587 SendUnencryptedFinished: true,
8588 ReverseHandshakeFragments: true,
8589 },
8590 },
8591 shouldFail: true,
8592 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8593 })
8594
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8595 // Test synchronization between encryption changes and the handshake in
8596 // TLS 1.3, where ChangeCipherSpec is implicit.
8597 testCases = append(testCases, testCase{
8598 name: "PartialEncryptedExtensionsWithServerHello",
8599 config: Config{
8600 MaxVersion: VersionTLS13,
8601 Bugs: ProtocolBugs{
8602 PartialEncryptedExtensionsWithServerHello: true,
8603 },
8604 },
8605 shouldFail: true,
8606 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8607 })
8608 testCases = append(testCases, testCase{
8609 testType: serverTest,
8610 name: "PartialClientFinishedWithClientHello",
8611 config: Config{
8612 MaxVersion: VersionTLS13,
8613 Bugs: ProtocolBugs{
8614 PartialClientFinishedWithClientHello: true,
8615 },
8616 },
8617 shouldFail: true,
8618 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8619 })
8620
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8621 // Test that early ChangeCipherSpecs are handled correctly.
8622 testCases = append(testCases, testCase{
8623 testType: serverTest,
8624 name: "EarlyChangeCipherSpec-server-1",
8625 config: Config{
8626 MaxVersion: VersionTLS12,
8627 Bugs: ProtocolBugs{
8628 EarlyChangeCipherSpec: 1,
8629 },
8630 },
8631 shouldFail: true,
8632 expectedError: ":UNEXPECTED_RECORD:",
8633 })
8634 testCases = append(testCases, testCase{
8635 testType: serverTest,
8636 name: "EarlyChangeCipherSpec-server-2",
8637 config: Config{
8638 MaxVersion: VersionTLS12,
8639 Bugs: ProtocolBugs{
8640 EarlyChangeCipherSpec: 2,
8641 },
8642 },
8643 shouldFail: true,
8644 expectedError: ":UNEXPECTED_RECORD:",
8645 })
8646 testCases = append(testCases, testCase{
8647 protocol: dtls,
8648 name: "StrayChangeCipherSpec",
8649 config: Config{
8650 // TODO(davidben): Once DTLS 1.3 exists, test
8651 // that stray ChangeCipherSpec messages are
8652 // rejected.
8653 MaxVersion: VersionTLS12,
8654 Bugs: ProtocolBugs{
8655 StrayChangeCipherSpec: true,
8656 },
8657 },
8658 })
8659
8660 // Test that the contents of ChangeCipherSpec are checked.
8661 testCases = append(testCases, testCase{
8662 name: "BadChangeCipherSpec-1",
8663 config: Config{
8664 MaxVersion: VersionTLS12,
8665 Bugs: ProtocolBugs{
8666 BadChangeCipherSpec: []byte{2},
8667 },
8668 },
8669 shouldFail: true,
8670 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8671 })
8672 testCases = append(testCases, testCase{
8673 name: "BadChangeCipherSpec-2",
8674 config: Config{
8675 MaxVersion: VersionTLS12,
8676 Bugs: ProtocolBugs{
8677 BadChangeCipherSpec: []byte{1, 1},
8678 },
8679 },
8680 shouldFail: true,
8681 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8682 })
8683 testCases = append(testCases, testCase{
8684 protocol: dtls,
8685 name: "BadChangeCipherSpec-DTLS-1",
8686 config: Config{
8687 MaxVersion: VersionTLS12,
8688 Bugs: ProtocolBugs{
8689 BadChangeCipherSpec: []byte{2},
8690 },
8691 },
8692 shouldFail: true,
8693 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8694 })
8695 testCases = append(testCases, testCase{
8696 protocol: dtls,
8697 name: "BadChangeCipherSpec-DTLS-2",
8698 config: Config{
8699 MaxVersion: VersionTLS12,
8700 Bugs: ProtocolBugs{
8701 BadChangeCipherSpec: []byte{1, 1},
8702 },
8703 },
8704 shouldFail: true,
8705 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8706 })
8707}
8708
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8709type perMessageTest struct {
8710 messageType uint8
8711 test testCase
8712}
8713
8714// makePerMessageTests returns a series of test templates which cover each
8715// message in the TLS handshake. These may be used with bugs like
8716// WrongMessageType to fully test a per-message bug.
8717func makePerMessageTests() []perMessageTest {
8718 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8719 for _, protocol := range []protocol{tls, dtls} {
8720 var suffix string
8721 if protocol == dtls {
8722 suffix = "-DTLS"
8723 }
8724
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8725 ret = append(ret, perMessageTest{
8726 messageType: typeClientHello,
8727 test: testCase{
8728 protocol: protocol,
8729 testType: serverTest,
8730 name: "ClientHello" + suffix,
8731 config: Config{
8732 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8733 },
8734 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8735 })
8736
8737 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8738 ret = append(ret, perMessageTest{
8739 messageType: typeHelloVerifyRequest,
8740 test: testCase{
8741 protocol: protocol,
8742 name: "HelloVerifyRequest" + suffix,
8743 config: Config{
8744 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8745 },
8746 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8747 })
8748 }
8749
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8750 ret = append(ret, perMessageTest{
8751 messageType: typeServerHello,
8752 test: testCase{
8753 protocol: protocol,
8754 name: "ServerHello" + suffix,
8755 config: Config{
8756 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8757 },
8758 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8759 })
8760
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8761 ret = append(ret, perMessageTest{
8762 messageType: typeCertificate,
8763 test: testCase{
8764 protocol: protocol,
8765 name: "ServerCertificate" + suffix,
8766 config: Config{
8767 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8768 },
8769 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8770 })
8771
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8772 ret = append(ret, perMessageTest{
8773 messageType: typeCertificateStatus,
8774 test: testCase{
8775 protocol: protocol,
8776 name: "CertificateStatus" + suffix,
8777 config: Config{
8778 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8779 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8780 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8781 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8782 })
8783
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8784 ret = append(ret, perMessageTest{
8785 messageType: typeServerKeyExchange,
8786 test: testCase{
8787 protocol: protocol,
8788 name: "ServerKeyExchange" + suffix,
8789 config: Config{
8790 MaxVersion: VersionTLS12,
8791 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8792 },
8793 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8794 })
8795
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8796 ret = append(ret, perMessageTest{
8797 messageType: typeCertificateRequest,
8798 test: testCase{
8799 protocol: protocol,
8800 name: "CertificateRequest" + suffix,
8801 config: Config{
8802 MaxVersion: VersionTLS12,
8803 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8804 },
8805 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8806 })
8807
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8808 ret = append(ret, perMessageTest{
8809 messageType: typeServerHelloDone,
8810 test: testCase{
8811 protocol: protocol,
8812 name: "ServerHelloDone" + suffix,
8813 config: Config{
8814 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8815 },
8816 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8817 })
8818
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8819 ret = append(ret, perMessageTest{
8820 messageType: typeCertificate,
8821 test: testCase{
8822 testType: serverTest,
8823 protocol: protocol,
8824 name: "ClientCertificate" + suffix,
8825 config: Config{
8826 Certificates: []Certificate{rsaCertificate},
8827 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8828 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8829 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8830 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8831 })
8832
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8833 ret = append(ret, perMessageTest{
8834 messageType: typeCertificateVerify,
8835 test: testCase{
8836 testType: serverTest,
8837 protocol: protocol,
8838 name: "CertificateVerify" + suffix,
8839 config: Config{
8840 Certificates: []Certificate{rsaCertificate},
8841 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8842 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8843 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8844 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8845 })
8846
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8847 ret = append(ret, perMessageTest{
8848 messageType: typeClientKeyExchange,
8849 test: testCase{
8850 testType: serverTest,
8851 protocol: protocol,
8852 name: "ClientKeyExchange" + suffix,
8853 config: Config{
8854 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8855 },
8856 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8857 })
8858
8859 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8860 ret = append(ret, perMessageTest{
8861 messageType: typeNextProtocol,
8862 test: testCase{
8863 testType: serverTest,
8864 protocol: protocol,
8865 name: "NextProtocol" + suffix,
8866 config: Config{
8867 MaxVersion: VersionTLS12,
8868 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8869 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8870 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8871 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8872 })
8873
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8874 ret = append(ret, perMessageTest{
8875 messageType: typeChannelID,
8876 test: testCase{
8877 testType: serverTest,
8878 protocol: protocol,
8879 name: "ChannelID" + suffix,
8880 config: Config{
8881 MaxVersion: VersionTLS12,
8882 ChannelID: channelIDKey,
8883 },
8884 flags: []string{
8885 "-expect-channel-id",
8886 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8887 },
8888 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8889 })
8890 }
8891
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8892 ret = append(ret, perMessageTest{
8893 messageType: typeFinished,
8894 test: testCase{
8895 testType: serverTest,
8896 protocol: protocol,
8897 name: "ClientFinished" + suffix,
8898 config: Config{
8899 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8900 },
8901 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8902 })
8903
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8904 ret = append(ret, perMessageTest{
8905 messageType: typeNewSessionTicket,
8906 test: testCase{
8907 protocol: protocol,
8908 name: "NewSessionTicket" + suffix,
8909 config: Config{
8910 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8911 },
8912 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8913 })
8914
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8915 ret = append(ret, perMessageTest{
8916 messageType: typeFinished,
8917 test: testCase{
8918 protocol: protocol,
8919 name: "ServerFinished" + suffix,
8920 config: Config{
8921 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8922 },
8923 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8924 })
8925
8926 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8927
8928 ret = append(ret, perMessageTest{
8929 messageType: typeClientHello,
8930 test: testCase{
8931 testType: serverTest,
8932 name: "TLS13-ClientHello",
8933 config: Config{
8934 MaxVersion: VersionTLS13,
8935 },
8936 },
8937 })
8938
8939 ret = append(ret, perMessageTest{
8940 messageType: typeServerHello,
8941 test: testCase{
8942 name: "TLS13-ServerHello",
8943 config: Config{
8944 MaxVersion: VersionTLS13,
8945 },
8946 },
8947 })
8948
8949 ret = append(ret, perMessageTest{
8950 messageType: typeEncryptedExtensions,
8951 test: testCase{
8952 name: "TLS13-EncryptedExtensions",
8953 config: Config{
8954 MaxVersion: VersionTLS13,
8955 },
8956 },
8957 })
8958
8959 ret = append(ret, perMessageTest{
8960 messageType: typeCertificateRequest,
8961 test: testCase{
8962 name: "TLS13-CertificateRequest",
8963 config: Config{
8964 MaxVersion: VersionTLS13,
8965 ClientAuth: RequireAnyClientCert,
8966 },
8967 },
8968 })
8969
8970 ret = append(ret, perMessageTest{
8971 messageType: typeCertificate,
8972 test: testCase{
8973 name: "TLS13-ServerCertificate",
8974 config: Config{
8975 MaxVersion: VersionTLS13,
8976 },
8977 },
8978 })
8979
8980 ret = append(ret, perMessageTest{
8981 messageType: typeCertificateVerify,
8982 test: testCase{
8983 name: "TLS13-ServerCertificateVerify",
8984 config: Config{
8985 MaxVersion: VersionTLS13,
8986 },
8987 },
8988 })
8989
8990 ret = append(ret, perMessageTest{
8991 messageType: typeFinished,
8992 test: testCase{
8993 name: "TLS13-ServerFinished",
8994 config: Config{
8995 MaxVersion: VersionTLS13,
8996 },
8997 },
8998 })
8999
9000 ret = append(ret, perMessageTest{
9001 messageType: typeCertificate,
9002 test: testCase{
9003 testType: serverTest,
9004 name: "TLS13-ClientCertificate",
9005 config: Config{
9006 Certificates: []Certificate{rsaCertificate},
9007 MaxVersion: VersionTLS13,
9008 },
9009 flags: []string{"-require-any-client-certificate"},
9010 },
9011 })
9012
9013 ret = append(ret, perMessageTest{
9014 messageType: typeCertificateVerify,
9015 test: testCase{
9016 testType: serverTest,
9017 name: "TLS13-ClientCertificateVerify",
9018 config: Config{
9019 Certificates: []Certificate{rsaCertificate},
9020 MaxVersion: VersionTLS13,
9021 },
9022 flags: []string{"-require-any-client-certificate"},
9023 },
9024 })
9025
9026 ret = append(ret, perMessageTest{
9027 messageType: typeFinished,
9028 test: testCase{
9029 testType: serverTest,
9030 name: "TLS13-ClientFinished",
9031 config: Config{
9032 MaxVersion: VersionTLS13,
9033 },
9034 },
9035 })
9036
9037 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9038}
9039
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9040func addWrongMessageTypeTests() {
9041 for _, t := range makePerMessageTests() {
9042 t.test.name = "WrongMessageType-" + t.test.name
9043 t.test.config.Bugs.SendWrongMessageType = t.messageType
9044 t.test.shouldFail = true
9045 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9046 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9047
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9048 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9049 // In TLS 1.3, a bad ServerHello means the client sends
9050 // an unencrypted alert while the server expects
9051 // encryption, so the alert is not readable by runner.
9052 t.test.expectedLocalError = "local error: bad record MAC"
9053 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9054
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9055 testCases = append(testCases, t.test)
9056 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9057}
9058
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9059func addTrailingMessageDataTests() {
9060 for _, t := range makePerMessageTests() {
9061 t.test.name = "TrailingMessageData-" + t.test.name
9062 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9063 t.test.shouldFail = true
9064 t.test.expectedError = ":DECODE_ERROR:"
9065 t.test.expectedLocalError = "remote error: error decoding message"
9066
9067 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9068 // In TLS 1.3, a bad ServerHello means the client sends
9069 // an unencrypted alert while the server expects
9070 // encryption, so the alert is not readable by runner.
9071 t.test.expectedLocalError = "local error: bad record MAC"
9072 }
9073
9074 if t.messageType == typeFinished {
9075 // Bad Finished messages read as the verify data having
9076 // the wrong length.
9077 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9078 t.test.expectedLocalError = "remote error: error decrypting message"
9079 }
9080
9081 testCases = append(testCases, t.test)
9082 }
9083}
9084
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9085func addTLS13HandshakeTests() {
9086 testCases = append(testCases, testCase{
9087 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9088 name: "NegotiatePSKResumption-TLS13",
9089 config: Config{
9090 MaxVersion: VersionTLS13,
9091 Bugs: ProtocolBugs{
9092 NegotiatePSKResumption: true,
9093 },
9094 },
9095 resumeSession: true,
9096 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9097 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9098 })
9099
9100 testCases = append(testCases, testCase{
9101 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9102 name: "MissingKeyShare-Client",
9103 config: Config{
9104 MaxVersion: VersionTLS13,
9105 Bugs: ProtocolBugs{
9106 MissingKeyShare: true,
9107 },
9108 },
9109 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9110 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9111 })
9112
9113 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9114 testType: serverTest,
9115 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9116 config: Config{
9117 MaxVersion: VersionTLS13,
9118 Bugs: ProtocolBugs{
9119 MissingKeyShare: true,
9120 },
9121 },
9122 shouldFail: true,
9123 expectedError: ":MISSING_KEY_SHARE:",
9124 })
9125
9126 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9127 testType: serverTest,
9128 name: "DuplicateKeyShares",
9129 config: Config{
9130 MaxVersion: VersionTLS13,
9131 Bugs: ProtocolBugs{
9132 DuplicateKeyShares: true,
9133 },
9134 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9135 shouldFail: true,
9136 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9137 })
9138
9139 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9140 testType: serverTest,
9141 name: "SkipEarlyData",
9142 config: Config{
9143 MaxVersion: VersionTLS13,
9144 Bugs: ProtocolBugs{
9145 SendEarlyDataLength: 4,
9146 },
9147 },
9148 })
9149
9150 testCases = append(testCases, testCase{
9151 testType: serverTest,
9152 name: "SkipEarlyData-OmitEarlyDataExtension",
9153 config: Config{
9154 MaxVersion: VersionTLS13,
9155 Bugs: ProtocolBugs{
9156 SendEarlyDataLength: 4,
9157 OmitEarlyDataExtension: true,
9158 },
9159 },
9160 shouldFail: true,
9161 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9162 })
9163
9164 testCases = append(testCases, testCase{
9165 testType: serverTest,
9166 name: "SkipEarlyData-TooMuchData",
9167 config: Config{
9168 MaxVersion: VersionTLS13,
9169 Bugs: ProtocolBugs{
9170 SendEarlyDataLength: 16384 + 1,
9171 },
9172 },
9173 shouldFail: true,
9174 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9175 })
9176
9177 testCases = append(testCases, testCase{
9178 testType: serverTest,
9179 name: "SkipEarlyData-Interleaved",
9180 config: Config{
9181 MaxVersion: VersionTLS13,
9182 Bugs: ProtocolBugs{
9183 SendEarlyDataLength: 4,
9184 InterleaveEarlyData: true,
9185 },
9186 },
9187 shouldFail: true,
9188 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9189 })
9190
9191 testCases = append(testCases, testCase{
9192 testType: serverTest,
9193 name: "SkipEarlyData-EarlyDataInTLS12",
9194 config: Config{
9195 MaxVersion: VersionTLS13,
9196 Bugs: ProtocolBugs{
9197 SendEarlyDataLength: 4,
9198 },
9199 },
9200 shouldFail: true,
9201 expectedError: ":UNEXPECTED_RECORD:",
9202 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9203 })
9204
9205 testCases = append(testCases, testCase{
9206 testType: serverTest,
9207 name: "SkipEarlyData-HRR",
9208 config: Config{
9209 MaxVersion: VersionTLS13,
9210 Bugs: ProtocolBugs{
9211 SendEarlyDataLength: 4,
9212 },
9213 DefaultCurves: []CurveID{},
9214 },
9215 })
9216
9217 testCases = append(testCases, testCase{
9218 testType: serverTest,
9219 name: "SkipEarlyData-HRR-Interleaved",
9220 config: Config{
9221 MaxVersion: VersionTLS13,
9222 Bugs: ProtocolBugs{
9223 SendEarlyDataLength: 4,
9224 InterleaveEarlyData: true,
9225 },
9226 DefaultCurves: []CurveID{},
9227 },
9228 shouldFail: true,
9229 expectedError: ":UNEXPECTED_RECORD:",
9230 })
9231
9232 testCases = append(testCases, testCase{
9233 testType: serverTest,
9234 name: "SkipEarlyData-HRR-TooMuchData",
9235 config: Config{
9236 MaxVersion: VersionTLS13,
9237 Bugs: ProtocolBugs{
9238 SendEarlyDataLength: 16384 + 1,
9239 },
9240 DefaultCurves: []CurveID{},
9241 },
9242 shouldFail: true,
9243 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9244 })
9245
9246 // Test that skipping early data looking for cleartext correctly
9247 // processes an alert record.
9248 testCases = append(testCases, testCase{
9249 testType: serverTest,
9250 name: "SkipEarlyData-HRR-FatalAlert",
9251 config: Config{
9252 MaxVersion: VersionTLS13,
9253 Bugs: ProtocolBugs{
9254 SendEarlyAlert: true,
9255 SendEarlyDataLength: 4,
9256 },
9257 DefaultCurves: []CurveID{},
9258 },
9259 shouldFail: true,
9260 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9261 })
9262
9263 testCases = append(testCases, testCase{
9264 testType: serverTest,
9265 name: "SkipEarlyData-SecondClientHelloEarlyData",
9266 config: Config{
9267 MaxVersion: VersionTLS13,
9268 Bugs: ProtocolBugs{
9269 SendEarlyDataOnSecondClientHello: true,
9270 },
9271 DefaultCurves: []CurveID{},
9272 },
9273 shouldFail: true,
9274 expectedLocalError: "remote error: bad record MAC",
9275 })
9276
9277 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9278 testType: clientTest,
9279 name: "EmptyEncryptedExtensions",
9280 config: Config{
9281 MaxVersion: VersionTLS13,
9282 Bugs: ProtocolBugs{
9283 EmptyEncryptedExtensions: true,
9284 },
9285 },
9286 shouldFail: true,
9287 expectedLocalError: "remote error: error decoding message",
9288 })
9289
9290 testCases = append(testCases, testCase{
9291 testType: clientTest,
9292 name: "EncryptedExtensionsWithKeyShare",
9293 config: Config{
9294 MaxVersion: VersionTLS13,
9295 Bugs: ProtocolBugs{
9296 EncryptedExtensionsWithKeyShare: true,
9297 },
9298 },
9299 shouldFail: true,
9300 expectedLocalError: "remote error: unsupported extension",
9301 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9302
9303 testCases = append(testCases, testCase{
9304 testType: serverTest,
9305 name: "SendHelloRetryRequest",
9306 config: Config{
9307 MaxVersion: VersionTLS13,
9308 // Require a HelloRetryRequest for every curve.
9309 DefaultCurves: []CurveID{},
9310 },
9311 expectedCurveID: CurveX25519,
9312 })
9313
9314 testCases = append(testCases, testCase{
9315 testType: serverTest,
9316 name: "SendHelloRetryRequest-2",
9317 config: Config{
9318 MaxVersion: VersionTLS13,
9319 DefaultCurves: []CurveID{CurveP384},
9320 },
9321 // Although the ClientHello did not predict our preferred curve,
9322 // we always select it whether it is predicted or not.
9323 expectedCurveID: CurveX25519,
9324 })
9325
9326 testCases = append(testCases, testCase{
9327 name: "UnknownCurve-HelloRetryRequest",
9328 config: Config{
9329 MaxVersion: VersionTLS13,
9330 // P-384 requires HelloRetryRequest in BoringSSL.
9331 CurvePreferences: []CurveID{CurveP384},
9332 Bugs: ProtocolBugs{
9333 SendHelloRetryRequestCurve: bogusCurve,
9334 },
9335 },
9336 shouldFail: true,
9337 expectedError: ":WRONG_CURVE:",
9338 })
9339
9340 testCases = append(testCases, testCase{
9341 name: "DisabledCurve-HelloRetryRequest",
9342 config: Config{
9343 MaxVersion: VersionTLS13,
9344 CurvePreferences: []CurveID{CurveP256},
9345 Bugs: ProtocolBugs{
9346 IgnorePeerCurvePreferences: true,
9347 },
9348 },
9349 flags: []string{"-p384-only"},
9350 shouldFail: true,
9351 expectedError: ":WRONG_CURVE:",
9352 })
9353
9354 testCases = append(testCases, testCase{
9355 name: "UnnecessaryHelloRetryRequest",
9356 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9357 MaxVersion: VersionTLS13,
9358 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9359 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9360 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9361 },
9362 },
9363 shouldFail: true,
9364 expectedError: ":WRONG_CURVE:",
9365 })
9366
9367 testCases = append(testCases, testCase{
9368 name: "SecondHelloRetryRequest",
9369 config: Config{
9370 MaxVersion: VersionTLS13,
9371 // P-384 requires HelloRetryRequest in BoringSSL.
9372 CurvePreferences: []CurveID{CurveP384},
9373 Bugs: ProtocolBugs{
9374 SecondHelloRetryRequest: true,
9375 },
9376 },
9377 shouldFail: true,
9378 expectedError: ":UNEXPECTED_MESSAGE:",
9379 })
9380
9381 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9382 name: "HelloRetryRequest-Empty",
9383 config: Config{
9384 MaxVersion: VersionTLS13,
9385 Bugs: ProtocolBugs{
9386 AlwaysSendHelloRetryRequest: true,
9387 },
9388 },
9389 shouldFail: true,
9390 expectedError: ":DECODE_ERROR:",
9391 })
9392
9393 testCases = append(testCases, testCase{
9394 name: "HelloRetryRequest-DuplicateCurve",
9395 config: Config{
9396 MaxVersion: VersionTLS13,
9397 // P-384 requires a HelloRetryRequest against BoringSSL's default
9398 // configuration. Assert this ExpectMissingKeyShare.
9399 CurvePreferences: []CurveID{CurveP384},
9400 Bugs: ProtocolBugs{
9401 ExpectMissingKeyShare: true,
9402 DuplicateHelloRetryRequestExtensions: true,
9403 },
9404 },
9405 shouldFail: true,
9406 expectedError: ":DUPLICATE_EXTENSION:",
9407 expectedLocalError: "remote error: illegal parameter",
9408 })
9409
9410 testCases = append(testCases, testCase{
9411 name: "HelloRetryRequest-Cookie",
9412 config: Config{
9413 MaxVersion: VersionTLS13,
9414 Bugs: ProtocolBugs{
9415 SendHelloRetryRequestCookie: []byte("cookie"),
9416 },
9417 },
9418 })
9419
9420 testCases = append(testCases, testCase{
9421 name: "HelloRetryRequest-DuplicateCookie",
9422 config: Config{
9423 MaxVersion: VersionTLS13,
9424 Bugs: ProtocolBugs{
9425 SendHelloRetryRequestCookie: []byte("cookie"),
9426 DuplicateHelloRetryRequestExtensions: true,
9427 },
9428 },
9429 shouldFail: true,
9430 expectedError: ":DUPLICATE_EXTENSION:",
9431 expectedLocalError: "remote error: illegal parameter",
9432 })
9433
9434 testCases = append(testCases, testCase{
9435 name: "HelloRetryRequest-EmptyCookie",
9436 config: Config{
9437 MaxVersion: VersionTLS13,
9438 Bugs: ProtocolBugs{
9439 SendHelloRetryRequestCookie: []byte{},
9440 },
9441 },
9442 shouldFail: true,
9443 expectedError: ":DECODE_ERROR:",
9444 })
9445
9446 testCases = append(testCases, testCase{
9447 name: "HelloRetryRequest-Cookie-Curve",
9448 config: Config{
9449 MaxVersion: VersionTLS13,
9450 // P-384 requires HelloRetryRequest in BoringSSL.
9451 CurvePreferences: []CurveID{CurveP384},
9452 Bugs: ProtocolBugs{
9453 SendHelloRetryRequestCookie: []byte("cookie"),
9454 ExpectMissingKeyShare: true,
9455 },
9456 },
9457 })
9458
9459 testCases = append(testCases, testCase{
9460 name: "HelloRetryRequest-Unknown",
9461 config: Config{
9462 MaxVersion: VersionTLS13,
9463 Bugs: ProtocolBugs{
9464 CustomHelloRetryRequestExtension: "extension",
9465 },
9466 },
9467 shouldFail: true,
9468 expectedError: ":UNEXPECTED_EXTENSION:",
9469 expectedLocalError: "remote error: unsupported extension",
9470 })
9471
9472 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9473 testType: serverTest,
9474 name: "SecondClientHelloMissingKeyShare",
9475 config: Config{
9476 MaxVersion: VersionTLS13,
9477 DefaultCurves: []CurveID{},
9478 Bugs: ProtocolBugs{
9479 SecondClientHelloMissingKeyShare: true,
9480 },
9481 },
9482 shouldFail: true,
9483 expectedError: ":MISSING_KEY_SHARE:",
9484 })
9485
9486 testCases = append(testCases, testCase{
9487 testType: serverTest,
9488 name: "SecondClientHelloWrongCurve",
9489 config: Config{
9490 MaxVersion: VersionTLS13,
9491 DefaultCurves: []CurveID{},
9492 Bugs: ProtocolBugs{
9493 MisinterpretHelloRetryRequestCurve: CurveP521,
9494 },
9495 },
9496 shouldFail: true,
9497 expectedError: ":WRONG_CURVE:",
9498 })
9499
9500 testCases = append(testCases, testCase{
9501 name: "HelloRetryRequestVersionMismatch",
9502 config: Config{
9503 MaxVersion: VersionTLS13,
9504 // P-384 requires HelloRetryRequest in BoringSSL.
9505 CurvePreferences: []CurveID{CurveP384},
9506 Bugs: ProtocolBugs{
9507 SendServerHelloVersion: 0x0305,
9508 },
9509 },
9510 shouldFail: true,
9511 expectedError: ":WRONG_VERSION_NUMBER:",
9512 })
9513
9514 testCases = append(testCases, testCase{
9515 name: "HelloRetryRequestCurveMismatch",
9516 config: Config{
9517 MaxVersion: VersionTLS13,
9518 // P-384 requires HelloRetryRequest in BoringSSL.
9519 CurvePreferences: []CurveID{CurveP384},
9520 Bugs: ProtocolBugs{
9521 // Send P-384 (correct) in the HelloRetryRequest.
9522 SendHelloRetryRequestCurve: CurveP384,
9523 // But send P-256 in the ServerHello.
9524 SendCurve: CurveP256,
9525 },
9526 },
9527 shouldFail: true,
9528 expectedError: ":WRONG_CURVE:",
9529 })
9530
9531 // Test the server selecting a curve that requires a HelloRetryRequest
9532 // without sending it.
9533 testCases = append(testCases, testCase{
9534 name: "SkipHelloRetryRequest",
9535 config: Config{
9536 MaxVersion: VersionTLS13,
9537 // P-384 requires HelloRetryRequest in BoringSSL.
9538 CurvePreferences: []CurveID{CurveP384},
9539 Bugs: ProtocolBugs{
9540 SkipHelloRetryRequest: true,
9541 },
9542 },
9543 shouldFail: true,
9544 expectedError: ":WRONG_CURVE:",
9545 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9546
9547 testCases = append(testCases, testCase{
9548 name: "TLS13-RequestContextInHandshake",
9549 config: Config{
9550 MaxVersion: VersionTLS13,
9551 MinVersion: VersionTLS13,
9552 ClientAuth: RequireAnyClientCert,
9553 Bugs: ProtocolBugs{
9554 SendRequestContext: []byte("request context"),
9555 },
9556 },
9557 flags: []string{
9558 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9559 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9560 },
9561 shouldFail: true,
9562 expectedError: ":DECODE_ERROR:",
9563 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9564
9565 testCases = append(testCases, testCase{
9566 testType: serverTest,
9567 name: "TLS13-TrailingKeyShareData",
9568 config: Config{
9569 MaxVersion: VersionTLS13,
9570 Bugs: ProtocolBugs{
9571 TrailingKeyShareData: true,
9572 },
9573 },
9574 shouldFail: true,
9575 expectedError: ":DECODE_ERROR:",
9576 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9577
9578 testCases = append(testCases, testCase{
9579 name: "TLS13-AlwaysSelectPSKIdentity",
9580 config: Config{
9581 MaxVersion: VersionTLS13,
9582 Bugs: ProtocolBugs{
9583 AlwaysSelectPSKIdentity: true,
9584 },
9585 },
9586 shouldFail: true,
9587 expectedError: ":UNEXPECTED_EXTENSION:",
9588 })
9589
9590 testCases = append(testCases, testCase{
9591 name: "TLS13-InvalidPSKIdentity",
9592 config: Config{
9593 MaxVersion: VersionTLS13,
9594 Bugs: ProtocolBugs{
9595 SelectPSKIdentityOnResume: 1,
9596 },
9597 },
9598 resumeSession: true,
9599 shouldFail: true,
9600 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9601 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9602
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9603 testCases = append(testCases, testCase{
9604 testType: serverTest,
9605 name: "TLS13-ExtraPSKIdentity",
9606 config: Config{
9607 MaxVersion: VersionTLS13,
9608 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9609 ExtraPSKIdentity: true,
9610 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9611 },
9612 },
9613 resumeSession: true,
9614 })
9615
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9616 // Test that unknown NewSessionTicket extensions are tolerated.
9617 testCases = append(testCases, testCase{
9618 name: "TLS13-CustomTicketExtension",
9619 config: Config{
9620 MaxVersion: VersionTLS13,
9621 Bugs: ProtocolBugs{
9622 CustomTicketExtension: "1234",
9623 },
9624 },
9625 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9626}
9627
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]9628func addTLS13CipherPreferenceTests() {
9629 // Test that client preference is honored if the shim has AES hardware
9630 // and ChaCha20-Poly1305 is preferred otherwise.
9631 testCases = append(testCases, testCase{
9632 testType: serverTest,
9633 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
9634 config: Config{
9635 MaxVersion: VersionTLS13,
9636 CipherSuites: []uint16{
9637 TLS_CHACHA20_POLY1305_SHA256,
9638 TLS_AES_128_GCM_SHA256,
9639 },
9640 },
9641 flags: []string{
9642 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9643 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9644 },
9645 })
9646
9647 testCases = append(testCases, testCase{
9648 testType: serverTest,
9649 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
9650 config: Config{
9651 MaxVersion: VersionTLS13,
9652 CipherSuites: []uint16{
9653 TLS_AES_128_GCM_SHA256,
9654 TLS_CHACHA20_POLY1305_SHA256,
9655 },
9656 },
9657 flags: []string{
9658 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9659 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9660 },
9661 })
9662
9663 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
9664 // whether it has AES hardware.
9665 testCases = append(testCases, testCase{
9666 name: "TLS13-CipherPreference-Client",
9667 config: Config{
9668 MaxVersion: VersionTLS13,
9669 // Use the client cipher order. (This is the default but
9670 // is listed to be explicit.)
9671 PreferServerCipherSuites: false,
9672 },
9673 flags: []string{
9674 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9675 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9676 },
9677 })
9678}
9679
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9680func addPeekTests() {
9681 // Test SSL_peek works, including on empty records.
9682 testCases = append(testCases, testCase{
9683 name: "Peek-Basic",
9684 sendEmptyRecords: 1,
9685 flags: []string{"-peek-then-read"},
9686 })
9687
9688 // Test SSL_peek can drive the initial handshake.
9689 testCases = append(testCases, testCase{
9690 name: "Peek-ImplicitHandshake",
9691 flags: []string{
9692 "-peek-then-read",
9693 "-implicit-handshake",
9694 },
9695 })
9696
9697 // Test SSL_peek can discover and drive a renegotiation.
9698 testCases = append(testCases, testCase{
9699 name: "Peek-Renegotiate",
9700 config: Config{
9701 MaxVersion: VersionTLS12,
9702 },
9703 renegotiate: 1,
9704 flags: []string{
9705 "-peek-then-read",
9706 "-renegotiate-freely",
9707 "-expect-total-renegotiations", "1",
9708 },
9709 })
9710
9711 // Test SSL_peek can discover a close_notify.
9712 testCases = append(testCases, testCase{
9713 name: "Peek-Shutdown",
9714 config: Config{
9715 Bugs: ProtocolBugs{
9716 ExpectCloseNotify: true,
9717 },
9718 },
9719 flags: []string{
9720 "-peek-then-read",
9721 "-check-close-notify",
9722 },
9723 })
9724
9725 // Test SSL_peek can discover an alert.
9726 testCases = append(testCases, testCase{
9727 name: "Peek-Alert",
9728 config: Config{
9729 Bugs: ProtocolBugs{
9730 SendSpuriousAlert: alertRecordOverflow,
9731 },
9732 },
9733 flags: []string{"-peek-then-read"},
9734 shouldFail: true,
9735 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
9736 })
9737
9738 // Test SSL_peek can handle KeyUpdate.
9739 testCases = append(testCases, testCase{
9740 name: "Peek-KeyUpdate",
9741 config: Config{
9742 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9743 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]9744 sendKeyUpdates: 1,
9745 keyUpdateRequest: keyUpdateNotRequested,
9746 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9747 })
9748}
9749
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]9750func addRecordVersionTests() {
9751 for _, ver := range tlsVersions {
9752 // Test that the record version is enforced.
9753 testCases = append(testCases, testCase{
9754 name: "CheckRecordVersion-" + ver.name,
9755 config: Config{
9756 MinVersion: ver.version,
9757 MaxVersion: ver.version,
9758 Bugs: ProtocolBugs{
9759 SendRecordVersion: 0x03ff,
9760 },
9761 },
9762 shouldFail: true,
9763 expectedError: ":WRONG_VERSION_NUMBER:",
9764 })
9765
9766 // Test that the ClientHello may use any record version, for
9767 // compatibility reasons.
9768 testCases = append(testCases, testCase{
9769 testType: serverTest,
9770 name: "LooseInitialRecordVersion-" + ver.name,
9771 config: Config{
9772 MinVersion: ver.version,
9773 MaxVersion: ver.version,
9774 Bugs: ProtocolBugs{
9775 SendInitialRecordVersion: 0x03ff,
9776 },
9777 },
9778 })
9779
9780 // Test that garbage ClientHello record versions are rejected.
9781 testCases = append(testCases, testCase{
9782 testType: serverTest,
9783 name: "GarbageInitialRecordVersion-" + ver.name,
9784 config: Config{
9785 MinVersion: ver.version,
9786 MaxVersion: ver.version,
9787 Bugs: ProtocolBugs{
9788 SendInitialRecordVersion: 0xffff,
9789 },
9790 },
9791 shouldFail: true,
9792 expectedError: ":WRONG_VERSION_NUMBER:",
9793 })
9794 }
9795}
9796
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9797func addCertificateTests() {
9798 // Test that a certificate chain with intermediate may be sent and
9799 // received as both client and server.
9800 for _, ver := range tlsVersions {
9801 testCases = append(testCases, testCase{
9802 testType: clientTest,
9803 name: "SendReceiveIntermediate-Client-" + ver.name,
9804 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9805 MinVersion: ver.version,
9806 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9807 Certificates: []Certificate{rsaChainCertificate},
9808 ClientAuth: RequireAnyClientCert,
9809 },
9810 expectPeerCertificate: &rsaChainCertificate,
9811 flags: []string{
9812 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9813 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9814 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9815 },
9816 })
9817
9818 testCases = append(testCases, testCase{
9819 testType: serverTest,
9820 name: "SendReceiveIntermediate-Server-" + ver.name,
9821 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9822 MinVersion: ver.version,
9823 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9824 Certificates: []Certificate{rsaChainCertificate},
9825 },
9826 expectPeerCertificate: &rsaChainCertificate,
9827 flags: []string{
9828 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9829 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9830 "-require-any-client-certificate",
9831 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9832 },
9833 })
9834 }
9835}
9836
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]9837func addRetainOnlySHA256ClientCertTests() {
9838 for _, ver := range tlsVersions {
9839 // Test that enabling
9840 // SSL_CTX_set_retain_only_sha256_of_client_certs without
9841 // actually requesting a client certificate is a no-op.
9842 testCases = append(testCases, testCase{
9843 testType: serverTest,
9844 name: "RetainOnlySHA256-NoCert-" + ver.name,
9845 config: Config{
9846 MinVersion: ver.version,
9847 MaxVersion: ver.version,
9848 },
9849 flags: []string{
9850 "-retain-only-sha256-client-cert-initial",
9851 "-retain-only-sha256-client-cert-resume",
9852 },
9853 resumeSession: true,
9854 })
9855
9856 // Test that when retaining only a SHA-256 certificate is
9857 // enabled, the hash appears as expected.
9858 testCases = append(testCases, testCase{
9859 testType: serverTest,
9860 name: "RetainOnlySHA256-Cert-" + ver.name,
9861 config: Config{
9862 MinVersion: ver.version,
9863 MaxVersion: ver.version,
9864 Certificates: []Certificate{rsaCertificate},
9865 },
9866 flags: []string{
9867 "-verify-peer",
9868 "-retain-only-sha256-client-cert-initial",
9869 "-retain-only-sha256-client-cert-resume",
9870 "-expect-sha256-client-cert-initial",
9871 "-expect-sha256-client-cert-resume",
9872 },
9873 resumeSession: true,
9874 })
9875
9876 // Test that when the config changes from on to off, a
9877 // resumption is rejected because the server now wants the full
9878 // certificate chain.
9879 testCases = append(testCases, testCase{
9880 testType: serverTest,
9881 name: "RetainOnlySHA256-OnOff-" + ver.name,
9882 config: Config{
9883 MinVersion: ver.version,
9884 MaxVersion: ver.version,
9885 Certificates: []Certificate{rsaCertificate},
9886 },
9887 flags: []string{
9888 "-verify-peer",
9889 "-retain-only-sha256-client-cert-initial",
9890 "-expect-sha256-client-cert-initial",
9891 },
9892 resumeSession: true,
9893 expectResumeRejected: true,
9894 })
9895
9896 // Test that when the config changes from off to on, a
9897 // resumption is rejected because the server now wants just the
9898 // hash.
9899 testCases = append(testCases, testCase{
9900 testType: serverTest,
9901 name: "RetainOnlySHA256-OffOn-" + ver.name,
9902 config: Config{
9903 MinVersion: ver.version,
9904 MaxVersion: ver.version,
9905 Certificates: []Certificate{rsaCertificate},
9906 },
9907 flags: []string{
9908 "-verify-peer",
9909 "-retain-only-sha256-client-cert-resume",
9910 "-expect-sha256-client-cert-resume",
9911 },
9912 resumeSession: true,
9913 expectResumeRejected: true,
9914 })
9915 }
9916}
9917
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]9918func addECDSAKeyUsageTests() {
9919 p256 := elliptic.P256()
9920 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
9921 if err != nil {
9922 panic(err)
9923 }
9924
9925 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
9926 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
9927 if err != nil {
9928 panic(err)
9929 }
9930
9931 template := x509.Certificate{
9932 SerialNumber: serialNumber,
9933 Subject: pkix.Name{
9934 Organization: []string{"Acme Co"},
9935 },
9936 NotBefore: time.Now(),
9937 NotAfter: time.Now(),
9938
9939 // An ECC certificate with only the keyAgreement key usgae may
9940 // be used with ECDH, but not ECDSA.
9941 KeyUsage: x509.KeyUsageKeyAgreement,
9942 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
9943 BasicConstraintsValid: true,
9944 }
9945
9946 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
9947 if err != nil {
9948 panic(err)
9949 }
9950
9951 cert := Certificate{
9952 Certificate: [][]byte{derBytes},
9953 PrivateKey: priv,
9954 }
9955
9956 for _, ver := range tlsVersions {
9957 if ver.version < VersionTLS12 {
9958 continue
9959 }
9960
9961 testCases = append(testCases, testCase{
9962 testType: clientTest,
9963 name: "ECDSAKeyUsage-" + ver.name,
9964 config: Config{
9965 MinVersion: ver.version,
9966 MaxVersion: ver.version,
9967 Certificates: []Certificate{cert},
9968 },
9969 shouldFail: true,
9970 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
9971 })
9972 }
9973}
9974
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]9975func addShortHeaderTests() {
9976 // The short header extension may be negotiated as either client or
9977 // server.
9978 testCases = append(testCases, testCase{
9979 name: "ShortHeader-Client",
9980 config: Config{
9981 MaxVersion: VersionTLS13,
9982 Bugs: ProtocolBugs{
9983 EnableShortHeader: true,
9984 },
9985 },
9986 flags: []string{"-enable-short-header"},
9987 expectShortHeader: true,
9988 })
9989 testCases = append(testCases, testCase{
9990 testType: serverTest,
9991 name: "ShortHeader-Server",
9992 config: Config{
9993 MaxVersion: VersionTLS13,
9994 Bugs: ProtocolBugs{
9995 EnableShortHeader: true,
9996 },
9997 },
9998 flags: []string{"-enable-short-header"},
9999 expectShortHeader: true,
10000 })
10001
10002 // If the peer doesn't support it, it will not be negotiated.
10003 testCases = append(testCases, testCase{
10004 name: "ShortHeader-No-Yes-Client",
10005 config: Config{
10006 MaxVersion: VersionTLS13,
10007 },
10008 flags: []string{"-enable-short-header"},
10009 })
10010 testCases = append(testCases, testCase{
10011 testType: serverTest,
10012 name: "ShortHeader-No-Yes-Server",
10013 config: Config{
10014 MaxVersion: VersionTLS13,
10015 },
10016 flags: []string{"-enable-short-header"},
10017 })
10018
10019 // If we don't support it, it will not be negotiated.
10020 testCases = append(testCases, testCase{
10021 name: "ShortHeader-Yes-No-Client",
10022 config: Config{
10023 MaxVersion: VersionTLS13,
10024 Bugs: ProtocolBugs{
10025 EnableShortHeader: true,
10026 },
10027 },
10028 })
10029 testCases = append(testCases, testCase{
10030 testType: serverTest,
10031 name: "ShortHeader-Yes-No-Server",
10032 config: Config{
10033 MaxVersion: VersionTLS13,
10034 Bugs: ProtocolBugs{
10035 EnableShortHeader: true,
10036 },
10037 },
10038 })
10039
10040 // It will not be negotiated at TLS 1.2.
10041 testCases = append(testCases, testCase{
10042 name: "ShortHeader-TLS12-Client",
10043 config: Config{
10044 MaxVersion: VersionTLS12,
10045 Bugs: ProtocolBugs{
10046 EnableShortHeader: true,
10047 },
10048 },
10049 flags: []string{"-enable-short-header"},
10050 })
10051 testCases = append(testCases, testCase{
10052 testType: serverTest,
10053 name: "ShortHeader-TLS12-Server",
10054 config: Config{
10055 MaxVersion: VersionTLS12,
10056 Bugs: ProtocolBugs{
10057 EnableShortHeader: true,
10058 },
10059 },
10060 flags: []string{"-enable-short-header"},
10061 })
10062
10063 // Servers reject early data and short header sent together.
10064 testCases = append(testCases, testCase{
10065 testType: serverTest,
10066 name: "ShortHeader-EarlyData",
10067 config: Config{
10068 MaxVersion: VersionTLS13,
10069 Bugs: ProtocolBugs{
10070 EnableShortHeader: true,
10071 SendEarlyDataLength: 1,
10072 },
10073 },
10074 flags: []string{"-enable-short-header"},
10075 shouldFail: true,
10076 expectedError: ":UNEXPECTED_EXTENSION:",
10077 })
10078
10079 // Clients reject unsolicited short header extensions.
10080 testCases = append(testCases, testCase{
10081 name: "ShortHeader-Unsolicited",
10082 config: Config{
10083 MaxVersion: VersionTLS13,
10084 Bugs: ProtocolBugs{
10085 AlwaysNegotiateShortHeader: true,
10086 },
10087 },
10088 shouldFail: true,
10089 expectedError: ":UNEXPECTED_EXTENSION:",
10090 })
10091 testCases = append(testCases, testCase{
10092 name: "ShortHeader-Unsolicited-TLS12",
10093 config: Config{
10094 MaxVersion: VersionTLS12,
10095 Bugs: ProtocolBugs{
10096 AlwaysNegotiateShortHeader: true,
10097 },
10098 },
10099 shouldFail: true,
10100 expectedError: ":UNEXPECTED_EXTENSION:",
10101 })
10102
10103 // The high bit must be checked in short headers.
10104 testCases = append(testCases, testCase{
10105 name: "ShortHeader-ClearShortHeaderBit",
10106 config: Config{
10107 Bugs: ProtocolBugs{
10108 EnableShortHeader: true,
10109 ClearShortHeaderBit: true,
10110 },
10111 },
10112 flags: []string{"-enable-short-header"},
10113 shouldFail: true,
10114 expectedError: ":DECODE_ERROR:",
10115 expectedLocalError: "remote error: error decoding message",
10116 })
10117}
10118
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10119func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10120 defer wg.Done()
10121
10122 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10123 var err error
10124
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10125 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10126 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10127 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10128 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10129 if err != nil {
10130 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10131 }
10132 break
10133 }
10134 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10135 } else if *repeatUntilFailure {
10136 for err == nil {
10137 statusChan <- statusMsg{test: test, started: true}
10138 err = runTest(test, shimPath, -1)
10139 }
10140 } else {
10141 statusChan <- statusMsg{test: test, started: true}
10142 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10143 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10144 statusChan <- statusMsg{test: test, err: err}
10145 }
10146}
10147
10148type statusMsg struct {
10149 test *testCase
10150 started bool
10151 err error
10152}
10153
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10154func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10155 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10156
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10157 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10158 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10159 if !*pipe {
10160 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10161 var erase string
10162 for i := 0; i < lineLen; i++ {
10163 erase += "\b \b"
10164 }
10165 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10166 }
10167
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10168 if msg.started {
10169 started++
10170 } else {
10171 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10172
10173 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10174 if msg.err == errUnimplemented {
10175 if *pipe {
10176 // Print each test instead of a status line.
10177 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10178 }
10179 unimplemented++
10180 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10181 } else {
10182 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10183 failed++
10184 testOutput.addResult(msg.test.name, "FAIL")
10185 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10186 } else {
10187 if *pipe {
10188 // Print each test instead of a status line.
10189 fmt.Printf("PASSED (%s)\n", msg.test.name)
10190 }
10191 testOutput.addResult(msg.test.name, "PASS")
10192 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10193 }
10194
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10195 if !*pipe {
10196 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10197 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10198 lineLen = len(line)
10199 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10200 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10201 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10202
10203 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10204}
10205
10206func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10207 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10208 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]10209 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10210
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10211 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10212 addCipherSuiteTests()
10213 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]10214 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]10215 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]10216 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]10217 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]10218 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]10219 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]10220 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]10221 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]10222 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]10223 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]10224 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]10225 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]10226 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]10227 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]10228 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]10229 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]10230 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]10231 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]10232 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]10233 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]10234 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]10235 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10236 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10237 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10238 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10239 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10240 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10241 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10242 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10243 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10244 addECDSAKeyUsageTests()
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10245 addShortHeaderTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10246
10247 var wg sync.WaitGroup
10248
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10249 statusChan := make(chan statusMsg, *numWorkers)
10250 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10251 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10252
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10253 if len(*shimConfigFile) != 0 {
10254 encoded, err := ioutil.ReadFile(*shimConfigFile)
10255 if err != nil {
10256 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
10257 os.Exit(1)
10258 }
10259
10260 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
10261 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
10262 os.Exit(1)
10263 }
10264 }
10265
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10266 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10267
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10268 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10269 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10270 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10271 }
10272
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10273 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10274 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10275 matched := true
10276 if len(*testToRun) != 0 {
10277 var err error
10278 matched, err = filepath.Match(*testToRun, testCases[i].name)
10279 if err != nil {
10280 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
10281 os.Exit(1)
10282 }
10283 }
10284
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10285 if !*includeDisabled {
10286 for pattern := range shimConfig.DisabledTests {
10287 isDisabled, err := filepath.Match(pattern, testCases[i].name)
10288 if err != nil {
10289 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
10290 os.Exit(1)
10291 }
10292
10293 if isDisabled {
10294 matched = false
10295 break
10296 }
10297 }
10298 }
10299
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10300 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10301 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10302 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10303
10304 // Only run one test if repeating until failure.
10305 if *repeatUntilFailure {
10306 break
10307 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10308 }
10309 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10310
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10311 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10312 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10313 os.Exit(1)
10314 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10315
10316 close(testChan)
10317 wg.Wait()
10318 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10319 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10320
10321 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10322
10323 if *jsonOutput != "" {
10324 if err := testOutput.writeTo(*jsonOutput); err != nil {
10325 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
10326 }
10327 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10328
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10329 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
10330 os.Exit(1)
10331 }
10332
10333 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10334 os.Exit(1)
10335 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10336}