Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / e3fbb36005d7b7fd611a10e104a2a3373e06e133 / . / ssl / test / runner / runner.go
blob: 3a884bc4c3356d8a30311fed6fadf33083cb0824 [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]25 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]26 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]27 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]28 "flag"
29 "fmt"
30 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]31 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]32 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33 "net"
34 "os"
35 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]36 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]37 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]38 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]39 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]40 "strings"
41 "sync"
42 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]43 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]44)
45
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]46var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]47 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
48 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
49 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
50 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
51 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
52 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
53 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
54 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]55 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]56 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
57 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
58 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
59 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
60 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
61 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
62 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
63 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]64 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]65 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
66 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]67 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]68)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]69
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]70// ShimConfigurations is used with the “json” package and represents a shim
71// config file.
72type ShimConfiguration struct {
73 // DisabledTests maps from a glob-based pattern to a freeform string.
74 // The glob pattern is used to exclude tests from being run and the
75 // freeform string is unparsed but expected to explain why the test is
76 // disabled.
77 DisabledTests map[string]string
78
79 // ErrorMap maps from expected error strings to the correct error
80 // string for the shim in question. For example, it might map
81 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
82 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
83 ErrorMap map[string]string
84}
85
86var shimConfig ShimConfiguration
87
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]88type testCert int
89
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]90const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]91 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]92 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]93 testCertRSAChain
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]94 testCertECDSAP256
95 testCertECDSAP384
96 testCertECDSAP521
97)
98
99const (
100 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]101 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]102 rsaChainCertificateFile = "rsa_chain_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]103 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
104 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
105 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]106)
107
108const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]109 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]110 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]111 rsaChainKeyFile = "rsa_chain_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]112 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
113 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
114 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]115 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]116)
117
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]118var (
119 rsaCertificate Certificate
120 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]121 rsaChainCertificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]122 ecdsaP256Certificate Certificate
123 ecdsaP384Certificate Certificate
124 ecdsaP521Certificate Certificate
125)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]126
127var testCerts = []struct {
128 id testCert
129 certFile, keyFile string
130 cert *Certificate
131}{
132 {
133 id: testCertRSA,
134 certFile: rsaCertificateFile,
135 keyFile: rsaKeyFile,
136 cert: &rsaCertificate,
137 },
138 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]139 id: testCertRSA1024,
140 certFile: rsa1024CertificateFile,
141 keyFile: rsa1024KeyFile,
142 cert: &rsa1024Certificate,
143 },
144 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]145 id: testCertRSAChain,
146 certFile: rsaChainCertificateFile,
147 keyFile: rsaChainKeyFile,
148 cert: &rsaChainCertificate,
149 },
150 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]151 id: testCertECDSAP256,
152 certFile: ecdsaP256CertificateFile,
153 keyFile: ecdsaP256KeyFile,
154 cert: &ecdsaP256Certificate,
155 },
156 {
157 id: testCertECDSAP384,
158 certFile: ecdsaP384CertificateFile,
159 keyFile: ecdsaP384KeyFile,
160 cert: &ecdsaP384Certificate,
161 },
162 {
163 id: testCertECDSAP521,
164 certFile: ecdsaP521CertificateFile,
165 keyFile: ecdsaP521KeyFile,
166 cert: &ecdsaP521Certificate,
167 },
168}
169
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]170var channelIDKey *ecdsa.PrivateKey
171var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]173var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]174var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]175
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]176var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]177var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]178
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]179func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]180 for i := range testCerts {
181 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
182 if err != nil {
183 panic(err)
184 }
185 cert.OCSPStaple = testOCSPResponse
186 cert.SignedCertificateTimestampList = testSCTList
187 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]189
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]190 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]191 if err != nil {
192 panic(err)
193 }
194 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
195 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
196 panic("bad key type")
197 }
198 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
199 if err != nil {
200 panic(err)
201 }
202 if channelIDKey.Curve != elliptic.P256() {
203 panic("bad curve")
204 }
205
206 channelIDBytes = make([]byte, 64)
207 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
208 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]209}
210
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]211func getRunnerCertificate(t testCert) Certificate {
212 for _, cert := range testCerts {
213 if cert.id == t {
214 return *cert.cert
215 }
216 }
217 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]218}
219
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]220func getShimCertificate(t testCert) string {
221 for _, cert := range testCerts {
222 if cert.id == t {
223 return cert.certFile
224 }
225 }
226 panic("Unknown test certificate")
227}
228
229func getShimKey(t testCert) string {
230 for _, cert := range testCerts {
231 if cert.id == t {
232 return cert.keyFile
233 }
234 }
235 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]236}
237
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]238type testType int
239
240const (
241 clientTest testType = iota
242 serverTest
243)
244
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]245type protocol int
246
247const (
248 tls protocol = iota
249 dtls
250)
251
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]252const (
253 alpn = 1
254 npn = 2
255)
256
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]257type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]258 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]259 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]260 name string
261 config Config
262 shouldFail bool
263 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]264 // expectedLocalError, if not empty, contains a substring that must be
265 // found in the local error.
266 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]267 // expectedVersion, if non-zero, specifies the TLS version that must be
268 // negotiated.
269 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]270 // expectedResumeVersion, if non-zero, specifies the TLS version that
271 // must be negotiated on resumption. If zero, expectedVersion is used.
272 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]273 // expectedCipher, if non-zero, specifies the TLS cipher suite that
274 // should be negotiated.
275 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]276 // expectChannelID controls whether the connection should have
277 // negotiated a Channel ID with channelIDKey.
278 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]279 // expectedNextProto controls whether the connection should
280 // negotiate a next protocol via NPN or ALPN.
281 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]282 // expectNoNextProto, if true, means that no next protocol should be
283 // negotiated.
284 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]285 // expectedNextProtoType, if non-zero, is the expected next
286 // protocol negotiation mechanism.
287 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]288 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
289 // should be negotiated. If zero, none should be negotiated.
290 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]291 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
292 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]293 // expectedSCTList, if not nil, is the expected SCT list to be received.
294 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]295 // expectedPeerSignatureAlgorithm, if not zero, is the signature
296 // algorithm that the peer should have used in the handshake.
297 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]298 // expectedCurveID, if not zero, is the curve that the handshake should
299 // have used.
300 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]301 // messageLen is the length, in bytes, of the test message that will be
302 // sent.
303 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]304 // messageCount is the number of test messages that will be sent.
305 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]306 // certFile is the path to the certificate to use for the server.
307 certFile string
308 // keyFile is the path to the private key to use for the server.
309 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]310 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]311 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]312 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]313 // resumeRenewedSession controls whether a third connection should be
314 // tested which attempts to resume the second connection's session.
315 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]316 // expectResumeRejected, if true, specifies that the attempted
317 // resumption must be rejected by the client. This is only valid for a
318 // serverTest.
319 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]320 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]321 // resumption. Unless newSessionsOnResume is set,
322 // SessionTicketKey, ServerSessionCache, and
323 // ClientSessionCache are copied from the initial connection's
324 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]325 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]326 // newSessionsOnResume, if true, will cause resumeConfig to
327 // use a different session resumption context.
328 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]329 // noSessionCache, if true, will cause the server to run without a
330 // session cache.
331 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]332 // sendPrefix sends a prefix on the socket before actually performing a
333 // handshake.
334 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]335 // shimWritesFirst controls whether the shim sends an initial "hello"
336 // message before doing a roundtrip with the runner.
337 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]338 // shimShutsDown, if true, runs a test where the shim shuts down the
339 // connection immediately after the handshake rather than echoing
340 // messages from the runner.
341 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]342 // renegotiate indicates the number of times the connection should be
343 // renegotiated during the exchange.
344 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]345 // sendHalfHelloRequest, if true, causes the server to send half a
346 // HelloRequest when the handshake completes.
347 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]348 // renegotiateCiphers is a list of ciphersuite ids that will be
349 // switched in just before renegotiation.
350 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]351 // replayWrites, if true, configures the underlying transport
352 // to replay every write it makes in DTLS tests.
353 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]354 // damageFirstWrite, if true, configures the underlying transport to
355 // damage the final byte of the first application data write.
356 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]357 // exportKeyingMaterial, if non-zero, configures the test to exchange
358 // keying material and verify they match.
359 exportKeyingMaterial int
360 exportLabel string
361 exportContext string
362 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]363 // flags, if not empty, contains a list of command-line flags that will
364 // be passed to the shim program.
365 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]366 // testTLSUnique, if true, causes the shim to send the tls-unique value
367 // which will be compared against the expected value.
368 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]369 // sendEmptyRecords is the number of consecutive empty records to send
370 // before and after the test message.
371 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]372 // sendWarningAlerts is the number of consecutive warning alerts to send
373 // before and after the test message.
374 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]375 // sendKeyUpdates is the number of consecutive key updates to send
376 // before and after the test message.
377 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]378 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
379 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]380 // expectMessageDropped, if true, means the test message is expected to
381 // be dropped by the client rather than echoed back.
382 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]383 // expectPeerCertificate, if not nil, is the certificate chain the peer
384 // is expected to send.
385 expectPeerCertificate *Certificate
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]386 // expectShortHeader is whether the short header extension should be negotiated.
387 expectShortHeader bool
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]388}
389
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]390var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]391
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]392func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]393 if len(data) == 0 {
394 return
395 }
396
397 protocol := "tls"
398 if test.protocol == dtls {
399 protocol = "dtls"
400 }
401
402 side := "client"
403 if test.testType == serverTest {
404 side = "server"
405 }
406
407 dir := path.Join(*transcriptDir, protocol, side)
408 if err := os.MkdirAll(dir, 0755); err != nil {
409 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
410 return
411 }
412
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]413 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]414 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
415 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
416 }
417}
418
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]419// A timeoutConn implements an idle timeout on each Read and Write operation.
420type timeoutConn struct {
421 net.Conn
422 timeout time.Duration
423}
424
425func (t *timeoutConn) Read(b []byte) (int, error) {
426 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
427 return 0, err
428 }
429 return t.Conn.Read(b)
430}
431
432func (t *timeoutConn) Write(b []byte) (int, error) {
433 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
434 return 0, err
435 }
436 return t.Conn.Write(b)
437}
438
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]439func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]440 if !test.noSessionCache {
441 if config.ClientSessionCache == nil {
442 config.ClientSessionCache = NewLRUClientSessionCache(1)
443 }
444 if config.ServerSessionCache == nil {
445 config.ServerSessionCache = NewLRUServerSessionCache(1)
446 }
447 }
448 if test.testType == clientTest {
449 if len(config.Certificates) == 0 {
450 config.Certificates = []Certificate{rsaCertificate}
451 }
452 } else {
453 // Supply a ServerName to ensure a constant session cache key,
454 // rather than falling back to net.Conn.RemoteAddr.
455 if len(config.ServerName) == 0 {
456 config.ServerName = "test"
457 }
458 }
459 if *fuzzer {
460 config.Bugs.NullAllCiphers = true
461 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]462 if *deterministic {
463 config.Time = func() time.Time { return time.Unix(1234, 1234) }
464 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]465
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]466 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]467
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]468 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]469 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
470 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]471 }
472
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]473 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]474 local, peer := "client", "server"
475 if test.testType == clientTest {
476 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]477 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]478 connDebug := &recordingConn{
479 Conn: conn,
480 isDatagram: test.protocol == dtls,
481 local: local,
482 peer: peer,
483 }
484 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]485 if *flagDebug {
486 defer connDebug.WriteTo(os.Stdout)
487 }
488 if len(*transcriptDir) != 0 {
489 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]490 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]491 }()
492 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]493
494 if config.Bugs.PacketAdaptor != nil {
495 config.Bugs.PacketAdaptor.debug = connDebug
496 }
497 }
498
499 if test.replayWrites {
500 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]501 }
502
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]503 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]504 if test.damageFirstWrite {
505 connDamage = newDamageAdaptor(conn)
506 conn = connDamage
507 }
508
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]509 if test.sendPrefix != "" {
510 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
511 return err
512 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]513 }
514
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]515 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]516 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]517 if test.protocol == dtls {
518 tlsConn = DTLSServer(conn, config)
519 } else {
520 tlsConn = Server(conn, config)
521 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]522 } else {
523 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]524 if test.protocol == dtls {
525 tlsConn = DTLSClient(conn, config)
526 } else {
527 tlsConn = Client(conn, config)
528 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]529 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]530 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]531
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]532 if err := tlsConn.Handshake(); err != nil {
533 return err
534 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]535
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]536 // TODO(davidben): move all per-connection expectations into a dedicated
537 // expectations struct that can be specified separately for the two
538 // legs.
539 expectedVersion := test.expectedVersion
540 if isResume && test.expectedResumeVersion != 0 {
541 expectedVersion = test.expectedResumeVersion
542 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]543 connState := tlsConn.ConnectionState()
544 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]545 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]546 }
547
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]548 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]549 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
550 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]551 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
552 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
553 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]554
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]555 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]556 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]557 if channelID == nil {
558 return fmt.Errorf("no channel ID negotiated")
559 }
560 if channelID.Curve != channelIDKey.Curve ||
561 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
562 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
563 return fmt.Errorf("incorrect channel ID")
564 }
565 }
566
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]567 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]568 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]569 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
570 }
571 }
572
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]573 if test.expectNoNextProto {
574 if actual := connState.NegotiatedProtocol; actual != "" {
575 return fmt.Errorf("got unexpected next proto %s", actual)
576 }
577 }
578
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]579 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]580 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]581 return fmt.Errorf("next proto type mismatch")
582 }
583 }
584
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]585 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]586 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
587 }
588
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]589 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]590 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]591 }
592
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]593 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
594 return fmt.Errorf("SCT list mismatch")
595 }
596
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]597 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
598 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]599 }
600
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]601 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
602 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
603 }
604
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]605 if test.expectPeerCertificate != nil {
606 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
607 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
608 }
609 for i, cert := range connState.PeerCertificates {
610 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
611 return fmt.Errorf("peer certificate %d did not match", i+1)
612 }
613 }
614 }
615
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]616 if test.expectShortHeader != connState.ShortHeader {
617 return fmt.Errorf("ShortHeader is %t, but we expected the opposite", connState.ShortHeader)
618 }
619
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]620 if test.exportKeyingMaterial > 0 {
621 actual := make([]byte, test.exportKeyingMaterial)
622 if _, err := io.ReadFull(tlsConn, actual); err != nil {
623 return err
624 }
625 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
626 if err != nil {
627 return err
628 }
629 if !bytes.Equal(actual, expected) {
630 return fmt.Errorf("keying material mismatch")
631 }
632 }
633
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]634 if test.testTLSUnique {
635 var peersValue [12]byte
636 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
637 return err
638 }
639 expected := tlsConn.ConnectionState().TLSUnique
640 if !bytes.Equal(peersValue[:], expected) {
641 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
642 }
643 }
644
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]645 if test.shimWritesFirst {
646 var buf [5]byte
647 _, err := io.ReadFull(tlsConn, buf[:])
648 if err != nil {
649 return err
650 }
651 if string(buf[:]) != "hello" {
652 return fmt.Errorf("bad initial message")
653 }
654 }
655
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]656 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]657 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]658 return err
659 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]660 }
661
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]662 for i := 0; i < test.sendEmptyRecords; i++ {
663 tlsConn.Write(nil)
664 }
665
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]666 for i := 0; i < test.sendWarningAlerts; i++ {
667 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
668 }
669
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]670 if test.sendHalfHelloRequest {
671 tlsConn.SendHalfHelloRequest()
672 }
673
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]674 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]675 if test.renegotiateCiphers != nil {
676 config.CipherSuites = test.renegotiateCiphers
677 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]678 for i := 0; i < test.renegotiate; i++ {
679 if err := tlsConn.Renegotiate(); err != nil {
680 return err
681 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]682 }
683 } else if test.renegotiateCiphers != nil {
684 panic("renegotiateCiphers without renegotiate")
685 }
686
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]687 if test.damageFirstWrite {
688 connDamage.setDamage(true)
689 tlsConn.Write([]byte("DAMAGED WRITE"))
690 connDamage.setDamage(false)
691 }
692
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]693 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]694 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]695 if test.protocol == dtls {
696 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
697 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]698 // Read until EOF.
699 _, err := io.Copy(ioutil.Discard, tlsConn)
700 return err
701 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]702 if messageLen == 0 {
703 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]704 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]705
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]706 messageCount := test.messageCount
707 if messageCount == 0 {
708 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]709 }
710
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]711 for j := 0; j < messageCount; j++ {
712 testMessage := make([]byte, messageLen)
713 for i := range testMessage {
714 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]715 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]716 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]717
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]718 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]719 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]720 }
721
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]722 for i := 0; i < test.sendEmptyRecords; i++ {
723 tlsConn.Write(nil)
724 }
725
726 for i := 0; i < test.sendWarningAlerts; i++ {
727 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
728 }
729
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]730 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]731 // The shim will not respond.
732 continue
733 }
734
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 buf := make([]byte, len(testMessage))
736 if test.protocol == dtls {
737 bufTmp := make([]byte, len(buf)+1)
738 n, err := tlsConn.Read(bufTmp)
739 if err != nil {
740 return err
741 }
742 if n != len(buf) {
743 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
744 }
745 copy(buf, bufTmp)
746 } else {
747 _, err := io.ReadFull(tlsConn, buf)
748 if err != nil {
749 return err
750 }
751 }
752
753 for i, v := range buf {
754 if v != testMessage[i]^0xff {
755 return fmt.Errorf("bad reply contents at byte %d", i)
756 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]757 }
758 }
759
760 return nil
761}
762
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]763func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]764 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]765 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]766 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]767 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]768 valgrindArgs = append(valgrindArgs, path)
769 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]771 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]772}
773
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]774func gdbOf(path string, args ...string) *exec.Cmd {
775 xtermArgs := []string{"-e", "gdb", "--args"}
776 xtermArgs = append(xtermArgs, path)
777 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]778
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]779 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]780}
781
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]782func lldbOf(path string, args ...string) *exec.Cmd {
783 xtermArgs := []string{"-e", "lldb", "--"}
784 xtermArgs = append(xtermArgs, path)
785 xtermArgs = append(xtermArgs, args...)
786
787 return exec.Command("xterm", xtermArgs...)
788}
789
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]790var (
791 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
792 errUnimplemented = errors.New("child process does not implement needed flags")
793)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]794
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]795// accept accepts a connection from listener, unless waitChan signals a process
796// exit first.
797func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
798 type connOrError struct {
799 conn net.Conn
800 err error
801 }
802 connChan := make(chan connOrError, 1)
803 go func() {
804 conn, err := listener.Accept()
805 connChan <- connOrError{conn, err}
806 close(connChan)
807 }()
808 select {
809 case result := <-connChan:
810 return result.conn, result.err
811 case childErr := <-waitChan:
812 waitChan <- childErr
813 return nil, fmt.Errorf("child exited early: %s", childErr)
814 }
815}
816
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]817func translateExpectedError(errorStr string) string {
818 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
819 return translated
820 }
821
822 if *looseErrors {
823 return ""
824 }
825
826 return errorStr
827}
828
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]829func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]830 // Help debugging panics on the Go side.
831 defer func() {
832 if r := recover(); r != nil {
833 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
834 panic(r)
835 }
836 }()
837
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]838 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
839 panic("Error expected without shouldFail in " + test.name)
840 }
841
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]842 if test.expectResumeRejected && !test.resumeSession {
843 panic("expectResumeRejected without resumeSession in " + test.name)
844 }
845
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]846 for _, ver := range tlsVersions {
847 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
848 continue
849 }
850
851 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
852 continue
853 }
854
855 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
856 }
857
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]858 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
859 if err != nil {
860 panic(err)
861 }
862 defer func() {
863 if listener != nil {
864 listener.Close()
865 }
866 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]868 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]869 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]870 flags = append(flags, "-server")
871
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]872 flags = append(flags, "-key-file")
873 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]874 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]875 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]876 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]877 }
878
879 flags = append(flags, "-cert-file")
880 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]881 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]882 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]883 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]884 }
885 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]886
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]887 if test.protocol == dtls {
888 flags = append(flags, "-dtls")
889 }
890
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]891 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]892 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]893 resumeCount++
894 if test.resumeRenewedSession {
895 resumeCount++
896 }
897 }
898
899 if resumeCount > 0 {
900 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]901 }
902
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]903 if test.shimWritesFirst {
904 flags = append(flags, "-shim-writes-first")
905 }
906
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]907 if test.shimShutsDown {
908 flags = append(flags, "-shim-shuts-down")
909 }
910
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]911 if test.exportKeyingMaterial > 0 {
912 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
913 flags = append(flags, "-export-label", test.exportLabel)
914 flags = append(flags, "-export-context", test.exportContext)
915 if test.useExportContext {
916 flags = append(flags, "-use-export-context")
917 }
918 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]919 if test.expectResumeRejected {
920 flags = append(flags, "-expect-session-miss")
921 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]922
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]923 if test.testTLSUnique {
924 flags = append(flags, "-tls-unique")
925 }
926
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]927 flags = append(flags, test.flags...)
928
929 var shim *exec.Cmd
930 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]931 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]932 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]933 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]934 } else if *useLLDB {
935 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]936 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]937 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]938 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]939 shim.Stdin = os.Stdin
940 var stdoutBuf, stderrBuf bytes.Buffer
941 shim.Stdout = &stdoutBuf
942 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]943 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]944 shim.Env = os.Environ()
945 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]946 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]947 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]948 }
949 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
950 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]951
952 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953 panic(err)
954 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]955 waitChan := make(chan error, 1)
956 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]957
958 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]959
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]960 if *deterministic {
961 config.Rand = &deterministicRand{}
962 }
963
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]964 conn, err := acceptOrWait(listener, waitChan)
965 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]966 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]967 conn.Close()
968 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]969
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]970 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]971 var resumeConfig Config
972 if test.resumeConfig != nil {
973 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]974 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]975 resumeConfig.SessionTicketKey = config.SessionTicketKey
976 resumeConfig.ClientSessionCache = config.ClientSessionCache
977 resumeConfig.ServerSessionCache = config.ServerSessionCache
978 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]979 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]980 } else {
981 resumeConfig = config
982 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]983 var connResume net.Conn
984 connResume, err = acceptOrWait(listener, waitChan)
985 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]986 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]987 connResume.Close()
988 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]989 }
990
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]991 // Close the listener now. This is to avoid hangs should the shim try to
992 // open more connections than expected.
993 listener.Close()
994 listener = nil
995
996 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]997 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]998 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]999 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1000 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1001 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1002 case 89:
1003 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1004 case 99:
1005 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1006 }
1007 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1009 // Account for Windows line endings.
1010 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1011 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1012
1013 // Separate the errors from the shim and those from tools like
1014 // AddressSanitizer.
1015 var extraStderr string
1016 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1017 stderr = stderrParts[0]
1018 extraStderr = stderrParts[1]
1019 }
1020
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1021 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1022 expectedError := translateExpectedError(test.expectedError)
1023 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1024
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1025 localError := "none"
1026 if err != nil {
1027 localError = err.Error()
1028 }
1029 if len(test.expectedLocalError) != 0 {
1030 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1031 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1032
1033 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1034 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1035 if childErr != nil {
1036 childError = childErr.Error()
1037 }
1038
1039 var msg string
1040 switch {
1041 case failed && !test.shouldFail:
1042 msg = "unexpected failure"
1043 case !failed && test.shouldFail:
1044 msg = "unexpected success"
1045 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1046 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 default:
1048 panic("internal error")
1049 }
1050
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1051 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1052 }
1053
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1054 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1055 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1056 }
1057
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1058 if *useValgrind && isValgrindError {
1059 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1060 }
1061
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062 return nil
1063}
1064
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1065type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 name string
1067 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1068 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1069 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1070}
1071
1072var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1073 {"SSL3", VersionSSL30, "-no-ssl3", false},
1074 {"TLS1", VersionTLS10, "-no-tls1", true},
1075 {"TLS11", VersionTLS11, "-no-tls11", false},
1076 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1077 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078}
1079
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1080type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 name string
1082 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1083}
1084
1085var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1087 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1089 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1090 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1091 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1092 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1093 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1094 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1095 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1096 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
1097 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1098 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1099 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1100 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1101 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1102 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1104 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1105 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -0500[diff] [blame]1106 {"ECDHE-ECDSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1108 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1109 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1110 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1111 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1112 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1113 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamine3203922015-12-09 21:21:31 -0500[diff] [blame]1114 {"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1115 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1116 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1117 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1118 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1119 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1120 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1121 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1122 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1123 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1124}
1125
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1126func hasComponent(suiteName, component string) bool {
1127 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1128}
1129
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1130func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1131 return hasComponent(suiteName, "GCM") ||
1132 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1133 hasComponent(suiteName, "SHA384") ||
1134 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1135}
1136
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1137func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1138 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1139}
1140
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1141func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1142 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1143}
1144
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1145func bigFromHex(hex string) *big.Int {
1146 ret, ok := new(big.Int).SetString(hex, 16)
1147 if !ok {
1148 panic("failed to parse hex number 0x" + hex)
1149 }
1150 return ret
1151}
1152
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1153func addBasicTests() {
1154 basicTests := []testCase{
1155 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1156 name: "NoFallbackSCSV",
1157 config: Config{
1158 Bugs: ProtocolBugs{
1159 FailIfNotFallbackSCSV: true,
1160 },
1161 },
1162 shouldFail: true,
1163 expectedLocalError: "no fallback SCSV found",
1164 },
1165 {
1166 name: "SendFallbackSCSV",
1167 config: Config{
1168 Bugs: ProtocolBugs{
1169 FailIfNotFallbackSCSV: true,
1170 },
1171 },
1172 flags: []string{"-fallback-scsv"},
1173 },
1174 {
1175 name: "ClientCertificateTypes",
1176 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1177 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1178 ClientAuth: RequestClientCert,
1179 ClientCertificateTypes: []byte{
1180 CertTypeDSSSign,
1181 CertTypeRSASign,
1182 CertTypeECDSASign,
1183 },
1184 },
1185 flags: []string{
1186 "-expect-certificate-types",
1187 base64.StdEncoding.EncodeToString([]byte{
1188 CertTypeDSSSign,
1189 CertTypeRSASign,
1190 CertTypeECDSASign,
1191 }),
1192 },
1193 },
1194 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1195 name: "UnauthenticatedECDH",
1196 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1197 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1198 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1199 Bugs: ProtocolBugs{
1200 UnauthenticatedECDH: true,
1201 },
1202 },
1203 shouldFail: true,
1204 expectedError: ":UNEXPECTED_MESSAGE:",
1205 },
1206 {
1207 name: "SkipCertificateStatus",
1208 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1209 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1210 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1211 Bugs: ProtocolBugs{
1212 SkipCertificateStatus: true,
1213 },
1214 },
1215 flags: []string{
1216 "-enable-ocsp-stapling",
1217 },
1218 },
1219 {
1220 name: "SkipServerKeyExchange",
1221 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1222 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1223 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1224 Bugs: ProtocolBugs{
1225 SkipServerKeyExchange: true,
1226 },
1227 },
1228 shouldFail: true,
1229 expectedError: ":UNEXPECTED_MESSAGE:",
1230 },
1231 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1232 testType: serverTest,
1233 name: "Alert",
1234 config: Config{
1235 Bugs: ProtocolBugs{
1236 SendSpuriousAlert: alertRecordOverflow,
1237 },
1238 },
1239 shouldFail: true,
1240 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1241 },
1242 {
1243 protocol: dtls,
1244 testType: serverTest,
1245 name: "Alert-DTLS",
1246 config: Config{
1247 Bugs: ProtocolBugs{
1248 SendSpuriousAlert: alertRecordOverflow,
1249 },
1250 },
1251 shouldFail: true,
1252 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1253 },
1254 {
1255 testType: serverTest,
1256 name: "FragmentAlert",
1257 config: Config{
1258 Bugs: ProtocolBugs{
1259 FragmentAlert: true,
1260 SendSpuriousAlert: alertRecordOverflow,
1261 },
1262 },
1263 shouldFail: true,
1264 expectedError: ":BAD_ALERT:",
1265 },
1266 {
1267 protocol: dtls,
1268 testType: serverTest,
1269 name: "FragmentAlert-DTLS",
1270 config: Config{
1271 Bugs: ProtocolBugs{
1272 FragmentAlert: true,
1273 SendSpuriousAlert: alertRecordOverflow,
1274 },
1275 },
1276 shouldFail: true,
1277 expectedError: ":BAD_ALERT:",
1278 },
1279 {
1280 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1281 name: "DoubleAlert",
1282 config: Config{
1283 Bugs: ProtocolBugs{
1284 DoubleAlert: true,
1285 SendSpuriousAlert: alertRecordOverflow,
1286 },
1287 },
1288 shouldFail: true,
1289 expectedError: ":BAD_ALERT:",
1290 },
1291 {
1292 protocol: dtls,
1293 testType: serverTest,
1294 name: "DoubleAlert-DTLS",
1295 config: Config{
1296 Bugs: ProtocolBugs{
1297 DoubleAlert: true,
1298 SendSpuriousAlert: alertRecordOverflow,
1299 },
1300 },
1301 shouldFail: true,
1302 expectedError: ":BAD_ALERT:",
1303 },
1304 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1305 name: "SkipNewSessionTicket",
1306 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1307 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1308 Bugs: ProtocolBugs{
1309 SkipNewSessionTicket: true,
1310 },
1311 },
1312 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1313 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1314 },
1315 {
1316 testType: serverTest,
1317 name: "FallbackSCSV",
1318 config: Config{
1319 MaxVersion: VersionTLS11,
1320 Bugs: ProtocolBugs{
1321 SendFallbackSCSV: true,
1322 },
1323 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1324 shouldFail: true,
1325 expectedError: ":INAPPROPRIATE_FALLBACK:",
1326 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1327 },
1328 {
1329 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1330 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1331 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1332 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1333 Bugs: ProtocolBugs{
1334 SendFallbackSCSV: true,
1335 },
1336 },
1337 },
1338 {
1339 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1340 name: "FallbackSCSV-VersionMatch-TLS12",
1341 config: Config{
1342 MaxVersion: VersionTLS12,
1343 Bugs: ProtocolBugs{
1344 SendFallbackSCSV: true,
1345 },
1346 },
1347 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1348 },
1349 {
1350 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1351 name: "FragmentedClientVersion",
1352 config: Config{
1353 Bugs: ProtocolBugs{
1354 MaxHandshakeRecordLength: 1,
1355 FragmentClientVersion: true,
1356 },
1357 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1358 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1359 },
1360 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1361 testType: serverTest,
1362 name: "HttpGET",
1363 sendPrefix: "GET / HTTP/1.0\n",
1364 shouldFail: true,
1365 expectedError: ":HTTP_REQUEST:",
1366 },
1367 {
1368 testType: serverTest,
1369 name: "HttpPOST",
1370 sendPrefix: "POST / HTTP/1.0\n",
1371 shouldFail: true,
1372 expectedError: ":HTTP_REQUEST:",
1373 },
1374 {
1375 testType: serverTest,
1376 name: "HttpHEAD",
1377 sendPrefix: "HEAD / HTTP/1.0\n",
1378 shouldFail: true,
1379 expectedError: ":HTTP_REQUEST:",
1380 },
1381 {
1382 testType: serverTest,
1383 name: "HttpPUT",
1384 sendPrefix: "PUT / HTTP/1.0\n",
1385 shouldFail: true,
1386 expectedError: ":HTTP_REQUEST:",
1387 },
1388 {
1389 testType: serverTest,
1390 name: "HttpCONNECT",
1391 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1392 shouldFail: true,
1393 expectedError: ":HTTPS_PROXY_REQUEST:",
1394 },
1395 {
1396 testType: serverTest,
1397 name: "Garbage",
1398 sendPrefix: "blah",
1399 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1400 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1401 },
1402 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1403 name: "RSAEphemeralKey",
1404 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1405 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1406 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1407 Bugs: ProtocolBugs{
1408 RSAEphemeralKey: true,
1409 },
1410 },
1411 shouldFail: true,
1412 expectedError: ":UNEXPECTED_MESSAGE:",
1413 },
1414 {
1415 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1416 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1417 shouldFail: true,
1418 expectedError: ":WRONG_SSL_VERSION:",
1419 },
1420 {
1421 protocol: dtls,
1422 name: "DisableEverything-DTLS",
1423 flags: []string{"-no-tls12", "-no-tls1"},
1424 shouldFail: true,
1425 expectedError: ":WRONG_SSL_VERSION:",
1426 },
1427 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1428 protocol: dtls,
1429 testType: serverTest,
1430 name: "MTU",
1431 config: Config{
1432 Bugs: ProtocolBugs{
1433 MaxPacketLength: 256,
1434 },
1435 },
1436 flags: []string{"-mtu", "256"},
1437 },
1438 {
1439 protocol: dtls,
1440 testType: serverTest,
1441 name: "MTUExceeded",
1442 config: Config{
1443 Bugs: ProtocolBugs{
1444 MaxPacketLength: 255,
1445 },
1446 },
1447 flags: []string{"-mtu", "256"},
1448 shouldFail: true,
1449 expectedLocalError: "dtls: exceeded maximum packet length",
1450 },
1451 {
1452 name: "CertMismatchRSA",
1453 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1454 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1455 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1456 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1457 Bugs: ProtocolBugs{
1458 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1459 },
1460 },
1461 shouldFail: true,
1462 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1463 },
1464 {
1465 name: "CertMismatchECDSA",
1466 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1467 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1468 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1469 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1470 Bugs: ProtocolBugs{
1471 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1472 },
1473 },
1474 shouldFail: true,
1475 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1476 },
1477 {
1478 name: "EmptyCertificateList",
1479 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1480 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1481 Bugs: ProtocolBugs{
1482 EmptyCertificateList: true,
1483 },
1484 },
1485 shouldFail: true,
1486 expectedError: ":DECODE_ERROR:",
1487 },
1488 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1489 name: "EmptyCertificateList-TLS13",
1490 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1491 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1492 Bugs: ProtocolBugs{
1493 EmptyCertificateList: true,
1494 },
1495 },
1496 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1497 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1498 },
1499 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1500 name: "TLSFatalBadPackets",
1501 damageFirstWrite: true,
1502 shouldFail: true,
1503 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1504 },
1505 {
1506 protocol: dtls,
1507 name: "DTLSIgnoreBadPackets",
1508 damageFirstWrite: true,
1509 },
1510 {
1511 protocol: dtls,
1512 name: "DTLSIgnoreBadPackets-Async",
1513 damageFirstWrite: true,
1514 flags: []string{"-async"},
1515 },
1516 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1517 name: "AppDataBeforeHandshake",
1518 config: Config{
1519 Bugs: ProtocolBugs{
1520 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1521 },
1522 },
1523 shouldFail: true,
1524 expectedError: ":UNEXPECTED_RECORD:",
1525 },
1526 {
1527 name: "AppDataBeforeHandshake-Empty",
1528 config: Config{
1529 Bugs: ProtocolBugs{
1530 AppDataBeforeHandshake: []byte{},
1531 },
1532 },
1533 shouldFail: true,
1534 expectedError: ":UNEXPECTED_RECORD:",
1535 },
1536 {
1537 protocol: dtls,
1538 name: "AppDataBeforeHandshake-DTLS",
1539 config: Config{
1540 Bugs: ProtocolBugs{
1541 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1542 },
1543 },
1544 shouldFail: true,
1545 expectedError: ":UNEXPECTED_RECORD:",
1546 },
1547 {
1548 protocol: dtls,
1549 name: "AppDataBeforeHandshake-DTLS-Empty",
1550 config: Config{
1551 Bugs: ProtocolBugs{
1552 AppDataBeforeHandshake: []byte{},
1553 },
1554 },
1555 shouldFail: true,
1556 expectedError: ":UNEXPECTED_RECORD:",
1557 },
1558 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1559 name: "AppDataAfterChangeCipherSpec",
1560 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1561 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1562 Bugs: ProtocolBugs{
1563 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1564 },
1565 },
1566 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1567 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1568 },
1569 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1570 name: "AppDataAfterChangeCipherSpec-Empty",
1571 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1572 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1573 Bugs: ProtocolBugs{
1574 AppDataAfterChangeCipherSpec: []byte{},
1575 },
1576 },
1577 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1578 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1579 },
1580 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1581 protocol: dtls,
1582 name: "AppDataAfterChangeCipherSpec-DTLS",
1583 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1584 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1585 Bugs: ProtocolBugs{
1586 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1587 },
1588 },
1589 // BoringSSL's DTLS implementation will drop the out-of-order
1590 // application data.
1591 },
1592 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1593 protocol: dtls,
1594 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1596 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1597 Bugs: ProtocolBugs{
1598 AppDataAfterChangeCipherSpec: []byte{},
1599 },
1600 },
1601 // BoringSSL's DTLS implementation will drop the out-of-order
1602 // application data.
1603 },
1604 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1605 name: "AlertAfterChangeCipherSpec",
1606 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1607 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1608 Bugs: ProtocolBugs{
1609 AlertAfterChangeCipherSpec: alertRecordOverflow,
1610 },
1611 },
1612 shouldFail: true,
1613 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1614 },
1615 {
1616 protocol: dtls,
1617 name: "AlertAfterChangeCipherSpec-DTLS",
1618 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1619 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1620 Bugs: ProtocolBugs{
1621 AlertAfterChangeCipherSpec: alertRecordOverflow,
1622 },
1623 },
1624 shouldFail: true,
1625 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1626 },
1627 {
1628 protocol: dtls,
1629 name: "ReorderHandshakeFragments-Small-DTLS",
1630 config: Config{
1631 Bugs: ProtocolBugs{
1632 ReorderHandshakeFragments: true,
1633 // Small enough that every handshake message is
1634 // fragmented.
1635 MaxHandshakeRecordLength: 2,
1636 },
1637 },
1638 },
1639 {
1640 protocol: dtls,
1641 name: "ReorderHandshakeFragments-Large-DTLS",
1642 config: Config{
1643 Bugs: ProtocolBugs{
1644 ReorderHandshakeFragments: true,
1645 // Large enough that no handshake message is
1646 // fragmented.
1647 MaxHandshakeRecordLength: 2048,
1648 },
1649 },
1650 },
1651 {
1652 protocol: dtls,
1653 name: "MixCompleteMessageWithFragments-DTLS",
1654 config: Config{
1655 Bugs: ProtocolBugs{
1656 ReorderHandshakeFragments: true,
1657 MixCompleteMessageWithFragments: true,
1658 MaxHandshakeRecordLength: 2,
1659 },
1660 },
1661 },
1662 {
1663 name: "SendInvalidRecordType",
1664 config: Config{
1665 Bugs: ProtocolBugs{
1666 SendInvalidRecordType: true,
1667 },
1668 },
1669 shouldFail: true,
1670 expectedError: ":UNEXPECTED_RECORD:",
1671 },
1672 {
1673 protocol: dtls,
1674 name: "SendInvalidRecordType-DTLS",
1675 config: Config{
1676 Bugs: ProtocolBugs{
1677 SendInvalidRecordType: true,
1678 },
1679 },
1680 shouldFail: true,
1681 expectedError: ":UNEXPECTED_RECORD:",
1682 },
1683 {
1684 name: "FalseStart-SkipServerSecondLeg",
1685 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1686 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1687 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1688 NextProtos: []string{"foo"},
1689 Bugs: ProtocolBugs{
1690 SkipNewSessionTicket: true,
1691 SkipChangeCipherSpec: true,
1692 SkipFinished: true,
1693 ExpectFalseStart: true,
1694 },
1695 },
1696 flags: []string{
1697 "-false-start",
1698 "-handshake-never-done",
1699 "-advertise-alpn", "\x03foo",
1700 },
1701 shimWritesFirst: true,
1702 shouldFail: true,
1703 expectedError: ":UNEXPECTED_RECORD:",
1704 },
1705 {
1706 name: "FalseStart-SkipServerSecondLeg-Implicit",
1707 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1708 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1709 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1710 NextProtos: []string{"foo"},
1711 Bugs: ProtocolBugs{
1712 SkipNewSessionTicket: true,
1713 SkipChangeCipherSpec: true,
1714 SkipFinished: true,
1715 },
1716 },
1717 flags: []string{
1718 "-implicit-handshake",
1719 "-false-start",
1720 "-handshake-never-done",
1721 "-advertise-alpn", "\x03foo",
1722 },
1723 shouldFail: true,
1724 expectedError: ":UNEXPECTED_RECORD:",
1725 },
1726 {
1727 testType: serverTest,
1728 name: "FailEarlyCallback",
1729 flags: []string{"-fail-early-callback"},
1730 shouldFail: true,
1731 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1732 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1733 },
1734 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1735 name: "FailCertCallback-Client-TLS12",
1736 config: Config{
1737 MaxVersion: VersionTLS12,
1738 ClientAuth: RequestClientCert,
1739 },
1740 flags: []string{"-fail-cert-callback"},
1741 shouldFail: true,
1742 expectedError: ":CERT_CB_ERROR:",
1743 expectedLocalError: "remote error: internal error",
1744 },
1745 {
1746 testType: serverTest,
1747 name: "FailCertCallback-Server-TLS12",
1748 config: Config{
1749 MaxVersion: VersionTLS12,
1750 },
1751 flags: []string{"-fail-cert-callback"},
1752 shouldFail: true,
1753 expectedError: ":CERT_CB_ERROR:",
1754 expectedLocalError: "remote error: internal error",
1755 },
1756 {
1757 name: "FailCertCallback-Client-TLS13",
1758 config: Config{
1759 MaxVersion: VersionTLS13,
1760 ClientAuth: RequestClientCert,
1761 },
1762 flags: []string{"-fail-cert-callback"},
1763 shouldFail: true,
1764 expectedError: ":CERT_CB_ERROR:",
1765 expectedLocalError: "remote error: internal error",
1766 },
1767 {
1768 testType: serverTest,
1769 name: "FailCertCallback-Server-TLS13",
1770 config: Config{
1771 MaxVersion: VersionTLS13,
1772 },
1773 flags: []string{"-fail-cert-callback"},
1774 shouldFail: true,
1775 expectedError: ":CERT_CB_ERROR:",
1776 expectedLocalError: "remote error: internal error",
1777 },
1778 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1779 protocol: dtls,
1780 name: "FragmentMessageTypeMismatch-DTLS",
1781 config: Config{
1782 Bugs: ProtocolBugs{
1783 MaxHandshakeRecordLength: 2,
1784 FragmentMessageTypeMismatch: true,
1785 },
1786 },
1787 shouldFail: true,
1788 expectedError: ":FRAGMENT_MISMATCH:",
1789 },
1790 {
1791 protocol: dtls,
1792 name: "FragmentMessageLengthMismatch-DTLS",
1793 config: Config{
1794 Bugs: ProtocolBugs{
1795 MaxHandshakeRecordLength: 2,
1796 FragmentMessageLengthMismatch: true,
1797 },
1798 },
1799 shouldFail: true,
1800 expectedError: ":FRAGMENT_MISMATCH:",
1801 },
1802 {
1803 protocol: dtls,
1804 name: "SplitFragments-Header-DTLS",
1805 config: Config{
1806 Bugs: ProtocolBugs{
1807 SplitFragments: 2,
1808 },
1809 },
1810 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1811 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1812 },
1813 {
1814 protocol: dtls,
1815 name: "SplitFragments-Boundary-DTLS",
1816 config: Config{
1817 Bugs: ProtocolBugs{
1818 SplitFragments: dtlsRecordHeaderLen,
1819 },
1820 },
1821 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1822 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1823 },
1824 {
1825 protocol: dtls,
1826 name: "SplitFragments-Body-DTLS",
1827 config: Config{
1828 Bugs: ProtocolBugs{
1829 SplitFragments: dtlsRecordHeaderLen + 1,
1830 },
1831 },
1832 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1833 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1834 },
1835 {
1836 protocol: dtls,
1837 name: "SendEmptyFragments-DTLS",
1838 config: Config{
1839 Bugs: ProtocolBugs{
1840 SendEmptyFragments: true,
1841 },
1842 },
1843 },
1844 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1845 name: "BadFinished-Client",
1846 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1847 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1848 Bugs: ProtocolBugs{
1849 BadFinished: true,
1850 },
1851 },
1852 shouldFail: true,
1853 expectedError: ":DIGEST_CHECK_FAILED:",
1854 },
1855 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1856 name: "BadFinished-Client-TLS13",
1857 config: Config{
1858 MaxVersion: VersionTLS13,
1859 Bugs: ProtocolBugs{
1860 BadFinished: true,
1861 },
1862 },
1863 shouldFail: true,
1864 expectedError: ":DIGEST_CHECK_FAILED:",
1865 },
1866 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1867 testType: serverTest,
1868 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1869 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1870 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1871 Bugs: ProtocolBugs{
1872 BadFinished: true,
1873 },
1874 },
1875 shouldFail: true,
1876 expectedError: ":DIGEST_CHECK_FAILED:",
1877 },
1878 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1879 testType: serverTest,
1880 name: "BadFinished-Server-TLS13",
1881 config: Config{
1882 MaxVersion: VersionTLS13,
1883 Bugs: ProtocolBugs{
1884 BadFinished: true,
1885 },
1886 },
1887 shouldFail: true,
1888 expectedError: ":DIGEST_CHECK_FAILED:",
1889 },
1890 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1891 name: "FalseStart-BadFinished",
1892 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1893 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1894 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1895 NextProtos: []string{"foo"},
1896 Bugs: ProtocolBugs{
1897 BadFinished: true,
1898 ExpectFalseStart: true,
1899 },
1900 },
1901 flags: []string{
1902 "-false-start",
1903 "-handshake-never-done",
1904 "-advertise-alpn", "\x03foo",
1905 },
1906 shimWritesFirst: true,
1907 shouldFail: true,
1908 expectedError: ":DIGEST_CHECK_FAILED:",
1909 },
1910 {
1911 name: "NoFalseStart-NoALPN",
1912 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1913 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1914 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1915 Bugs: ProtocolBugs{
1916 ExpectFalseStart: true,
1917 AlertBeforeFalseStartTest: alertAccessDenied,
1918 },
1919 },
1920 flags: []string{
1921 "-false-start",
1922 },
1923 shimWritesFirst: true,
1924 shouldFail: true,
1925 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1926 expectedLocalError: "tls: peer did not false start: EOF",
1927 },
1928 {
1929 name: "NoFalseStart-NoAEAD",
1930 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1931 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1932 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1933 NextProtos: []string{"foo"},
1934 Bugs: ProtocolBugs{
1935 ExpectFalseStart: true,
1936 AlertBeforeFalseStartTest: alertAccessDenied,
1937 },
1938 },
1939 flags: []string{
1940 "-false-start",
1941 "-advertise-alpn", "\x03foo",
1942 },
1943 shimWritesFirst: true,
1944 shouldFail: true,
1945 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1946 expectedLocalError: "tls: peer did not false start: EOF",
1947 },
1948 {
1949 name: "NoFalseStart-RSA",
1950 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1951 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1952 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1953 NextProtos: []string{"foo"},
1954 Bugs: ProtocolBugs{
1955 ExpectFalseStart: true,
1956 AlertBeforeFalseStartTest: alertAccessDenied,
1957 },
1958 },
1959 flags: []string{
1960 "-false-start",
1961 "-advertise-alpn", "\x03foo",
1962 },
1963 shimWritesFirst: true,
1964 shouldFail: true,
1965 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1966 expectedLocalError: "tls: peer did not false start: EOF",
1967 },
1968 {
1969 name: "NoFalseStart-DHE_RSA",
1970 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1971 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1972 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
1973 NextProtos: []string{"foo"},
1974 Bugs: ProtocolBugs{
1975 ExpectFalseStart: true,
1976 AlertBeforeFalseStartTest: alertAccessDenied,
1977 },
1978 },
1979 flags: []string{
1980 "-false-start",
1981 "-advertise-alpn", "\x03foo",
1982 },
1983 shimWritesFirst: true,
1984 shouldFail: true,
1985 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1986 expectedLocalError: "tls: peer did not false start: EOF",
1987 },
1988 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1989 protocol: dtls,
1990 name: "SendSplitAlert-Sync",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 },
1997 {
1998 protocol: dtls,
1999 name: "SendSplitAlert-Async",
2000 config: Config{
2001 Bugs: ProtocolBugs{
2002 SendSplitAlert: true,
2003 },
2004 },
2005 flags: []string{"-async"},
2006 },
2007 {
2008 protocol: dtls,
2009 name: "PackDTLSHandshake",
2010 config: Config{
2011 Bugs: ProtocolBugs{
2012 MaxHandshakeRecordLength: 2,
2013 PackHandshakeFragments: 20,
2014 PackHandshakeRecords: 200,
2015 },
2016 },
2017 },
2018 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2019 name: "SendEmptyRecords-Pass",
2020 sendEmptyRecords: 32,
2021 },
2022 {
2023 name: "SendEmptyRecords",
2024 sendEmptyRecords: 33,
2025 shouldFail: true,
2026 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2027 },
2028 {
2029 name: "SendEmptyRecords-Async",
2030 sendEmptyRecords: 33,
2031 flags: []string{"-async"},
2032 shouldFail: true,
2033 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2034 },
2035 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2036 name: "SendWarningAlerts-Pass",
2037 config: Config{
2038 MaxVersion: VersionTLS12,
2039 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2040 sendWarningAlerts: 4,
2041 },
2042 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2043 protocol: dtls,
2044 name: "SendWarningAlerts-DTLS-Pass",
2045 config: Config{
2046 MaxVersion: VersionTLS12,
2047 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2048 sendWarningAlerts: 4,
2049 },
2050 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2051 name: "SendWarningAlerts-TLS13",
2052 config: Config{
2053 MaxVersion: VersionTLS13,
2054 },
2055 sendWarningAlerts: 4,
2056 shouldFail: true,
2057 expectedError: ":BAD_ALERT:",
2058 expectedLocalError: "remote error: error decoding message",
2059 },
2060 {
2061 name: "SendWarningAlerts",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 5,
2066 shouldFail: true,
2067 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2068 },
2069 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2070 name: "SendWarningAlerts-Async",
2071 config: Config{
2072 MaxVersion: VersionTLS12,
2073 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2074 sendWarningAlerts: 5,
2075 flags: []string{"-async"},
2076 shouldFail: true,
2077 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2078 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2079 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2080 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2081 config: Config{
2082 MaxVersion: VersionTLS13,
2083 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2084 sendKeyUpdates: 33,
2085 keyUpdateRequest: keyUpdateNotRequested,
2086 shouldFail: true,
2087 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2088 },
2089 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2090 name: "EmptySessionID",
2091 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2092 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2093 SessionTicketsDisabled: true,
2094 },
2095 noSessionCache: true,
2096 flags: []string{"-expect-no-session"},
2097 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2098 {
2099 name: "Unclean-Shutdown",
2100 config: Config{
2101 Bugs: ProtocolBugs{
2102 NoCloseNotify: true,
2103 ExpectCloseNotify: true,
2104 },
2105 },
2106 shimShutsDown: true,
2107 flags: []string{"-check-close-notify"},
2108 shouldFail: true,
2109 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2110 },
2111 {
2112 name: "Unclean-Shutdown-Ignored",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 NoCloseNotify: true,
2116 },
2117 },
2118 shimShutsDown: true,
2119 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2120 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2121 name: "Unclean-Shutdown-Alert",
2122 config: Config{
2123 Bugs: ProtocolBugs{
2124 SendAlertOnShutdown: alertDecompressionFailure,
2125 ExpectCloseNotify: true,
2126 },
2127 },
2128 shimShutsDown: true,
2129 flags: []string{"-check-close-notify"},
2130 shouldFail: true,
2131 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2132 },
2133 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2134 name: "LargePlaintext",
2135 config: Config{
2136 Bugs: ProtocolBugs{
2137 SendLargeRecords: true,
2138 },
2139 },
2140 messageLen: maxPlaintext + 1,
2141 shouldFail: true,
2142 expectedError: ":DATA_LENGTH_TOO_LONG:",
2143 },
2144 {
2145 protocol: dtls,
2146 name: "LargePlaintext-DTLS",
2147 config: Config{
2148 Bugs: ProtocolBugs{
2149 SendLargeRecords: true,
2150 },
2151 },
2152 messageLen: maxPlaintext + 1,
2153 shouldFail: true,
2154 expectedError: ":DATA_LENGTH_TOO_LONG:",
2155 },
2156 {
2157 name: "LargeCiphertext",
2158 config: Config{
2159 Bugs: ProtocolBugs{
2160 SendLargeRecords: true,
2161 },
2162 },
2163 messageLen: maxPlaintext * 2,
2164 shouldFail: true,
2165 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2166 },
2167 {
2168 protocol: dtls,
2169 name: "LargeCiphertext-DTLS",
2170 config: Config{
2171 Bugs: ProtocolBugs{
2172 SendLargeRecords: true,
2173 },
2174 },
2175 messageLen: maxPlaintext * 2,
2176 // Unlike the other four cases, DTLS drops records which
2177 // are invalid before authentication, so the connection
2178 // does not fail.
2179 expectMessageDropped: true,
2180 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2181 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2182 name: "BadHelloRequest-1",
2183 renegotiate: 1,
2184 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2185 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2186 Bugs: ProtocolBugs{
2187 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2188 },
2189 },
2190 flags: []string{
2191 "-renegotiate-freely",
2192 "-expect-total-renegotiations", "1",
2193 },
2194 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2195 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2196 },
2197 {
2198 name: "BadHelloRequest-2",
2199 renegotiate: 1,
2200 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2201 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2202 Bugs: ProtocolBugs{
2203 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2204 },
2205 },
2206 flags: []string{
2207 "-renegotiate-freely",
2208 "-expect-total-renegotiations", "1",
2209 },
2210 shouldFail: true,
2211 expectedError: ":BAD_HELLO_REQUEST:",
2212 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2213 {
2214 testType: serverTest,
2215 name: "SupportTicketsWithSessionID",
2216 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2217 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2218 SessionTicketsDisabled: true,
2219 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2220 resumeConfig: &Config{
2221 MaxVersion: VersionTLS12,
2222 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2223 resumeSession: true,
2224 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2225 {
2226 protocol: dtls,
2227 name: "DTLS-SendExtraFinished",
2228 config: Config{
2229 Bugs: ProtocolBugs{
2230 SendExtraFinished: true,
2231 },
2232 },
2233 shouldFail: true,
2234 expectedError: ":UNEXPECTED_RECORD:",
2235 },
2236 {
2237 protocol: dtls,
2238 name: "DTLS-SendExtraFinished-Reordered",
2239 config: Config{
2240 Bugs: ProtocolBugs{
2241 MaxHandshakeRecordLength: 2,
2242 ReorderHandshakeFragments: true,
2243 SendExtraFinished: true,
2244 },
2245 },
2246 shouldFail: true,
2247 expectedError: ":UNEXPECTED_RECORD:",
2248 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2249 {
2250 testType: serverTest,
2251 name: "V2ClientHello-EmptyRecordPrefix",
2252 config: Config{
2253 // Choose a cipher suite that does not involve
2254 // elliptic curves, so no extensions are
2255 // involved.
2256 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2257 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2258 Bugs: ProtocolBugs{
2259 SendV2ClientHello: true,
2260 },
2261 },
2262 sendPrefix: string([]byte{
2263 byte(recordTypeHandshake),
2264 3, 1, // version
2265 0, 0, // length
2266 }),
2267 // A no-op empty record may not be sent before V2ClientHello.
2268 shouldFail: true,
2269 expectedError: ":WRONG_VERSION_NUMBER:",
2270 },
2271 {
2272 testType: serverTest,
2273 name: "V2ClientHello-WarningAlertPrefix",
2274 config: Config{
2275 // Choose a cipher suite that does not involve
2276 // elliptic curves, so no extensions are
2277 // involved.
2278 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2279 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2280 Bugs: ProtocolBugs{
2281 SendV2ClientHello: true,
2282 },
2283 },
2284 sendPrefix: string([]byte{
2285 byte(recordTypeAlert),
2286 3, 1, // version
2287 0, 2, // length
2288 alertLevelWarning, byte(alertDecompressionFailure),
2289 }),
2290 // A no-op warning alert may not be sent before V2ClientHello.
2291 shouldFail: true,
2292 expectedError: ":WRONG_VERSION_NUMBER:",
2293 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2294 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2295 name: "KeyUpdate",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2296 config: Config{
2297 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2298 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 name: "KeyUpdate-InvalidRequestMode",
2304 config: Config{
2305 MaxVersion: VersionTLS13,
2306 },
2307 sendKeyUpdates: 1,
2308 keyUpdateRequest: 42,
2309 shouldFail: true,
2310 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2311 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2312 {
2313 name: "SendSNIWarningAlert",
2314 config: Config{
2315 MaxVersion: VersionTLS12,
2316 Bugs: ProtocolBugs{
2317 SendSNIWarningAlert: true,
2318 },
2319 },
2320 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2321 {
2322 testType: serverTest,
2323 name: "ExtraCompressionMethods-TLS12",
2324 config: Config{
2325 MaxVersion: VersionTLS12,
2326 Bugs: ProtocolBugs{
2327 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2328 },
2329 },
2330 },
2331 {
2332 testType: serverTest,
2333 name: "ExtraCompressionMethods-TLS13",
2334 config: Config{
2335 MaxVersion: VersionTLS13,
2336 Bugs: ProtocolBugs{
2337 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2338 },
2339 },
2340 shouldFail: true,
2341 expectedError: ":INVALID_COMPRESSION_LIST:",
2342 expectedLocalError: "remote error: illegal parameter",
2343 },
2344 {
2345 testType: serverTest,
2346 name: "NoNullCompression-TLS12",
2347 config: Config{
2348 MaxVersion: VersionTLS12,
2349 Bugs: ProtocolBugs{
2350 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2351 },
2352 },
2353 shouldFail: true,
2354 expectedError: ":NO_COMPRESSION_SPECIFIED:",
2355 expectedLocalError: "remote error: illegal parameter",
2356 },
2357 {
2358 testType: serverTest,
2359 name: "NoNullCompression-TLS13",
2360 config: Config{
2361 MaxVersion: VersionTLS13,
2362 Bugs: ProtocolBugs{
2363 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2364 },
2365 },
2366 shouldFail: true,
2367 expectedError: ":INVALID_COMPRESSION_LIST:",
2368 expectedLocalError: "remote error: illegal parameter",
2369 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2370 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2371 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2372 config: Config{
2373 MaxVersion: VersionTLS12,
2374 Bugs: ProtocolBugs{
2375 ExpectGREASE: true,
2376 },
2377 },
2378 flags: []string{"-enable-grease"},
2379 },
2380 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2381 name: "GREASE-Client-TLS13",
2382 config: Config{
2383 MaxVersion: VersionTLS13,
2384 Bugs: ProtocolBugs{
2385 ExpectGREASE: true,
2386 },
2387 },
2388 flags: []string{"-enable-grease"},
2389 },
2390 {
2391 testType: serverTest,
2392 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2393 config: Config{
2394 MaxVersion: VersionTLS13,
2395 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2396 // TLS 1.3 servers are expected to
2397 // always enable GREASE. TLS 1.3 is new,
2398 // so there is no existing ecosystem to
2399 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2400 ExpectGREASE: true,
2401 },
2402 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2403 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame^]2404 {
2405 // Test the server so there is a large certificate as
2406 // well as application data.
2407 testType: serverTest,
2408 name: "MaxSendFragment",
2409 config: Config{
2410 Bugs: ProtocolBugs{
2411 MaxReceivePlaintext: 512,
2412 },
2413 },
2414 messageLen: 1024,
2415 flags: []string{
2416 "-max-send-fragment", "512",
2417 "-read-size", "1024",
2418 },
2419 },
2420 {
2421 // Test the server so there is a large certificate as
2422 // well as application data.
2423 testType: serverTest,
2424 name: "MaxSendFragment-TooLarge",
2425 config: Config{
2426 Bugs: ProtocolBugs{
2427 // Ensure that some of the records are
2428 // 512.
2429 MaxReceivePlaintext: 511,
2430 },
2431 },
2432 messageLen: 1024,
2433 flags: []string{
2434 "-max-send-fragment", "512",
2435 "-read-size", "1024",
2436 },
2437 shouldFail: true,
2438 expectedLocalError: "local error: record overflow",
2439 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2440 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2441 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2442
2443 // Test that very large messages can be received.
2444 cert := rsaCertificate
2445 for i := 0; i < 50; i++ {
2446 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2447 }
2448 testCases = append(testCases, testCase{
2449 name: "LargeMessage",
2450 config: Config{
2451 Certificates: []Certificate{cert},
2452 },
2453 })
2454 testCases = append(testCases, testCase{
2455 protocol: dtls,
2456 name: "LargeMessage-DTLS",
2457 config: Config{
2458 Certificates: []Certificate{cert},
2459 },
2460 })
2461
2462 // They are rejected if the maximum certificate chain length is capped.
2463 testCases = append(testCases, testCase{
2464 name: "LargeMessage-Reject",
2465 config: Config{
2466 Certificates: []Certificate{cert},
2467 },
2468 flags: []string{"-max-cert-list", "16384"},
2469 shouldFail: true,
2470 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2471 })
2472 testCases = append(testCases, testCase{
2473 protocol: dtls,
2474 name: "LargeMessage-Reject-DTLS",
2475 config: Config{
2476 Certificates: []Certificate{cert},
2477 },
2478 flags: []string{"-max-cert-list", "16384"},
2479 shouldFail: true,
2480 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2481 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2482}
2483
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2484func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2485 const psk = "12345"
2486 const pskIdentity = "luggage combo"
2487
2488 var prefix string
2489 if protocol == dtls {
2490 if !ver.hasDTLS {
2491 return
2492 }
2493 prefix = "D"
2494 }
2495
2496 var cert Certificate
2497 var certFile string
2498 var keyFile string
2499 if hasComponent(suite.name, "ECDSA") {
2500 cert = ecdsaP256Certificate
2501 certFile = ecdsaP256CertificateFile
2502 keyFile = ecdsaP256KeyFile
2503 } else {
2504 cert = rsaCertificate
2505 certFile = rsaCertificateFile
2506 keyFile = rsaKeyFile
2507 }
2508
2509 var flags []string
2510 if hasComponent(suite.name, "PSK") {
2511 flags = append(flags,
2512 "-psk", psk,
2513 "-psk-identity", pskIdentity)
2514 }
2515 if hasComponent(suite.name, "NULL") {
2516 // NULL ciphers must be explicitly enabled.
2517 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2518 }
2519 if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
2520 // ECDHE_PSK AES_GCM ciphers must be explicitly enabled
2521 // for now.
2522 flags = append(flags, "-cipher", suite.name)
2523 }
2524
2525 var shouldServerFail, shouldClientFail bool
2526 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2527 // BoringSSL clients accept ECDHE on SSLv3, but
2528 // a BoringSSL server will never select it
2529 // because the extension is missing.
2530 shouldServerFail = true
2531 }
2532 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2533 shouldClientFail = true
2534 shouldServerFail = true
2535 }
2536 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2537 shouldClientFail = true
2538 shouldServerFail = true
2539 }
2540 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2541 shouldClientFail = true
2542 shouldServerFail = true
2543 }
2544 if !isDTLSCipher(suite.name) && protocol == dtls {
2545 shouldClientFail = true
2546 shouldServerFail = true
2547 }
2548
2549 var sendCipherSuite uint16
2550 var expectedServerError, expectedClientError string
2551 serverCipherSuites := []uint16{suite.id}
2552 if shouldServerFail {
2553 expectedServerError = ":NO_SHARED_CIPHER:"
2554 }
2555 if shouldClientFail {
2556 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2557 // Configure the server to select ciphers as normal but
2558 // select an incompatible cipher in ServerHello.
2559 serverCipherSuites = nil
2560 sendCipherSuite = suite.id
2561 }
2562
2563 testCases = append(testCases, testCase{
2564 testType: serverTest,
2565 protocol: protocol,
2566 name: prefix + ver.name + "-" + suite.name + "-server",
2567 config: Config{
2568 MinVersion: ver.version,
2569 MaxVersion: ver.version,
2570 CipherSuites: []uint16{suite.id},
2571 Certificates: []Certificate{cert},
2572 PreSharedKey: []byte(psk),
2573 PreSharedKeyIdentity: pskIdentity,
2574 Bugs: ProtocolBugs{
2575 AdvertiseAllConfiguredCiphers: true,
2576 },
2577 },
2578 certFile: certFile,
2579 keyFile: keyFile,
2580 flags: flags,
2581 resumeSession: true,
2582 shouldFail: shouldServerFail,
2583 expectedError: expectedServerError,
2584 })
2585
2586 testCases = append(testCases, testCase{
2587 testType: clientTest,
2588 protocol: protocol,
2589 name: prefix + ver.name + "-" + suite.name + "-client",
2590 config: Config{
2591 MinVersion: ver.version,
2592 MaxVersion: ver.version,
2593 CipherSuites: serverCipherSuites,
2594 Certificates: []Certificate{cert},
2595 PreSharedKey: []byte(psk),
2596 PreSharedKeyIdentity: pskIdentity,
2597 Bugs: ProtocolBugs{
2598 IgnorePeerCipherPreferences: shouldClientFail,
2599 SendCipherSuite: sendCipherSuite,
2600 },
2601 },
2602 flags: flags,
2603 resumeSession: true,
2604 shouldFail: shouldClientFail,
2605 expectedError: expectedClientError,
2606 })
2607
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2608 if shouldClientFail {
2609 return
2610 }
2611
2612 // Ensure the maximum record size is accepted.
2613 testCases = append(testCases, testCase{
2614 protocol: protocol,
2615 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2616 config: Config{
2617 MinVersion: ver.version,
2618 MaxVersion: ver.version,
2619 CipherSuites: []uint16{suite.id},
2620 Certificates: []Certificate{cert},
2621 PreSharedKey: []byte(psk),
2622 PreSharedKeyIdentity: pskIdentity,
2623 },
2624 flags: flags,
2625 messageLen: maxPlaintext,
2626 })
2627
2628 // Test bad records for all ciphers. Bad records are fatal in TLS
2629 // and ignored in DTLS.
2630 var shouldFail bool
2631 var expectedError string
2632 if protocol == tls {
2633 shouldFail = true
2634 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2635 }
2636
2637 testCases = append(testCases, testCase{
2638 protocol: protocol,
2639 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2640 config: Config{
2641 MinVersion: ver.version,
2642 MaxVersion: ver.version,
2643 CipherSuites: []uint16{suite.id},
2644 Certificates: []Certificate{cert},
2645 PreSharedKey: []byte(psk),
2646 PreSharedKeyIdentity: pskIdentity,
2647 },
2648 flags: flags,
2649 damageFirstWrite: true,
2650 messageLen: maxPlaintext,
2651 shouldFail: shouldFail,
2652 expectedError: expectedError,
2653 })
2654
2655 if ver.version >= VersionTLS13 {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2656 testCases = append(testCases, testCase{
2657 protocol: protocol,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2658 name: prefix + ver.name + "-" + suite.name + "-ShortHeader",
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2659 config: Config{
2660 MinVersion: ver.version,
2661 MaxVersion: ver.version,
2662 CipherSuites: []uint16{suite.id},
2663 Certificates: []Certificate{cert},
2664 PreSharedKey: []byte(psk),
2665 PreSharedKeyIdentity: pskIdentity,
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2666 Bugs: ProtocolBugs{
2667 EnableShortHeader: true,
2668 },
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2669 },
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2670 flags: append([]string{"-enable-short-header"}, flags...),
2671 resumeSession: true,
2672 expectShortHeader: true,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2673 })
2674 }
2675}
2676
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2677func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2678 const bogusCipher = 0xfe00
2679
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2680 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2681 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2682 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2683 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2684 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2685 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2686 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2687
2688 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2689 name: "NoSharedCipher",
2690 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2691 MaxVersion: VersionTLS12,
2692 CipherSuites: []uint16{},
2693 },
2694 shouldFail: true,
2695 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2696 })
2697
2698 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2699 name: "NoSharedCipher-TLS13",
2700 config: Config{
2701 MaxVersion: VersionTLS13,
2702 CipherSuites: []uint16{},
2703 },
2704 shouldFail: true,
2705 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2706 })
2707
2708 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2709 name: "UnsupportedCipherSuite",
2710 config: Config{
2711 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2712 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2713 Bugs: ProtocolBugs{
2714 IgnorePeerCipherPreferences: true,
2715 },
2716 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2717 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2718 shouldFail: true,
2719 expectedError: ":WRONG_CIPHER_RETURNED:",
2720 })
2721
2722 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2723 name: "ServerHelloBogusCipher",
2724 config: Config{
2725 MaxVersion: VersionTLS12,
2726 Bugs: ProtocolBugs{
2727 SendCipherSuite: bogusCipher,
2728 },
2729 },
2730 shouldFail: true,
2731 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2732 })
2733 testCases = append(testCases, testCase{
2734 name: "ServerHelloBogusCipher-TLS13",
2735 config: Config{
2736 MaxVersion: VersionTLS13,
2737 Bugs: ProtocolBugs{
2738 SendCipherSuite: bogusCipher,
2739 },
2740 },
2741 shouldFail: true,
2742 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2743 })
2744
2745 testCases = append(testCases, testCase{
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2746 name: "WeakDH",
2747 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2748 MaxVersion: VersionTLS12,
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2749 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2750 Bugs: ProtocolBugs{
2751 // This is a 1023-bit prime number, generated
2752 // with:
2753 // openssl gendh 1023 | openssl asn1parse -i
2754 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2755 },
2756 },
2757 shouldFail: true,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2758 expectedError: ":BAD_DH_P_LENGTH:",
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2759 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2760
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2761 testCases = append(testCases, testCase{
2762 name: "SillyDH",
2763 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2764 MaxVersion: VersionTLS12,
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2765 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2766 Bugs: ProtocolBugs{
2767 // This is a 4097-bit prime number, generated
2768 // with:
2769 // openssl gendh 4097 | openssl asn1parse -i
2770 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2771 },
2772 },
2773 shouldFail: true,
2774 expectedError: ":DH_P_TOO_LONG:",
2775 })
2776
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2777 // This test ensures that Diffie-Hellman public values are padded with
2778 // zeros so that they're the same length as the prime. This is to avoid
2779 // hitting a bug in yaSSL.
2780 testCases = append(testCases, testCase{
2781 testType: serverTest,
2782 name: "DHPublicValuePadded",
2783 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2784 MaxVersion: VersionTLS12,
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2785 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2786 Bugs: ProtocolBugs{
2787 RequireDHPublicValueLen: (1025 + 7) / 8,
2788 },
2789 },
2790 flags: []string{"-use-sparse-dh-prime"},
2791 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2792
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2793 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2794 testCases = append(testCases, testCase{
2795 testType: serverTest,
2796 name: "UnknownCipher",
2797 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2798 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2799 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2800 Bugs: ProtocolBugs{
2801 AdvertiseAllConfiguredCiphers: true,
2802 },
2803 },
2804 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2805
2806 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2807 testCases = append(testCases, testCase{
2808 testType: serverTest,
2809 name: "UnknownCipher-TLS13",
2810 config: Config{
2811 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2812 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2813 Bugs: ProtocolBugs{
2814 AdvertiseAllConfiguredCiphers: true,
2815 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2816 },
2817 })
2818
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2819 // Test empty ECDHE_PSK identity hints work as expected.
2820 testCases = append(testCases, testCase{
2821 name: "EmptyECDHEPSKHint",
2822 config: Config{
2823 MaxVersion: VersionTLS12,
2824 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2825 PreSharedKey: []byte("secret"),
2826 },
2827 flags: []string{"-psk", "secret"},
2828 })
2829
2830 // Test empty PSK identity hints work as expected, even if an explicit
2831 // ServerKeyExchange is sent.
2832 testCases = append(testCases, testCase{
2833 name: "ExplicitEmptyPSKHint",
2834 config: Config{
2835 MaxVersion: VersionTLS12,
2836 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2837 PreSharedKey: []byte("secret"),
2838 Bugs: ProtocolBugs{
2839 AlwaysSendPreSharedKeyIdentityHint: true,
2840 },
2841 },
2842 flags: []string{"-psk", "secret"},
2843 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2844}
2845
2846func addBadECDSASignatureTests() {
2847 for badR := BadValue(1); badR < NumBadValues; badR++ {
2848 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2849 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2850 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2851 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2852 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2853 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2854 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2855 Bugs: ProtocolBugs{
2856 BadECDSAR: badR,
2857 BadECDSAS: badS,
2858 },
2859 },
2860 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2861 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2862 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2863 testCases = append(testCases, testCase{
2864 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2865 config: Config{
2866 MaxVersion: VersionTLS13,
2867 Certificates: []Certificate{ecdsaP256Certificate},
2868 Bugs: ProtocolBugs{
2869 BadECDSAR: badR,
2870 BadECDSAS: badS,
2871 },
2872 },
2873 shouldFail: true,
2874 expectedError: ":BAD_SIGNATURE:",
2875 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2876 }
2877 }
2878}
2879
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2880func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2881 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2882 name: "MaxCBCPadding",
2883 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2884 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2885 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2886 Bugs: ProtocolBugs{
2887 MaxPadding: true,
2888 },
2889 },
2890 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2891 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2892 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2893 name: "BadCBCPadding",
2894 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2895 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2896 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2897 Bugs: ProtocolBugs{
2898 PaddingFirstByteBad: true,
2899 },
2900 },
2901 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2902 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2903 })
2904 // OpenSSL previously had an issue where the first byte of padding in
2905 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2906 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2907 name: "BadCBCPadding255",
2908 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2909 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2910 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2911 Bugs: ProtocolBugs{
2912 MaxPadding: true,
2913 PaddingFirstByteBadIf255: true,
2914 },
2915 },
2916 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2917 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2918 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2919 })
2920}
2921
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2922func addCBCSplittingTests() {
2923 testCases = append(testCases, testCase{
2924 name: "CBCRecordSplitting",
2925 config: Config{
2926 MaxVersion: VersionTLS10,
2927 MinVersion: VersionTLS10,
2928 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2929 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2930 messageLen: -1, // read until EOF
2931 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2932 flags: []string{
2933 "-async",
2934 "-write-different-record-sizes",
2935 "-cbc-record-splitting",
2936 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2937 })
2938 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2939 name: "CBCRecordSplittingPartialWrite",
2940 config: Config{
2941 MaxVersion: VersionTLS10,
2942 MinVersion: VersionTLS10,
2943 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2944 },
2945 messageLen: -1, // read until EOF
2946 flags: []string{
2947 "-async",
2948 "-write-different-record-sizes",
2949 "-cbc-record-splitting",
2950 "-partial-write",
2951 },
2952 })
2953}
2954
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2955func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2956 // Add a dummy cert pool to stress certificate authority parsing.
2957 // TODO(davidben): Add tests that those values parse out correctly.
2958 certPool := x509.NewCertPool()
2959 cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
2960 if err != nil {
2961 panic(err)
2962 }
2963 certPool.AddCert(cert)
2964
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2965 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2966 testCases = append(testCases, testCase{
2967 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2968 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2969 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2970 MinVersion: ver.version,
2971 MaxVersion: ver.version,
2972 ClientAuth: RequireAnyClientCert,
2973 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2974 },
2975 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2976 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2977 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2978 },
2979 })
2980 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2981 testType: serverTest,
2982 name: ver.name + "-Server-ClientAuth-RSA",
2983 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2984 MinVersion: ver.version,
2985 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2986 Certificates: []Certificate{rsaCertificate},
2987 },
2988 flags: []string{"-require-any-client-certificate"},
2989 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2990 if ver.version != VersionSSL30 {
2991 testCases = append(testCases, testCase{
2992 testType: serverTest,
2993 name: ver.name + "-Server-ClientAuth-ECDSA",
2994 config: Config{
2995 MinVersion: ver.version,
2996 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2997 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2998 },
2999 flags: []string{"-require-any-client-certificate"},
3000 })
3001 testCases = append(testCases, testCase{
3002 testType: clientTest,
3003 name: ver.name + "-Client-ClientAuth-ECDSA",
3004 config: Config{
3005 MinVersion: ver.version,
3006 MaxVersion: ver.version,
3007 ClientAuth: RequireAnyClientCert,
3008 ClientCAs: certPool,
3009 },
3010 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3011 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3012 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3013 },
3014 })
3015 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3016
3017 testCases = append(testCases, testCase{
3018 name: "NoClientCertificate-" + ver.name,
3019 config: Config{
3020 MinVersion: ver.version,
3021 MaxVersion: ver.version,
3022 ClientAuth: RequireAnyClientCert,
3023 },
3024 shouldFail: true,
3025 expectedLocalError: "client didn't provide a certificate",
3026 })
3027
3028 testCases = append(testCases, testCase{
3029 // Even if not configured to expect a certificate, OpenSSL will
3030 // return X509_V_OK as the verify_result.
3031 testType: serverTest,
3032 name: "NoClientCertificateRequested-Server-" + ver.name,
3033 config: Config{
3034 MinVersion: ver.version,
3035 MaxVersion: ver.version,
3036 },
3037 flags: []string{
3038 "-expect-verify-result",
3039 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3040 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3041 })
3042
3043 testCases = append(testCases, testCase{
3044 // If a client certificate is not provided, OpenSSL will still
3045 // return X509_V_OK as the verify_result.
3046 testType: serverTest,
3047 name: "NoClientCertificate-Server-" + ver.name,
3048 config: Config{
3049 MinVersion: ver.version,
3050 MaxVersion: ver.version,
3051 },
3052 flags: []string{
3053 "-expect-verify-result",
3054 "-verify-peer",
3055 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3056 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3057 })
3058
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3059 certificateRequired := "remote error: certificate required"
3060 if ver.version < VersionTLS13 {
3061 // Prior to TLS 1.3, the generic handshake_failure alert
3062 // was used.
3063 certificateRequired = "remote error: handshake failure"
3064 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3065 testCases = append(testCases, testCase{
3066 testType: serverTest,
3067 name: "RequireAnyClientCertificate-" + ver.name,
3068 config: Config{
3069 MinVersion: ver.version,
3070 MaxVersion: ver.version,
3071 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3072 flags: []string{"-require-any-client-certificate"},
3073 shouldFail: true,
3074 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3075 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3076 })
3077
3078 if ver.version != VersionSSL30 {
3079 testCases = append(testCases, testCase{
3080 testType: serverTest,
3081 name: "SkipClientCertificate-" + ver.name,
3082 config: Config{
3083 MinVersion: ver.version,
3084 MaxVersion: ver.version,
3085 Bugs: ProtocolBugs{
3086 SkipClientCertificate: true,
3087 },
3088 },
3089 // Setting SSL_VERIFY_PEER allows anonymous clients.
3090 flags: []string{"-verify-peer"},
3091 shouldFail: true,
3092 expectedError: ":UNEXPECTED_MESSAGE:",
3093 })
3094 }
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3095 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3096
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3097 // Client auth is only legal in certificate-based ciphers.
3098 testCases = append(testCases, testCase{
3099 testType: clientTest,
3100 name: "ClientAuth-PSK",
3101 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3102 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3103 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3104 PreSharedKey: []byte("secret"),
3105 ClientAuth: RequireAnyClientCert,
3106 },
3107 flags: []string{
3108 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3109 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3110 "-psk", "secret",
3111 },
3112 shouldFail: true,
3113 expectedError: ":UNEXPECTED_MESSAGE:",
3114 })
3115 testCases = append(testCases, testCase{
3116 testType: clientTest,
3117 name: "ClientAuth-ECDHE_PSK",
3118 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3119 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3120 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3121 PreSharedKey: []byte("secret"),
3122 ClientAuth: RequireAnyClientCert,
3123 },
3124 flags: []string{
3125 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3126 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3127 "-psk", "secret",
3128 },
3129 shouldFail: true,
3130 expectedError: ":UNEXPECTED_MESSAGE:",
3131 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3132
3133 // Regression test for a bug where the client CA list, if explicitly
3134 // set to NULL, was mis-encoded.
3135 testCases = append(testCases, testCase{
3136 testType: serverTest,
3137 name: "Null-Client-CA-List",
3138 config: Config{
3139 MaxVersion: VersionTLS12,
3140 Certificates: []Certificate{rsaCertificate},
3141 },
3142 flags: []string{
3143 "-require-any-client-certificate",
3144 "-use-null-client-ca-list",
3145 },
3146 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3147}
3148
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3149func addExtendedMasterSecretTests() {
3150 const expectEMSFlag = "-expect-extended-master-secret"
3151
3152 for _, with := range []bool{false, true} {
3153 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3154 if with {
3155 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3156 }
3157
3158 for _, isClient := range []bool{false, true} {
3159 suffix := "-Server"
3160 testType := serverTest
3161 if isClient {
3162 suffix = "-Client"
3163 testType = clientTest
3164 }
3165
3166 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3167 // In TLS 1.3, the extension is irrelevant and
3168 // always reports as enabled.
3169 var flags []string
3170 if with || ver.version >= VersionTLS13 {
3171 flags = []string{expectEMSFlag}
3172 }
3173
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3174 test := testCase{
3175 testType: testType,
3176 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3177 config: Config{
3178 MinVersion: ver.version,
3179 MaxVersion: ver.version,
3180 Bugs: ProtocolBugs{
3181 NoExtendedMasterSecret: !with,
3182 RequireExtendedMasterSecret: with,
3183 },
3184 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3185 flags: flags,
3186 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3187 }
3188 if test.shouldFail {
3189 test.expectedLocalError = "extended master secret required but not supported by peer"
3190 }
3191 testCases = append(testCases, test)
3192 }
3193 }
3194 }
3195
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3196 for _, isClient := range []bool{false, true} {
3197 for _, supportedInFirstConnection := range []bool{false, true} {
3198 for _, supportedInResumeConnection := range []bool{false, true} {
3199 boolToWord := func(b bool) string {
3200 if b {
3201 return "Yes"
3202 }
3203 return "No"
3204 }
3205 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3206 if isClient {
3207 suffix += "Client"
3208 } else {
3209 suffix += "Server"
3210 }
3211
3212 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3213 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3214 Bugs: ProtocolBugs{
3215 RequireExtendedMasterSecret: true,
3216 },
3217 }
3218
3219 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3220 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3221 Bugs: ProtocolBugs{
3222 NoExtendedMasterSecret: true,
3223 },
3224 }
3225
3226 test := testCase{
3227 name: "ExtendedMasterSecret-" + suffix,
3228 resumeSession: true,
3229 }
3230
3231 if !isClient {
3232 test.testType = serverTest
3233 }
3234
3235 if supportedInFirstConnection {
3236 test.config = supportedConfig
3237 } else {
3238 test.config = noSupportConfig
3239 }
3240
3241 if supportedInResumeConnection {
3242 test.resumeConfig = &supportedConfig
3243 } else {
3244 test.resumeConfig = &noSupportConfig
3245 }
3246
3247 switch suffix {
3248 case "YesToYes-Client", "YesToYes-Server":
3249 // When a session is resumed, it should
3250 // still be aware that its master
3251 // secret was generated via EMS and
3252 // thus it's safe to use tls-unique.
3253 test.flags = []string{expectEMSFlag}
3254 case "NoToYes-Server":
3255 // If an original connection did not
3256 // contain EMS, but a resumption
3257 // handshake does, then a server should
3258 // not resume the session.
3259 test.expectResumeRejected = true
3260 case "YesToNo-Server":
3261 // Resuming an EMS session without the
3262 // EMS extension should cause the
3263 // server to abort the connection.
3264 test.shouldFail = true
3265 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3266 case "NoToYes-Client":
3267 // A client should abort a connection
3268 // where the server resumed a non-EMS
3269 // session but echoed the EMS
3270 // extension.
3271 test.shouldFail = true
3272 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3273 case "YesToNo-Client":
3274 // A client should abort a connection
3275 // where the server didn't echo EMS
3276 // when the session used it.
3277 test.shouldFail = true
3278 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3279 }
3280
3281 testCases = append(testCases, test)
3282 }
3283 }
3284 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3285
3286 // Switching EMS on renegotiation is forbidden.
3287 testCases = append(testCases, testCase{
3288 name: "ExtendedMasterSecret-Renego-NoEMS",
3289 config: Config{
3290 MaxVersion: VersionTLS12,
3291 Bugs: ProtocolBugs{
3292 NoExtendedMasterSecret: true,
3293 NoExtendedMasterSecretOnRenegotiation: true,
3294 },
3295 },
3296 renegotiate: 1,
3297 flags: []string{
3298 "-renegotiate-freely",
3299 "-expect-total-renegotiations", "1",
3300 },
3301 })
3302
3303 testCases = append(testCases, testCase{
3304 name: "ExtendedMasterSecret-Renego-Upgrade",
3305 config: Config{
3306 MaxVersion: VersionTLS12,
3307 Bugs: ProtocolBugs{
3308 NoExtendedMasterSecret: true,
3309 },
3310 },
3311 renegotiate: 1,
3312 flags: []string{
3313 "-renegotiate-freely",
3314 "-expect-total-renegotiations", "1",
3315 },
3316 shouldFail: true,
3317 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3318 })
3319
3320 testCases = append(testCases, testCase{
3321 name: "ExtendedMasterSecret-Renego-Downgrade",
3322 config: Config{
3323 MaxVersion: VersionTLS12,
3324 Bugs: ProtocolBugs{
3325 NoExtendedMasterSecretOnRenegotiation: true,
3326 },
3327 },
3328 renegotiate: 1,
3329 flags: []string{
3330 "-renegotiate-freely",
3331 "-expect-total-renegotiations", "1",
3332 },
3333 shouldFail: true,
3334 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3335 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3336}
3337
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3338type stateMachineTestConfig struct {
3339 protocol protocol
3340 async bool
3341 splitHandshake, packHandshakeFlight bool
3342}
3343
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3344// Adds tests that try to cover the range of the handshake state machine, under
3345// various conditions. Some of these are redundant with other tests, but they
3346// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3347func addAllStateMachineCoverageTests() {
3348 for _, async := range []bool{false, true} {
3349 for _, protocol := range []protocol{tls, dtls} {
3350 addStateMachineCoverageTests(stateMachineTestConfig{
3351 protocol: protocol,
3352 async: async,
3353 })
3354 addStateMachineCoverageTests(stateMachineTestConfig{
3355 protocol: protocol,
3356 async: async,
3357 splitHandshake: true,
3358 })
3359 if protocol == tls {
3360 addStateMachineCoverageTests(stateMachineTestConfig{
3361 protocol: protocol,
3362 async: async,
3363 packHandshakeFlight: true,
3364 })
3365 }
3366 }
3367 }
3368}
3369
3370func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3371 var tests []testCase
3372
3373 // Basic handshake, with resumption. Client and server,
3374 // session ID and session ticket.
3375 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3376 name: "Basic-Client",
3377 config: Config{
3378 MaxVersion: VersionTLS12,
3379 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3380 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3381 // Ensure session tickets are used, not session IDs.
3382 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3383 })
3384 tests = append(tests, testCase{
3385 name: "Basic-Client-RenewTicket",
3386 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3387 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3388 Bugs: ProtocolBugs{
3389 RenewTicketOnResume: true,
3390 },
3391 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3392 flags: []string{"-expect-ticket-renewal"},
3393 resumeSession: true,
3394 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3395 })
3396 tests = append(tests, testCase{
3397 name: "Basic-Client-NoTicket",
3398 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3399 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3400 SessionTicketsDisabled: true,
3401 },
3402 resumeSession: true,
3403 })
3404 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3405 name: "Basic-Client-Implicit",
3406 config: Config{
3407 MaxVersion: VersionTLS12,
3408 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3409 flags: []string{"-implicit-handshake"},
3410 resumeSession: true,
3411 })
3412 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3413 testType: serverTest,
3414 name: "Basic-Server",
3415 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3416 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3417 Bugs: ProtocolBugs{
3418 RequireSessionTickets: true,
3419 },
3420 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3421 resumeSession: true,
3422 })
3423 tests = append(tests, testCase{
3424 testType: serverTest,
3425 name: "Basic-Server-NoTickets",
3426 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3427 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3428 SessionTicketsDisabled: true,
3429 },
3430 resumeSession: true,
3431 })
3432 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3433 testType: serverTest,
3434 name: "Basic-Server-Implicit",
3435 config: Config{
3436 MaxVersion: VersionTLS12,
3437 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3438 flags: []string{"-implicit-handshake"},
3439 resumeSession: true,
3440 })
3441 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3442 testType: serverTest,
3443 name: "Basic-Server-EarlyCallback",
3444 config: Config{
3445 MaxVersion: VersionTLS12,
3446 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3447 flags: []string{"-use-early-callback"},
3448 resumeSession: true,
3449 })
3450
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3451 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3452 if config.protocol == tls {
3453 tests = append(tests, testCase{
3454 name: "TLS13-1RTT-Client",
3455 config: Config{
3456 MaxVersion: VersionTLS13,
3457 MinVersion: VersionTLS13,
3458 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3459 resumeSession: true,
3460 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3461 })
3462
3463 tests = append(tests, testCase{
3464 testType: serverTest,
3465 name: "TLS13-1RTT-Server",
3466 config: Config{
3467 MaxVersion: VersionTLS13,
3468 MinVersion: VersionTLS13,
3469 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3470 resumeSession: true,
3471 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3472 })
3473
3474 tests = append(tests, testCase{
3475 name: "TLS13-HelloRetryRequest-Client",
3476 config: Config{
3477 MaxVersion: VersionTLS13,
3478 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3479 // P-384 requires a HelloRetryRequest against BoringSSL's default
3480 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3481 CurvePreferences: []CurveID{CurveP384},
3482 Bugs: ProtocolBugs{
3483 ExpectMissingKeyShare: true,
3484 },
3485 },
3486 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3487 resumeSession: true,
3488 })
3489
3490 tests = append(tests, testCase{
3491 testType: serverTest,
3492 name: "TLS13-HelloRetryRequest-Server",
3493 config: Config{
3494 MaxVersion: VersionTLS13,
3495 MinVersion: VersionTLS13,
3496 // Require a HelloRetryRequest for every curve.
3497 DefaultCurves: []CurveID{},
3498 },
3499 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3500 resumeSession: true,
3501 })
3502 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3503
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3504 // TLS client auth.
3505 tests = append(tests, testCase{
3506 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3507 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3508 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3509 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3510 ClientAuth: RequestClientCert,
3511 },
3512 })
3513 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3514 testType: serverTest,
3515 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3516 config: Config{
3517 MaxVersion: VersionTLS12,
3518 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3519 // Setting SSL_VERIFY_PEER allows anonymous clients.
3520 flags: []string{"-verify-peer"},
3521 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3522 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3523 tests = append(tests, testCase{
3524 testType: clientTest,
3525 name: "ClientAuth-NoCertificate-Client-SSL3",
3526 config: Config{
3527 MaxVersion: VersionSSL30,
3528 ClientAuth: RequestClientCert,
3529 },
3530 })
3531 tests = append(tests, testCase{
3532 testType: serverTest,
3533 name: "ClientAuth-NoCertificate-Server-SSL3",
3534 config: Config{
3535 MaxVersion: VersionSSL30,
3536 },
3537 // Setting SSL_VERIFY_PEER allows anonymous clients.
3538 flags: []string{"-verify-peer"},
3539 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3540 tests = append(tests, testCase{
3541 testType: clientTest,
3542 name: "ClientAuth-NoCertificate-Client-TLS13",
3543 config: Config{
3544 MaxVersion: VersionTLS13,
3545 ClientAuth: RequestClientCert,
3546 },
3547 })
3548 tests = append(tests, testCase{
3549 testType: serverTest,
3550 name: "ClientAuth-NoCertificate-Server-TLS13",
3551 config: Config{
3552 MaxVersion: VersionTLS13,
3553 },
3554 // Setting SSL_VERIFY_PEER allows anonymous clients.
3555 flags: []string{"-verify-peer"},
3556 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3557 }
3558 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3559 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3560 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3561 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3562 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3563 ClientAuth: RequireAnyClientCert,
3564 },
3565 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3566 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3567 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3568 },
3569 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3570 tests = append(tests, testCase{
3571 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3572 name: "ClientAuth-RSA-Client-TLS13",
3573 config: Config{
3574 MaxVersion: VersionTLS13,
3575 ClientAuth: RequireAnyClientCert,
3576 },
3577 flags: []string{
3578 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3579 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3580 },
3581 })
3582 tests = append(tests, testCase{
3583 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3584 name: "ClientAuth-ECDSA-Client",
3585 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3586 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3587 ClientAuth: RequireAnyClientCert,
3588 },
3589 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3590 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3591 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3592 },
3593 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3594 tests = append(tests, testCase{
3595 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3596 name: "ClientAuth-ECDSA-Client-TLS13",
3597 config: Config{
3598 MaxVersion: VersionTLS13,
3599 ClientAuth: RequireAnyClientCert,
3600 },
3601 flags: []string{
3602 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3603 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3604 },
3605 })
3606 tests = append(tests, testCase{
3607 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3608 name: "ClientAuth-NoCertificate-OldCallback",
3609 config: Config{
3610 MaxVersion: VersionTLS12,
3611 ClientAuth: RequestClientCert,
3612 },
3613 flags: []string{"-use-old-client-cert-callback"},
3614 })
3615 tests = append(tests, testCase{
3616 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3617 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3618 config: Config{
3619 MaxVersion: VersionTLS13,
3620 ClientAuth: RequestClientCert,
3621 },
3622 flags: []string{"-use-old-client-cert-callback"},
3623 })
3624 tests = append(tests, testCase{
3625 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3626 name: "ClientAuth-OldCallback",
3627 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3628 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3629 ClientAuth: RequireAnyClientCert,
3630 },
3631 flags: []string{
3632 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3633 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3634 "-use-old-client-cert-callback",
3635 },
3636 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3637 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3638 testType: clientTest,
3639 name: "ClientAuth-OldCallback-TLS13",
3640 config: Config{
3641 MaxVersion: VersionTLS13,
3642 ClientAuth: RequireAnyClientCert,
3643 },
3644 flags: []string{
3645 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3646 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3647 "-use-old-client-cert-callback",
3648 },
3649 })
3650 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3651 testType: serverTest,
3652 name: "ClientAuth-Server",
3653 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3654 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3655 Certificates: []Certificate{rsaCertificate},
3656 },
3657 flags: []string{"-require-any-client-certificate"},
3658 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3659 tests = append(tests, testCase{
3660 testType: serverTest,
3661 name: "ClientAuth-Server-TLS13",
3662 config: Config{
3663 MaxVersion: VersionTLS13,
3664 Certificates: []Certificate{rsaCertificate},
3665 },
3666 flags: []string{"-require-any-client-certificate"},
3667 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3668
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3669 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3670 tests = append(tests, testCase{
3671 testType: serverTest,
3672 name: "Basic-Server-RSA",
3673 config: Config{
3674 MaxVersion: VersionTLS12,
3675 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3676 },
3677 flags: []string{
3678 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3679 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3680 },
3681 })
3682 tests = append(tests, testCase{
3683 testType: serverTest,
3684 name: "Basic-Server-ECDHE-RSA",
3685 config: Config{
3686 MaxVersion: VersionTLS12,
3687 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3688 },
3689 flags: []string{
3690 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3691 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3692 },
3693 })
3694 tests = append(tests, testCase{
3695 testType: serverTest,
3696 name: "Basic-Server-ECDHE-ECDSA",
3697 config: Config{
3698 MaxVersion: VersionTLS12,
3699 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3700 },
3701 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3702 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3703 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3704 },
3705 })
3706
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3707 // No session ticket support; server doesn't send NewSessionTicket.
3708 tests = append(tests, testCase{
3709 name: "SessionTicketsDisabled-Client",
3710 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3711 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3712 SessionTicketsDisabled: true,
3713 },
3714 })
3715 tests = append(tests, testCase{
3716 testType: serverTest,
3717 name: "SessionTicketsDisabled-Server",
3718 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3719 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3720 SessionTicketsDisabled: true,
3721 },
3722 })
3723
3724 // Skip ServerKeyExchange in PSK key exchange if there's no
3725 // identity hint.
3726 tests = append(tests, testCase{
3727 name: "EmptyPSKHint-Client",
3728 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3729 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3730 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3731 PreSharedKey: []byte("secret"),
3732 },
3733 flags: []string{"-psk", "secret"},
3734 })
3735 tests = append(tests, testCase{
3736 testType: serverTest,
3737 name: "EmptyPSKHint-Server",
3738 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3739 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3740 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3741 PreSharedKey: []byte("secret"),
3742 },
3743 flags: []string{"-psk", "secret"},
3744 })
3745
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3746 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3747 tests = append(tests, testCase{
3748 testType: clientTest,
3749 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3750 config: Config{
3751 MaxVersion: VersionTLS12,
3752 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3753 flags: []string{
3754 "-enable-ocsp-stapling",
3755 "-expect-ocsp-response",
3756 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3757 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3758 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3759 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3760 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3761 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3762 testType: serverTest,
3763 name: "OCSPStapling-Server",
3764 config: Config{
3765 MaxVersion: VersionTLS12,
3766 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3767 expectedOCSPResponse: testOCSPResponse,
3768 flags: []string{
3769 "-ocsp-response",
3770 base64.StdEncoding.EncodeToString(testOCSPResponse),
3771 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3772 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3773 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3774 tests = append(tests, testCase{
3775 testType: clientTest,
3776 name: "OCSPStapling-Client-TLS13",
3777 config: Config{
3778 MaxVersion: VersionTLS13,
3779 },
3780 flags: []string{
3781 "-enable-ocsp-stapling",
3782 "-expect-ocsp-response",
3783 base64.StdEncoding.EncodeToString(testOCSPResponse),
3784 "-verify-peer",
3785 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3786 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3787 })
3788 tests = append(tests, testCase{
3789 testType: serverTest,
3790 name: "OCSPStapling-Server-TLS13",
3791 config: Config{
3792 MaxVersion: VersionTLS13,
3793 },
3794 expectedOCSPResponse: testOCSPResponse,
3795 flags: []string{
3796 "-ocsp-response",
3797 base64.StdEncoding.EncodeToString(testOCSPResponse),
3798 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3799 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3800 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3801
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3802 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3803 for _, vers := range tlsVersions {
3804 if config.protocol == dtls && !vers.hasDTLS {
3805 continue
3806 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3807 for _, testType := range []testType{clientTest, serverTest} {
3808 suffix := "-Client"
3809 if testType == serverTest {
3810 suffix = "-Server"
3811 }
3812 suffix += "-" + vers.name
3813
3814 flag := "-verify-peer"
3815 if testType == serverTest {
3816 flag = "-require-any-client-certificate"
3817 }
3818
3819 tests = append(tests, testCase{
3820 testType: testType,
3821 name: "CertificateVerificationSucceed" + suffix,
3822 config: Config{
3823 MaxVersion: vers.version,
3824 Certificates: []Certificate{rsaCertificate},
3825 },
3826 flags: []string{
3827 flag,
3828 "-expect-verify-result",
3829 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3830 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3831 })
3832 tests = append(tests, testCase{
3833 testType: testType,
3834 name: "CertificateVerificationFail" + suffix,
3835 config: Config{
3836 MaxVersion: vers.version,
3837 Certificates: []Certificate{rsaCertificate},
3838 },
3839 flags: []string{
3840 flag,
3841 "-verify-fail",
3842 },
3843 shouldFail: true,
3844 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3845 })
3846 }
3847
3848 // By default, the client is in a soft fail mode where the peer
3849 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3850 tests = append(tests, testCase{
3851 testType: clientTest,
3852 name: "CertificateVerificationSoftFail-" + vers.name,
3853 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3854 MaxVersion: vers.version,
3855 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3856 },
3857 flags: []string{
3858 "-verify-fail",
3859 "-expect-verify-result",
3860 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3861 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3862 })
3863 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3864
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3865 tests = append(tests, testCase{
3866 name: "ShimSendAlert",
3867 flags: []string{"-send-alert"},
3868 shimWritesFirst: true,
3869 shouldFail: true,
3870 expectedLocalError: "remote error: decompression failure",
3871 })
3872
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3873 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3874 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3875 name: "Renegotiate-Client",
3876 config: Config{
3877 MaxVersion: VersionTLS12,
3878 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3879 renegotiate: 1,
3880 flags: []string{
3881 "-renegotiate-freely",
3882 "-expect-total-renegotiations", "1",
3883 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3884 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3885
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3886 tests = append(tests, testCase{
3887 name: "SendHalfHelloRequest",
3888 config: Config{
3889 MaxVersion: VersionTLS12,
3890 Bugs: ProtocolBugs{
3891 PackHelloRequestWithFinished: config.packHandshakeFlight,
3892 },
3893 },
3894 sendHalfHelloRequest: true,
3895 flags: []string{"-renegotiate-ignore"},
3896 shouldFail: true,
3897 expectedError: ":UNEXPECTED_RECORD:",
3898 })
3899
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3900 // NPN on client and server; results in post-handshake message.
3901 tests = append(tests, testCase{
3902 name: "NPN-Client",
3903 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3904 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3905 NextProtos: []string{"foo"},
3906 },
3907 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3908 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3909 expectedNextProto: "foo",
3910 expectedNextProtoType: npn,
3911 })
3912 tests = append(tests, testCase{
3913 testType: serverTest,
3914 name: "NPN-Server",
3915 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3916 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3917 NextProtos: []string{"bar"},
3918 },
3919 flags: []string{
3920 "-advertise-npn", "\x03foo\x03bar\x03baz",
3921 "-expect-next-proto", "bar",
3922 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3923 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3924 expectedNextProto: "bar",
3925 expectedNextProtoType: npn,
3926 })
3927
3928 // TODO(davidben): Add tests for when False Start doesn't trigger.
3929
3930 // Client does False Start and negotiates NPN.
3931 tests = append(tests, testCase{
3932 name: "FalseStart",
3933 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3934 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3935 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3936 NextProtos: []string{"foo"},
3937 Bugs: ProtocolBugs{
3938 ExpectFalseStart: true,
3939 },
3940 },
3941 flags: []string{
3942 "-false-start",
3943 "-select-next-proto", "foo",
3944 },
3945 shimWritesFirst: true,
3946 resumeSession: true,
3947 })
3948
3949 // Client does False Start and negotiates ALPN.
3950 tests = append(tests, testCase{
3951 name: "FalseStart-ALPN",
3952 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3953 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3954 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3955 NextProtos: []string{"foo"},
3956 Bugs: ProtocolBugs{
3957 ExpectFalseStart: true,
3958 },
3959 },
3960 flags: []string{
3961 "-false-start",
3962 "-advertise-alpn", "\x03foo",
3963 },
3964 shimWritesFirst: true,
3965 resumeSession: true,
3966 })
3967
3968 // Client does False Start but doesn't explicitly call
3969 // SSL_connect.
3970 tests = append(tests, testCase{
3971 name: "FalseStart-Implicit",
3972 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3973 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3974 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3975 NextProtos: []string{"foo"},
3976 },
3977 flags: []string{
3978 "-implicit-handshake",
3979 "-false-start",
3980 "-advertise-alpn", "\x03foo",
3981 },
3982 })
3983
3984 // False Start without session tickets.
3985 tests = append(tests, testCase{
3986 name: "FalseStart-SessionTicketsDisabled",
3987 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3988 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3989 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3990 NextProtos: []string{"foo"},
3991 SessionTicketsDisabled: true,
3992 Bugs: ProtocolBugs{
3993 ExpectFalseStart: true,
3994 },
3995 },
3996 flags: []string{
3997 "-false-start",
3998 "-select-next-proto", "foo",
3999 },
4000 shimWritesFirst: true,
4001 })
4002
4003 // Server parses a V2ClientHello.
4004 tests = append(tests, testCase{
4005 testType: serverTest,
4006 name: "SendV2ClientHello",
4007 config: Config{
4008 // Choose a cipher suite that does not involve
4009 // elliptic curves, so no extensions are
4010 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4011 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4012 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4013 Bugs: ProtocolBugs{
4014 SendV2ClientHello: true,
4015 },
4016 },
4017 })
4018
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4019 // Test Channel ID
4020 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4021 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4022 continue
4023 }
4024 // Client sends a Channel ID.
4025 tests = append(tests, testCase{
4026 name: "ChannelID-Client-" + ver.name,
4027 config: Config{
4028 MaxVersion: ver.version,
4029 RequestChannelID: true,
4030 },
4031 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4032 resumeSession: true,
4033 expectChannelID: true,
4034 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4035
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4036 // Server accepts a Channel ID.
4037 tests = append(tests, testCase{
4038 testType: serverTest,
4039 name: "ChannelID-Server-" + ver.name,
4040 config: Config{
4041 MaxVersion: ver.version,
4042 ChannelID: channelIDKey,
4043 },
4044 flags: []string{
4045 "-expect-channel-id",
4046 base64.StdEncoding.EncodeToString(channelIDBytes),
4047 },
4048 resumeSession: true,
4049 expectChannelID: true,
4050 })
4051
4052 tests = append(tests, testCase{
4053 testType: serverTest,
4054 name: "InvalidChannelIDSignature-" + ver.name,
4055 config: Config{
4056 MaxVersion: ver.version,
4057 ChannelID: channelIDKey,
4058 Bugs: ProtocolBugs{
4059 InvalidChannelIDSignature: true,
4060 },
4061 },
4062 flags: []string{"-enable-channel-id"},
4063 shouldFail: true,
4064 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4065 })
4066 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4067
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4068 // Channel ID and NPN at the same time, to ensure their relative
4069 // ordering is correct.
4070 tests = append(tests, testCase{
4071 name: "ChannelID-NPN-Client",
4072 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4073 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4074 RequestChannelID: true,
4075 NextProtos: []string{"foo"},
4076 },
4077 flags: []string{
4078 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4079 "-select-next-proto", "foo",
4080 },
4081 resumeSession: true,
4082 expectChannelID: true,
4083 expectedNextProto: "foo",
4084 expectedNextProtoType: npn,
4085 })
4086 tests = append(tests, testCase{
4087 testType: serverTest,
4088 name: "ChannelID-NPN-Server",
4089 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4090 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4091 ChannelID: channelIDKey,
4092 NextProtos: []string{"bar"},
4093 },
4094 flags: []string{
4095 "-expect-channel-id",
4096 base64.StdEncoding.EncodeToString(channelIDBytes),
4097 "-advertise-npn", "\x03foo\x03bar\x03baz",
4098 "-expect-next-proto", "bar",
4099 },
4100 resumeSession: true,
4101 expectChannelID: true,
4102 expectedNextProto: "bar",
4103 expectedNextProtoType: npn,
4104 })
4105
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4106 // Bidirectional shutdown with the runner initiating.
4107 tests = append(tests, testCase{
4108 name: "Shutdown-Runner",
4109 config: Config{
4110 Bugs: ProtocolBugs{
4111 ExpectCloseNotify: true,
4112 },
4113 },
4114 flags: []string{"-check-close-notify"},
4115 })
4116
4117 // Bidirectional shutdown with the shim initiating. The runner,
4118 // in the meantime, sends garbage before the close_notify which
4119 // the shim must ignore.
4120 tests = append(tests, testCase{
4121 name: "Shutdown-Shim",
4122 config: Config{
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]4123 MaxVersion: VersionTLS12,
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4124 Bugs: ProtocolBugs{
4125 ExpectCloseNotify: true,
4126 },
4127 },
4128 shimShutsDown: true,
4129 sendEmptyRecords: 1,
4130 sendWarningAlerts: 1,
4131 flags: []string{"-check-close-notify"},
4132 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4133 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4134 // TODO(davidben): DTLS 1.3 will want a similar thing for
4135 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4136 tests = append(tests, testCase{
4137 name: "SkipHelloVerifyRequest",
4138 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4139 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4140 Bugs: ProtocolBugs{
4141 SkipHelloVerifyRequest: true,
4142 },
4143 },
4144 })
4145 }
4146
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4147 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4148 test.protocol = config.protocol
4149 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4150 test.name += "-DTLS"
4151 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4152 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4153 test.name += "-Async"
4154 test.flags = append(test.flags, "-async")
4155 } else {
4156 test.name += "-Sync"
4157 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4158 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4159 test.name += "-SplitHandshakeRecords"
4160 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4161 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4162 test.config.Bugs.MaxPacketLength = 256
4163 test.flags = append(test.flags, "-mtu", "256")
4164 }
4165 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4166 if config.packHandshakeFlight {
4167 test.name += "-PackHandshakeFlight"
4168 test.config.Bugs.PackHandshakeFlight = true
4169 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4170 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4171 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4172}
4173
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4174func addDDoSCallbackTests() {
4175 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4176 for _, resume := range []bool{false, true} {
4177 suffix := "Resume"
4178 if resume {
4179 suffix = "No" + suffix
4180 }
4181
4182 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4183 testType: serverTest,
4184 name: "Server-DDoS-OK-" + suffix,
4185 config: Config{
4186 MaxVersion: VersionTLS12,
4187 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4188 flags: []string{"-install-ddos-callback"},
4189 resumeSession: resume,
4190 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4191 testCases = append(testCases, testCase{
4192 testType: serverTest,
4193 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4194 config: Config{
4195 MaxVersion: VersionTLS13,
4196 },
4197 flags: []string{"-install-ddos-callback"},
4198 resumeSession: resume,
4199 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4200
4201 failFlag := "-fail-ddos-callback"
4202 if resume {
4203 failFlag = "-fail-second-ddos-callback"
4204 }
4205 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4206 testType: serverTest,
4207 name: "Server-DDoS-Reject-" + suffix,
4208 config: Config{
4209 MaxVersion: VersionTLS12,
4210 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4211 flags: []string{"-install-ddos-callback", failFlag},
4212 resumeSession: resume,
4213 shouldFail: true,
4214 expectedError: ":CONNECTION_REJECTED:",
4215 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4216 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4217 testCases = append(testCases, testCase{
4218 testType: serverTest,
4219 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4220 config: Config{
4221 MaxVersion: VersionTLS13,
4222 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4223 flags: []string{"-install-ddos-callback", failFlag},
4224 resumeSession: resume,
4225 shouldFail: true,
4226 expectedError: ":CONNECTION_REJECTED:",
4227 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4228 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4229 }
4230}
4231
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4232func addVersionNegotiationTests() {
4233 for i, shimVers := range tlsVersions {
4234 // Assemble flags to disable all newer versions on the shim.
4235 var flags []string
4236 for _, vers := range tlsVersions[i+1:] {
4237 flags = append(flags, vers.flag)
4238 }
4239
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4240 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4241 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4242 protocols := []protocol{tls}
4243 if runnerVers.hasDTLS && shimVers.hasDTLS {
4244 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4245 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4246 for _, protocol := range protocols {
4247 expectedVersion := shimVers.version
4248 if runnerVers.version < shimVers.version {
4249 expectedVersion = runnerVers.version
4250 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4251
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4252 suffix := shimVers.name + "-" + runnerVers.name
4253 if protocol == dtls {
4254 suffix += "-DTLS"
4255 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4256
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4257 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4258
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4259 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4260 clientVers := shimVers.version
4261 if clientVers > VersionTLS10 {
4262 clientVers = VersionTLS10
4263 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4264 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4265 serverVers := expectedVersion
4266 if expectedVersion >= VersionTLS13 {
4267 serverVers = VersionTLS10
4268 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4269 serverVers = versionToWire(serverVers, protocol == dtls)
4270
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4271 testCases = append(testCases, testCase{
4272 protocol: protocol,
4273 testType: clientTest,
4274 name: "VersionNegotiation-Client-" + suffix,
4275 config: Config{
4276 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4277 Bugs: ProtocolBugs{
4278 ExpectInitialRecordVersion: clientVers,
4279 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4280 },
4281 flags: flags,
4282 expectedVersion: expectedVersion,
4283 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4284 testCases = append(testCases, testCase{
4285 protocol: protocol,
4286 testType: clientTest,
4287 name: "VersionNegotiation-Client2-" + suffix,
4288 config: Config{
4289 MaxVersion: runnerVers.version,
4290 Bugs: ProtocolBugs{
4291 ExpectInitialRecordVersion: clientVers,
4292 },
4293 },
4294 flags: []string{"-max-version", shimVersFlag},
4295 expectedVersion: expectedVersion,
4296 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4297
4298 testCases = append(testCases, testCase{
4299 protocol: protocol,
4300 testType: serverTest,
4301 name: "VersionNegotiation-Server-" + suffix,
4302 config: Config{
4303 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4304 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4305 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4306 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4307 },
4308 flags: flags,
4309 expectedVersion: expectedVersion,
4310 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4311 testCases = append(testCases, testCase{
4312 protocol: protocol,
4313 testType: serverTest,
4314 name: "VersionNegotiation-Server2-" + suffix,
4315 config: Config{
4316 MaxVersion: runnerVers.version,
4317 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4318 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4319 },
4320 },
4321 flags: []string{"-max-version", shimVersFlag},
4322 expectedVersion: expectedVersion,
4323 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4324 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4325 }
4326 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4327
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4328 // Test the version extension at all versions.
4329 for _, vers := range tlsVersions {
4330 protocols := []protocol{tls}
4331 if vers.hasDTLS {
4332 protocols = append(protocols, dtls)
4333 }
4334 for _, protocol := range protocols {
4335 suffix := vers.name
4336 if protocol == dtls {
4337 suffix += "-DTLS"
4338 }
4339
4340 wireVersion := versionToWire(vers.version, protocol == dtls)
4341 testCases = append(testCases, testCase{
4342 protocol: protocol,
4343 testType: serverTest,
4344 name: "VersionNegotiationExtension-" + suffix,
4345 config: Config{
4346 Bugs: ProtocolBugs{
4347 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4348 },
4349 },
4350 expectedVersion: vers.version,
4351 })
4352 }
4353
4354 }
4355
4356 // If all versions are unknown, negotiation fails.
4357 testCases = append(testCases, testCase{
4358 testType: serverTest,
4359 name: "NoSupportedVersions",
4360 config: Config{
4361 Bugs: ProtocolBugs{
4362 SendSupportedVersions: []uint16{0x1111},
4363 },
4364 },
4365 shouldFail: true,
4366 expectedError: ":UNSUPPORTED_PROTOCOL:",
4367 })
4368 testCases = append(testCases, testCase{
4369 protocol: dtls,
4370 testType: serverTest,
4371 name: "NoSupportedVersions-DTLS",
4372 config: Config{
4373 Bugs: ProtocolBugs{
4374 SendSupportedVersions: []uint16{0x1111},
4375 },
4376 },
4377 shouldFail: true,
4378 expectedError: ":UNSUPPORTED_PROTOCOL:",
4379 })
4380
4381 testCases = append(testCases, testCase{
4382 testType: serverTest,
4383 name: "ClientHelloVersionTooHigh",
4384 config: Config{
4385 MaxVersion: VersionTLS13,
4386 Bugs: ProtocolBugs{
4387 SendClientVersion: 0x0304,
4388 OmitSupportedVersions: true,
4389 },
4390 },
4391 expectedVersion: VersionTLS12,
4392 })
4393
4394 testCases = append(testCases, testCase{
4395 testType: serverTest,
4396 name: "ConflictingVersionNegotiation",
4397 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4398 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4399 SendClientVersion: VersionTLS12,
4400 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4401 },
4402 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4403 // The extension takes precedence over the ClientHello version.
4404 expectedVersion: VersionTLS11,
4405 })
4406
4407 testCases = append(testCases, testCase{
4408 testType: serverTest,
4409 name: "ConflictingVersionNegotiation-2",
4410 config: Config{
4411 Bugs: ProtocolBugs{
4412 SendClientVersion: VersionTLS11,
4413 SendSupportedVersions: []uint16{VersionTLS12},
4414 },
4415 },
4416 // The extension takes precedence over the ClientHello version.
4417 expectedVersion: VersionTLS12,
4418 })
4419
4420 testCases = append(testCases, testCase{
4421 testType: serverTest,
4422 name: "RejectFinalTLS13",
4423 config: Config{
4424 Bugs: ProtocolBugs{
4425 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4426 },
4427 },
4428 // We currently implement a draft TLS 1.3 version. Ensure that
4429 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4430 expectedVersion: VersionTLS12,
4431 })
4432
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4433 // Test that the maximum version is selected regardless of the
4434 // client-sent order.
4435 testCases = append(testCases, testCase{
4436 testType: serverTest,
4437 name: "IgnoreClientVersionOrder",
4438 config: Config{
4439 Bugs: ProtocolBugs{
4440 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4441 },
4442 },
4443 expectedVersion: VersionTLS13,
4444 })
4445
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4446 // Test for version tolerance.
4447 testCases = append(testCases, testCase{
4448 testType: serverTest,
4449 name: "MinorVersionTolerance",
4450 config: Config{
4451 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4452 SendClientVersion: 0x03ff,
4453 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4454 },
4455 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4456 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4457 })
4458 testCases = append(testCases, testCase{
4459 testType: serverTest,
4460 name: "MajorVersionTolerance",
4461 config: Config{
4462 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4463 SendClientVersion: 0x0400,
4464 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4465 },
4466 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4467 // TLS 1.3 must be negotiated with the supported_versions
4468 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4469 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4470 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4471 testCases = append(testCases, testCase{
4472 testType: serverTest,
4473 name: "VersionTolerance-TLS13",
4474 config: Config{
4475 Bugs: ProtocolBugs{
4476 // Although TLS 1.3 does not use
4477 // ClientHello.version, it still tolerates high
4478 // values there.
4479 SendClientVersion: 0x0400,
4480 },
4481 },
4482 expectedVersion: VersionTLS13,
4483 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4484
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4485 testCases = append(testCases, testCase{
4486 protocol: dtls,
4487 testType: serverTest,
4488 name: "MinorVersionTolerance-DTLS",
4489 config: Config{
4490 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4491 SendClientVersion: 0xfe00,
4492 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4493 },
4494 },
4495 expectedVersion: VersionTLS12,
4496 })
4497 testCases = append(testCases, testCase{
4498 protocol: dtls,
4499 testType: serverTest,
4500 name: "MajorVersionTolerance-DTLS",
4501 config: Config{
4502 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4503 SendClientVersion: 0xfdff,
4504 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4505 },
4506 },
4507 expectedVersion: VersionTLS12,
4508 })
4509
4510 // Test that versions below 3.0 are rejected.
4511 testCases = append(testCases, testCase{
4512 testType: serverTest,
4513 name: "VersionTooLow",
4514 config: Config{
4515 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4516 SendClientVersion: 0x0200,
4517 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4518 },
4519 },
4520 shouldFail: true,
4521 expectedError: ":UNSUPPORTED_PROTOCOL:",
4522 })
4523 testCases = append(testCases, testCase{
4524 protocol: dtls,
4525 testType: serverTest,
4526 name: "VersionTooLow-DTLS",
4527 config: Config{
4528 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4529 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4530 },
4531 },
4532 shouldFail: true,
4533 expectedError: ":UNSUPPORTED_PROTOCOL:",
4534 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4535
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4536 testCases = append(testCases, testCase{
4537 name: "ServerBogusVersion",
4538 config: Config{
4539 Bugs: ProtocolBugs{
4540 SendServerHelloVersion: 0x1234,
4541 },
4542 },
4543 shouldFail: true,
4544 expectedError: ":UNSUPPORTED_PROTOCOL:",
4545 })
4546
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4547 // Test TLS 1.3's downgrade signal.
4548 testCases = append(testCases, testCase{
4549 name: "Downgrade-TLS12-Client",
4550 config: Config{
4551 Bugs: ProtocolBugs{
4552 NegotiateVersion: VersionTLS12,
4553 },
4554 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4555 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4556 // TODO(davidben): This test should fail once TLS 1.3 is final
4557 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4558 })
4559 testCases = append(testCases, testCase{
4560 testType: serverTest,
4561 name: "Downgrade-TLS12-Server",
4562 config: Config{
4563 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4564 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4565 },
4566 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4567 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4568 // TODO(davidben): This test should fail once TLS 1.3 is final
4569 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4570 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4571}
4572
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4573func addMinimumVersionTests() {
4574 for i, shimVers := range tlsVersions {
4575 // Assemble flags to disable all older versions on the shim.
4576 var flags []string
4577 for _, vers := range tlsVersions[:i] {
4578 flags = append(flags, vers.flag)
4579 }
4580
4581 for _, runnerVers := range tlsVersions {
4582 protocols := []protocol{tls}
4583 if runnerVers.hasDTLS && shimVers.hasDTLS {
4584 protocols = append(protocols, dtls)
4585 }
4586 for _, protocol := range protocols {
4587 suffix := shimVers.name + "-" + runnerVers.name
4588 if protocol == dtls {
4589 suffix += "-DTLS"
4590 }
4591 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4592
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4593 var expectedVersion uint16
4594 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4595 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4596 if runnerVers.version >= shimVers.version {
4597 expectedVersion = runnerVers.version
4598 } else {
4599 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4600 expectedError = ":UNSUPPORTED_PROTOCOL:"
4601 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4602 }
4603
4604 testCases = append(testCases, testCase{
4605 protocol: protocol,
4606 testType: clientTest,
4607 name: "MinimumVersion-Client-" + suffix,
4608 config: Config{
4609 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4610 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4611 // Ensure the server does not decline to
4612 // select a version (versions extension) or
4613 // cipher (some ciphers depend on versions).
4614 NegotiateVersion: runnerVers.version,
4615 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4616 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4617 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4618 flags: flags,
4619 expectedVersion: expectedVersion,
4620 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4621 expectedError: expectedError,
4622 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4623 })
4624 testCases = append(testCases, testCase{
4625 protocol: protocol,
4626 testType: clientTest,
4627 name: "MinimumVersion-Client2-" + suffix,
4628 config: Config{
4629 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4630 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4631 // Ensure the server does not decline to
4632 // select a version (versions extension) or
4633 // cipher (some ciphers depend on versions).
4634 NegotiateVersion: runnerVers.version,
4635 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4636 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4637 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4638 flags: []string{"-min-version", shimVersFlag},
4639 expectedVersion: expectedVersion,
4640 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4641 expectedError: expectedError,
4642 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4643 })
4644
4645 testCases = append(testCases, testCase{
4646 protocol: protocol,
4647 testType: serverTest,
4648 name: "MinimumVersion-Server-" + suffix,
4649 config: Config{
4650 MaxVersion: runnerVers.version,
4651 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4652 flags: flags,
4653 expectedVersion: expectedVersion,
4654 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4655 expectedError: expectedError,
4656 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4657 })
4658 testCases = append(testCases, testCase{
4659 protocol: protocol,
4660 testType: serverTest,
4661 name: "MinimumVersion-Server2-" + suffix,
4662 config: Config{
4663 MaxVersion: runnerVers.version,
4664 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4665 flags: []string{"-min-version", shimVersFlag},
4666 expectedVersion: expectedVersion,
4667 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4668 expectedError: expectedError,
4669 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4670 })
4671 }
4672 }
4673 }
4674}
4675
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4676func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4677 // TODO(davidben): Extensions, where applicable, all move their server
4678 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4679 // tests for both. Also test interaction with 0-RTT when implemented.
4680
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4681 // Repeat extensions tests all versions except SSL 3.0.
4682 for _, ver := range tlsVersions {
4683 if ver.version == VersionSSL30 {
4684 continue
4685 }
4686
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4687 // Test that duplicate extensions are rejected.
4688 testCases = append(testCases, testCase{
4689 testType: clientTest,
4690 name: "DuplicateExtensionClient-" + ver.name,
4691 config: Config{
4692 MaxVersion: ver.version,
4693 Bugs: ProtocolBugs{
4694 DuplicateExtension: true,
4695 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4696 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4697 shouldFail: true,
4698 expectedLocalError: "remote error: error decoding message",
4699 })
4700 testCases = append(testCases, testCase{
4701 testType: serverTest,
4702 name: "DuplicateExtensionServer-" + ver.name,
4703 config: Config{
4704 MaxVersion: ver.version,
4705 Bugs: ProtocolBugs{
4706 DuplicateExtension: true,
4707 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4708 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4709 shouldFail: true,
4710 expectedLocalError: "remote error: error decoding message",
4711 })
4712
4713 // Test SNI.
4714 testCases = append(testCases, testCase{
4715 testType: clientTest,
4716 name: "ServerNameExtensionClient-" + ver.name,
4717 config: Config{
4718 MaxVersion: ver.version,
4719 Bugs: ProtocolBugs{
4720 ExpectServerName: "example.com",
4721 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4722 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4723 flags: []string{"-host-name", "example.com"},
4724 })
4725 testCases = append(testCases, testCase{
4726 testType: clientTest,
4727 name: "ServerNameExtensionClientMismatch-" + ver.name,
4728 config: Config{
4729 MaxVersion: ver.version,
4730 Bugs: ProtocolBugs{
4731 ExpectServerName: "mismatch.com",
4732 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4733 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4734 flags: []string{"-host-name", "example.com"},
4735 shouldFail: true,
4736 expectedLocalError: "tls: unexpected server name",
4737 })
4738 testCases = append(testCases, testCase{
4739 testType: clientTest,
4740 name: "ServerNameExtensionClientMissing-" + ver.name,
4741 config: Config{
4742 MaxVersion: ver.version,
4743 Bugs: ProtocolBugs{
4744 ExpectServerName: "missing.com",
4745 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4746 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4747 shouldFail: true,
4748 expectedLocalError: "tls: unexpected server name",
4749 })
4750 testCases = append(testCases, testCase{
4751 testType: serverTest,
4752 name: "ServerNameExtensionServer-" + ver.name,
4753 config: Config{
4754 MaxVersion: ver.version,
4755 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4756 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4757 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4758 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4759 })
4760
4761 // Test ALPN.
4762 testCases = append(testCases, testCase{
4763 testType: clientTest,
4764 name: "ALPNClient-" + ver.name,
4765 config: Config{
4766 MaxVersion: ver.version,
4767 NextProtos: []string{"foo"},
4768 },
4769 flags: []string{
4770 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4771 "-expect-alpn", "foo",
4772 },
4773 expectedNextProto: "foo",
4774 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4775 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4776 })
4777 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4778 testType: clientTest,
4779 name: "ALPNClient-Mismatch-" + ver.name,
4780 config: Config{
4781 MaxVersion: ver.version,
4782 Bugs: ProtocolBugs{
4783 SendALPN: "baz",
4784 },
4785 },
4786 flags: []string{
4787 "-advertise-alpn", "\x03foo\x03bar",
4788 },
4789 shouldFail: true,
4790 expectedError: ":INVALID_ALPN_PROTOCOL:",
4791 expectedLocalError: "remote error: illegal parameter",
4792 })
4793 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4794 testType: serverTest,
4795 name: "ALPNServer-" + ver.name,
4796 config: Config{
4797 MaxVersion: ver.version,
4798 NextProtos: []string{"foo", "bar", "baz"},
4799 },
4800 flags: []string{
4801 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4802 "-select-alpn", "foo",
4803 },
4804 expectedNextProto: "foo",
4805 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4806 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4807 })
4808 testCases = append(testCases, testCase{
4809 testType: serverTest,
4810 name: "ALPNServer-Decline-" + ver.name,
4811 config: Config{
4812 MaxVersion: ver.version,
4813 NextProtos: []string{"foo", "bar", "baz"},
4814 },
4815 flags: []string{"-decline-alpn"},
4816 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4817 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4818 })
4819
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4820 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4821 // called once.
4822 testCases = append(testCases, testCase{
4823 testType: serverTest,
4824 name: "ALPNServer-Async-" + ver.name,
4825 config: Config{
4826 MaxVersion: ver.version,
4827 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4828 // Prior to TLS 1.3, exercise the asynchronous session callback.
4829 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4830 },
4831 flags: []string{
4832 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4833 "-select-alpn", "foo",
4834 "-async",
4835 },
4836 expectedNextProto: "foo",
4837 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4838 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4839 })
4840
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4841 var emptyString string
4842 testCases = append(testCases, testCase{
4843 testType: clientTest,
4844 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4845 config: Config{
4846 MaxVersion: ver.version,
4847 NextProtos: []string{""},
4848 Bugs: ProtocolBugs{
4849 // A server returning an empty ALPN protocol
4850 // should be rejected.
4851 ALPNProtocol: &emptyString,
4852 },
4853 },
4854 flags: []string{
4855 "-advertise-alpn", "\x03foo",
4856 },
4857 shouldFail: true,
4858 expectedError: ":PARSE_TLSEXT:",
4859 })
4860 testCases = append(testCases, testCase{
4861 testType: serverTest,
4862 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4863 config: Config{
4864 MaxVersion: ver.version,
4865 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4866 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4867 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4868 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4869 flags: []string{
4870 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4871 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4872 shouldFail: true,
4873 expectedError: ":PARSE_TLSEXT:",
4874 })
4875
4876 // Test NPN and the interaction with ALPN.
4877 if ver.version < VersionTLS13 {
4878 // Test that the server prefers ALPN over NPN.
4879 testCases = append(testCases, testCase{
4880 testType: serverTest,
4881 name: "ALPNServer-Preferred-" + ver.name,
4882 config: Config{
4883 MaxVersion: ver.version,
4884 NextProtos: []string{"foo", "bar", "baz"},
4885 },
4886 flags: []string{
4887 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4888 "-select-alpn", "foo",
4889 "-advertise-npn", "\x03foo\x03bar\x03baz",
4890 },
4891 expectedNextProto: "foo",
4892 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4893 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4894 })
4895 testCases = append(testCases, testCase{
4896 testType: serverTest,
4897 name: "ALPNServer-Preferred-Swapped-" + ver.name,
4898 config: Config{
4899 MaxVersion: ver.version,
4900 NextProtos: []string{"foo", "bar", "baz"},
4901 Bugs: ProtocolBugs{
4902 SwapNPNAndALPN: true,
4903 },
4904 },
4905 flags: []string{
4906 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4907 "-select-alpn", "foo",
4908 "-advertise-npn", "\x03foo\x03bar\x03baz",
4909 },
4910 expectedNextProto: "foo",
4911 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4912 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4913 })
4914
4915 // Test that negotiating both NPN and ALPN is forbidden.
4916 testCases = append(testCases, testCase{
4917 name: "NegotiateALPNAndNPN-" + ver.name,
4918 config: Config{
4919 MaxVersion: ver.version,
4920 NextProtos: []string{"foo", "bar", "baz"},
4921 Bugs: ProtocolBugs{
4922 NegotiateALPNAndNPN: true,
4923 },
4924 },
4925 flags: []string{
4926 "-advertise-alpn", "\x03foo",
4927 "-select-next-proto", "foo",
4928 },
4929 shouldFail: true,
4930 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4931 })
4932 testCases = append(testCases, testCase{
4933 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
4934 config: Config{
4935 MaxVersion: ver.version,
4936 NextProtos: []string{"foo", "bar", "baz"},
4937 Bugs: ProtocolBugs{
4938 NegotiateALPNAndNPN: true,
4939 SwapNPNAndALPN: true,
4940 },
4941 },
4942 flags: []string{
4943 "-advertise-alpn", "\x03foo",
4944 "-select-next-proto", "foo",
4945 },
4946 shouldFail: true,
4947 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
4948 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4949 }
4950
4951 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4952
4953 // Resume with a corrupt ticket.
4954 testCases = append(testCases, testCase{
4955 testType: serverTest,
4956 name: "CorruptTicket-" + ver.name,
4957 config: Config{
4958 MaxVersion: ver.version,
4959 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]4960 FilterTicket: func(in []byte) ([]byte, error) {
4961 in[len(in)-1] ^= 1
4962 return in, nil
4963 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4964 },
4965 },
4966 resumeSession: true,
4967 expectResumeRejected: true,
4968 })
4969 // Test the ticket callback, with and without renewal.
4970 testCases = append(testCases, testCase{
4971 testType: serverTest,
4972 name: "TicketCallback-" + ver.name,
4973 config: Config{
4974 MaxVersion: ver.version,
4975 },
4976 resumeSession: true,
4977 flags: []string{"-use-ticket-callback"},
4978 })
4979 testCases = append(testCases, testCase{
4980 testType: serverTest,
4981 name: "TicketCallback-Renew-" + ver.name,
4982 config: Config{
4983 MaxVersion: ver.version,
4984 Bugs: ProtocolBugs{
4985 ExpectNewTicket: true,
4986 },
4987 },
4988 flags: []string{"-use-ticket-callback", "-renew-ticket"},
4989 resumeSession: true,
4990 })
4991
4992 // Test that the ticket callback is only called once when everything before
4993 // it in the ClientHello is asynchronous. This corrupts the ticket so
4994 // certificate selection callbacks run.
4995 testCases = append(testCases, testCase{
4996 testType: serverTest,
4997 name: "TicketCallback-SingleCall-" + ver.name,
4998 config: Config{
4999 MaxVersion: ver.version,
5000 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5001 FilterTicket: func(in []byte) ([]byte, error) {
5002 in[len(in)-1] ^= 1
5003 return in, nil
5004 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5005 },
5006 },
5007 resumeSession: true,
5008 expectResumeRejected: true,
5009 flags: []string{
5010 "-use-ticket-callback",
5011 "-async",
5012 },
5013 })
5014
5015 // Resume with an oversized session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5016 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5017 testCases = append(testCases, testCase{
5018 testType: serverTest,
5019 name: "OversizedSessionId-" + ver.name,
5020 config: Config{
5021 MaxVersion: ver.version,
5022 Bugs: ProtocolBugs{
5023 OversizedSessionId: true,
5024 },
5025 },
5026 resumeSession: true,
5027 shouldFail: true,
5028 expectedError: ":DECODE_ERROR:",
5029 })
5030 }
5031
5032 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5033 // are ignored.
5034 if ver.hasDTLS {
5035 testCases = append(testCases, testCase{
5036 protocol: dtls,
5037 name: "SRTP-Client-" + ver.name,
5038 config: Config{
5039 MaxVersion: ver.version,
5040 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5041 },
5042 flags: []string{
5043 "-srtp-profiles",
5044 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5045 },
5046 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5047 })
5048 testCases = append(testCases, testCase{
5049 protocol: dtls,
5050 testType: serverTest,
5051 name: "SRTP-Server-" + ver.name,
5052 config: Config{
5053 MaxVersion: ver.version,
5054 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5055 },
5056 flags: []string{
5057 "-srtp-profiles",
5058 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5059 },
5060 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5061 })
5062 // Test that the MKI is ignored.
5063 testCases = append(testCases, testCase{
5064 protocol: dtls,
5065 testType: serverTest,
5066 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5067 config: Config{
5068 MaxVersion: ver.version,
5069 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5070 Bugs: ProtocolBugs{
5071 SRTPMasterKeyIdentifer: "bogus",
5072 },
5073 },
5074 flags: []string{
5075 "-srtp-profiles",
5076 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5077 },
5078 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5079 })
5080 // Test that SRTP isn't negotiated on the server if there were
5081 // no matching profiles.
5082 testCases = append(testCases, testCase{
5083 protocol: dtls,
5084 testType: serverTest,
5085 name: "SRTP-Server-NoMatch-" + ver.name,
5086 config: Config{
5087 MaxVersion: ver.version,
5088 SRTPProtectionProfiles: []uint16{100, 101, 102},
5089 },
5090 flags: []string{
5091 "-srtp-profiles",
5092 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5093 },
5094 expectedSRTPProtectionProfile: 0,
5095 })
5096 // Test that the server returning an invalid SRTP profile is
5097 // flagged as an error by the client.
5098 testCases = append(testCases, testCase{
5099 protocol: dtls,
5100 name: "SRTP-Client-NoMatch-" + ver.name,
5101 config: Config{
5102 MaxVersion: ver.version,
5103 Bugs: ProtocolBugs{
5104 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5105 },
5106 },
5107 flags: []string{
5108 "-srtp-profiles",
5109 "SRTP_AES128_CM_SHA1_80",
5110 },
5111 shouldFail: true,
5112 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5113 })
5114 }
5115
5116 // Test SCT list.
5117 testCases = append(testCases, testCase{
5118 name: "SignedCertificateTimestampList-Client-" + ver.name,
5119 testType: clientTest,
5120 config: Config{
5121 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5122 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5123 flags: []string{
5124 "-enable-signed-cert-timestamps",
5125 "-expect-signed-cert-timestamps",
5126 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5127 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5128 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5129 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5130
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5131 var differentSCTList []byte
5132 differentSCTList = append(differentSCTList, testSCTList...)
5133 differentSCTList[len(differentSCTList)-1] ^= 1
5134
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5135 // The SCT extension did not specify that it must only be sent on resumption as it
5136 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5137 testCases = append(testCases, testCase{
5138 name: "SendSCTListOnResume-" + ver.name,
5139 config: Config{
5140 MaxVersion: ver.version,
5141 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5142 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5143 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5144 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5145 flags: []string{
5146 "-enable-signed-cert-timestamps",
5147 "-expect-signed-cert-timestamps",
5148 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5149 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5150 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5151 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5152
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5153 testCases = append(testCases, testCase{
5154 name: "SignedCertificateTimestampList-Server-" + ver.name,
5155 testType: serverTest,
5156 config: Config{
5157 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5158 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5159 flags: []string{
5160 "-signed-cert-timestamps",
5161 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5162 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5163 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5164 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5165 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5166
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5167 emptySCTListCert := *testCerts[0].cert
5168 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5169
5170 // Test empty SCT list.
5171 testCases = append(testCases, testCase{
5172 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5173 testType: clientTest,
5174 config: Config{
5175 MaxVersion: ver.version,
5176 Certificates: []Certificate{emptySCTListCert},
5177 },
5178 flags: []string{
5179 "-enable-signed-cert-timestamps",
5180 },
5181 shouldFail: true,
5182 expectedError: ":ERROR_PARSING_EXTENSION:",
5183 })
5184
5185 emptySCTCert := *testCerts[0].cert
5186 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5187
5188 // Test empty SCT in non-empty list.
5189 testCases = append(testCases, testCase{
5190 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5191 testType: clientTest,
5192 config: Config{
5193 MaxVersion: ver.version,
5194 Certificates: []Certificate{emptySCTCert},
5195 },
5196 flags: []string{
5197 "-enable-signed-cert-timestamps",
5198 },
5199 shouldFail: true,
5200 expectedError: ":ERROR_PARSING_EXTENSION:",
5201 })
5202
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5203 // Test that certificate-related extensions are not sent unsolicited.
5204 testCases = append(testCases, testCase{
5205 testType: serverTest,
5206 name: "UnsolicitedCertificateExtensions-" + ver.name,
5207 config: Config{
5208 MaxVersion: ver.version,
5209 Bugs: ProtocolBugs{
5210 NoOCSPStapling: true,
5211 NoSignedCertificateTimestamps: true,
5212 },
5213 },
5214 flags: []string{
5215 "-ocsp-response",
5216 base64.StdEncoding.EncodeToString(testOCSPResponse),
5217 "-signed-cert-timestamps",
5218 base64.StdEncoding.EncodeToString(testSCTList),
5219 },
5220 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5221 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5222
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5223 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5224 testType: clientTest,
5225 name: "ClientHelloPadding",
5226 config: Config{
5227 Bugs: ProtocolBugs{
5228 RequireClientHelloSize: 512,
5229 },
5230 },
5231 // This hostname just needs to be long enough to push the
5232 // ClientHello into F5's danger zone between 256 and 511 bytes
5233 // long.
5234 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5235 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5236
5237 // Extensions should not function in SSL 3.0.
5238 testCases = append(testCases, testCase{
5239 testType: serverTest,
5240 name: "SSLv3Extensions-NoALPN",
5241 config: Config{
5242 MaxVersion: VersionSSL30,
5243 NextProtos: []string{"foo", "bar", "baz"},
5244 },
5245 flags: []string{
5246 "-select-alpn", "foo",
5247 },
5248 expectNoNextProto: true,
5249 })
5250
5251 // Test session tickets separately as they follow a different codepath.
5252 testCases = append(testCases, testCase{
5253 testType: serverTest,
5254 name: "SSLv3Extensions-NoTickets",
5255 config: Config{
5256 MaxVersion: VersionSSL30,
5257 Bugs: ProtocolBugs{
5258 // Historically, session tickets in SSL 3.0
5259 // failed in different ways depending on whether
5260 // the client supported renegotiation_info.
5261 NoRenegotiationInfo: true,
5262 },
5263 },
5264 resumeSession: true,
5265 })
5266 testCases = append(testCases, testCase{
5267 testType: serverTest,
5268 name: "SSLv3Extensions-NoTickets2",
5269 config: Config{
5270 MaxVersion: VersionSSL30,
5271 },
5272 resumeSession: true,
5273 })
5274
5275 // But SSL 3.0 does send and process renegotiation_info.
5276 testCases = append(testCases, testCase{
5277 testType: serverTest,
5278 name: "SSLv3Extensions-RenegotiationInfo",
5279 config: Config{
5280 MaxVersion: VersionSSL30,
5281 Bugs: ProtocolBugs{
5282 RequireRenegotiationInfo: true,
5283 },
5284 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5285 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5286 })
5287 testCases = append(testCases, testCase{
5288 testType: serverTest,
5289 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5290 config: Config{
5291 MaxVersion: VersionSSL30,
5292 Bugs: ProtocolBugs{
5293 NoRenegotiationInfo: true,
5294 SendRenegotiationSCSV: true,
5295 RequireRenegotiationInfo: true,
5296 },
5297 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5298 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5299 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5300
5301 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5302 // in ServerHello.
5303 testCases = append(testCases, testCase{
5304 name: "NPN-Forbidden-TLS13",
5305 config: Config{
5306 MaxVersion: VersionTLS13,
5307 NextProtos: []string{"foo"},
5308 Bugs: ProtocolBugs{
5309 NegotiateNPNAtAllVersions: true,
5310 },
5311 },
5312 flags: []string{"-select-next-proto", "foo"},
5313 shouldFail: true,
5314 expectedError: ":ERROR_PARSING_EXTENSION:",
5315 })
5316 testCases = append(testCases, testCase{
5317 name: "EMS-Forbidden-TLS13",
5318 config: Config{
5319 MaxVersion: VersionTLS13,
5320 Bugs: ProtocolBugs{
5321 NegotiateEMSAtAllVersions: true,
5322 },
5323 },
5324 shouldFail: true,
5325 expectedError: ":ERROR_PARSING_EXTENSION:",
5326 })
5327 testCases = append(testCases, testCase{
5328 name: "RenegotiationInfo-Forbidden-TLS13",
5329 config: Config{
5330 MaxVersion: VersionTLS13,
5331 Bugs: ProtocolBugs{
5332 NegotiateRenegotiationInfoAtAllVersions: true,
5333 },
5334 },
5335 shouldFail: true,
5336 expectedError: ":ERROR_PARSING_EXTENSION:",
5337 })
5338 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5339 name: "Ticket-Forbidden-TLS13",
5340 config: Config{
5341 MaxVersion: VersionTLS12,
5342 },
5343 resumeConfig: &Config{
5344 MaxVersion: VersionTLS13,
5345 Bugs: ProtocolBugs{
5346 AdvertiseTicketExtension: true,
5347 },
5348 },
5349 resumeSession: true,
5350 shouldFail: true,
5351 expectedError: ":ERROR_PARSING_EXTENSION:",
5352 })
5353
5354 // Test that illegal extensions in TLS 1.3 are declined by the server if
5355 // offered in ClientHello. The runner's server will fail if this occurs,
5356 // so we exercise the offering path. (EMS and Renegotiation Info are
5357 // implicit in every test.)
5358 testCases = append(testCases, testCase{
5359 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5360 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5361 config: Config{
5362 MaxVersion: VersionTLS13,
5363 NextProtos: []string{"bar"},
5364 },
5365 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5366 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5367
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5368 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5369 // tolerated.
5370 testCases = append(testCases, testCase{
5371 name: "SendOCSPResponseOnResume-TLS12",
5372 config: Config{
5373 MaxVersion: VersionTLS12,
5374 Bugs: ProtocolBugs{
5375 SendOCSPResponseOnResume: []byte("bogus"),
5376 },
5377 },
5378 flags: []string{
5379 "-enable-ocsp-stapling",
5380 "-expect-ocsp-response",
5381 base64.StdEncoding.EncodeToString(testOCSPResponse),
5382 },
5383 resumeSession: true,
5384 })
5385
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5386 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5387 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5388 config: Config{
5389 MaxVersion: VersionTLS13,
5390 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5391 SendExtensionOnCertificate: testOCSPExtension,
5392 },
5393 },
5394 shouldFail: true,
5395 expectedError: ":UNEXPECTED_EXTENSION:",
5396 })
5397
5398 testCases = append(testCases, testCase{
5399 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5400 config: Config{
5401 MaxVersion: VersionTLS13,
5402 Bugs: ProtocolBugs{
5403 SendExtensionOnCertificate: testSCTExtension,
5404 },
5405 },
5406 shouldFail: true,
5407 expectedError: ":UNEXPECTED_EXTENSION:",
5408 })
5409
5410 // Test that extensions on client certificates are never accepted.
5411 testCases = append(testCases, testCase{
5412 name: "SendExtensionOnClientCertificate-TLS13",
5413 testType: serverTest,
5414 config: Config{
5415 MaxVersion: VersionTLS13,
5416 Certificates: []Certificate{rsaCertificate},
5417 Bugs: ProtocolBugs{
5418 SendExtensionOnCertificate: testOCSPExtension,
5419 },
5420 },
5421 flags: []string{
5422 "-enable-ocsp-stapling",
5423 "-require-any-client-certificate",
5424 },
5425 shouldFail: true,
5426 expectedError: ":UNEXPECTED_EXTENSION:",
5427 })
5428
5429 testCases = append(testCases, testCase{
5430 name: "SendUnknownExtensionOnCertificate-TLS13",
5431 config: Config{
5432 MaxVersion: VersionTLS13,
5433 Bugs: ProtocolBugs{
5434 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5435 },
5436 },
5437 shouldFail: true,
5438 expectedError: ":UNEXPECTED_EXTENSION:",
5439 })
5440
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5441 var differentSCTList []byte
5442 differentSCTList = append(differentSCTList, testSCTList...)
5443 differentSCTList[len(differentSCTList)-1] ^= 1
5444
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5445 // Test that extensions on intermediates are allowed but ignored.
5446 testCases = append(testCases, testCase{
5447 name: "IgnoreExtensionsOnIntermediates-TLS13",
5448 config: Config{
5449 MaxVersion: VersionTLS13,
5450 Certificates: []Certificate{rsaChainCertificate},
5451 Bugs: ProtocolBugs{
5452 // Send different values on the intermediate. This tests
5453 // the intermediate's extensions do not override the
5454 // leaf's.
5455 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5456 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5457 },
5458 },
5459 flags: []string{
5460 "-enable-ocsp-stapling",
5461 "-expect-ocsp-response",
5462 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5463 "-enable-signed-cert-timestamps",
5464 "-expect-signed-cert-timestamps",
5465 base64.StdEncoding.EncodeToString(testSCTList),
5466 },
5467 resumeSession: true,
5468 })
5469
5470 // Test that extensions are not sent on intermediates when configured
5471 // only for a leaf.
5472 testCases = append(testCases, testCase{
5473 testType: serverTest,
5474 name: "SendNoExtensionsOnIntermediate-TLS13",
5475 config: Config{
5476 MaxVersion: VersionTLS13,
5477 Bugs: ProtocolBugs{
5478 ExpectNoExtensionsOnIntermediate: true,
5479 },
5480 },
5481 flags: []string{
5482 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5483 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5484 "-ocsp-response",
5485 base64.StdEncoding.EncodeToString(testOCSPResponse),
5486 "-signed-cert-timestamps",
5487 base64.StdEncoding.EncodeToString(testSCTList),
5488 },
5489 })
5490
5491 // Test that extensions are not sent on client certificates.
5492 testCases = append(testCases, testCase{
5493 name: "SendNoClientCertificateExtensions-TLS13",
5494 config: Config{
5495 MaxVersion: VersionTLS13,
5496 ClientAuth: RequireAnyClientCert,
5497 },
5498 flags: []string{
5499 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5500 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5501 "-ocsp-response",
5502 base64.StdEncoding.EncodeToString(testOCSPResponse),
5503 "-signed-cert-timestamps",
5504 base64.StdEncoding.EncodeToString(testSCTList),
5505 },
5506 })
5507
5508 testCases = append(testCases, testCase{
5509 name: "SendDuplicateExtensionsOnCerts-TLS13",
5510 config: Config{
5511 MaxVersion: VersionTLS13,
5512 Bugs: ProtocolBugs{
5513 SendDuplicateCertExtensions: true,
5514 },
5515 },
5516 flags: []string{
5517 "-enable-ocsp-stapling",
5518 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5519 },
5520 resumeSession: true,
5521 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5522 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5523 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5524
5525 testCases = append(testCases, testCase{
5526 name: "SignedCertificateTimestampListInvalid-Server",
5527 testType: serverTest,
5528 flags: []string{
5529 "-signed-cert-timestamps",
5530 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5531 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5532 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5533 expectedError: ":INVALID_SCT_LIST:",
5534 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5535}
5536
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5537func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5538 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5539 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5540 // SSL 3.0 does not have tickets and TLS 1.3 does not
5541 // have session IDs, so skip their cross-resumption
5542 // tests.
5543 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5544 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5545 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5546 }
5547
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5548 protocols := []protocol{tls}
5549 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5550 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5551 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5552 for _, protocol := range protocols {
5553 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5554 if protocol == dtls {
5555 suffix += "-DTLS"
5556 }
5557
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5558 if sessionVers.version == resumeVers.version {
5559 testCases = append(testCases, testCase{
5560 protocol: protocol,
5561 name: "Resume-Client" + suffix,
5562 resumeSession: true,
5563 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5564 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5565 Bugs: ProtocolBugs{
5566 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5567 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5568 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5569 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5570 expectedVersion: sessionVers.version,
5571 expectedResumeVersion: resumeVers.version,
5572 })
5573 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5574 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5575
5576 // Offering a TLS 1.3 session sends an empty session ID, so
5577 // there is no way to convince a non-lookahead client the
5578 // session was resumed. It will appear to the client that a
5579 // stray ChangeCipherSpec was sent.
5580 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5581 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5582 }
5583
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5584 testCases = append(testCases, testCase{
5585 protocol: protocol,
5586 name: "Resume-Client-Mismatch" + suffix,
5587 resumeSession: true,
5588 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5589 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5590 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5591 expectedVersion: sessionVers.version,
5592 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5593 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5594 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5595 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5596 },
5597 },
5598 expectedResumeVersion: resumeVers.version,
5599 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5600 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5601 })
5602 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5603
5604 testCases = append(testCases, testCase{
5605 protocol: protocol,
5606 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5607 resumeSession: true,
5608 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5609 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5610 },
5611 expectedVersion: sessionVers.version,
5612 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5613 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5614 },
5615 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5616 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5617 expectedResumeVersion: resumeVers.version,
5618 })
5619
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5620 testCases = append(testCases, testCase{
5621 protocol: protocol,
5622 testType: serverTest,
5623 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5624 resumeSession: true,
5625 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5626 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5627 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5628 expectedVersion: sessionVers.version,
5629 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5630 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5631 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5632 Bugs: ProtocolBugs{
5633 SendBothTickets: true,
5634 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5635 },
5636 expectedResumeVersion: resumeVers.version,
5637 })
5638 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5639 }
5640 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5641
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5642 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5643 testCases = append(testCases, testCase{
5644 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5645 name: "ShimTicketRewritable",
5646 resumeSession: true,
5647 config: Config{
5648 MaxVersion: VersionTLS12,
5649 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5650 Bugs: ProtocolBugs{
5651 FilterTicket: func(in []byte) ([]byte, error) {
5652 in, err := SetShimTicketVersion(in, VersionTLS12)
5653 if err != nil {
5654 return nil, err
5655 }
5656 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5657 },
5658 },
5659 },
5660 flags: []string{
5661 "-ticket-key",
5662 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5663 },
5664 })
5665
5666 // Resumptions are declined if the version does not match.
5667 testCases = append(testCases, testCase{
5668 testType: serverTest,
5669 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5670 resumeSession: true,
5671 config: Config{
5672 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5673 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5674 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5675 FilterTicket: func(in []byte) ([]byte, error) {
5676 return SetShimTicketVersion(in, VersionTLS13)
5677 },
5678 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5679 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5680 flags: []string{
5681 "-ticket-key",
5682 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5683 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5684 expectResumeRejected: true,
5685 })
5686
5687 testCases = append(testCases, testCase{
5688 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5689 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5690 resumeSession: true,
5691 config: Config{
5692 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5693 Bugs: ProtocolBugs{
5694 FilterTicket: func(in []byte) ([]byte, error) {
5695 return SetShimTicketVersion(in, VersionTLS12)
5696 },
5697 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5698 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5699 flags: []string{
5700 "-ticket-key",
5701 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5702 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5703 expectResumeRejected: true,
5704 })
5705
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5706 // Resumptions are declined if the cipher is invalid or disabled.
5707 testCases = append(testCases, testCase{
5708 testType: serverTest,
5709 name: "Resume-Server-DeclineBadCipher",
5710 resumeSession: true,
5711 config: Config{
5712 MaxVersion: VersionTLS12,
5713 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5714 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5715 FilterTicket: func(in []byte) ([]byte, error) {
5716 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5717 },
5718 },
5719 },
5720 flags: []string{
5721 "-ticket-key",
5722 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5723 },
5724 expectResumeRejected: true,
5725 })
5726
5727 testCases = append(testCases, testCase{
5728 testType: serverTest,
5729 name: "Resume-Server-DeclineBadCipher-2",
5730 resumeSession: true,
5731 config: Config{
5732 MaxVersion: VersionTLS12,
5733 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5734 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5735 FilterTicket: func(in []byte) ([]byte, error) {
5736 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5737 },
5738 },
5739 },
5740 flags: []string{
5741 "-cipher", "AES128",
5742 "-ticket-key",
5743 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5744 },
5745 expectResumeRejected: true,
5746 })
5747
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5748 // Sessions are not resumed if they do not use the preferred cipher.
5749 testCases = append(testCases, testCase{
5750 testType: serverTest,
5751 name: "Resume-Server-CipherNotPreferred",
5752 resumeSession: true,
5753 config: Config{
5754 MaxVersion: VersionTLS12,
5755 Bugs: ProtocolBugs{
5756 ExpectNewTicket: true,
5757 FilterTicket: func(in []byte) ([]byte, error) {
5758 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5759 },
5760 },
5761 },
5762 flags: []string{
5763 "-ticket-key",
5764 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5765 },
5766 shouldFail: false,
5767 expectResumeRejected: true,
5768 })
5769
5770 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5771 // PRF hashes match, but BoringSSL will always decline such resumptions.
5772 testCases = append(testCases, testCase{
5773 testType: serverTest,
5774 name: "Resume-Server-CipherNotPreferred-TLS13",
5775 resumeSession: true,
5776 config: Config{
5777 MaxVersion: VersionTLS13,
5778 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5779 Bugs: ProtocolBugs{
5780 FilterTicket: func(in []byte) ([]byte, error) {
5781 // If the client (runner) offers ChaCha20-Poly1305 first, the
5782 // server (shim) always prefers it. Switch it to AES-GCM.
5783 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5784 },
5785 },
5786 },
5787 flags: []string{
5788 "-ticket-key",
5789 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5790 },
5791 shouldFail: false,
5792 expectResumeRejected: true,
5793 })
5794
5795 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5796 testCases = append(testCases, testCase{
5797 testType: serverTest,
5798 name: "Resume-Server-DeclineBadCipher-TLS13",
5799 resumeSession: true,
5800 config: Config{
5801 MaxVersion: VersionTLS13,
5802 Bugs: ProtocolBugs{
5803 FilterTicket: func(in []byte) ([]byte, error) {
5804 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5805 },
5806 },
5807 },
5808 flags: []string{
5809 "-ticket-key",
5810 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5811 },
5812 expectResumeRejected: true,
5813 })
5814
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5815 // If the client does not offer the cipher from the session, decline to
5816 // resume. Clients are forbidden from doing this, but BoringSSL selects
5817 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5818 testCases = append(testCases, testCase{
5819 testType: serverTest,
5820 name: "Resume-Server-UnofferedCipher",
5821 resumeSession: true,
5822 config: Config{
5823 MaxVersion: VersionTLS12,
5824 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5825 },
5826 resumeConfig: &Config{
5827 MaxVersion: VersionTLS12,
5828 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5829 Bugs: ProtocolBugs{
5830 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5831 },
5832 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5833 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5834 })
5835
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5836 // In TLS 1.3, clients may advertise a cipher list which does not
5837 // include the selected cipher. Test that we tolerate this. Servers may
5838 // resume at another cipher if the PRF matches, but BoringSSL will
5839 // always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5840 testCases = append(testCases, testCase{
5841 testType: serverTest,
5842 name: "Resume-Server-UnofferedCipher-TLS13",
5843 resumeSession: true,
5844 config: Config{
5845 MaxVersion: VersionTLS13,
5846 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5847 },
5848 resumeConfig: &Config{
5849 MaxVersion: VersionTLS13,
5850 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5851 Bugs: ProtocolBugs{
5852 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5853 },
5854 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5855 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5856 })
5857
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5858 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5859 testCases = append(testCases, testCase{
5860 name: "Resume-Client-CipherMismatch",
5861 resumeSession: true,
5862 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5863 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5864 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5865 },
5866 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5867 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5868 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
5869 Bugs: ProtocolBugs{
5870 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
5871 },
5872 },
5873 shouldFail: true,
5874 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
5875 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5876
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5877 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
5878 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5879 testCases = append(testCases, testCase{
5880 name: "Resume-Client-CipherMismatch-TLS13",
5881 resumeSession: true,
5882 config: Config{
5883 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5884 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5885 },
5886 resumeConfig: &Config{
5887 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5888 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5889 },
5890 })
5891
5892 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
5893 testCases = append(testCases, testCase{
5894 name: "Resume-Client-PRFMismatch-TLS13",
5895 resumeSession: true,
5896 config: Config{
5897 MaxVersion: VersionTLS13,
5898 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5899 },
5900 resumeConfig: &Config{
5901 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5902 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5903 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5904 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5905 },
5906 },
5907 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]5908 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5909 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5910
5911 testCases = append(testCases, testCase{
5912 testType: serverTest,
5913 name: "Resume-Server-BinderWrongLength",
5914 resumeSession: true,
5915 config: Config{
5916 MaxVersion: VersionTLS13,
5917 Bugs: ProtocolBugs{
5918 SendShortPSKBinder: true,
5919 },
5920 },
5921 shouldFail: true,
5922 expectedLocalError: "remote error: error decrypting message",
5923 expectedError: ":DIGEST_CHECK_FAILED:",
5924 })
5925
5926 testCases = append(testCases, testCase{
5927 testType: serverTest,
5928 name: "Resume-Server-NoPSKBinder",
5929 resumeSession: true,
5930 config: Config{
5931 MaxVersion: VersionTLS13,
5932 Bugs: ProtocolBugs{
5933 SendNoPSKBinder: true,
5934 },
5935 },
5936 shouldFail: true,
5937 expectedLocalError: "remote error: error decoding message",
5938 expectedError: ":DECODE_ERROR:",
5939 })
5940
5941 testCases = append(testCases, testCase{
5942 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]5943 name: "Resume-Server-ExtraPSKBinder",
5944 resumeSession: true,
5945 config: Config{
5946 MaxVersion: VersionTLS13,
5947 Bugs: ProtocolBugs{
5948 SendExtraPSKBinder: true,
5949 },
5950 },
5951 shouldFail: true,
5952 expectedLocalError: "remote error: illegal parameter",
5953 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5954 })
5955
5956 testCases = append(testCases, testCase{
5957 testType: serverTest,
5958 name: "Resume-Server-ExtraIdentityNoBinder",
5959 resumeSession: true,
5960 config: Config{
5961 MaxVersion: VersionTLS13,
5962 Bugs: ProtocolBugs{
5963 ExtraPSKIdentity: true,
5964 },
5965 },
5966 shouldFail: true,
5967 expectedLocalError: "remote error: illegal parameter",
5968 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
5969 })
5970
5971 testCases = append(testCases, testCase{
5972 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5973 name: "Resume-Server-InvalidPSKBinder",
5974 resumeSession: true,
5975 config: Config{
5976 MaxVersion: VersionTLS13,
5977 Bugs: ProtocolBugs{
5978 SendInvalidPSKBinder: true,
5979 },
5980 },
5981 shouldFail: true,
5982 expectedLocalError: "remote error: error decrypting message",
5983 expectedError: ":DIGEST_CHECK_FAILED:",
5984 })
5985
5986 testCases = append(testCases, testCase{
5987 testType: serverTest,
5988 name: "Resume-Server-PSKBinderFirstExtension",
5989 resumeSession: true,
5990 config: Config{
5991 MaxVersion: VersionTLS13,
5992 Bugs: ProtocolBugs{
5993 PSKBinderFirst: true,
5994 },
5995 },
5996 shouldFail: true,
5997 expectedLocalError: "remote error: illegal parameter",
5998 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
5999 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6000}
6001
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6002func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6003 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6004 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6005 testType: serverTest,
6006 name: "Renegotiate-Server-Forbidden",
6007 config: Config{
6008 MaxVersion: VersionTLS12,
6009 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6010 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6011 shouldFail: true,
6012 expectedError: ":NO_RENEGOTIATION:",
6013 expectedLocalError: "remote error: no renegotiation",
6014 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6015 // The server shouldn't echo the renegotiation extension unless
6016 // requested by the client.
6017 testCases = append(testCases, testCase{
6018 testType: serverTest,
6019 name: "Renegotiate-Server-NoExt",
6020 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6021 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6022 Bugs: ProtocolBugs{
6023 NoRenegotiationInfo: true,
6024 RequireRenegotiationInfo: true,
6025 },
6026 },
6027 shouldFail: true,
6028 expectedLocalError: "renegotiation extension missing",
6029 })
6030 // The renegotiation SCSV should be sufficient for the server to echo
6031 // the extension.
6032 testCases = append(testCases, testCase{
6033 testType: serverTest,
6034 name: "Renegotiate-Server-NoExt-SCSV",
6035 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6036 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6037 Bugs: ProtocolBugs{
6038 NoRenegotiationInfo: true,
6039 SendRenegotiationSCSV: true,
6040 RequireRenegotiationInfo: true,
6041 },
6042 },
6043 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6044 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6045 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6046 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6047 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6048 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6049 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6050 },
6051 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6052 renegotiate: 1,
6053 flags: []string{
6054 "-renegotiate-freely",
6055 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6056 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6057 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6058 })
6059 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6060 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6061 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6062 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6063 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6064 Bugs: ProtocolBugs{
6065 EmptyRenegotiationInfo: true,
6066 },
6067 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6068 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6069 shouldFail: true,
6070 expectedError: ":RENEGOTIATION_MISMATCH:",
6071 })
6072 testCases = append(testCases, testCase{
6073 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6074 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6075 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6076 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6077 Bugs: ProtocolBugs{
6078 BadRenegotiationInfo: true,
6079 },
6080 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6081 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6082 shouldFail: true,
6083 expectedError: ":RENEGOTIATION_MISMATCH:",
6084 })
6085 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6086 name: "Renegotiate-Client-Downgrade",
6087 renegotiate: 1,
6088 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6089 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6090 Bugs: ProtocolBugs{
6091 NoRenegotiationInfoAfterInitial: true,
6092 },
6093 },
6094 flags: []string{"-renegotiate-freely"},
6095 shouldFail: true,
6096 expectedError: ":RENEGOTIATION_MISMATCH:",
6097 })
6098 testCases = append(testCases, testCase{
6099 name: "Renegotiate-Client-Upgrade",
6100 renegotiate: 1,
6101 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6102 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6103 Bugs: ProtocolBugs{
6104 NoRenegotiationInfoInInitial: true,
6105 },
6106 },
6107 flags: []string{"-renegotiate-freely"},
6108 shouldFail: true,
6109 expectedError: ":RENEGOTIATION_MISMATCH:",
6110 })
6111 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6112 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6113 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6114 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6115 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6116 Bugs: ProtocolBugs{
6117 NoRenegotiationInfo: true,
6118 },
6119 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6120 flags: []string{
6121 "-renegotiate-freely",
6122 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6123 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6124 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6125 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6126
6127 // Test that the server may switch ciphers on renegotiation without
6128 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6129 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6130 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6131 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6132 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6133 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6134 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6135 },
6136 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6137 flags: []string{
6138 "-renegotiate-freely",
6139 "-expect-total-renegotiations", "1",
6140 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6141 })
6142 testCases = append(testCases, testCase{
6143 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6144 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6145 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6146 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6147 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6148 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6149 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6150 flags: []string{
6151 "-renegotiate-freely",
6152 "-expect-total-renegotiations", "1",
6153 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6154 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6155
6156 // Test that the server may not switch versions on renegotiation.
6157 testCases = append(testCases, testCase{
6158 name: "Renegotiate-Client-SwitchVersion",
6159 config: Config{
6160 MaxVersion: VersionTLS12,
6161 // Pick a cipher which exists at both versions.
6162 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6163 Bugs: ProtocolBugs{
6164 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6165 // Avoid failing early at the record layer.
6166 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6167 },
6168 },
6169 renegotiate: 1,
6170 flags: []string{
6171 "-renegotiate-freely",
6172 "-expect-total-renegotiations", "1",
6173 },
6174 shouldFail: true,
6175 expectedError: ":WRONG_SSL_VERSION:",
6176 })
6177
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6178 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6179 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6180 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6181 config: Config{
6182 MaxVersion: VersionTLS10,
6183 Bugs: ProtocolBugs{
6184 RequireSameRenegoClientVersion: true,
6185 },
6186 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6187 flags: []string{
6188 "-renegotiate-freely",
6189 "-expect-total-renegotiations", "1",
6190 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6191 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6192 testCases = append(testCases, testCase{
6193 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6194 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6195 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6196 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6197 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6198 NextProtos: []string{"foo"},
6199 },
6200 flags: []string{
6201 "-false-start",
6202 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6203 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6204 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6205 },
6206 shimWritesFirst: true,
6207 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6208
6209 // Client-side renegotiation controls.
6210 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6211 name: "Renegotiate-Client-Forbidden-1",
6212 config: Config{
6213 MaxVersion: VersionTLS12,
6214 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6215 renegotiate: 1,
6216 shouldFail: true,
6217 expectedError: ":NO_RENEGOTIATION:",
6218 expectedLocalError: "remote error: no renegotiation",
6219 })
6220 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6221 name: "Renegotiate-Client-Once-1",
6222 config: Config{
6223 MaxVersion: VersionTLS12,
6224 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6225 renegotiate: 1,
6226 flags: []string{
6227 "-renegotiate-once",
6228 "-expect-total-renegotiations", "1",
6229 },
6230 })
6231 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6232 name: "Renegotiate-Client-Freely-1",
6233 config: Config{
6234 MaxVersion: VersionTLS12,
6235 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6236 renegotiate: 1,
6237 flags: []string{
6238 "-renegotiate-freely",
6239 "-expect-total-renegotiations", "1",
6240 },
6241 })
6242 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6243 name: "Renegotiate-Client-Once-2",
6244 config: Config{
6245 MaxVersion: VersionTLS12,
6246 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6247 renegotiate: 2,
6248 flags: []string{"-renegotiate-once"},
6249 shouldFail: true,
6250 expectedError: ":NO_RENEGOTIATION:",
6251 expectedLocalError: "remote error: no renegotiation",
6252 })
6253 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6254 name: "Renegotiate-Client-Freely-2",
6255 config: Config{
6256 MaxVersion: VersionTLS12,
6257 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6258 renegotiate: 2,
6259 flags: []string{
6260 "-renegotiate-freely",
6261 "-expect-total-renegotiations", "2",
6262 },
6263 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6264 testCases = append(testCases, testCase{
6265 name: "Renegotiate-Client-NoIgnore",
6266 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6267 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6268 Bugs: ProtocolBugs{
6269 SendHelloRequestBeforeEveryAppDataRecord: true,
6270 },
6271 },
6272 shouldFail: true,
6273 expectedError: ":NO_RENEGOTIATION:",
6274 })
6275 testCases = append(testCases, testCase{
6276 name: "Renegotiate-Client-Ignore",
6277 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6278 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6279 Bugs: ProtocolBugs{
6280 SendHelloRequestBeforeEveryAppDataRecord: true,
6281 },
6282 },
6283 flags: []string{
6284 "-renegotiate-ignore",
6285 "-expect-total-renegotiations", "0",
6286 },
6287 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6288
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6289 // Renegotiation is not allowed at SSL 3.0.
6290 testCases = append(testCases, testCase{
6291 name: "Renegotiate-Client-SSL3",
6292 config: Config{
6293 MaxVersion: VersionSSL30,
6294 },
6295 renegotiate: 1,
6296 flags: []string{
6297 "-renegotiate-freely",
6298 "-expect-total-renegotiations", "1",
6299 },
6300 shouldFail: true,
6301 expectedError: ":NO_RENEGOTIATION:",
6302 expectedLocalError: "remote error: no renegotiation",
6303 })
6304
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6305 // Renegotiation is not allowed when there is an unfinished write.
6306 testCases = append(testCases, testCase{
6307 name: "Renegotiate-Client-UnfinishedWrite",
6308 config: Config{
6309 MaxVersion: VersionTLS12,
6310 },
6311 renegotiate: 1,
6312 flags: []string{
6313 "-async",
6314 "-renegotiate-freely",
6315 "-read-with-unfinished-write",
6316 },
6317 shouldFail: true,
6318 expectedError: ":NO_RENEGOTIATION:",
6319 // We do not successfully send the no_renegotiation alert in
6320 // this case. https://crbug.com/boringssl/130
6321 })
6322
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6323 // Stray HelloRequests during the handshake are ignored in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6324 testCases = append(testCases, testCase{
6325 name: "StrayHelloRequest",
6326 config: Config{
6327 MaxVersion: VersionTLS12,
6328 Bugs: ProtocolBugs{
6329 SendHelloRequestBeforeEveryHandshakeMessage: true,
6330 },
6331 },
6332 })
6333 testCases = append(testCases, testCase{
6334 name: "StrayHelloRequest-Packed",
6335 config: Config{
6336 MaxVersion: VersionTLS12,
6337 Bugs: ProtocolBugs{
6338 PackHandshakeFlight: true,
6339 SendHelloRequestBeforeEveryHandshakeMessage: true,
6340 },
6341 },
6342 })
6343
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6344 // Test renegotiation works if HelloRequest and server Finished come in
6345 // the same record.
6346 testCases = append(testCases, testCase{
6347 name: "Renegotiate-Client-Packed",
6348 config: Config{
6349 MaxVersion: VersionTLS12,
6350 Bugs: ProtocolBugs{
6351 PackHandshakeFlight: true,
6352 PackHelloRequestWithFinished: true,
6353 },
6354 },
6355 renegotiate: 1,
6356 flags: []string{
6357 "-renegotiate-freely",
6358 "-expect-total-renegotiations", "1",
6359 },
6360 })
6361
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6362 // Renegotiation is forbidden in TLS 1.3.
6363 testCases = append(testCases, testCase{
6364 name: "Renegotiate-Client-TLS13",
6365 config: Config{
6366 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6367 Bugs: ProtocolBugs{
6368 SendHelloRequestBeforeEveryAppDataRecord: true,
6369 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6370 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6371 flags: []string{
6372 "-renegotiate-freely",
6373 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6374 shouldFail: true,
6375 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6376 })
6377
6378 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6379 testCases = append(testCases, testCase{
6380 name: "StrayHelloRequest-TLS13",
6381 config: Config{
6382 MaxVersion: VersionTLS13,
6383 Bugs: ProtocolBugs{
6384 SendHelloRequestBeforeEveryHandshakeMessage: true,
6385 },
6386 },
6387 shouldFail: true,
6388 expectedError: ":UNEXPECTED_MESSAGE:",
6389 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6390
6391 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6392 // always reads as supporting it, regardless of whether it was
6393 // negotiated.
6394 testCases = append(testCases, testCase{
6395 name: "AlwaysReportRenegotiationInfo-TLS13",
6396 config: Config{
6397 MaxVersion: VersionTLS13,
6398 Bugs: ProtocolBugs{
6399 NoRenegotiationInfo: true,
6400 },
6401 },
6402 flags: []string{
6403 "-expect-secure-renegotiation",
6404 },
6405 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6406}
6407
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6408func addDTLSReplayTests() {
6409 // Test that sequence number replays are detected.
6410 testCases = append(testCases, testCase{
6411 protocol: dtls,
6412 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6413 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6414 replayWrites: true,
6415 })
6416
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6417 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6418 // than the retransmit window.
6419 testCases = append(testCases, testCase{
6420 protocol: dtls,
6421 name: "DTLS-Replay-LargeGaps",
6422 config: Config{
6423 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6424 SequenceNumberMapping: func(in uint64) uint64 {
6425 return in * 127
6426 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6427 },
6428 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6429 messageCount: 200,
6430 replayWrites: true,
6431 })
6432
6433 // Test the incoming sequence number changing non-monotonically.
6434 testCases = append(testCases, testCase{
6435 protocol: dtls,
6436 name: "DTLS-Replay-NonMonotonic",
6437 config: Config{
6438 Bugs: ProtocolBugs{
6439 SequenceNumberMapping: func(in uint64) uint64 {
6440 return in ^ 31
6441 },
6442 },
6443 },
6444 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6445 replayWrites: true,
6446 })
6447}
6448
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6449var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6450 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6451 id signatureAlgorithm
6452 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6453}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6454 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6455 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6456 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6457 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6458 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6459 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6460 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6461 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6462 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6463 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6464 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6465 // Tests for key types prior to TLS 1.2.
6466 {"RSA", 0, testCertRSA},
6467 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6468}
6469
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6470const fakeSigAlg1 signatureAlgorithm = 0x2a01
6471const fakeSigAlg2 signatureAlgorithm = 0xff01
6472
6473func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6474 // Not all ciphers involve a signature. Advertise a list which gives all
6475 // versions a signing cipher.
6476 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6477 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6478 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6479 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6480 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6481 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
6482 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
6483 }
6484
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6485 var allAlgorithms []signatureAlgorithm
6486 for _, alg := range testSignatureAlgorithms {
6487 if alg.id != 0 {
6488 allAlgorithms = append(allAlgorithms, alg.id)
6489 }
6490 }
6491
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6492 // Make sure each signature algorithm works. Include some fake values in
6493 // the list and ensure they're ignored.
6494 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6495 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6496 if (ver.version < VersionTLS12) != (alg.id == 0) {
6497 continue
6498 }
6499
6500 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6501 // or remove it in C.
6502 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6503 continue
6504 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6505
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6506 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6507 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6508 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6509 shouldSignFail = true
6510 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6511 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6512 // RSA-PKCS1 does not exist in TLS 1.3.
6513 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6514 shouldSignFail = true
6515 shouldVerifyFail = true
6516 }
6517
6518 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6519 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6520 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6521 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6522
6523 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6524 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6525 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6526 }
6527 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6528 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6529 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6530
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6531 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6532
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6533 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6534 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6535 config: Config{
6536 MaxVersion: ver.version,
6537 ClientAuth: RequireAnyClientCert,
6538 VerifySignatureAlgorithms: []signatureAlgorithm{
6539 fakeSigAlg1,
6540 alg.id,
6541 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6542 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6543 },
6544 flags: []string{
6545 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6546 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6547 "-enable-all-curves",
6548 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6549 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6550 expectedError: signError,
6551 expectedPeerSignatureAlgorithm: alg.id,
6552 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6553
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6554 testCases = append(testCases, testCase{
6555 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6556 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6557 config: Config{
6558 MaxVersion: ver.version,
6559 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6560 SignSignatureAlgorithms: []signatureAlgorithm{
6561 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6562 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6563 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6564 SkipECDSACurveCheck: shouldVerifyFail,
6565 IgnoreSignatureVersionChecks: shouldVerifyFail,
6566 // Some signature algorithms may not be advertised.
6567 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6568 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6569 },
6570 flags: []string{
6571 "-require-any-client-certificate",
6572 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6573 "-enable-all-curves",
6574 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6575 // Resume the session to assert the peer signature
6576 // algorithm is reported on both handshakes.
6577 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6578 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6579 expectedError: verifyError,
6580 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6581
6582 testCases = append(testCases, testCase{
6583 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6584 name: "ServerAuth-Sign" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6585 config: Config{
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6586 MaxVersion: ver.version,
6587 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6588 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6589 fakeSigAlg1,
6590 alg.id,
6591 fakeSigAlg2,
6592 },
6593 },
6594 flags: []string{
6595 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6596 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6597 "-enable-all-curves",
6598 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6599 shouldFail: shouldSignFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6600 expectedError: signError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6601 expectedPeerSignatureAlgorithm: alg.id,
6602 })
6603
6604 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6605 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6606 config: Config{
6607 MaxVersion: ver.version,
6608 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6609 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6610 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6611 alg.id,
6612 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6613 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6614 SkipECDSACurveCheck: shouldVerifyFail,
6615 IgnoreSignatureVersionChecks: shouldVerifyFail,
6616 // Some signature algorithms may not be advertised.
6617 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6618 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6619 },
6620 flags: []string{
6621 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6622 "-enable-all-curves",
6623 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6624 // Resume the session to assert the peer signature
6625 // algorithm is reported on both handshakes.
6626 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6627 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6628 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6629 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6630
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6631 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6632 testCases = append(testCases, testCase{
6633 testType: serverTest,
6634 name: "ClientAuth-InvalidSignature" + suffix,
6635 config: Config{
6636 MaxVersion: ver.version,
6637 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6638 SignSignatureAlgorithms: []signatureAlgorithm{
6639 alg.id,
6640 },
6641 Bugs: ProtocolBugs{
6642 InvalidSignature: true,
6643 },
6644 },
6645 flags: []string{
6646 "-require-any-client-certificate",
6647 "-enable-all-curves",
6648 },
6649 shouldFail: true,
6650 expectedError: ":BAD_SIGNATURE:",
6651 })
6652
6653 testCases = append(testCases, testCase{
6654 name: "ServerAuth-InvalidSignature" + suffix,
6655 config: Config{
6656 MaxVersion: ver.version,
6657 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6658 CipherSuites: signingCiphers,
6659 SignSignatureAlgorithms: []signatureAlgorithm{
6660 alg.id,
6661 },
6662 Bugs: ProtocolBugs{
6663 InvalidSignature: true,
6664 },
6665 },
6666 flags: []string{"-enable-all-curves"},
6667 shouldFail: true,
6668 expectedError: ":BAD_SIGNATURE:",
6669 })
6670 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6671
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6672 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6673 testCases = append(testCases, testCase{
6674 name: "ClientAuth-Sign-Negotiate" + suffix,
6675 config: Config{
6676 MaxVersion: ver.version,
6677 ClientAuth: RequireAnyClientCert,
6678 VerifySignatureAlgorithms: allAlgorithms,
6679 },
6680 flags: []string{
6681 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6682 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6683 "-enable-all-curves",
6684 "-signing-prefs", strconv.Itoa(int(alg.id)),
6685 },
6686 expectedPeerSignatureAlgorithm: alg.id,
6687 })
6688
6689 testCases = append(testCases, testCase{
6690 testType: serverTest,
6691 name: "ServerAuth-Sign-Negotiate" + suffix,
6692 config: Config{
6693 MaxVersion: ver.version,
6694 CipherSuites: signingCiphers,
6695 VerifySignatureAlgorithms: allAlgorithms,
6696 },
6697 flags: []string{
6698 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6699 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6700 "-enable-all-curves",
6701 "-signing-prefs", strconv.Itoa(int(alg.id)),
6702 },
6703 expectedPeerSignatureAlgorithm: alg.id,
6704 })
6705 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6706 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6707 }
6708
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6709 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6710 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6711 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6712 config: Config{
6713 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6714 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6715 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6716 signatureECDSAWithP521AndSHA512,
6717 signatureRSAPKCS1WithSHA384,
6718 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6719 },
6720 },
6721 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6722 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6723 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6724 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6725 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6726 })
6727
6728 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6729 name: "ClientAuth-SignatureType-TLS13",
6730 config: Config{
6731 ClientAuth: RequireAnyClientCert,
6732 MaxVersion: VersionTLS13,
6733 VerifySignatureAlgorithms: []signatureAlgorithm{
6734 signatureECDSAWithP521AndSHA512,
6735 signatureRSAPKCS1WithSHA384,
6736 signatureRSAPSSWithSHA384,
6737 signatureECDSAWithSHA1,
6738 },
6739 },
6740 flags: []string{
6741 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6742 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6743 },
6744 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6745 })
6746
6747 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6748 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6749 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6750 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6751 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6752 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6753 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6754 signatureECDSAWithP521AndSHA512,
6755 signatureRSAPKCS1WithSHA384,
6756 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6757 },
6758 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6759 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6760 })
6761
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6762 testCases = append(testCases, testCase{
6763 testType: serverTest,
6764 name: "ServerAuth-SignatureType-TLS13",
6765 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6766 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6767 VerifySignatureAlgorithms: []signatureAlgorithm{
6768 signatureECDSAWithP521AndSHA512,
6769 signatureRSAPKCS1WithSHA384,
6770 signatureRSAPSSWithSHA384,
6771 signatureECDSAWithSHA1,
6772 },
6773 },
6774 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6775 })
6776
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6777 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6778 testCases = append(testCases, testCase{
6779 testType: serverTest,
6780 name: "Verify-ClientAuth-SignatureType",
6781 config: Config{
6782 MaxVersion: VersionTLS12,
6783 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6784 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6785 signatureRSAPKCS1WithSHA256,
6786 },
6787 Bugs: ProtocolBugs{
6788 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6789 },
6790 },
6791 flags: []string{
6792 "-require-any-client-certificate",
6793 },
6794 shouldFail: true,
6795 expectedError: ":WRONG_SIGNATURE_TYPE:",
6796 })
6797
6798 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6799 testType: serverTest,
6800 name: "Verify-ClientAuth-SignatureType-TLS13",
6801 config: Config{
6802 MaxVersion: VersionTLS13,
6803 Certificates: []Certificate{rsaCertificate},
6804 SignSignatureAlgorithms: []signatureAlgorithm{
6805 signatureRSAPSSWithSHA256,
6806 },
6807 Bugs: ProtocolBugs{
6808 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6809 },
6810 },
6811 flags: []string{
6812 "-require-any-client-certificate",
6813 },
6814 shouldFail: true,
6815 expectedError: ":WRONG_SIGNATURE_TYPE:",
6816 })
6817
6818 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6819 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6820 config: Config{
6821 MaxVersion: VersionTLS12,
6822 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6823 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6824 signatureRSAPKCS1WithSHA256,
6825 },
6826 Bugs: ProtocolBugs{
6827 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6828 },
6829 },
6830 shouldFail: true,
6831 expectedError: ":WRONG_SIGNATURE_TYPE:",
6832 })
6833
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6834 testCases = append(testCases, testCase{
6835 name: "Verify-ServerAuth-SignatureType-TLS13",
6836 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6837 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6838 SignSignatureAlgorithms: []signatureAlgorithm{
6839 signatureRSAPSSWithSHA256,
6840 },
6841 Bugs: ProtocolBugs{
6842 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6843 },
6844 },
6845 shouldFail: true,
6846 expectedError: ":WRONG_SIGNATURE_TYPE:",
6847 })
6848
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6849 // Test that, if the list is missing, the peer falls back to SHA-1 in
6850 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6851 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6852 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6853 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6854 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6855 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6856 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6857 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6858 },
6859 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6860 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6861 },
6862 },
6863 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6864 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6865 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6866 },
6867 })
6868
6869 testCases = append(testCases, testCase{
6870 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6871 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6872 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6873 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6874 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6875 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6876 },
6877 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6878 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6879 },
6880 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]6881 flags: []string{
6882 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6883 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6884 },
6885 })
6886
6887 testCases = append(testCases, testCase{
6888 name: "ClientAuth-SHA1-Fallback-ECDSA",
6889 config: Config{
6890 MaxVersion: VersionTLS12,
6891 ClientAuth: RequireAnyClientCert,
6892 VerifySignatureAlgorithms: []signatureAlgorithm{
6893 signatureECDSAWithSHA1,
6894 },
6895 Bugs: ProtocolBugs{
6896 NoSignatureAlgorithms: true,
6897 },
6898 },
6899 flags: []string{
6900 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6901 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6902 },
6903 })
6904
6905 testCases = append(testCases, testCase{
6906 testType: serverTest,
6907 name: "ServerAuth-SHA1-Fallback-ECDSA",
6908 config: Config{
6909 MaxVersion: VersionTLS12,
6910 VerifySignatureAlgorithms: []signatureAlgorithm{
6911 signatureECDSAWithSHA1,
6912 },
6913 Bugs: ProtocolBugs{
6914 NoSignatureAlgorithms: true,
6915 },
6916 },
6917 flags: []string{
6918 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
6919 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
6920 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6921 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6922
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6923 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6924 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6925 config: Config{
6926 MaxVersion: VersionTLS13,
6927 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6928 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6929 signatureRSAPKCS1WithSHA1,
6930 },
6931 Bugs: ProtocolBugs{
6932 NoSignatureAlgorithms: true,
6933 },
6934 },
6935 flags: []string{
6936 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6937 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6938 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]6939 shouldFail: true,
6940 // An empty CertificateRequest signature algorithm list is a
6941 // syntax error in TLS 1.3.
6942 expectedError: ":DECODE_ERROR:",
6943 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6944 })
6945
6946 testCases = append(testCases, testCase{
6947 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6948 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6949 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6950 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6951 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]6952 signatureRSAPKCS1WithSHA1,
6953 },
6954 Bugs: ProtocolBugs{
6955 NoSignatureAlgorithms: true,
6956 },
6957 },
6958 shouldFail: true,
6959 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
6960 })
6961
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6962 // Test that hash preferences are enforced. BoringSSL does not implement
6963 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6964 testCases = append(testCases, testCase{
6965 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6966 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6967 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6968 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6969 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6970 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6971 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6972 },
6973 Bugs: ProtocolBugs{
6974 IgnorePeerSignatureAlgorithmPreferences: true,
6975 },
6976 },
6977 flags: []string{"-require-any-client-certificate"},
6978 shouldFail: true,
6979 expectedError: ":WRONG_SIGNATURE_TYPE:",
6980 })
6981
6982 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6983 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6984 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6985 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6986 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6987 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6988 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]6989 },
6990 Bugs: ProtocolBugs{
6991 IgnorePeerSignatureAlgorithmPreferences: true,
6992 },
6993 },
6994 shouldFail: true,
6995 expectedError: ":WRONG_SIGNATURE_TYPE:",
6996 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]6997 testCases = append(testCases, testCase{
6998 testType: serverTest,
6999 name: "ClientAuth-Enforced-TLS13",
7000 config: Config{
7001 MaxVersion: VersionTLS13,
7002 Certificates: []Certificate{rsaCertificate},
7003 SignSignatureAlgorithms: []signatureAlgorithm{
7004 signatureRSAPKCS1WithMD5,
7005 },
7006 Bugs: ProtocolBugs{
7007 IgnorePeerSignatureAlgorithmPreferences: true,
7008 IgnoreSignatureVersionChecks: true,
7009 },
7010 },
7011 flags: []string{"-require-any-client-certificate"},
7012 shouldFail: true,
7013 expectedError: ":WRONG_SIGNATURE_TYPE:",
7014 })
7015
7016 testCases = append(testCases, testCase{
7017 name: "ServerAuth-Enforced-TLS13",
7018 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7019 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7020 SignSignatureAlgorithms: []signatureAlgorithm{
7021 signatureRSAPKCS1WithMD5,
7022 },
7023 Bugs: ProtocolBugs{
7024 IgnorePeerSignatureAlgorithmPreferences: true,
7025 IgnoreSignatureVersionChecks: true,
7026 },
7027 },
7028 shouldFail: true,
7029 expectedError: ":WRONG_SIGNATURE_TYPE:",
7030 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7031
7032 // Test that the agreed upon digest respects the client preferences and
7033 // the server digests.
7034 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7035 name: "NoCommonAlgorithms-Digests",
7036 config: Config{
7037 MaxVersion: VersionTLS12,
7038 ClientAuth: RequireAnyClientCert,
7039 VerifySignatureAlgorithms: []signatureAlgorithm{
7040 signatureRSAPKCS1WithSHA512,
7041 signatureRSAPKCS1WithSHA1,
7042 },
7043 },
7044 flags: []string{
7045 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7046 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7047 "-digest-prefs", "SHA256",
7048 },
7049 shouldFail: true,
7050 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7051 })
7052 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7053 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7054 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7055 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7056 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7057 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7058 signatureRSAPKCS1WithSHA512,
7059 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7060 },
7061 },
7062 flags: []string{
7063 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7064 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7065 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7066 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7067 shouldFail: true,
7068 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7069 })
7070 testCases = append(testCases, testCase{
7071 name: "NoCommonAlgorithms-TLS13",
7072 config: Config{
7073 MaxVersion: VersionTLS13,
7074 ClientAuth: RequireAnyClientCert,
7075 VerifySignatureAlgorithms: []signatureAlgorithm{
7076 signatureRSAPSSWithSHA512,
7077 signatureRSAPSSWithSHA384,
7078 },
7079 },
7080 flags: []string{
7081 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7082 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7083 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7084 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7085 shouldFail: true,
7086 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7087 })
7088 testCases = append(testCases, testCase{
7089 name: "Agree-Digest-SHA256",
7090 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7091 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7092 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7093 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7094 signatureRSAPKCS1WithSHA1,
7095 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7096 },
7097 },
7098 flags: []string{
7099 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7100 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7101 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7102 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7103 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7104 })
7105 testCases = append(testCases, testCase{
7106 name: "Agree-Digest-SHA1",
7107 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7108 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7109 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7110 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7111 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7112 },
7113 },
7114 flags: []string{
7115 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7116 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7117 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7118 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7119 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7120 })
7121 testCases = append(testCases, testCase{
7122 name: "Agree-Digest-Default",
7123 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7124 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7125 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7126 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7127 signatureRSAPKCS1WithSHA256,
7128 signatureECDSAWithP256AndSHA256,
7129 signatureRSAPKCS1WithSHA1,
7130 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7131 },
7132 },
7133 flags: []string{
7134 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7135 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7136 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7137 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7138 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7139
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7140 // Test that the signing preference list may include extra algorithms
7141 // without negotiation problems.
7142 testCases = append(testCases, testCase{
7143 testType: serverTest,
7144 name: "FilterExtraAlgorithms",
7145 config: Config{
7146 MaxVersion: VersionTLS12,
7147 VerifySignatureAlgorithms: []signatureAlgorithm{
7148 signatureRSAPKCS1WithSHA256,
7149 },
7150 },
7151 flags: []string{
7152 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7153 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7154 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7155 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7156 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7157 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7158 },
7159 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7160 })
7161
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7162 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7163 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7164 testCases = append(testCases, testCase{
7165 name: "CheckLeafCurve",
7166 config: Config{
7167 MaxVersion: VersionTLS12,
7168 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7169 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7170 },
7171 flags: []string{"-p384-only"},
7172 shouldFail: true,
7173 expectedError: ":BAD_ECC_CERT:",
7174 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7175
7176 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7177 testCases = append(testCases, testCase{
7178 name: "CheckLeafCurve-TLS13",
7179 config: Config{
7180 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7181 Certificates: []Certificate{ecdsaP256Certificate},
7182 },
7183 flags: []string{"-p384-only"},
7184 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7185
7186 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7187 testCases = append(testCases, testCase{
7188 name: "ECDSACurveMismatch-Verify-TLS12",
7189 config: Config{
7190 MaxVersion: VersionTLS12,
7191 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7192 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7193 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7194 signatureECDSAWithP384AndSHA384,
7195 },
7196 },
7197 })
7198
7199 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7200 testCases = append(testCases, testCase{
7201 name: "ECDSACurveMismatch-Verify-TLS13",
7202 config: Config{
7203 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7204 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7205 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7206 signatureECDSAWithP384AndSHA384,
7207 },
7208 Bugs: ProtocolBugs{
7209 SkipECDSACurveCheck: true,
7210 },
7211 },
7212 shouldFail: true,
7213 expectedError: ":WRONG_SIGNATURE_TYPE:",
7214 })
7215
7216 // Signature algorithm selection in TLS 1.3 should take the curve into
7217 // account.
7218 testCases = append(testCases, testCase{
7219 testType: serverTest,
7220 name: "ECDSACurveMismatch-Sign-TLS13",
7221 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7222 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7223 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7224 signatureECDSAWithP384AndSHA384,
7225 signatureECDSAWithP256AndSHA256,
7226 },
7227 },
7228 flags: []string{
7229 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7230 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7231 },
7232 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7233 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7234
7235 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7236 // server does not attempt to sign in that case.
7237 testCases = append(testCases, testCase{
7238 testType: serverTest,
7239 name: "RSA-PSS-Large",
7240 config: Config{
7241 MaxVersion: VersionTLS13,
7242 VerifySignatureAlgorithms: []signatureAlgorithm{
7243 signatureRSAPSSWithSHA512,
7244 },
7245 },
7246 flags: []string{
7247 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7248 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7249 },
7250 shouldFail: true,
7251 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7252 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7253
7254 // Test that RSA-PSS is enabled by default for TLS 1.2.
7255 testCases = append(testCases, testCase{
7256 testType: clientTest,
7257 name: "RSA-PSS-Default-Verify",
7258 config: Config{
7259 MaxVersion: VersionTLS12,
7260 SignSignatureAlgorithms: []signatureAlgorithm{
7261 signatureRSAPSSWithSHA256,
7262 },
7263 },
7264 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7265 })
7266
7267 testCases = append(testCases, testCase{
7268 testType: serverTest,
7269 name: "RSA-PSS-Default-Sign",
7270 config: Config{
7271 MaxVersion: VersionTLS12,
7272 VerifySignatureAlgorithms: []signatureAlgorithm{
7273 signatureRSAPSSWithSHA256,
7274 },
7275 },
7276 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7277 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7278}
7279
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7280// timeouts is the retransmit schedule for BoringSSL. It doubles and
7281// caps at 60 seconds. On the 13th timeout, it gives up.
7282var timeouts = []time.Duration{
7283 1 * time.Second,
7284 2 * time.Second,
7285 4 * time.Second,
7286 8 * time.Second,
7287 16 * time.Second,
7288 32 * time.Second,
7289 60 * time.Second,
7290 60 * time.Second,
7291 60 * time.Second,
7292 60 * time.Second,
7293 60 * time.Second,
7294 60 * time.Second,
7295 60 * time.Second,
7296}
7297
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7298// shortTimeouts is an alternate set of timeouts which would occur if the
7299// initial timeout duration was set to 250ms.
7300var shortTimeouts = []time.Duration{
7301 250 * time.Millisecond,
7302 500 * time.Millisecond,
7303 1 * time.Second,
7304 2 * time.Second,
7305 4 * time.Second,
7306 8 * time.Second,
7307 16 * time.Second,
7308 32 * time.Second,
7309 60 * time.Second,
7310 60 * time.Second,
7311 60 * time.Second,
7312 60 * time.Second,
7313 60 * time.Second,
7314}
7315
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7316func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7317 // These tests work by coordinating some behavior on both the shim and
7318 // the runner.
7319 //
7320 // TimeoutSchedule configures the runner to send a series of timeout
7321 // opcodes to the shim (see packetAdaptor) immediately before reading
7322 // each peer handshake flight N. The timeout opcode both simulates a
7323 // timeout in the shim and acts as a synchronization point to help the
7324 // runner bracket each handshake flight.
7325 //
7326 // We assume the shim does not read from the channel eagerly. It must
7327 // first wait until it has sent flight N and is ready to receive
7328 // handshake flight N+1. At this point, it will process the timeout
7329 // opcode. It must then immediately respond with a timeout ACK and act
7330 // as if the shim was idle for the specified amount of time.
7331 //
7332 // The runner then drops all packets received before the ACK and
7333 // continues waiting for flight N. This ordering results in one attempt
7334 // at sending flight N to be dropped. For the test to complete, the
7335 // shim must send flight N again, testing that the shim implements DTLS
7336 // retransmit on a timeout.
7337
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7338 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7339 // likely be more epochs to cross and the final message's retransmit may
7340 // be more complex.
7341
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7342 for _, async := range []bool{true, false} {
7343 var tests []testCase
7344
7345 // Test that this is indeed the timeout schedule. Stress all
7346 // four patterns of handshake.
7347 for i := 1; i < len(timeouts); i++ {
7348 number := strconv.Itoa(i)
7349 tests = append(tests, testCase{
7350 protocol: dtls,
7351 name: "DTLS-Retransmit-Client-" + number,
7352 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7353 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7354 Bugs: ProtocolBugs{
7355 TimeoutSchedule: timeouts[:i],
7356 },
7357 },
7358 resumeSession: true,
7359 })
7360 tests = append(tests, testCase{
7361 protocol: dtls,
7362 testType: serverTest,
7363 name: "DTLS-Retransmit-Server-" + number,
7364 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7365 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7366 Bugs: ProtocolBugs{
7367 TimeoutSchedule: timeouts[:i],
7368 },
7369 },
7370 resumeSession: true,
7371 })
7372 }
7373
7374 // Test that exceeding the timeout schedule hits a read
7375 // timeout.
7376 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7377 protocol: dtls,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7378 name: "DTLS-Retransmit-Timeout",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7379 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7380 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7381 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7382 TimeoutSchedule: timeouts,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7383 },
7384 },
7385 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7386 shouldFail: true,
7387 expectedError: ":READ_TIMEOUT_EXPIRED:",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7388 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7389
7390 if async {
7391 // Test that timeout handling has a fudge factor, due to API
7392 // problems.
7393 tests = append(tests, testCase{
7394 protocol: dtls,
7395 name: "DTLS-Retransmit-Fudge",
7396 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7397 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7398 Bugs: ProtocolBugs{
7399 TimeoutSchedule: []time.Duration{
7400 timeouts[0] - 10*time.Millisecond,
7401 },
7402 },
7403 },
7404 resumeSession: true,
7405 })
7406 }
7407
7408 // Test that the final Finished retransmitting isn't
7409 // duplicated if the peer badly fragments everything.
7410 tests = append(tests, testCase{
7411 testType: serverTest,
7412 protocol: dtls,
7413 name: "DTLS-Retransmit-Fragmented",
7414 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7415 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7416 Bugs: ProtocolBugs{
7417 TimeoutSchedule: []time.Duration{timeouts[0]},
7418 MaxHandshakeRecordLength: 2,
7419 },
7420 },
7421 })
7422
7423 // Test the timeout schedule when a shorter initial timeout duration is set.
7424 tests = append(tests, testCase{
7425 protocol: dtls,
7426 name: "DTLS-Retransmit-Short-Client",
7427 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7428 MaxVersion: VersionTLS12,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7429 Bugs: ProtocolBugs{
7430 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7431 },
7432 },
7433 resumeSession: true,
7434 flags: []string{"-initial-timeout-duration-ms", "250"},
7435 })
7436 tests = append(tests, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7437 protocol: dtls,
7438 testType: serverTest,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7439 name: "DTLS-Retransmit-Short-Server",
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7440 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7441 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7442 Bugs: ProtocolBugs{
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7443 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7444 },
7445 },
7446 resumeSession: true,
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7447 flags: []string{"-initial-timeout-duration-ms", "250"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7448 })
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7449
7450 for _, test := range tests {
7451 if async {
7452 test.name += "-Async"
7453 test.flags = append(test.flags, "-async")
7454 }
7455
7456 testCases = append(testCases, test)
7457 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7458 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7459}
7460
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7461func addExportKeyingMaterialTests() {
7462 for _, vers := range tlsVersions {
7463 if vers.version == VersionSSL30 {
7464 continue
7465 }
7466 testCases = append(testCases, testCase{
7467 name: "ExportKeyingMaterial-" + vers.name,
7468 config: Config{
7469 MaxVersion: vers.version,
7470 },
7471 exportKeyingMaterial: 1024,
7472 exportLabel: "label",
7473 exportContext: "context",
7474 useExportContext: true,
7475 })
7476 testCases = append(testCases, testCase{
7477 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7478 config: Config{
7479 MaxVersion: vers.version,
7480 },
7481 exportKeyingMaterial: 1024,
7482 })
7483 testCases = append(testCases, testCase{
7484 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7485 config: Config{
7486 MaxVersion: vers.version,
7487 },
7488 exportKeyingMaterial: 1024,
7489 useExportContext: true,
7490 })
7491 testCases = append(testCases, testCase{
7492 name: "ExportKeyingMaterial-Small-" + vers.name,
7493 config: Config{
7494 MaxVersion: vers.version,
7495 },
7496 exportKeyingMaterial: 1,
7497 exportLabel: "label",
7498 exportContext: "context",
7499 useExportContext: true,
7500 })
7501 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7502
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7503 testCases = append(testCases, testCase{
7504 name: "ExportKeyingMaterial-SSL3",
7505 config: Config{
7506 MaxVersion: VersionSSL30,
7507 },
7508 exportKeyingMaterial: 1024,
7509 exportLabel: "label",
7510 exportContext: "context",
7511 useExportContext: true,
7512 shouldFail: true,
7513 expectedError: "failed to export keying material",
7514 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7515
7516 // Exporters work during a False Start.
7517 testCases = append(testCases, testCase{
7518 name: "ExportKeyingMaterial-FalseStart",
7519 config: Config{
7520 MaxVersion: VersionTLS12,
7521 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7522 NextProtos: []string{"foo"},
7523 Bugs: ProtocolBugs{
7524 ExpectFalseStart: true,
7525 },
7526 },
7527 flags: []string{
7528 "-false-start",
7529 "-advertise-alpn", "\x03foo",
7530 },
7531 shimWritesFirst: true,
7532 exportKeyingMaterial: 1024,
7533 exportLabel: "label",
7534 exportContext: "context",
7535 useExportContext: true,
7536 })
7537
7538 // Exporters do not work in the middle of a renegotiation. Test this by
7539 // triggering the exporter after every SSL_read call and configuring the
7540 // shim to run asynchronously.
7541 testCases = append(testCases, testCase{
7542 name: "ExportKeyingMaterial-Renegotiate",
7543 config: Config{
7544 MaxVersion: VersionTLS12,
7545 },
7546 renegotiate: 1,
7547 flags: []string{
7548 "-async",
7549 "-use-exporter-between-reads",
7550 "-renegotiate-freely",
7551 "-expect-total-renegotiations", "1",
7552 },
7553 shouldFail: true,
7554 expectedError: "failed to export keying material",
7555 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7556}
7557
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7558func addTLSUniqueTests() {
7559 for _, isClient := range []bool{false, true} {
7560 for _, isResumption := range []bool{false, true} {
7561 for _, hasEMS := range []bool{false, true} {
7562 var suffix string
7563 if isResumption {
7564 suffix = "Resume-"
7565 } else {
7566 suffix = "Full-"
7567 }
7568
7569 if hasEMS {
7570 suffix += "EMS-"
7571 } else {
7572 suffix += "NoEMS-"
7573 }
7574
7575 if isClient {
7576 suffix += "Client"
7577 } else {
7578 suffix += "Server"
7579 }
7580
7581 test := testCase{
7582 name: "TLSUnique-" + suffix,
7583 testTLSUnique: true,
7584 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7585 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7586 Bugs: ProtocolBugs{
7587 NoExtendedMasterSecret: !hasEMS,
7588 },
7589 },
7590 }
7591
7592 if isResumption {
7593 test.resumeSession = true
7594 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7595 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7596 Bugs: ProtocolBugs{
7597 NoExtendedMasterSecret: !hasEMS,
7598 },
7599 }
7600 }
7601
7602 if isResumption && !hasEMS {
7603 test.shouldFail = true
7604 test.expectedError = "failed to get tls-unique"
7605 }
7606
7607 testCases = append(testCases, test)
7608 }
7609 }
7610 }
7611}
7612
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7613func addCustomExtensionTests() {
7614 expectedContents := "custom extension"
7615 emptyString := ""
7616
7617 for _, isClient := range []bool{false, true} {
7618 suffix := "Server"
7619 flag := "-enable-server-custom-extension"
7620 testType := serverTest
7621 if isClient {
7622 suffix = "Client"
7623 flag = "-enable-client-custom-extension"
7624 testType = clientTest
7625 }
7626
7627 testCases = append(testCases, testCase{
7628 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7629 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7630 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7631 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7632 Bugs: ProtocolBugs{
7633 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7634 ExpectedCustomExtension: &expectedContents,
7635 },
7636 },
7637 flags: []string{flag},
7638 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7639 testCases = append(testCases, testCase{
7640 testType: testType,
7641 name: "CustomExtensions-" + suffix + "-TLS13",
7642 config: Config{
7643 MaxVersion: VersionTLS13,
7644 Bugs: ProtocolBugs{
7645 CustomExtension: expectedContents,
7646 ExpectedCustomExtension: &expectedContents,
7647 },
7648 },
7649 flags: []string{flag},
7650 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7651
7652 // If the parse callback fails, the handshake should also fail.
7653 testCases = append(testCases, testCase{
7654 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7655 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7656 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7657 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7658 Bugs: ProtocolBugs{
7659 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7660 ExpectedCustomExtension: &expectedContents,
7661 },
7662 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7663 flags: []string{flag},
7664 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7665 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7666 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7667 testCases = append(testCases, testCase{
7668 testType: testType,
7669 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7670 config: Config{
7671 MaxVersion: VersionTLS13,
7672 Bugs: ProtocolBugs{
7673 CustomExtension: expectedContents + "foo",
7674 ExpectedCustomExtension: &expectedContents,
7675 },
7676 },
7677 flags: []string{flag},
7678 shouldFail: true,
7679 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7680 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7681
7682 // If the add callback fails, the handshake should also fail.
7683 testCases = append(testCases, testCase{
7684 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7685 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7686 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7687 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7688 Bugs: ProtocolBugs{
7689 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7690 ExpectedCustomExtension: &expectedContents,
7691 },
7692 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7693 flags: []string{flag, "-custom-extension-fail-add"},
7694 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7695 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7696 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7697 testCases = append(testCases, testCase{
7698 testType: testType,
7699 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7700 config: Config{
7701 MaxVersion: VersionTLS13,
7702 Bugs: ProtocolBugs{
7703 CustomExtension: expectedContents,
7704 ExpectedCustomExtension: &expectedContents,
7705 },
7706 },
7707 flags: []string{flag, "-custom-extension-fail-add"},
7708 shouldFail: true,
7709 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7710 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7711
7712 // If the add callback returns zero, no extension should be
7713 // added.
7714 skipCustomExtension := expectedContents
7715 if isClient {
7716 // For the case where the client skips sending the
7717 // custom extension, the server must not “echo” it.
7718 skipCustomExtension = ""
7719 }
7720 testCases = append(testCases, testCase{
7721 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7722 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7723 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7724 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7725 Bugs: ProtocolBugs{
7726 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7727 ExpectedCustomExtension: &emptyString,
7728 },
7729 },
7730 flags: []string{flag, "-custom-extension-skip"},
7731 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7732 testCases = append(testCases, testCase{
7733 testType: testType,
7734 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7735 config: Config{
7736 MaxVersion: VersionTLS13,
7737 Bugs: ProtocolBugs{
7738 CustomExtension: skipCustomExtension,
7739 ExpectedCustomExtension: &emptyString,
7740 },
7741 },
7742 flags: []string{flag, "-custom-extension-skip"},
7743 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7744 }
7745
7746 // The custom extension add callback should not be called if the client
7747 // doesn't send the extension.
7748 testCases = append(testCases, testCase{
7749 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7750 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7751 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7752 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7753 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7754 ExpectedCustomExtension: &emptyString,
7755 },
7756 },
7757 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7758 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7759
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7760 testCases = append(testCases, testCase{
7761 testType: serverTest,
7762 name: "CustomExtensions-NotCalled-Server-TLS13",
7763 config: Config{
7764 MaxVersion: VersionTLS13,
7765 Bugs: ProtocolBugs{
7766 ExpectedCustomExtension: &emptyString,
7767 },
7768 },
7769 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7770 })
7771
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7772 // Test an unknown extension from the server.
7773 testCases = append(testCases, testCase{
7774 testType: clientTest,
7775 name: "UnknownExtension-Client",
7776 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7777 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7778 Bugs: ProtocolBugs{
7779 CustomExtension: expectedContents,
7780 },
7781 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7782 shouldFail: true,
7783 expectedError: ":UNEXPECTED_EXTENSION:",
7784 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7785 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7786 testCases = append(testCases, testCase{
7787 testType: clientTest,
7788 name: "UnknownExtension-Client-TLS13",
7789 config: Config{
7790 MaxVersion: VersionTLS13,
7791 Bugs: ProtocolBugs{
7792 CustomExtension: expectedContents,
7793 },
7794 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7795 shouldFail: true,
7796 expectedError: ":UNEXPECTED_EXTENSION:",
7797 expectedLocalError: "remote error: unsupported extension",
7798 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]7799 testCases = append(testCases, testCase{
7800 testType: clientTest,
7801 name: "UnknownUnencryptedExtension-Client-TLS13",
7802 config: Config{
7803 MaxVersion: VersionTLS13,
7804 Bugs: ProtocolBugs{
7805 CustomUnencryptedExtension: expectedContents,
7806 },
7807 },
7808 shouldFail: true,
7809 expectedError: ":UNEXPECTED_EXTENSION:",
7810 // The shim must send an alert, but alerts at this point do not
7811 // get successfully decrypted by the runner.
7812 expectedLocalError: "local error: bad record MAC",
7813 })
7814 testCases = append(testCases, testCase{
7815 testType: clientTest,
7816 name: "UnexpectedUnencryptedExtension-Client-TLS13",
7817 config: Config{
7818 MaxVersion: VersionTLS13,
7819 Bugs: ProtocolBugs{
7820 SendUnencryptedALPN: "foo",
7821 },
7822 },
7823 flags: []string{
7824 "-advertise-alpn", "\x03foo\x03bar",
7825 },
7826 shouldFail: true,
7827 expectedError: ":UNEXPECTED_EXTENSION:",
7828 // The shim must send an alert, but alerts at this point do not
7829 // get successfully decrypted by the runner.
7830 expectedLocalError: "local error: bad record MAC",
7831 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]7832
7833 // Test a known but unoffered extension from the server.
7834 testCases = append(testCases, testCase{
7835 testType: clientTest,
7836 name: "UnofferedExtension-Client",
7837 config: Config{
7838 MaxVersion: VersionTLS12,
7839 Bugs: ProtocolBugs{
7840 SendALPN: "alpn",
7841 },
7842 },
7843 shouldFail: true,
7844 expectedError: ":UNEXPECTED_EXTENSION:",
7845 expectedLocalError: "remote error: unsupported extension",
7846 })
7847 testCases = append(testCases, testCase{
7848 testType: clientTest,
7849 name: "UnofferedExtension-Client-TLS13",
7850 config: Config{
7851 MaxVersion: VersionTLS13,
7852 Bugs: ProtocolBugs{
7853 SendALPN: "alpn",
7854 },
7855 },
7856 shouldFail: true,
7857 expectedError: ":UNEXPECTED_EXTENSION:",
7858 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7859 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7860}
7861
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7862func addRSAClientKeyExchangeTests() {
7863 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
7864 testCases = append(testCases, testCase{
7865 testType: serverTest,
7866 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
7867 config: Config{
7868 // Ensure the ClientHello version and final
7869 // version are different, to detect if the
7870 // server uses the wrong one.
7871 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]7872 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7873 Bugs: ProtocolBugs{
7874 BadRSAClientKeyExchange: bad,
7875 },
7876 },
7877 shouldFail: true,
7878 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
7879 })
7880 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]7881
7882 // The server must compare whatever was in ClientHello.version for the
7883 // RSA premaster.
7884 testCases = append(testCases, testCase{
7885 testType: serverTest,
7886 name: "SendClientVersion-RSA",
7887 config: Config{
7888 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
7889 Bugs: ProtocolBugs{
7890 SendClientVersion: 0x1234,
7891 },
7892 },
7893 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7894 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]7895}
7896
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7897var testCurves = []struct {
7898 name string
7899 id CurveID
7900}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7901 {"P-256", CurveP256},
7902 {"P-384", CurveP384},
7903 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]7904 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7905}
7906
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7907const bogusCurve = 0x1234
7908
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7909func addCurveTests() {
7910 for _, curve := range testCurves {
7911 testCases = append(testCases, testCase{
7912 name: "CurveTest-Client-" + curve.name,
7913 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7914 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7915 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7916 CurvePreferences: []CurveID{curve.id},
7917 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7918 flags: []string{
7919 "-enable-all-curves",
7920 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7921 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7922 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7923 })
7924 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7925 name: "CurveTest-Client-" + curve.name + "-TLS13",
7926 config: Config{
7927 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7928 CurvePreferences: []CurveID{curve.id},
7929 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7930 flags: []string{
7931 "-enable-all-curves",
7932 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7933 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7934 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7935 })
7936 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7937 testType: serverTest,
7938 name: "CurveTest-Server-" + curve.name,
7939 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7940 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7941 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7942 CurvePreferences: []CurveID{curve.id},
7943 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7944 flags: []string{
7945 "-enable-all-curves",
7946 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7947 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7948 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7949 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7950 testCases = append(testCases, testCase{
7951 testType: serverTest,
7952 name: "CurveTest-Server-" + curve.name + "-TLS13",
7953 config: Config{
7954 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7955 CurvePreferences: []CurveID{curve.id},
7956 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]7957 flags: []string{
7958 "-enable-all-curves",
7959 "-expect-curve-id", strconv.Itoa(int(curve.id)),
7960 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]7961 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7962 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]7963 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7964
7965 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7966 testCases = append(testCases, testCase{
7967 testType: serverTest,
7968 name: "UnknownCurve",
7969 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7970 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]7971 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7972 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7973 },
7974 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7975
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7976 // The server must be tolerant to bogus curves.
7977 testCases = append(testCases, testCase{
7978 testType: serverTest,
7979 name: "UnknownCurve-TLS13",
7980 config: Config{
7981 MaxVersion: VersionTLS13,
7982 CurvePreferences: []CurveID{bogusCurve, CurveP256},
7983 },
7984 })
7985
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7986 // The server must not consider ECDHE ciphers when there are no
7987 // supported curves.
7988 testCases = append(testCases, testCase{
7989 testType: serverTest,
7990 name: "NoSupportedCurves",
7991 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7992 MaxVersion: VersionTLS12,
7993 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7994 Bugs: ProtocolBugs{
7995 NoSupportedCurves: true,
7996 },
7997 },
7998 shouldFail: true,
7999 expectedError: ":NO_SHARED_CIPHER:",
8000 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8001 testCases = append(testCases, testCase{
8002 testType: serverTest,
8003 name: "NoSupportedCurves-TLS13",
8004 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8005 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8006 Bugs: ProtocolBugs{
8007 NoSupportedCurves: true,
8008 },
8009 },
8010 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8011 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8012 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8013
8014 // The server must fall back to another cipher when there are no
8015 // supported curves.
8016 testCases = append(testCases, testCase{
8017 testType: serverTest,
8018 name: "NoCommonCurves",
8019 config: Config{
8020 MaxVersion: VersionTLS12,
8021 CipherSuites: []uint16{
8022 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
8023 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8024 },
8025 CurvePreferences: []CurveID{CurveP224},
8026 },
8027 expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
8028 })
8029
8030 // The client must reject bogus curves and disabled curves.
8031 testCases = append(testCases, testCase{
8032 name: "BadECDHECurve",
8033 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8034 MaxVersion: VersionTLS12,
8035 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8036 Bugs: ProtocolBugs{
8037 SendCurve: bogusCurve,
8038 },
8039 },
8040 shouldFail: true,
8041 expectedError: ":WRONG_CURVE:",
8042 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8043 testCases = append(testCases, testCase{
8044 name: "BadECDHECurve-TLS13",
8045 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8046 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8047 Bugs: ProtocolBugs{
8048 SendCurve: bogusCurve,
8049 },
8050 },
8051 shouldFail: true,
8052 expectedError: ":WRONG_CURVE:",
8053 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8054
8055 testCases = append(testCases, testCase{
8056 name: "UnsupportedCurve",
8057 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8058 MaxVersion: VersionTLS12,
8059 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8060 CurvePreferences: []CurveID{CurveP256},
8061 Bugs: ProtocolBugs{
8062 IgnorePeerCurvePreferences: true,
8063 },
8064 },
8065 flags: []string{"-p384-only"},
8066 shouldFail: true,
8067 expectedError: ":WRONG_CURVE:",
8068 })
8069
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8070 testCases = append(testCases, testCase{
8071 // TODO(davidben): Add a TLS 1.3 version where
8072 // HelloRetryRequest requests an unsupported curve.
8073 name: "UnsupportedCurve-ServerHello-TLS13",
8074 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8075 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8076 CurvePreferences: []CurveID{CurveP384},
8077 Bugs: ProtocolBugs{
8078 SendCurve: CurveP256,
8079 },
8080 },
8081 flags: []string{"-p384-only"},
8082 shouldFail: true,
8083 expectedError: ":WRONG_CURVE:",
8084 })
8085
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8086 // Test invalid curve points.
8087 testCases = append(testCases, testCase{
8088 name: "InvalidECDHPoint-Client",
8089 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8090 MaxVersion: VersionTLS12,
8091 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8092 CurvePreferences: []CurveID{CurveP256},
8093 Bugs: ProtocolBugs{
8094 InvalidECDHPoint: true,
8095 },
8096 },
8097 shouldFail: true,
8098 expectedError: ":INVALID_ENCODING:",
8099 })
8100 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8101 name: "InvalidECDHPoint-Client-TLS13",
8102 config: Config{
8103 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8104 CurvePreferences: []CurveID{CurveP256},
8105 Bugs: ProtocolBugs{
8106 InvalidECDHPoint: true,
8107 },
8108 },
8109 shouldFail: true,
8110 expectedError: ":INVALID_ENCODING:",
8111 })
8112 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8113 testType: serverTest,
8114 name: "InvalidECDHPoint-Server",
8115 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8116 MaxVersion: VersionTLS12,
8117 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8118 CurvePreferences: []CurveID{CurveP256},
8119 Bugs: ProtocolBugs{
8120 InvalidECDHPoint: true,
8121 },
8122 },
8123 shouldFail: true,
8124 expectedError: ":INVALID_ENCODING:",
8125 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8126 testCases = append(testCases, testCase{
8127 testType: serverTest,
8128 name: "InvalidECDHPoint-Server-TLS13",
8129 config: Config{
8130 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8131 CurvePreferences: []CurveID{CurveP256},
8132 Bugs: ProtocolBugs{
8133 InvalidECDHPoint: true,
8134 },
8135 },
8136 shouldFail: true,
8137 expectedError: ":INVALID_ENCODING:",
8138 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8139
8140 // The previous curve ID should be reported on TLS 1.2 resumption.
8141 testCases = append(testCases, testCase{
8142 name: "CurveID-Resume-Client",
8143 config: Config{
8144 MaxVersion: VersionTLS12,
8145 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8146 CurvePreferences: []CurveID{CurveX25519},
8147 },
8148 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8149 resumeSession: true,
8150 })
8151 testCases = append(testCases, testCase{
8152 testType: serverTest,
8153 name: "CurveID-Resume-Server",
8154 config: Config{
8155 MaxVersion: VersionTLS12,
8156 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8157 CurvePreferences: []CurveID{CurveX25519},
8158 },
8159 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8160 resumeSession: true,
8161 })
8162
8163 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8164 // one should be reported.
8165 testCases = append(testCases, testCase{
8166 name: "CurveID-Resume-Client-TLS13",
8167 config: Config{
8168 MaxVersion: VersionTLS13,
8169 CurvePreferences: []CurveID{CurveX25519},
8170 },
8171 resumeConfig: &Config{
8172 MaxVersion: VersionTLS13,
8173 CurvePreferences: []CurveID{CurveP256},
8174 },
8175 flags: []string{
8176 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8177 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8178 },
8179 resumeSession: true,
8180 })
8181 testCases = append(testCases, testCase{
8182 testType: serverTest,
8183 name: "CurveID-Resume-Server-TLS13",
8184 config: Config{
8185 MaxVersion: VersionTLS13,
8186 CurvePreferences: []CurveID{CurveX25519},
8187 },
8188 resumeConfig: &Config{
8189 MaxVersion: VersionTLS13,
8190 CurvePreferences: []CurveID{CurveP256},
8191 },
8192 flags: []string{
8193 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8194 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8195 },
8196 resumeSession: true,
8197 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8198
8199 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8200 testCases = append(testCases, testCase{
8201 name: "PointFormat-ServerHello-TLS12",
8202 config: Config{
8203 MaxVersion: VersionTLS12,
8204 Bugs: ProtocolBugs{
8205 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8206 },
8207 },
8208 })
8209 testCases = append(testCases, testCase{
8210 name: "PointFormat-EncryptedExtensions-TLS13",
8211 config: Config{
8212 MaxVersion: VersionTLS13,
8213 Bugs: ProtocolBugs{
8214 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8215 },
8216 },
8217 shouldFail: true,
8218 expectedError: ":ERROR_PARSING_EXTENSION:",
8219 })
8220
8221 // Test that we tolerate unknown point formats, as long as
8222 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8223 // check they are still functional.
8224 testCases = append(testCases, testCase{
8225 name: "PointFormat-Client-Tolerance",
8226 config: Config{
8227 MaxVersion: VersionTLS12,
8228 Bugs: ProtocolBugs{
8229 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8230 },
8231 },
8232 })
8233 testCases = append(testCases, testCase{
8234 testType: serverTest,
8235 name: "PointFormat-Server-Tolerance",
8236 config: Config{
8237 MaxVersion: VersionTLS12,
8238 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8239 Bugs: ProtocolBugs{
8240 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8241 },
8242 },
8243 })
8244
8245 // Test TLS 1.2 does not require the point format extension to be
8246 // present.
8247 testCases = append(testCases, testCase{
8248 name: "PointFormat-Client-Missing",
8249 config: Config{
8250 MaxVersion: VersionTLS12,
8251 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8252 Bugs: ProtocolBugs{
8253 SendSupportedPointFormats: []byte{},
8254 },
8255 },
8256 })
8257 testCases = append(testCases, testCase{
8258 testType: serverTest,
8259 name: "PointFormat-Server-Missing",
8260 config: Config{
8261 MaxVersion: VersionTLS12,
8262 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8263 Bugs: ProtocolBugs{
8264 SendSupportedPointFormats: []byte{},
8265 },
8266 },
8267 })
8268
8269 // If the point format extension is present, uncompressed points must be
8270 // offered. BoringSSL requires this whether or not ECDHE is used.
8271 testCases = append(testCases, testCase{
8272 name: "PointFormat-Client-MissingUncompressed",
8273 config: Config{
8274 MaxVersion: VersionTLS12,
8275 Bugs: ProtocolBugs{
8276 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8277 },
8278 },
8279 shouldFail: true,
8280 expectedError: ":ERROR_PARSING_EXTENSION:",
8281 })
8282 testCases = append(testCases, testCase{
8283 testType: serverTest,
8284 name: "PointFormat-Server-MissingUncompressed",
8285 config: Config{
8286 MaxVersion: VersionTLS12,
8287 Bugs: ProtocolBugs{
8288 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8289 },
8290 },
8291 shouldFail: true,
8292 expectedError: ":ERROR_PARSING_EXTENSION:",
8293 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8294}
8295
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8296func addTLS13RecordTests() {
8297 testCases = append(testCases, testCase{
8298 name: "TLS13-RecordPadding",
8299 config: Config{
8300 MaxVersion: VersionTLS13,
8301 MinVersion: VersionTLS13,
8302 Bugs: ProtocolBugs{
8303 RecordPadding: 10,
8304 },
8305 },
8306 })
8307
8308 testCases = append(testCases, testCase{
8309 name: "TLS13-EmptyRecords",
8310 config: Config{
8311 MaxVersion: VersionTLS13,
8312 MinVersion: VersionTLS13,
8313 Bugs: ProtocolBugs{
8314 OmitRecordContents: true,
8315 },
8316 },
8317 shouldFail: true,
8318 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8319 })
8320
8321 testCases = append(testCases, testCase{
8322 name: "TLS13-OnlyPadding",
8323 config: Config{
8324 MaxVersion: VersionTLS13,
8325 MinVersion: VersionTLS13,
8326 Bugs: ProtocolBugs{
8327 OmitRecordContents: true,
8328 RecordPadding: 10,
8329 },
8330 },
8331 shouldFail: true,
8332 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8333 })
8334
8335 testCases = append(testCases, testCase{
8336 name: "TLS13-WrongOuterRecord",
8337 config: Config{
8338 MaxVersion: VersionTLS13,
8339 MinVersion: VersionTLS13,
8340 Bugs: ProtocolBugs{
8341 OuterRecordType: recordTypeHandshake,
8342 },
8343 },
8344 shouldFail: true,
8345 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8346 })
8347}
8348
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8349func addSessionTicketTests() {
8350 testCases = append(testCases, testCase{
8351 // In TLS 1.2 and below, empty NewSessionTicket messages
8352 // mean the server changed its mind on sending a ticket.
8353 name: "SendEmptySessionTicket",
8354 config: Config{
8355 MaxVersion: VersionTLS12,
8356 Bugs: ProtocolBugs{
8357 SendEmptySessionTicket: true,
8358 },
8359 },
8360 flags: []string{"-expect-no-session"},
8361 })
8362
8363 // Test that the server ignores unknown PSK modes.
8364 testCases = append(testCases, testCase{
8365 testType: serverTest,
8366 name: "TLS13-SendUnknownModeSessionTicket-Server",
8367 config: Config{
8368 MaxVersion: VersionTLS13,
8369 Bugs: ProtocolBugs{
8370 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8371 },
8372 },
8373 resumeSession: true,
8374 expectedResumeVersion: VersionTLS13,
8375 })
8376
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8377 // Test that the server does not send session tickets with no matching key exchange mode.
8378 testCases = append(testCases, testCase{
8379 testType: serverTest,
8380 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8381 config: Config{
8382 MaxVersion: VersionTLS13,
8383 Bugs: ProtocolBugs{
8384 SendPSKKeyExchangeModes: []byte{0x1a},
8385 ExpectNoNewSessionTicket: true,
8386 },
8387 },
8388 })
8389
8390 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8391 testCases = append(testCases, testCase{
8392 testType: serverTest,
8393 name: "TLS13-SendBadKEModeSessionTicket-Server",
8394 config: Config{
8395 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8396 },
8397 resumeConfig: &Config{
8398 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8399 Bugs: ProtocolBugs{
8400 SendPSKKeyExchangeModes: []byte{0x1a},
8401 },
8402 },
8403 resumeSession: true,
8404 expectResumeRejected: true,
8405 })
8406
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8407 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8408 testCases = append(testCases, testCase{
8409 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8410 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8411 config: Config{
8412 MaxVersion: VersionTLS13,
8413 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8414 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8415 },
8416 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8417 resumeSession: true,
8418 flags: []string{
8419 "-resumption-delay", "10",
8420 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8421 })
8422
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8423 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8424 testCases = append(testCases, testCase{
8425 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8426 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8427 config: Config{
8428 MaxVersion: VersionTLS13,
8429 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8430 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8431 },
8432 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8433 resumeSession: true,
8434 shouldFail: true,
8435 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8436 })
8437
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8438 testCases = append(testCases, testCase{
8439 testType: clientTest,
8440 name: "TLS13-SendTicketEarlyDataInfo",
8441 config: Config{
8442 MaxVersion: VersionTLS13,
8443 Bugs: ProtocolBugs{
8444 SendTicketEarlyDataInfo: 16384,
8445 },
8446 },
8447 flags: []string{
8448 "-expect-early-data-info",
8449 },
8450 })
8451
8452 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8453 testType: clientTest,
8454 name: "TLS13-DuplicateTicketEarlyDataInfo",
8455 config: Config{
8456 MaxVersion: VersionTLS13,
8457 Bugs: ProtocolBugs{
8458 SendTicketEarlyDataInfo: 16384,
8459 DuplicateTicketEarlyDataInfo: true,
8460 },
8461 },
8462 shouldFail: true,
8463 expectedError: ":DUPLICATE_EXTENSION:",
8464 expectedLocalError: "remote error: illegal parameter",
8465 })
8466
8467 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8468 testType: serverTest,
8469 name: "TLS13-ExpectTicketEarlyDataInfo",
8470 config: Config{
8471 MaxVersion: VersionTLS13,
8472 Bugs: ProtocolBugs{
8473 ExpectTicketEarlyDataInfo: true,
8474 },
8475 },
8476 flags: []string{
8477 "-enable-early-data",
8478 },
8479 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8480}
8481
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8482func addChangeCipherSpecTests() {
8483 // Test missing ChangeCipherSpecs.
8484 testCases = append(testCases, testCase{
8485 name: "SkipChangeCipherSpec-Client",
8486 config: Config{
8487 MaxVersion: VersionTLS12,
8488 Bugs: ProtocolBugs{
8489 SkipChangeCipherSpec: true,
8490 },
8491 },
8492 shouldFail: true,
8493 expectedError: ":UNEXPECTED_RECORD:",
8494 })
8495 testCases = append(testCases, testCase{
8496 testType: serverTest,
8497 name: "SkipChangeCipherSpec-Server",
8498 config: Config{
8499 MaxVersion: VersionTLS12,
8500 Bugs: ProtocolBugs{
8501 SkipChangeCipherSpec: true,
8502 },
8503 },
8504 shouldFail: true,
8505 expectedError: ":UNEXPECTED_RECORD:",
8506 })
8507 testCases = append(testCases, testCase{
8508 testType: serverTest,
8509 name: "SkipChangeCipherSpec-Server-NPN",
8510 config: Config{
8511 MaxVersion: VersionTLS12,
8512 NextProtos: []string{"bar"},
8513 Bugs: ProtocolBugs{
8514 SkipChangeCipherSpec: true,
8515 },
8516 },
8517 flags: []string{
8518 "-advertise-npn", "\x03foo\x03bar\x03baz",
8519 },
8520 shouldFail: true,
8521 expectedError: ":UNEXPECTED_RECORD:",
8522 })
8523
8524 // Test synchronization between the handshake and ChangeCipherSpec.
8525 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8526 // rejected. Test both with and without handshake packing to handle both
8527 // when the partial post-CCS message is in its own record and when it is
8528 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8529 for _, packed := range []bool{false, true} {
8530 var suffix string
8531 if packed {
8532 suffix = "-Packed"
8533 }
8534
8535 testCases = append(testCases, testCase{
8536 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8537 config: Config{
8538 MaxVersion: VersionTLS12,
8539 Bugs: ProtocolBugs{
8540 FragmentAcrossChangeCipherSpec: true,
8541 PackHandshakeFlight: packed,
8542 },
8543 },
8544 shouldFail: true,
8545 expectedError: ":UNEXPECTED_RECORD:",
8546 })
8547 testCases = append(testCases, testCase{
8548 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8549 config: Config{
8550 MaxVersion: VersionTLS12,
8551 },
8552 resumeSession: true,
8553 resumeConfig: &Config{
8554 MaxVersion: VersionTLS12,
8555 Bugs: ProtocolBugs{
8556 FragmentAcrossChangeCipherSpec: true,
8557 PackHandshakeFlight: packed,
8558 },
8559 },
8560 shouldFail: true,
8561 expectedError: ":UNEXPECTED_RECORD:",
8562 })
8563 testCases = append(testCases, testCase{
8564 testType: serverTest,
8565 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8566 config: Config{
8567 MaxVersion: VersionTLS12,
8568 Bugs: ProtocolBugs{
8569 FragmentAcrossChangeCipherSpec: true,
8570 PackHandshakeFlight: packed,
8571 },
8572 },
8573 shouldFail: true,
8574 expectedError: ":UNEXPECTED_RECORD:",
8575 })
8576 testCases = append(testCases, testCase{
8577 testType: serverTest,
8578 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8579 config: Config{
8580 MaxVersion: VersionTLS12,
8581 },
8582 resumeSession: true,
8583 resumeConfig: &Config{
8584 MaxVersion: VersionTLS12,
8585 Bugs: ProtocolBugs{
8586 FragmentAcrossChangeCipherSpec: true,
8587 PackHandshakeFlight: packed,
8588 },
8589 },
8590 shouldFail: true,
8591 expectedError: ":UNEXPECTED_RECORD:",
8592 })
8593 testCases = append(testCases, testCase{
8594 testType: serverTest,
8595 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8596 config: Config{
8597 MaxVersion: VersionTLS12,
8598 NextProtos: []string{"bar"},
8599 Bugs: ProtocolBugs{
8600 FragmentAcrossChangeCipherSpec: true,
8601 PackHandshakeFlight: packed,
8602 },
8603 },
8604 flags: []string{
8605 "-advertise-npn", "\x03foo\x03bar\x03baz",
8606 },
8607 shouldFail: true,
8608 expectedError: ":UNEXPECTED_RECORD:",
8609 })
8610 }
8611
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8612 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8613 // messages in the handshake queue. Do this by testing the server
8614 // reading the client Finished, reversing the flight so Finished comes
8615 // first.
8616 testCases = append(testCases, testCase{
8617 protocol: dtls,
8618 testType: serverTest,
8619 name: "SendUnencryptedFinished-DTLS",
8620 config: Config{
8621 MaxVersion: VersionTLS12,
8622 Bugs: ProtocolBugs{
8623 SendUnencryptedFinished: true,
8624 ReverseHandshakeFragments: true,
8625 },
8626 },
8627 shouldFail: true,
8628 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8629 })
8630
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8631 // Test synchronization between encryption changes and the handshake in
8632 // TLS 1.3, where ChangeCipherSpec is implicit.
8633 testCases = append(testCases, testCase{
8634 name: "PartialEncryptedExtensionsWithServerHello",
8635 config: Config{
8636 MaxVersion: VersionTLS13,
8637 Bugs: ProtocolBugs{
8638 PartialEncryptedExtensionsWithServerHello: true,
8639 },
8640 },
8641 shouldFail: true,
8642 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8643 })
8644 testCases = append(testCases, testCase{
8645 testType: serverTest,
8646 name: "PartialClientFinishedWithClientHello",
8647 config: Config{
8648 MaxVersion: VersionTLS13,
8649 Bugs: ProtocolBugs{
8650 PartialClientFinishedWithClientHello: true,
8651 },
8652 },
8653 shouldFail: true,
8654 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8655 })
8656
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8657 // Test that early ChangeCipherSpecs are handled correctly.
8658 testCases = append(testCases, testCase{
8659 testType: serverTest,
8660 name: "EarlyChangeCipherSpec-server-1",
8661 config: Config{
8662 MaxVersion: VersionTLS12,
8663 Bugs: ProtocolBugs{
8664 EarlyChangeCipherSpec: 1,
8665 },
8666 },
8667 shouldFail: true,
8668 expectedError: ":UNEXPECTED_RECORD:",
8669 })
8670 testCases = append(testCases, testCase{
8671 testType: serverTest,
8672 name: "EarlyChangeCipherSpec-server-2",
8673 config: Config{
8674 MaxVersion: VersionTLS12,
8675 Bugs: ProtocolBugs{
8676 EarlyChangeCipherSpec: 2,
8677 },
8678 },
8679 shouldFail: true,
8680 expectedError: ":UNEXPECTED_RECORD:",
8681 })
8682 testCases = append(testCases, testCase{
8683 protocol: dtls,
8684 name: "StrayChangeCipherSpec",
8685 config: Config{
8686 // TODO(davidben): Once DTLS 1.3 exists, test
8687 // that stray ChangeCipherSpec messages are
8688 // rejected.
8689 MaxVersion: VersionTLS12,
8690 Bugs: ProtocolBugs{
8691 StrayChangeCipherSpec: true,
8692 },
8693 },
8694 })
8695
8696 // Test that the contents of ChangeCipherSpec are checked.
8697 testCases = append(testCases, testCase{
8698 name: "BadChangeCipherSpec-1",
8699 config: Config{
8700 MaxVersion: VersionTLS12,
8701 Bugs: ProtocolBugs{
8702 BadChangeCipherSpec: []byte{2},
8703 },
8704 },
8705 shouldFail: true,
8706 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8707 })
8708 testCases = append(testCases, testCase{
8709 name: "BadChangeCipherSpec-2",
8710 config: Config{
8711 MaxVersion: VersionTLS12,
8712 Bugs: ProtocolBugs{
8713 BadChangeCipherSpec: []byte{1, 1},
8714 },
8715 },
8716 shouldFail: true,
8717 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8718 })
8719 testCases = append(testCases, testCase{
8720 protocol: dtls,
8721 name: "BadChangeCipherSpec-DTLS-1",
8722 config: Config{
8723 MaxVersion: VersionTLS12,
8724 Bugs: ProtocolBugs{
8725 BadChangeCipherSpec: []byte{2},
8726 },
8727 },
8728 shouldFail: true,
8729 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8730 })
8731 testCases = append(testCases, testCase{
8732 protocol: dtls,
8733 name: "BadChangeCipherSpec-DTLS-2",
8734 config: Config{
8735 MaxVersion: VersionTLS12,
8736 Bugs: ProtocolBugs{
8737 BadChangeCipherSpec: []byte{1, 1},
8738 },
8739 },
8740 shouldFail: true,
8741 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
8742 })
8743}
8744
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8745type perMessageTest struct {
8746 messageType uint8
8747 test testCase
8748}
8749
8750// makePerMessageTests returns a series of test templates which cover each
8751// message in the TLS handshake. These may be used with bugs like
8752// WrongMessageType to fully test a per-message bug.
8753func makePerMessageTests() []perMessageTest {
8754 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8755 for _, protocol := range []protocol{tls, dtls} {
8756 var suffix string
8757 if protocol == dtls {
8758 suffix = "-DTLS"
8759 }
8760
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8761 ret = append(ret, perMessageTest{
8762 messageType: typeClientHello,
8763 test: testCase{
8764 protocol: protocol,
8765 testType: serverTest,
8766 name: "ClientHello" + suffix,
8767 config: Config{
8768 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8769 },
8770 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8771 })
8772
8773 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8774 ret = append(ret, perMessageTest{
8775 messageType: typeHelloVerifyRequest,
8776 test: testCase{
8777 protocol: protocol,
8778 name: "HelloVerifyRequest" + suffix,
8779 config: Config{
8780 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8781 },
8782 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8783 })
8784 }
8785
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8786 ret = append(ret, perMessageTest{
8787 messageType: typeServerHello,
8788 test: testCase{
8789 protocol: protocol,
8790 name: "ServerHello" + suffix,
8791 config: Config{
8792 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8793 },
8794 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8795 })
8796
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8797 ret = append(ret, perMessageTest{
8798 messageType: typeCertificate,
8799 test: testCase{
8800 protocol: protocol,
8801 name: "ServerCertificate" + suffix,
8802 config: Config{
8803 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8804 },
8805 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8806 })
8807
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8808 ret = append(ret, perMessageTest{
8809 messageType: typeCertificateStatus,
8810 test: testCase{
8811 protocol: protocol,
8812 name: "CertificateStatus" + suffix,
8813 config: Config{
8814 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8815 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8816 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8817 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8818 })
8819
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8820 ret = append(ret, perMessageTest{
8821 messageType: typeServerKeyExchange,
8822 test: testCase{
8823 protocol: protocol,
8824 name: "ServerKeyExchange" + suffix,
8825 config: Config{
8826 MaxVersion: VersionTLS12,
8827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8828 },
8829 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8830 })
8831
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8832 ret = append(ret, perMessageTest{
8833 messageType: typeCertificateRequest,
8834 test: testCase{
8835 protocol: protocol,
8836 name: "CertificateRequest" + suffix,
8837 config: Config{
8838 MaxVersion: VersionTLS12,
8839 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8840 },
8841 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8842 })
8843
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8844 ret = append(ret, perMessageTest{
8845 messageType: typeServerHelloDone,
8846 test: testCase{
8847 protocol: protocol,
8848 name: "ServerHelloDone" + suffix,
8849 config: Config{
8850 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8851 },
8852 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8853 })
8854
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8855 ret = append(ret, perMessageTest{
8856 messageType: typeCertificate,
8857 test: testCase{
8858 testType: serverTest,
8859 protocol: protocol,
8860 name: "ClientCertificate" + suffix,
8861 config: Config{
8862 Certificates: []Certificate{rsaCertificate},
8863 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8864 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8865 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8866 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8867 })
8868
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8869 ret = append(ret, perMessageTest{
8870 messageType: typeCertificateVerify,
8871 test: testCase{
8872 testType: serverTest,
8873 protocol: protocol,
8874 name: "CertificateVerify" + suffix,
8875 config: Config{
8876 Certificates: []Certificate{rsaCertificate},
8877 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8878 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8879 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8880 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8881 })
8882
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8883 ret = append(ret, perMessageTest{
8884 messageType: typeClientKeyExchange,
8885 test: testCase{
8886 testType: serverTest,
8887 protocol: protocol,
8888 name: "ClientKeyExchange" + suffix,
8889 config: Config{
8890 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8891 },
8892 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8893 })
8894
8895 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8896 ret = append(ret, perMessageTest{
8897 messageType: typeNextProtocol,
8898 test: testCase{
8899 testType: serverTest,
8900 protocol: protocol,
8901 name: "NextProtocol" + suffix,
8902 config: Config{
8903 MaxVersion: VersionTLS12,
8904 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8905 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8906 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8907 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8908 })
8909
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8910 ret = append(ret, perMessageTest{
8911 messageType: typeChannelID,
8912 test: testCase{
8913 testType: serverTest,
8914 protocol: protocol,
8915 name: "ChannelID" + suffix,
8916 config: Config{
8917 MaxVersion: VersionTLS12,
8918 ChannelID: channelIDKey,
8919 },
8920 flags: []string{
8921 "-expect-channel-id",
8922 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8923 },
8924 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8925 })
8926 }
8927
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8928 ret = append(ret, perMessageTest{
8929 messageType: typeFinished,
8930 test: testCase{
8931 testType: serverTest,
8932 protocol: protocol,
8933 name: "ClientFinished" + suffix,
8934 config: Config{
8935 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8936 },
8937 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8938 })
8939
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8940 ret = append(ret, perMessageTest{
8941 messageType: typeNewSessionTicket,
8942 test: testCase{
8943 protocol: protocol,
8944 name: "NewSessionTicket" + suffix,
8945 config: Config{
8946 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8947 },
8948 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8949 })
8950
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8951 ret = append(ret, perMessageTest{
8952 messageType: typeFinished,
8953 test: testCase{
8954 protocol: protocol,
8955 name: "ServerFinished" + suffix,
8956 config: Config{
8957 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8958 },
8959 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]8960 })
8961
8962 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]8963
8964 ret = append(ret, perMessageTest{
8965 messageType: typeClientHello,
8966 test: testCase{
8967 testType: serverTest,
8968 name: "TLS13-ClientHello",
8969 config: Config{
8970 MaxVersion: VersionTLS13,
8971 },
8972 },
8973 })
8974
8975 ret = append(ret, perMessageTest{
8976 messageType: typeServerHello,
8977 test: testCase{
8978 name: "TLS13-ServerHello",
8979 config: Config{
8980 MaxVersion: VersionTLS13,
8981 },
8982 },
8983 })
8984
8985 ret = append(ret, perMessageTest{
8986 messageType: typeEncryptedExtensions,
8987 test: testCase{
8988 name: "TLS13-EncryptedExtensions",
8989 config: Config{
8990 MaxVersion: VersionTLS13,
8991 },
8992 },
8993 })
8994
8995 ret = append(ret, perMessageTest{
8996 messageType: typeCertificateRequest,
8997 test: testCase{
8998 name: "TLS13-CertificateRequest",
8999 config: Config{
9000 MaxVersion: VersionTLS13,
9001 ClientAuth: RequireAnyClientCert,
9002 },
9003 },
9004 })
9005
9006 ret = append(ret, perMessageTest{
9007 messageType: typeCertificate,
9008 test: testCase{
9009 name: "TLS13-ServerCertificate",
9010 config: Config{
9011 MaxVersion: VersionTLS13,
9012 },
9013 },
9014 })
9015
9016 ret = append(ret, perMessageTest{
9017 messageType: typeCertificateVerify,
9018 test: testCase{
9019 name: "TLS13-ServerCertificateVerify",
9020 config: Config{
9021 MaxVersion: VersionTLS13,
9022 },
9023 },
9024 })
9025
9026 ret = append(ret, perMessageTest{
9027 messageType: typeFinished,
9028 test: testCase{
9029 name: "TLS13-ServerFinished",
9030 config: Config{
9031 MaxVersion: VersionTLS13,
9032 },
9033 },
9034 })
9035
9036 ret = append(ret, perMessageTest{
9037 messageType: typeCertificate,
9038 test: testCase{
9039 testType: serverTest,
9040 name: "TLS13-ClientCertificate",
9041 config: Config{
9042 Certificates: []Certificate{rsaCertificate},
9043 MaxVersion: VersionTLS13,
9044 },
9045 flags: []string{"-require-any-client-certificate"},
9046 },
9047 })
9048
9049 ret = append(ret, perMessageTest{
9050 messageType: typeCertificateVerify,
9051 test: testCase{
9052 testType: serverTest,
9053 name: "TLS13-ClientCertificateVerify",
9054 config: Config{
9055 Certificates: []Certificate{rsaCertificate},
9056 MaxVersion: VersionTLS13,
9057 },
9058 flags: []string{"-require-any-client-certificate"},
9059 },
9060 })
9061
9062 ret = append(ret, perMessageTest{
9063 messageType: typeFinished,
9064 test: testCase{
9065 testType: serverTest,
9066 name: "TLS13-ClientFinished",
9067 config: Config{
9068 MaxVersion: VersionTLS13,
9069 },
9070 },
9071 })
9072
9073 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9074}
9075
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9076func addWrongMessageTypeTests() {
9077 for _, t := range makePerMessageTests() {
9078 t.test.name = "WrongMessageType-" + t.test.name
9079 t.test.config.Bugs.SendWrongMessageType = t.messageType
9080 t.test.shouldFail = true
9081 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9082 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9083
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9084 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9085 // In TLS 1.3, a bad ServerHello means the client sends
9086 // an unencrypted alert while the server expects
9087 // encryption, so the alert is not readable by runner.
9088 t.test.expectedLocalError = "local error: bad record MAC"
9089 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9090
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9091 testCases = append(testCases, t.test)
9092 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9093}
9094
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9095func addTrailingMessageDataTests() {
9096 for _, t := range makePerMessageTests() {
9097 t.test.name = "TrailingMessageData-" + t.test.name
9098 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9099 t.test.shouldFail = true
9100 t.test.expectedError = ":DECODE_ERROR:"
9101 t.test.expectedLocalError = "remote error: error decoding message"
9102
9103 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9104 // In TLS 1.3, a bad ServerHello means the client sends
9105 // an unencrypted alert while the server expects
9106 // encryption, so the alert is not readable by runner.
9107 t.test.expectedLocalError = "local error: bad record MAC"
9108 }
9109
9110 if t.messageType == typeFinished {
9111 // Bad Finished messages read as the verify data having
9112 // the wrong length.
9113 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9114 t.test.expectedLocalError = "remote error: error decrypting message"
9115 }
9116
9117 testCases = append(testCases, t.test)
9118 }
9119}
9120
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9121func addTLS13HandshakeTests() {
9122 testCases = append(testCases, testCase{
9123 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9124 name: "NegotiatePSKResumption-TLS13",
9125 config: Config{
9126 MaxVersion: VersionTLS13,
9127 Bugs: ProtocolBugs{
9128 NegotiatePSKResumption: true,
9129 },
9130 },
9131 resumeSession: true,
9132 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9133 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9134 })
9135
9136 testCases = append(testCases, testCase{
9137 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9138 name: "MissingKeyShare-Client",
9139 config: Config{
9140 MaxVersion: VersionTLS13,
9141 Bugs: ProtocolBugs{
9142 MissingKeyShare: true,
9143 },
9144 },
9145 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9146 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9147 })
9148
9149 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9150 testType: serverTest,
9151 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9152 config: Config{
9153 MaxVersion: VersionTLS13,
9154 Bugs: ProtocolBugs{
9155 MissingKeyShare: true,
9156 },
9157 },
9158 shouldFail: true,
9159 expectedError: ":MISSING_KEY_SHARE:",
9160 })
9161
9162 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9163 testType: serverTest,
9164 name: "DuplicateKeyShares",
9165 config: Config{
9166 MaxVersion: VersionTLS13,
9167 Bugs: ProtocolBugs{
9168 DuplicateKeyShares: true,
9169 },
9170 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9171 shouldFail: true,
9172 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9173 })
9174
9175 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9176 testType: serverTest,
9177 name: "SkipEarlyData",
9178 config: Config{
9179 MaxVersion: VersionTLS13,
9180 Bugs: ProtocolBugs{
9181 SendEarlyDataLength: 4,
9182 },
9183 },
9184 })
9185
9186 testCases = append(testCases, testCase{
9187 testType: serverTest,
9188 name: "SkipEarlyData-OmitEarlyDataExtension",
9189 config: Config{
9190 MaxVersion: VersionTLS13,
9191 Bugs: ProtocolBugs{
9192 SendEarlyDataLength: 4,
9193 OmitEarlyDataExtension: true,
9194 },
9195 },
9196 shouldFail: true,
9197 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9198 })
9199
9200 testCases = append(testCases, testCase{
9201 testType: serverTest,
9202 name: "SkipEarlyData-TooMuchData",
9203 config: Config{
9204 MaxVersion: VersionTLS13,
9205 Bugs: ProtocolBugs{
9206 SendEarlyDataLength: 16384 + 1,
9207 },
9208 },
9209 shouldFail: true,
9210 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9211 })
9212
9213 testCases = append(testCases, testCase{
9214 testType: serverTest,
9215 name: "SkipEarlyData-Interleaved",
9216 config: Config{
9217 MaxVersion: VersionTLS13,
9218 Bugs: ProtocolBugs{
9219 SendEarlyDataLength: 4,
9220 InterleaveEarlyData: true,
9221 },
9222 },
9223 shouldFail: true,
9224 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9225 })
9226
9227 testCases = append(testCases, testCase{
9228 testType: serverTest,
9229 name: "SkipEarlyData-EarlyDataInTLS12",
9230 config: Config{
9231 MaxVersion: VersionTLS13,
9232 Bugs: ProtocolBugs{
9233 SendEarlyDataLength: 4,
9234 },
9235 },
9236 shouldFail: true,
9237 expectedError: ":UNEXPECTED_RECORD:",
9238 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9239 })
9240
9241 testCases = append(testCases, testCase{
9242 testType: serverTest,
9243 name: "SkipEarlyData-HRR",
9244 config: Config{
9245 MaxVersion: VersionTLS13,
9246 Bugs: ProtocolBugs{
9247 SendEarlyDataLength: 4,
9248 },
9249 DefaultCurves: []CurveID{},
9250 },
9251 })
9252
9253 testCases = append(testCases, testCase{
9254 testType: serverTest,
9255 name: "SkipEarlyData-HRR-Interleaved",
9256 config: Config{
9257 MaxVersion: VersionTLS13,
9258 Bugs: ProtocolBugs{
9259 SendEarlyDataLength: 4,
9260 InterleaveEarlyData: true,
9261 },
9262 DefaultCurves: []CurveID{},
9263 },
9264 shouldFail: true,
9265 expectedError: ":UNEXPECTED_RECORD:",
9266 })
9267
9268 testCases = append(testCases, testCase{
9269 testType: serverTest,
9270 name: "SkipEarlyData-HRR-TooMuchData",
9271 config: Config{
9272 MaxVersion: VersionTLS13,
9273 Bugs: ProtocolBugs{
9274 SendEarlyDataLength: 16384 + 1,
9275 },
9276 DefaultCurves: []CurveID{},
9277 },
9278 shouldFail: true,
9279 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9280 })
9281
9282 // Test that skipping early data looking for cleartext correctly
9283 // processes an alert record.
9284 testCases = append(testCases, testCase{
9285 testType: serverTest,
9286 name: "SkipEarlyData-HRR-FatalAlert",
9287 config: Config{
9288 MaxVersion: VersionTLS13,
9289 Bugs: ProtocolBugs{
9290 SendEarlyAlert: true,
9291 SendEarlyDataLength: 4,
9292 },
9293 DefaultCurves: []CurveID{},
9294 },
9295 shouldFail: true,
9296 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9297 })
9298
9299 testCases = append(testCases, testCase{
9300 testType: serverTest,
9301 name: "SkipEarlyData-SecondClientHelloEarlyData",
9302 config: Config{
9303 MaxVersion: VersionTLS13,
9304 Bugs: ProtocolBugs{
9305 SendEarlyDataOnSecondClientHello: true,
9306 },
9307 DefaultCurves: []CurveID{},
9308 },
9309 shouldFail: true,
9310 expectedLocalError: "remote error: bad record MAC",
9311 })
9312
9313 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9314 testType: clientTest,
9315 name: "EmptyEncryptedExtensions",
9316 config: Config{
9317 MaxVersion: VersionTLS13,
9318 Bugs: ProtocolBugs{
9319 EmptyEncryptedExtensions: true,
9320 },
9321 },
9322 shouldFail: true,
9323 expectedLocalError: "remote error: error decoding message",
9324 })
9325
9326 testCases = append(testCases, testCase{
9327 testType: clientTest,
9328 name: "EncryptedExtensionsWithKeyShare",
9329 config: Config{
9330 MaxVersion: VersionTLS13,
9331 Bugs: ProtocolBugs{
9332 EncryptedExtensionsWithKeyShare: true,
9333 },
9334 },
9335 shouldFail: true,
9336 expectedLocalError: "remote error: unsupported extension",
9337 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9338
9339 testCases = append(testCases, testCase{
9340 testType: serverTest,
9341 name: "SendHelloRetryRequest",
9342 config: Config{
9343 MaxVersion: VersionTLS13,
9344 // Require a HelloRetryRequest for every curve.
9345 DefaultCurves: []CurveID{},
9346 },
9347 expectedCurveID: CurveX25519,
9348 })
9349
9350 testCases = append(testCases, testCase{
9351 testType: serverTest,
9352 name: "SendHelloRetryRequest-2",
9353 config: Config{
9354 MaxVersion: VersionTLS13,
9355 DefaultCurves: []CurveID{CurveP384},
9356 },
9357 // Although the ClientHello did not predict our preferred curve,
9358 // we always select it whether it is predicted or not.
9359 expectedCurveID: CurveX25519,
9360 })
9361
9362 testCases = append(testCases, testCase{
9363 name: "UnknownCurve-HelloRetryRequest",
9364 config: Config{
9365 MaxVersion: VersionTLS13,
9366 // P-384 requires HelloRetryRequest in BoringSSL.
9367 CurvePreferences: []CurveID{CurveP384},
9368 Bugs: ProtocolBugs{
9369 SendHelloRetryRequestCurve: bogusCurve,
9370 },
9371 },
9372 shouldFail: true,
9373 expectedError: ":WRONG_CURVE:",
9374 })
9375
9376 testCases = append(testCases, testCase{
9377 name: "DisabledCurve-HelloRetryRequest",
9378 config: Config{
9379 MaxVersion: VersionTLS13,
9380 CurvePreferences: []CurveID{CurveP256},
9381 Bugs: ProtocolBugs{
9382 IgnorePeerCurvePreferences: true,
9383 },
9384 },
9385 flags: []string{"-p384-only"},
9386 shouldFail: true,
9387 expectedError: ":WRONG_CURVE:",
9388 })
9389
9390 testCases = append(testCases, testCase{
9391 name: "UnnecessaryHelloRetryRequest",
9392 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9393 MaxVersion: VersionTLS13,
9394 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9395 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9396 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9397 },
9398 },
9399 shouldFail: true,
9400 expectedError: ":WRONG_CURVE:",
9401 })
9402
9403 testCases = append(testCases, testCase{
9404 name: "SecondHelloRetryRequest",
9405 config: Config{
9406 MaxVersion: VersionTLS13,
9407 // P-384 requires HelloRetryRequest in BoringSSL.
9408 CurvePreferences: []CurveID{CurveP384},
9409 Bugs: ProtocolBugs{
9410 SecondHelloRetryRequest: true,
9411 },
9412 },
9413 shouldFail: true,
9414 expectedError: ":UNEXPECTED_MESSAGE:",
9415 })
9416
9417 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9418 name: "HelloRetryRequest-Empty",
9419 config: Config{
9420 MaxVersion: VersionTLS13,
9421 Bugs: ProtocolBugs{
9422 AlwaysSendHelloRetryRequest: true,
9423 },
9424 },
9425 shouldFail: true,
9426 expectedError: ":DECODE_ERROR:",
9427 })
9428
9429 testCases = append(testCases, testCase{
9430 name: "HelloRetryRequest-DuplicateCurve",
9431 config: Config{
9432 MaxVersion: VersionTLS13,
9433 // P-384 requires a HelloRetryRequest against BoringSSL's default
9434 // configuration. Assert this ExpectMissingKeyShare.
9435 CurvePreferences: []CurveID{CurveP384},
9436 Bugs: ProtocolBugs{
9437 ExpectMissingKeyShare: true,
9438 DuplicateHelloRetryRequestExtensions: true,
9439 },
9440 },
9441 shouldFail: true,
9442 expectedError: ":DUPLICATE_EXTENSION:",
9443 expectedLocalError: "remote error: illegal parameter",
9444 })
9445
9446 testCases = append(testCases, testCase{
9447 name: "HelloRetryRequest-Cookie",
9448 config: Config{
9449 MaxVersion: VersionTLS13,
9450 Bugs: ProtocolBugs{
9451 SendHelloRetryRequestCookie: []byte("cookie"),
9452 },
9453 },
9454 })
9455
9456 testCases = append(testCases, testCase{
9457 name: "HelloRetryRequest-DuplicateCookie",
9458 config: Config{
9459 MaxVersion: VersionTLS13,
9460 Bugs: ProtocolBugs{
9461 SendHelloRetryRequestCookie: []byte("cookie"),
9462 DuplicateHelloRetryRequestExtensions: true,
9463 },
9464 },
9465 shouldFail: true,
9466 expectedError: ":DUPLICATE_EXTENSION:",
9467 expectedLocalError: "remote error: illegal parameter",
9468 })
9469
9470 testCases = append(testCases, testCase{
9471 name: "HelloRetryRequest-EmptyCookie",
9472 config: Config{
9473 MaxVersion: VersionTLS13,
9474 Bugs: ProtocolBugs{
9475 SendHelloRetryRequestCookie: []byte{},
9476 },
9477 },
9478 shouldFail: true,
9479 expectedError: ":DECODE_ERROR:",
9480 })
9481
9482 testCases = append(testCases, testCase{
9483 name: "HelloRetryRequest-Cookie-Curve",
9484 config: Config{
9485 MaxVersion: VersionTLS13,
9486 // P-384 requires HelloRetryRequest in BoringSSL.
9487 CurvePreferences: []CurveID{CurveP384},
9488 Bugs: ProtocolBugs{
9489 SendHelloRetryRequestCookie: []byte("cookie"),
9490 ExpectMissingKeyShare: true,
9491 },
9492 },
9493 })
9494
9495 testCases = append(testCases, testCase{
9496 name: "HelloRetryRequest-Unknown",
9497 config: Config{
9498 MaxVersion: VersionTLS13,
9499 Bugs: ProtocolBugs{
9500 CustomHelloRetryRequestExtension: "extension",
9501 },
9502 },
9503 shouldFail: true,
9504 expectedError: ":UNEXPECTED_EXTENSION:",
9505 expectedLocalError: "remote error: unsupported extension",
9506 })
9507
9508 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9509 testType: serverTest,
9510 name: "SecondClientHelloMissingKeyShare",
9511 config: Config{
9512 MaxVersion: VersionTLS13,
9513 DefaultCurves: []CurveID{},
9514 Bugs: ProtocolBugs{
9515 SecondClientHelloMissingKeyShare: true,
9516 },
9517 },
9518 shouldFail: true,
9519 expectedError: ":MISSING_KEY_SHARE:",
9520 })
9521
9522 testCases = append(testCases, testCase{
9523 testType: serverTest,
9524 name: "SecondClientHelloWrongCurve",
9525 config: Config{
9526 MaxVersion: VersionTLS13,
9527 DefaultCurves: []CurveID{},
9528 Bugs: ProtocolBugs{
9529 MisinterpretHelloRetryRequestCurve: CurveP521,
9530 },
9531 },
9532 shouldFail: true,
9533 expectedError: ":WRONG_CURVE:",
9534 })
9535
9536 testCases = append(testCases, testCase{
9537 name: "HelloRetryRequestVersionMismatch",
9538 config: Config{
9539 MaxVersion: VersionTLS13,
9540 // P-384 requires HelloRetryRequest in BoringSSL.
9541 CurvePreferences: []CurveID{CurveP384},
9542 Bugs: ProtocolBugs{
9543 SendServerHelloVersion: 0x0305,
9544 },
9545 },
9546 shouldFail: true,
9547 expectedError: ":WRONG_VERSION_NUMBER:",
9548 })
9549
9550 testCases = append(testCases, testCase{
9551 name: "HelloRetryRequestCurveMismatch",
9552 config: Config{
9553 MaxVersion: VersionTLS13,
9554 // P-384 requires HelloRetryRequest in BoringSSL.
9555 CurvePreferences: []CurveID{CurveP384},
9556 Bugs: ProtocolBugs{
9557 // Send P-384 (correct) in the HelloRetryRequest.
9558 SendHelloRetryRequestCurve: CurveP384,
9559 // But send P-256 in the ServerHello.
9560 SendCurve: CurveP256,
9561 },
9562 },
9563 shouldFail: true,
9564 expectedError: ":WRONG_CURVE:",
9565 })
9566
9567 // Test the server selecting a curve that requires a HelloRetryRequest
9568 // without sending it.
9569 testCases = append(testCases, testCase{
9570 name: "SkipHelloRetryRequest",
9571 config: Config{
9572 MaxVersion: VersionTLS13,
9573 // P-384 requires HelloRetryRequest in BoringSSL.
9574 CurvePreferences: []CurveID{CurveP384},
9575 Bugs: ProtocolBugs{
9576 SkipHelloRetryRequest: true,
9577 },
9578 },
9579 shouldFail: true,
9580 expectedError: ":WRONG_CURVE:",
9581 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9582
9583 testCases = append(testCases, testCase{
9584 name: "TLS13-RequestContextInHandshake",
9585 config: Config{
9586 MaxVersion: VersionTLS13,
9587 MinVersion: VersionTLS13,
9588 ClientAuth: RequireAnyClientCert,
9589 Bugs: ProtocolBugs{
9590 SendRequestContext: []byte("request context"),
9591 },
9592 },
9593 flags: []string{
9594 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9595 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9596 },
9597 shouldFail: true,
9598 expectedError: ":DECODE_ERROR:",
9599 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9600
9601 testCases = append(testCases, testCase{
9602 testType: serverTest,
9603 name: "TLS13-TrailingKeyShareData",
9604 config: Config{
9605 MaxVersion: VersionTLS13,
9606 Bugs: ProtocolBugs{
9607 TrailingKeyShareData: true,
9608 },
9609 },
9610 shouldFail: true,
9611 expectedError: ":DECODE_ERROR:",
9612 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9613
9614 testCases = append(testCases, testCase{
9615 name: "TLS13-AlwaysSelectPSKIdentity",
9616 config: Config{
9617 MaxVersion: VersionTLS13,
9618 Bugs: ProtocolBugs{
9619 AlwaysSelectPSKIdentity: true,
9620 },
9621 },
9622 shouldFail: true,
9623 expectedError: ":UNEXPECTED_EXTENSION:",
9624 })
9625
9626 testCases = append(testCases, testCase{
9627 name: "TLS13-InvalidPSKIdentity",
9628 config: Config{
9629 MaxVersion: VersionTLS13,
9630 Bugs: ProtocolBugs{
9631 SelectPSKIdentityOnResume: 1,
9632 },
9633 },
9634 resumeSession: true,
9635 shouldFail: true,
9636 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9637 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9638
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9639 testCases = append(testCases, testCase{
9640 testType: serverTest,
9641 name: "TLS13-ExtraPSKIdentity",
9642 config: Config{
9643 MaxVersion: VersionTLS13,
9644 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9645 ExtraPSKIdentity: true,
9646 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9647 },
9648 },
9649 resumeSession: true,
9650 })
9651
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9652 // Test that unknown NewSessionTicket extensions are tolerated.
9653 testCases = append(testCases, testCase{
9654 name: "TLS13-CustomTicketExtension",
9655 config: Config{
9656 MaxVersion: VersionTLS13,
9657 Bugs: ProtocolBugs{
9658 CustomTicketExtension: "1234",
9659 },
9660 },
9661 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9662}
9663
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]9664func addTLS13CipherPreferenceTests() {
9665 // Test that client preference is honored if the shim has AES hardware
9666 // and ChaCha20-Poly1305 is preferred otherwise.
9667 testCases = append(testCases, testCase{
9668 testType: serverTest,
9669 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
9670 config: Config{
9671 MaxVersion: VersionTLS13,
9672 CipherSuites: []uint16{
9673 TLS_CHACHA20_POLY1305_SHA256,
9674 TLS_AES_128_GCM_SHA256,
9675 },
9676 },
9677 flags: []string{
9678 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9679 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9680 },
9681 })
9682
9683 testCases = append(testCases, testCase{
9684 testType: serverTest,
9685 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
9686 config: Config{
9687 MaxVersion: VersionTLS13,
9688 CipherSuites: []uint16{
9689 TLS_AES_128_GCM_SHA256,
9690 TLS_CHACHA20_POLY1305_SHA256,
9691 },
9692 },
9693 flags: []string{
9694 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9695 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9696 },
9697 })
9698
9699 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
9700 // whether it has AES hardware.
9701 testCases = append(testCases, testCase{
9702 name: "TLS13-CipherPreference-Client",
9703 config: Config{
9704 MaxVersion: VersionTLS13,
9705 // Use the client cipher order. (This is the default but
9706 // is listed to be explicit.)
9707 PreferServerCipherSuites: false,
9708 },
9709 flags: []string{
9710 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
9711 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
9712 },
9713 })
9714}
9715
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9716func addPeekTests() {
9717 // Test SSL_peek works, including on empty records.
9718 testCases = append(testCases, testCase{
9719 name: "Peek-Basic",
9720 sendEmptyRecords: 1,
9721 flags: []string{"-peek-then-read"},
9722 })
9723
9724 // Test SSL_peek can drive the initial handshake.
9725 testCases = append(testCases, testCase{
9726 name: "Peek-ImplicitHandshake",
9727 flags: []string{
9728 "-peek-then-read",
9729 "-implicit-handshake",
9730 },
9731 })
9732
9733 // Test SSL_peek can discover and drive a renegotiation.
9734 testCases = append(testCases, testCase{
9735 name: "Peek-Renegotiate",
9736 config: Config{
9737 MaxVersion: VersionTLS12,
9738 },
9739 renegotiate: 1,
9740 flags: []string{
9741 "-peek-then-read",
9742 "-renegotiate-freely",
9743 "-expect-total-renegotiations", "1",
9744 },
9745 })
9746
9747 // Test SSL_peek can discover a close_notify.
9748 testCases = append(testCases, testCase{
9749 name: "Peek-Shutdown",
9750 config: Config{
9751 Bugs: ProtocolBugs{
9752 ExpectCloseNotify: true,
9753 },
9754 },
9755 flags: []string{
9756 "-peek-then-read",
9757 "-check-close-notify",
9758 },
9759 })
9760
9761 // Test SSL_peek can discover an alert.
9762 testCases = append(testCases, testCase{
9763 name: "Peek-Alert",
9764 config: Config{
9765 Bugs: ProtocolBugs{
9766 SendSpuriousAlert: alertRecordOverflow,
9767 },
9768 },
9769 flags: []string{"-peek-then-read"},
9770 shouldFail: true,
9771 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
9772 })
9773
9774 // Test SSL_peek can handle KeyUpdate.
9775 testCases = append(testCases, testCase{
9776 name: "Peek-KeyUpdate",
9777 config: Config{
9778 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9779 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]9780 sendKeyUpdates: 1,
9781 keyUpdateRequest: keyUpdateNotRequested,
9782 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]9783 })
9784}
9785
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]9786func addRecordVersionTests() {
9787 for _, ver := range tlsVersions {
9788 // Test that the record version is enforced.
9789 testCases = append(testCases, testCase{
9790 name: "CheckRecordVersion-" + ver.name,
9791 config: Config{
9792 MinVersion: ver.version,
9793 MaxVersion: ver.version,
9794 Bugs: ProtocolBugs{
9795 SendRecordVersion: 0x03ff,
9796 },
9797 },
9798 shouldFail: true,
9799 expectedError: ":WRONG_VERSION_NUMBER:",
9800 })
9801
9802 // Test that the ClientHello may use any record version, for
9803 // compatibility reasons.
9804 testCases = append(testCases, testCase{
9805 testType: serverTest,
9806 name: "LooseInitialRecordVersion-" + ver.name,
9807 config: Config{
9808 MinVersion: ver.version,
9809 MaxVersion: ver.version,
9810 Bugs: ProtocolBugs{
9811 SendInitialRecordVersion: 0x03ff,
9812 },
9813 },
9814 })
9815
9816 // Test that garbage ClientHello record versions are rejected.
9817 testCases = append(testCases, testCase{
9818 testType: serverTest,
9819 name: "GarbageInitialRecordVersion-" + ver.name,
9820 config: Config{
9821 MinVersion: ver.version,
9822 MaxVersion: ver.version,
9823 Bugs: ProtocolBugs{
9824 SendInitialRecordVersion: 0xffff,
9825 },
9826 },
9827 shouldFail: true,
9828 expectedError: ":WRONG_VERSION_NUMBER:",
9829 })
9830 }
9831}
9832
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9833func addCertificateTests() {
9834 // Test that a certificate chain with intermediate may be sent and
9835 // received as both client and server.
9836 for _, ver := range tlsVersions {
9837 testCases = append(testCases, testCase{
9838 testType: clientTest,
9839 name: "SendReceiveIntermediate-Client-" + ver.name,
9840 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9841 MinVersion: ver.version,
9842 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9843 Certificates: []Certificate{rsaChainCertificate},
9844 ClientAuth: RequireAnyClientCert,
9845 },
9846 expectPeerCertificate: &rsaChainCertificate,
9847 flags: []string{
9848 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9849 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9850 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9851 },
9852 })
9853
9854 testCases = append(testCases, testCase{
9855 testType: serverTest,
9856 name: "SendReceiveIntermediate-Server-" + ver.name,
9857 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]9858 MinVersion: ver.version,
9859 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]9860 Certificates: []Certificate{rsaChainCertificate},
9861 },
9862 expectPeerCertificate: &rsaChainCertificate,
9863 flags: []string{
9864 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9865 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
9866 "-require-any-client-certificate",
9867 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
9868 },
9869 })
9870 }
9871}
9872
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]9873func addRetainOnlySHA256ClientCertTests() {
9874 for _, ver := range tlsVersions {
9875 // Test that enabling
9876 // SSL_CTX_set_retain_only_sha256_of_client_certs without
9877 // actually requesting a client certificate is a no-op.
9878 testCases = append(testCases, testCase{
9879 testType: serverTest,
9880 name: "RetainOnlySHA256-NoCert-" + ver.name,
9881 config: Config{
9882 MinVersion: ver.version,
9883 MaxVersion: ver.version,
9884 },
9885 flags: []string{
9886 "-retain-only-sha256-client-cert-initial",
9887 "-retain-only-sha256-client-cert-resume",
9888 },
9889 resumeSession: true,
9890 })
9891
9892 // Test that when retaining only a SHA-256 certificate is
9893 // enabled, the hash appears as expected.
9894 testCases = append(testCases, testCase{
9895 testType: serverTest,
9896 name: "RetainOnlySHA256-Cert-" + ver.name,
9897 config: Config{
9898 MinVersion: ver.version,
9899 MaxVersion: ver.version,
9900 Certificates: []Certificate{rsaCertificate},
9901 },
9902 flags: []string{
9903 "-verify-peer",
9904 "-retain-only-sha256-client-cert-initial",
9905 "-retain-only-sha256-client-cert-resume",
9906 "-expect-sha256-client-cert-initial",
9907 "-expect-sha256-client-cert-resume",
9908 },
9909 resumeSession: true,
9910 })
9911
9912 // Test that when the config changes from on to off, a
9913 // resumption is rejected because the server now wants the full
9914 // certificate chain.
9915 testCases = append(testCases, testCase{
9916 testType: serverTest,
9917 name: "RetainOnlySHA256-OnOff-" + ver.name,
9918 config: Config{
9919 MinVersion: ver.version,
9920 MaxVersion: ver.version,
9921 Certificates: []Certificate{rsaCertificate},
9922 },
9923 flags: []string{
9924 "-verify-peer",
9925 "-retain-only-sha256-client-cert-initial",
9926 "-expect-sha256-client-cert-initial",
9927 },
9928 resumeSession: true,
9929 expectResumeRejected: true,
9930 })
9931
9932 // Test that when the config changes from off to on, a
9933 // resumption is rejected because the server now wants just the
9934 // hash.
9935 testCases = append(testCases, testCase{
9936 testType: serverTest,
9937 name: "RetainOnlySHA256-OffOn-" + ver.name,
9938 config: Config{
9939 MinVersion: ver.version,
9940 MaxVersion: ver.version,
9941 Certificates: []Certificate{rsaCertificate},
9942 },
9943 flags: []string{
9944 "-verify-peer",
9945 "-retain-only-sha256-client-cert-resume",
9946 "-expect-sha256-client-cert-resume",
9947 },
9948 resumeSession: true,
9949 expectResumeRejected: true,
9950 })
9951 }
9952}
9953
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]9954func addECDSAKeyUsageTests() {
9955 p256 := elliptic.P256()
9956 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
9957 if err != nil {
9958 panic(err)
9959 }
9960
9961 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
9962 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
9963 if err != nil {
9964 panic(err)
9965 }
9966
9967 template := x509.Certificate{
9968 SerialNumber: serialNumber,
9969 Subject: pkix.Name{
9970 Organization: []string{"Acme Co"},
9971 },
9972 NotBefore: time.Now(),
9973 NotAfter: time.Now(),
9974
9975 // An ECC certificate with only the keyAgreement key usgae may
9976 // be used with ECDH, but not ECDSA.
9977 KeyUsage: x509.KeyUsageKeyAgreement,
9978 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
9979 BasicConstraintsValid: true,
9980 }
9981
9982 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
9983 if err != nil {
9984 panic(err)
9985 }
9986
9987 cert := Certificate{
9988 Certificate: [][]byte{derBytes},
9989 PrivateKey: priv,
9990 }
9991
9992 for _, ver := range tlsVersions {
9993 if ver.version < VersionTLS12 {
9994 continue
9995 }
9996
9997 testCases = append(testCases, testCase{
9998 testType: clientTest,
9999 name: "ECDSAKeyUsage-" + ver.name,
10000 config: Config{
10001 MinVersion: ver.version,
10002 MaxVersion: ver.version,
10003 Certificates: []Certificate{cert},
10004 },
10005 shouldFail: true,
10006 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10007 })
10008 }
10009}
10010
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10011func addShortHeaderTests() {
10012 // The short header extension may be negotiated as either client or
10013 // server.
10014 testCases = append(testCases, testCase{
10015 name: "ShortHeader-Client",
10016 config: Config{
10017 MaxVersion: VersionTLS13,
10018 Bugs: ProtocolBugs{
10019 EnableShortHeader: true,
10020 },
10021 },
10022 flags: []string{"-enable-short-header"},
10023 expectShortHeader: true,
10024 })
10025 testCases = append(testCases, testCase{
10026 testType: serverTest,
10027 name: "ShortHeader-Server",
10028 config: Config{
10029 MaxVersion: VersionTLS13,
10030 Bugs: ProtocolBugs{
10031 EnableShortHeader: true,
10032 },
10033 },
10034 flags: []string{"-enable-short-header"},
10035 expectShortHeader: true,
10036 })
10037
10038 // If the peer doesn't support it, it will not be negotiated.
10039 testCases = append(testCases, testCase{
10040 name: "ShortHeader-No-Yes-Client",
10041 config: Config{
10042 MaxVersion: VersionTLS13,
10043 },
10044 flags: []string{"-enable-short-header"},
10045 })
10046 testCases = append(testCases, testCase{
10047 testType: serverTest,
10048 name: "ShortHeader-No-Yes-Server",
10049 config: Config{
10050 MaxVersion: VersionTLS13,
10051 },
10052 flags: []string{"-enable-short-header"},
10053 })
10054
10055 // If we don't support it, it will not be negotiated.
10056 testCases = append(testCases, testCase{
10057 name: "ShortHeader-Yes-No-Client",
10058 config: Config{
10059 MaxVersion: VersionTLS13,
10060 Bugs: ProtocolBugs{
10061 EnableShortHeader: true,
10062 },
10063 },
10064 })
10065 testCases = append(testCases, testCase{
10066 testType: serverTest,
10067 name: "ShortHeader-Yes-No-Server",
10068 config: Config{
10069 MaxVersion: VersionTLS13,
10070 Bugs: ProtocolBugs{
10071 EnableShortHeader: true,
10072 },
10073 },
10074 })
10075
10076 // It will not be negotiated at TLS 1.2.
10077 testCases = append(testCases, testCase{
10078 name: "ShortHeader-TLS12-Client",
10079 config: Config{
10080 MaxVersion: VersionTLS12,
10081 Bugs: ProtocolBugs{
10082 EnableShortHeader: true,
10083 },
10084 },
10085 flags: []string{"-enable-short-header"},
10086 })
10087 testCases = append(testCases, testCase{
10088 testType: serverTest,
10089 name: "ShortHeader-TLS12-Server",
10090 config: Config{
10091 MaxVersion: VersionTLS12,
10092 Bugs: ProtocolBugs{
10093 EnableShortHeader: true,
10094 },
10095 },
10096 flags: []string{"-enable-short-header"},
10097 })
10098
10099 // Servers reject early data and short header sent together.
10100 testCases = append(testCases, testCase{
10101 testType: serverTest,
10102 name: "ShortHeader-EarlyData",
10103 config: Config{
10104 MaxVersion: VersionTLS13,
10105 Bugs: ProtocolBugs{
10106 EnableShortHeader: true,
10107 SendEarlyDataLength: 1,
10108 },
10109 },
10110 flags: []string{"-enable-short-header"},
10111 shouldFail: true,
10112 expectedError: ":UNEXPECTED_EXTENSION:",
10113 })
10114
10115 // Clients reject unsolicited short header extensions.
10116 testCases = append(testCases, testCase{
10117 name: "ShortHeader-Unsolicited",
10118 config: Config{
10119 MaxVersion: VersionTLS13,
10120 Bugs: ProtocolBugs{
10121 AlwaysNegotiateShortHeader: true,
10122 },
10123 },
10124 shouldFail: true,
10125 expectedError: ":UNEXPECTED_EXTENSION:",
10126 })
10127 testCases = append(testCases, testCase{
10128 name: "ShortHeader-Unsolicited-TLS12",
10129 config: Config{
10130 MaxVersion: VersionTLS12,
10131 Bugs: ProtocolBugs{
10132 AlwaysNegotiateShortHeader: true,
10133 },
10134 },
10135 shouldFail: true,
10136 expectedError: ":UNEXPECTED_EXTENSION:",
10137 })
10138
10139 // The high bit must be checked in short headers.
10140 testCases = append(testCases, testCase{
10141 name: "ShortHeader-ClearShortHeaderBit",
10142 config: Config{
10143 Bugs: ProtocolBugs{
10144 EnableShortHeader: true,
10145 ClearShortHeaderBit: true,
10146 },
10147 },
10148 flags: []string{"-enable-short-header"},
10149 shouldFail: true,
10150 expectedError: ":DECODE_ERROR:",
10151 expectedLocalError: "remote error: error decoding message",
10152 })
10153}
10154
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10155func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10156 defer wg.Done()
10157
10158 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10159 var err error
10160
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10161 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10162 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10163 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10164 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10165 if err != nil {
10166 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10167 }
10168 break
10169 }
10170 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10171 } else if *repeatUntilFailure {
10172 for err == nil {
10173 statusChan <- statusMsg{test: test, started: true}
10174 err = runTest(test, shimPath, -1)
10175 }
10176 } else {
10177 statusChan <- statusMsg{test: test, started: true}
10178 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10179 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10180 statusChan <- statusMsg{test: test, err: err}
10181 }
10182}
10183
10184type statusMsg struct {
10185 test *testCase
10186 started bool
10187 err error
10188}
10189
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10190func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10191 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10192
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10193 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10194 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10195 if !*pipe {
10196 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10197 var erase string
10198 for i := 0; i < lineLen; i++ {
10199 erase += "\b \b"
10200 }
10201 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10202 }
10203
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10204 if msg.started {
10205 started++
10206 } else {
10207 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10208
10209 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10210 if msg.err == errUnimplemented {
10211 if *pipe {
10212 // Print each test instead of a status line.
10213 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10214 }
10215 unimplemented++
10216 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10217 } else {
10218 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10219 failed++
10220 testOutput.addResult(msg.test.name, "FAIL")
10221 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10222 } else {
10223 if *pipe {
10224 // Print each test instead of a status line.
10225 fmt.Printf("PASSED (%s)\n", msg.test.name)
10226 }
10227 testOutput.addResult(msg.test.name, "PASS")
10228 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10229 }
10230
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10231 if !*pipe {
10232 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10233 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10234 lineLen = len(line)
10235 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10236 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10237 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10238
10239 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10240}
10241
10242func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10243 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10244 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]10245 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10246
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10247 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10248 addCipherSuiteTests()
10249 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]10250 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]10251 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]10252 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]10253 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]10254 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]10255 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]10256 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]10257 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]10258 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]10259 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]10260 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]10261 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]10262 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]10263 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]10264 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]10265 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]10266 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]10267 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]10268 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]10269 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]10270 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]10271 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10272 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10273 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10274 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10275 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10276 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10277 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10278 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10279 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10280 addECDSAKeyUsageTests()
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]10281 addShortHeaderTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10282
10283 var wg sync.WaitGroup
10284
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10285 statusChan := make(chan statusMsg, *numWorkers)
10286 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10287 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10288
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10289 if len(*shimConfigFile) != 0 {
10290 encoded, err := ioutil.ReadFile(*shimConfigFile)
10291 if err != nil {
10292 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
10293 os.Exit(1)
10294 }
10295
10296 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
10297 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
10298 os.Exit(1)
10299 }
10300 }
10301
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10302 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10303
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10304 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10305 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10306 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10307 }
10308
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10309 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10310 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10311 matched := true
10312 if len(*testToRun) != 0 {
10313 var err error
10314 matched, err = filepath.Match(*testToRun, testCases[i].name)
10315 if err != nil {
10316 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
10317 os.Exit(1)
10318 }
10319 }
10320
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10321 if !*includeDisabled {
10322 for pattern := range shimConfig.DisabledTests {
10323 isDisabled, err := filepath.Match(pattern, testCases[i].name)
10324 if err != nil {
10325 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
10326 os.Exit(1)
10327 }
10328
10329 if isDisabled {
10330 matched = false
10331 break
10332 }
10333 }
10334 }
10335
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10336 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10337 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10338 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10339
10340 // Only run one test if repeating until failure.
10341 if *repeatUntilFailure {
10342 break
10343 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10344 }
10345 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10346
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10347 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10348 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10349 os.Exit(1)
10350 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10351
10352 close(testChan)
10353 wg.Wait()
10354 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10355 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10356
10357 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10358
10359 if *jsonOutput != "" {
10360 if err := testOutput.writeTo(*jsonOutput); err != nil {
10361 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
10362 }
10363 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10364
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10365 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
10366 os.Exit(1)
10367 }
10368
10369 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10370 os.Exit(1)
10371 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10372}