Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / dd42a613176ed39d12be02cf21aeae057d9ef6e6 / . / src / ssl / test / runner / runner.go
blob: 8461bd869cfcadd5a9af1fac763842749718f0e9 [file] [log] [blame]
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]14
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]15package runner
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]16
17import (
18 "bytes"
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]19 "crypto"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]20 "crypto/ecdsa"
21 "crypto/elliptic"
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]22 "crypto/rand"
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]23 "crypto/rsa"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]24 "crypto/x509"
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]25 "crypto/x509/pkix"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]26 "encoding/base64"
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]27 "encoding/binary"
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]28 "encoding/hex"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]29 "encoding/json"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]30 "encoding/pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]31 "errors"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]32 "flag"
33 "fmt"
34 "io"
35 "io/ioutil"
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]36 "math/big"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]37 "net"
38 "os"
39 "os/exec"
40 "path"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]41 "path/filepath"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]42 "runtime"
43 "strconv"
44 "strings"
45 "sync"
46 "syscall"
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]47 "time"
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]48
49 "boringssl.googlesource.com/boringssl/util/testresult"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]50)
51
52var (
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]53 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
54 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
55 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
56 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
57 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
58 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
59 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
60 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
61 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
62 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
63 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]64 handshakerPath = flag.String("handshaker-path", "../../../build/ssl/test/handshaker", "The location of the handshaker binary.")
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]65 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
66 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
67 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
68 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
69 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
70 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
71 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
72 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
73 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]74 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]75)
76
77// ShimConfigurations is used with the “json” package and represents a shim
78// config file.
79type ShimConfiguration struct {
80 // DisabledTests maps from a glob-based pattern to a freeform string.
81 // The glob pattern is used to exclude tests from being run and the
82 // freeform string is unparsed but expected to explain why the test is
83 // disabled.
84 DisabledTests map[string]string
85
86 // ErrorMap maps from expected error strings to the correct error
87 // string for the shim in question. For example, it might map
88 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
89 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
90 ErrorMap map[string]string
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]91
92 // HalfRTTTickets is the number of half-RTT tickets the client should
93 // expect before half-RTT data when testing 0-RTT.
94 HalfRTTTickets int
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]95}
96
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]97// Setup shimConfig defaults aligning with BoringSSL.
98var shimConfig ShimConfiguration = ShimConfiguration{
99 HalfRTTTickets: 2,
100}
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]101
102type testCert int
103
104const (
105 testCertRSA testCert = iota
106 testCertRSA1024
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]107 testCertRSAChain
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]108 testCertECDSAP224
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]109 testCertECDSAP256
110 testCertECDSAP384
111 testCertECDSAP521
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]112 testCertEd25519
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]113)
114
115const (
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]116 rsaCertificateFile = "cert.pem"
117 rsa1024CertificateFile = "rsa_1024_cert.pem"
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]118 rsaChainCertificateFile = "rsa_chain_cert.pem"
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]119 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]120 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
121 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
122 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]123 ed25519CertificateFile = "ed25519_cert.pem"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]124)
125
126const (
127 rsaKeyFile = "key.pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]128 rsa1024KeyFile = "rsa_1024_key.pem"
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]129 rsaChainKeyFile = "rsa_chain_key.pem"
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]130 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]131 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
132 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
133 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]134 ed25519KeyFile = "ed25519_key.pem"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]135 channelIDKeyFile = "channel_id_key.pem"
136)
137
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]138var (
139 rsaCertificate Certificate
140 rsa1024Certificate Certificate
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]141 rsaChainCertificate Certificate
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]142 ecdsaP224Certificate Certificate
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]143 ecdsaP256Certificate Certificate
144 ecdsaP384Certificate Certificate
145 ecdsaP521Certificate Certificate
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]146 ed25519Certificate Certificate
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]147 garbageCertificate Certificate
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]148)
149
150var testCerts = []struct {
151 id testCert
152 certFile, keyFile string
153 cert *Certificate
154}{
155 {
156 id: testCertRSA,
157 certFile: rsaCertificateFile,
158 keyFile: rsaKeyFile,
159 cert: &rsaCertificate,
160 },
161 {
162 id: testCertRSA1024,
163 certFile: rsa1024CertificateFile,
164 keyFile: rsa1024KeyFile,
165 cert: &rsa1024Certificate,
166 },
167 {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]168 id: testCertRSAChain,
169 certFile: rsaChainCertificateFile,
170 keyFile: rsaChainKeyFile,
171 cert: &rsaChainCertificate,
172 },
173 {
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]174 id: testCertECDSAP224,
175 certFile: ecdsaP224CertificateFile,
176 keyFile: ecdsaP224KeyFile,
177 cert: &ecdsaP224Certificate,
178 },
179 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]180 id: testCertECDSAP256,
181 certFile: ecdsaP256CertificateFile,
182 keyFile: ecdsaP256KeyFile,
183 cert: &ecdsaP256Certificate,
184 },
185 {
186 id: testCertECDSAP384,
187 certFile: ecdsaP384CertificateFile,
188 keyFile: ecdsaP384KeyFile,
189 cert: &ecdsaP384Certificate,
190 },
191 {
192 id: testCertECDSAP521,
193 certFile: ecdsaP521CertificateFile,
194 keyFile: ecdsaP521KeyFile,
195 cert: &ecdsaP521Certificate,
196 },
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]197 {
198 id: testCertEd25519,
199 certFile: ed25519CertificateFile,
200 keyFile: ed25519KeyFile,
201 cert: &ed25519Certificate,
202 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]203}
204
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]205var channelIDKey *ecdsa.PrivateKey
206var channelIDBytes []byte
207
208var testOCSPResponse = []byte{1, 2, 3, 4}
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]209var testOCSPResponse2 = []byte{5, 6, 7, 8}
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]210var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]211var testSCTList2 = []byte{0, 6, 0, 4, 1, 2, 3, 4}
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]212
213var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
214var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]215
216func initCertificates() {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]217 for i := range testCerts {
218 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
219 if err != nil {
220 panic(err)
221 }
222 cert.OCSPStaple = testOCSPResponse
223 cert.SignedCertificateTimestampList = testSCTList
224 *testCerts[i].cert = cert
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]225 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]226
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]227 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]228 if err != nil {
229 panic(err)
230 }
231 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
232 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
233 panic("bad key type")
234 }
235 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
236 if err != nil {
237 panic(err)
238 }
239 if channelIDKey.Curve != elliptic.P256() {
240 panic("bad curve")
241 }
242
243 channelIDBytes = make([]byte, 64)
244 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
245 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]246
247 garbageCertificate.Certificate = [][]byte{[]byte("GARBAGE")}
248 garbageCertificate.PrivateKey = rsaCertificate.PrivateKey
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]249}
250
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]251// delegatedCredentialConfig specifies the shape of a delegated credential, not
252// including the keys themselves.
253type delegatedCredentialConfig struct {
254 // lifetime is the amount of time, from the notBefore of the parent
255 // certificate, that the delegated credential is valid for. If zero, then 24
256 // hours is assumed.
257 lifetime time.Duration
258 // expectedAlgo is the signature scheme that should be used with this
259 // delegated credential. If zero, ECDSA with P-256 is assumed.
260 expectedAlgo signatureAlgorithm
261 // tlsVersion is the version of TLS that should be used with this delegated
262 // credential. If zero, TLS 1.3 is assumed.
263 tlsVersion uint16
264 // algo is the signature algorithm that the delegated credential itself is
265 // signed with. Cannot be zero.
266 algo signatureAlgorithm
267}
268
269func loadRSAPrivateKey(filename string) (priv *rsa.PrivateKey, privPKCS8 []byte, err error) {
270 pemPath := path.Join(*resourceDir, filename)
271 pemBytes, err := ioutil.ReadFile(pemPath)
272 if err != nil {
273 return nil, nil, err
274 }
275
276 block, _ := pem.Decode(pemBytes)
277 if block == nil {
278 return nil, nil, fmt.Errorf("no PEM block found in %q", pemPath)
279 }
280 privPKCS8 = block.Bytes
281
282 parsed, err := x509.ParsePKCS8PrivateKey(privPKCS8)
283 if err != nil {
284 return nil, nil, fmt.Errorf("failed to parse PKCS#8 key from %q", pemPath)
285 }
286
287 priv, ok := parsed.(*rsa.PrivateKey)
288 if !ok {
289 return nil, nil, fmt.Errorf("found %T in %q rather than an RSA private key", parsed, pemPath)
290 }
291
292 return priv, privPKCS8, nil
293}
294
295func createDelegatedCredential(config delegatedCredentialConfig, parentDER []byte, parentPriv crypto.PrivateKey) (dc, privPKCS8 []uint8, err error) {
296 expectedAlgo := config.expectedAlgo
297 if expectedAlgo == signatureAlgorithm(0) {
298 expectedAlgo = signatureECDSAWithP256AndSHA256
299 }
300
301 var pub crypto.PublicKey
302
303 switch expectedAlgo {
304 case signatureRSAPKCS1WithMD5, signatureRSAPKCS1WithSHA1, signatureRSAPKCS1WithSHA256, signatureRSAPKCS1WithSHA384, signatureRSAPKCS1WithSHA512, signatureRSAPSSWithSHA256, signatureRSAPSSWithSHA384, signatureRSAPSSWithSHA512:
305 // RSA keys are expensive to generate so load from disk instead.
306 var priv *rsa.PrivateKey
307 if priv, privPKCS8, err = loadRSAPrivateKey(rsaKeyFile); err != nil {
308 return nil, nil, err
309 }
310
311 pub = &priv.PublicKey
312
313 case signatureECDSAWithSHA1, signatureECDSAWithP256AndSHA256, signatureECDSAWithP384AndSHA384, signatureECDSAWithP521AndSHA512:
314 var curve elliptic.Curve
315 switch expectedAlgo {
316 case signatureECDSAWithSHA1, signatureECDSAWithP256AndSHA256:
317 curve = elliptic.P256()
318 case signatureECDSAWithP384AndSHA384:
319 curve = elliptic.P384()
320 case signatureECDSAWithP521AndSHA512:
321 curve = elliptic.P521()
322 default:
323 panic("internal error")
324 }
325
326 priv, err := ecdsa.GenerateKey(curve, rand.Reader)
327 if err != nil {
328 return nil, nil, err
329 }
330
331 if privPKCS8, err = x509.MarshalPKCS8PrivateKey(priv); err != nil {
332 return nil, nil, err
333 }
334
335 pub = &priv.PublicKey
336
337 default:
338 return nil, nil, fmt.Errorf("unsupported expected signature algorithm: %x", expectedAlgo)
339 }
340
341 lifetime := config.lifetime
342 if lifetime == 0 {
343 lifetime = 24 * time.Hour
344 }
345 lifetimeSecs := int64(lifetime.Seconds())
346 if lifetimeSecs > 1<<32 {
347 return nil, nil, fmt.Errorf("lifetime %s is too long to be expressed", lifetime)
348 }
349 tlsVersion := config.tlsVersion
350 if tlsVersion == 0 {
351 tlsVersion = VersionTLS13
352 }
353
354 if tlsVersion < VersionTLS13 {
355 return nil, nil, fmt.Errorf("delegated credentials require TLS 1.3")
356 }
357
358 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3
359 dc = append(dc, byte(lifetimeSecs>>24), byte(lifetimeSecs>>16), byte(lifetimeSecs>>8), byte(lifetimeSecs))
360 dc = append(dc, byte(expectedAlgo>>8), byte(expectedAlgo))
361
362 pubBytes, err := x509.MarshalPKIXPublicKey(pub)
363 if err != nil {
364 return nil, nil, err
365 }
366
367 dc = append(dc, byte(len(pubBytes)>>16), byte(len(pubBytes)>>8), byte(len(pubBytes)))
368 dc = append(dc, pubBytes...)
369
370 var dummyConfig Config
371 parentSigner, err := getSigner(tlsVersion, parentPriv, &dummyConfig, config.algo, false /* not for verification */)
372 if err != nil {
373 return nil, nil, err
374 }
375
376 parentSignature, err := parentSigner.signMessage(parentPriv, &dummyConfig, delegatedCredentialSignedMessage(dc, config.algo, parentDER))
377 if err != nil {
378 return nil, nil, err
379 }
380
381 dc = append(dc, byte(config.algo>>8), byte(config.algo))
382 dc = append(dc, byte(len(parentSignature)>>8), byte(len(parentSignature)))
383 dc = append(dc, parentSignature...)
384
385 return dc, privPKCS8, nil
386}
387
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]388func getRunnerCertificate(t testCert) Certificate {
389 for _, cert := range testCerts {
390 if cert.id == t {
391 return *cert.cert
392 }
393 }
394 panic("Unknown test certificate")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]395}
396
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]397func getShimCertificate(t testCert) string {
398 for _, cert := range testCerts {
399 if cert.id == t {
400 return cert.certFile
401 }
402 }
403 panic("Unknown test certificate")
404}
405
406func getShimKey(t testCert) string {
407 for _, cert := range testCerts {
408 if cert.id == t {
409 return cert.keyFile
410 }
411 }
412 panic("Unknown test certificate")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]413}
414
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]415// recordVersionToWire maps a record-layer protocol version to its wire
416// representation.
417func recordVersionToWire(vers uint16, protocol protocol) uint16 {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]418 if protocol == dtls {
419 switch vers {
420 case VersionTLS12:
421 return VersionDTLS12
422 case VersionTLS10:
423 return VersionDTLS10
424 }
425 } else {
426 switch vers {
427 case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
428 return vers
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]429 }
430 }
431
432 panic("unknown version")
433}
434
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]435// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
436func encodeDERValues(values [][]byte) string {
437 var ret string
438 for i, v := range values {
439 if i > 0 {
440 ret += ","
441 }
442 ret += hex.EncodeToString(v)
443 }
444
445 return ret
446}
447
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]448func decodeHexOrPanic(in string) []byte {
449 ret, err := hex.DecodeString(in)
450 if err != nil {
451 panic(err)
452 }
453 return ret
454}
455
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]456type testType int
457
458const (
459 clientTest testType = iota
460 serverTest
461)
462
463type protocol int
464
465const (
466 tls protocol = iota
467 dtls
468)
469
470const (
471 alpn = 1
472 npn = 2
473)
474
475type testCase struct {
476 testType testType
477 protocol protocol
478 name string
479 config Config
480 shouldFail bool
481 expectedError string
482 // expectedLocalError, if not empty, contains a substring that must be
483 // found in the local error.
484 expectedLocalError string
485 // expectedVersion, if non-zero, specifies the TLS version that must be
486 // negotiated.
487 expectedVersion uint16
488 // expectedResumeVersion, if non-zero, specifies the TLS version that
489 // must be negotiated on resumption. If zero, expectedVersion is used.
490 expectedResumeVersion uint16
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]491 // expectedCipher, if non-zero, specifies the TLS cipher suite that
492 // should be negotiated.
493 expectedCipher uint16
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]494 // expectChannelID controls whether the connection should have
495 // negotiated a Channel ID with channelIDKey.
496 expectChannelID bool
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]497 // expectTokenBinding controls whether the connection should have
498 // negotiated Token Binding.
499 expectTokenBinding bool
500 // expectedTokenBindingParam is the Token Binding parameter that should
501 // have been negotiated (if expectTokenBinding is true).
502 expectedTokenBindingParam uint8
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]503 // expectedNextProto controls whether the connection should
504 // negotiate a next protocol via NPN or ALPN.
505 expectedNextProto string
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]506 // expectNoNextProto, if true, means that no next protocol should be
507 // negotiated.
508 expectNoNextProto bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]509 // expectedNextProtoType, if non-zero, is the expected next
510 // protocol negotiation mechanism.
511 expectedNextProtoType int
512 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
513 // should be negotiated. If zero, none should be negotiated.
514 expectedSRTPProtectionProfile uint16
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]515 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
516 expectedOCSPResponse []uint8
517 // expectedSCTList, if not nil, is the expected SCT list to be received.
518 expectedSCTList []uint8
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]519 // expectedPeerSignatureAlgorithm, if not zero, is the signature
520 // algorithm that the peer should have used in the handshake.
521 expectedPeerSignatureAlgorithm signatureAlgorithm
522 // expectedCurveID, if not zero, is the curve that the handshake should
523 // have used.
524 expectedCurveID CurveID
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]525 // messageLen is the length, in bytes, of the test message that will be
526 // sent.
527 messageLen int
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]528 // messageCount is the number of test messages that will be sent.
529 messageCount int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]530 // certFile is the path to the certificate to use for the server.
531 certFile string
532 // keyFile is the path to the private key to use for the server.
533 keyFile string
534 // resumeSession controls whether a second connection should be tested
535 // which attempts to resume the first session.
536 resumeSession bool
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]537 // resumeRenewedSession controls whether a third connection should be
538 // tested which attempts to resume the second connection's session.
539 resumeRenewedSession bool
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]540 // expectResumeRejected, if true, specifies that the attempted
541 // resumption must be rejected by the client. This is only valid for a
542 // serverTest.
543 expectResumeRejected bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]544 // resumeConfig, if not nil, points to a Config to be used on
545 // resumption. Unless newSessionsOnResume is set,
546 // SessionTicketKey, ServerSessionCache, and
547 // ClientSessionCache are copied from the initial connection's
548 // config. If nil, the initial connection's config is used.
549 resumeConfig *Config
550 // newSessionsOnResume, if true, will cause resumeConfig to
551 // use a different session resumption context.
552 newSessionsOnResume bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]553 // noSessionCache, if true, will cause the server to run without a
554 // session cache.
555 noSessionCache bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]556 // sendPrefix sends a prefix on the socket before actually performing a
557 // handshake.
558 sendPrefix string
559 // shimWritesFirst controls whether the shim sends an initial "hello"
560 // message before doing a roundtrip with the runner.
561 shimWritesFirst bool
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]562 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
563 // does not complete the write until responding to the first runner
564 // message.
565 readWithUnfinishedWrite bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]566 // shimShutsDown, if true, runs a test where the shim shuts down the
567 // connection immediately after the handshake rather than echoing
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]568 // messages from the runner. The runner will default to not sending
569 // application data.
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]570 shimShutsDown bool
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]571 // renegotiate indicates the number of times the connection should be
572 // renegotiated during the exchange.
573 renegotiate int
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]574 // sendHalfHelloRequest, if true, causes the server to send half a
575 // HelloRequest when the handshake completes.
576 sendHalfHelloRequest bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]577 // renegotiateCiphers is a list of ciphersuite ids that will be
578 // switched in just before renegotiation.
579 renegotiateCiphers []uint16
580 // replayWrites, if true, configures the underlying transport
581 // to replay every write it makes in DTLS tests.
582 replayWrites bool
583 // damageFirstWrite, if true, configures the underlying transport to
584 // damage the final byte of the first application data write.
585 damageFirstWrite bool
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]586 // exportKeyingMaterial, if non-zero, configures the test to exchange
587 // keying material and verify they match.
588 exportKeyingMaterial int
589 exportLabel string
590 exportContext string
591 useExportContext bool
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]592 // exportEarlyKeyingMaterial, if non-zero, behaves like
593 // exportKeyingMaterial, but for the early exporter.
594 exportEarlyKeyingMaterial int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]595 // flags, if not empty, contains a list of command-line flags that will
596 // be passed to the shim program.
597 flags []string
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]598 // testTLSUnique, if true, causes the shim to send the tls-unique value
599 // which will be compared against the expected value.
600 testTLSUnique bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]601 // sendEmptyRecords is the number of consecutive empty records to send
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]602 // before each test message.
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]603 sendEmptyRecords int
604 // sendWarningAlerts is the number of consecutive warning alerts to send
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]605 // before each test message.
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]606 sendWarningAlerts int
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]607 // sendBogusAlertType, if true, causes a bogus alert of invalid type to
608 // be sent before each test message.
609 sendBogusAlertType bool
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]610 // sendKeyUpdates is the number of consecutive key updates to send
611 // before and after the test message.
612 sendKeyUpdates int
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]613 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
614 keyUpdateRequest byte
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]615 // expectUnsolicitedKeyUpdate makes the test expect a one or more KeyUpdate
616 // messages while reading data from the shim. Don't use this in combination
617 // with any of the fields that send a KeyUpdate otherwise any received
618 // KeyUpdate might not be as unsolicited as expected.
619 expectUnsolicitedKeyUpdate bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]620 // expectMessageDropped, if true, means the test message is expected to
621 // be dropped by the client rather than echoed back.
622 expectMessageDropped bool
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]623 // expectPeerCertificate, if not nil, is the certificate chain the peer
624 // is expected to send.
625 expectPeerCertificate *Certificate
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]626 // shimPrefix is the prefix that the shim will send to the server.
627 shimPrefix string
628 // resumeShimPrefix is the prefix that the shim will send to the server on a
629 // resumption.
630 resumeShimPrefix string
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]631 // expectedQUICTransportParams contains the QUIC transport
632 // parameters that are expected to be sent by the peer.
633 expectedQUICTransportParams []byte
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]634 // exportTrafficSecrets, if true, configures the test to export the TLS 1.3
635 // traffic secrets and confirms that they match.
636 exportTrafficSecrets bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]637}
638
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]639var testCases []testCase
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]640
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]641func appendTranscript(path string, data []byte) error {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]642 if len(data) == 0 {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]643 return nil
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]644 }
645
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]646 settings, err := ioutil.ReadFile(path)
647 if err != nil {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]648 if !os.IsNotExist(err) {
649 return err
650 }
651 // If the shim aborted before writing a file, use a default
652 // settings block, so the transcript is still somewhat valid.
653 settings = []byte{0, 0} // kDataTag
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]654 }
655
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]656 settings = append(settings, data...)
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]657 return ioutil.WriteFile(path, settings, 0644)
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]658}
659
660// A timeoutConn implements an idle timeout on each Read and Write operation.
661type timeoutConn struct {
662 net.Conn
663 timeout time.Duration
664}
665
666func (t *timeoutConn) Read(b []byte) (int, error) {
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]667 if !*useGDB {
668 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
669 return 0, err
670 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]671 }
672 return t.Conn.Read(b)
673}
674
675func (t *timeoutConn) Write(b []byte) (int, error) {
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]676 if !*useGDB {
677 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
678 return 0, err
679 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]680 }
681 return t.Conn.Write(b)
682}
683
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]684func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, transcripts *[][]byte, num int) error {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]685 if !test.noSessionCache {
686 if config.ClientSessionCache == nil {
687 config.ClientSessionCache = NewLRUClientSessionCache(1)
688 }
689 if config.ServerSessionCache == nil {
690 config.ServerSessionCache = NewLRUServerSessionCache(1)
691 }
692 }
693 if test.testType == clientTest {
694 if len(config.Certificates) == 0 {
695 config.Certificates = []Certificate{rsaCertificate}
696 }
697 } else {
698 // Supply a ServerName to ensure a constant session cache key,
699 // rather than falling back to net.Conn.RemoteAddr.
700 if len(config.ServerName) == 0 {
701 config.ServerName = "test"
702 }
703 }
704 if *fuzzer {
705 config.Bugs.NullAllCiphers = true
706 }
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]707 if *deterministic {
708 config.Time = func() time.Time { return time.Unix(1234, 1234) }
709 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]710
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]711 conn = &timeoutConn{conn, *idleTimeout}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]712
713 if test.protocol == dtls {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]714 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
715 conn = config.Bugs.PacketAdaptor
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]716 }
717
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]718 if *flagDebug || len(*transcriptDir) != 0 {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]719 local, peer := "client", "server"
720 if test.testType == clientTest {
721 local, peer = peer, local
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]722 }
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]723 connDebug := &recordingConn{
724 Conn: conn,
725 isDatagram: test.protocol == dtls,
726 local: local,
727 peer: peer,
728 }
729 conn = connDebug
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]730 if *flagDebug {
731 defer connDebug.WriteTo(os.Stdout)
732 }
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]733 if len(*transcriptDir) != 0 {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]734 defer func() {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]735 if num == len(*transcripts) {
736 *transcripts = append(*transcripts, connDebug.Transcript())
737 } else {
738 panic("transcripts are out of sync")
739 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]740 }()
741 }
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]742
743 if config.Bugs.PacketAdaptor != nil {
744 config.Bugs.PacketAdaptor.debug = connDebug
745 }
746 }
747
748 if test.replayWrites {
749 conn = newReplayAdaptor(conn)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]750 }
751
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]752 var connDamage *damageAdaptor
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]753 if test.damageFirstWrite {
754 connDamage = newDamageAdaptor(conn)
755 conn = connDamage
756 }
757
758 if test.sendPrefix != "" {
759 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
760 return err
761 }
762 }
763
764 var tlsConn *Conn
765 if test.testType == clientTest {
766 if test.protocol == dtls {
767 tlsConn = DTLSServer(conn, config)
768 } else {
769 tlsConn = Server(conn, config)
770 }
771 } else {
772 config.InsecureSkipVerify = true
773 if test.protocol == dtls {
774 tlsConn = DTLSClient(conn, config)
775 } else {
776 tlsConn = Client(conn, config)
777 }
778 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]779 defer tlsConn.Close()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]780
781 if err := tlsConn.Handshake(); err != nil {
782 return err
783 }
784
785 // TODO(davidben): move all per-connection expectations into a dedicated
786 // expectations struct that can be specified separately for the two
787 // legs.
788 expectedVersion := test.expectedVersion
789 if isResume && test.expectedResumeVersion != 0 {
790 expectedVersion = test.expectedResumeVersion
791 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]792 connState := tlsConn.ConnectionState()
793 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]794 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
795 }
796
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]797 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]798 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
799 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]800 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
801 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
802 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]803
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]804 if test.expectChannelID {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]805 channelID := connState.ChannelID
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]806 if channelID == nil {
807 return fmt.Errorf("no channel ID negotiated")
808 }
809 if channelID.Curve != channelIDKey.Curve ||
810 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
811 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
812 return fmt.Errorf("incorrect channel ID")
813 }
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]814 } else if connState.ChannelID != nil {
815 return fmt.Errorf("channel ID unexpectedly negotiated")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]816 }
817
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]818 if test.expectTokenBinding {
819 if !connState.TokenBindingNegotiated {
820 return errors.New("no Token Binding negotiated")
821 }
822 if connState.TokenBindingParam != test.expectedTokenBindingParam {
823 return fmt.Errorf("expected param %02x, but got %02x", test.expectedTokenBindingParam, connState.TokenBindingParam)
824 }
825 } else if connState.TokenBindingNegotiated {
826 return errors.New("Token Binding unexpectedly negotiated")
827 }
828
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]829 if expected := test.expectedNextProto; expected != "" {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]830 if actual := connState.NegotiatedProtocol; actual != expected {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]831 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
832 }
833 }
834
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]835 if test.expectNoNextProto {
836 if actual := connState.NegotiatedProtocol; actual != "" {
837 return fmt.Errorf("got unexpected next proto %s", actual)
838 }
839 }
840
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]841 if test.expectedNextProtoType != 0 {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]842 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]843 return fmt.Errorf("next proto type mismatch")
844 }
845 }
846
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]847 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]848 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
849 }
850
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]851 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]852 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]853 }
854
855 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
856 return fmt.Errorf("SCT list mismatch")
857 }
858
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]859 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
860 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
861 }
862
863 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
864 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]865 }
866
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]867 if test.expectPeerCertificate != nil {
868 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
869 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
870 }
871 for i, cert := range connState.PeerCertificates {
872 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
873 return fmt.Errorf("peer certificate %d did not match", i+1)
874 }
875 }
876 }
877
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]878 if len(test.expectedQUICTransportParams) > 0 {
879 if !bytes.Equal(test.expectedQUICTransportParams, connState.QUICTransportParams) {
880 return errors.New("Peer did not send expected QUIC transport params")
881 }
882 }
883
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]884 if isResume && test.exportEarlyKeyingMaterial > 0 {
885 actual := make([]byte, test.exportEarlyKeyingMaterial)
886 if _, err := io.ReadFull(tlsConn, actual); err != nil {
887 return err
888 }
889 expected, err := tlsConn.ExportEarlyKeyingMaterial(test.exportEarlyKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext))
890 if err != nil {
891 return err
892 }
893 if !bytes.Equal(actual, expected) {
894 return fmt.Errorf("early keying material mismatch; got %x, wanted %x", actual, expected)
895 }
896 }
897
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]898 if test.exportKeyingMaterial > 0 {
899 actual := make([]byte, test.exportKeyingMaterial)
900 if _, err := io.ReadFull(tlsConn, actual); err != nil {
901 return err
902 }
903 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
904 if err != nil {
905 return err
906 }
907 if !bytes.Equal(actual, expected) {
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]908 return fmt.Errorf("keying material mismatch; got %x, wanted %x", actual, expected)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]909 }
910 }
911
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]912 if test.exportTrafficSecrets {
913 secretLenBytes := make([]byte, 2)
914 if _, err := io.ReadFull(tlsConn, secretLenBytes); err != nil {
915 return err
916 }
917 secretLen := binary.LittleEndian.Uint16(secretLenBytes)
918
919 theirReadSecret := make([]byte, secretLen)
920 theirWriteSecret := make([]byte, secretLen)
921 if _, err := io.ReadFull(tlsConn, theirReadSecret); err != nil {
922 return err
923 }
924 if _, err := io.ReadFull(tlsConn, theirWriteSecret); err != nil {
925 return err
926 }
927
928 myReadSecret := tlsConn.in.trafficSecret
929 myWriteSecret := tlsConn.out.trafficSecret
930 if !bytes.Equal(myWriteSecret, theirReadSecret) {
931 return fmt.Errorf("read traffic-secret mismatch; got %x, wanted %x", theirReadSecret, myWriteSecret)
932 }
933 if !bytes.Equal(myReadSecret, theirWriteSecret) {
934 return fmt.Errorf("write traffic-secret mismatch; got %x, wanted %x", theirWriteSecret, myReadSecret)
935 }
936 }
937
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]938 if test.testTLSUnique {
939 var peersValue [12]byte
940 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
941 return err
942 }
943 expected := tlsConn.ConnectionState().TLSUnique
944 if !bytes.Equal(peersValue[:], expected) {
945 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
946 }
947 }
948
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]949 if test.sendHalfHelloRequest {
950 tlsConn.SendHalfHelloRequest()
951 }
952
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]953 shimPrefix := test.shimPrefix
954 if isResume {
955 shimPrefix = test.resumeShimPrefix
956 }
957 if test.shimWritesFirst || test.readWithUnfinishedWrite {
958 shimPrefix = "hello"
959 }
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]960 if test.renegotiate > 0 {
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]961 // If readWithUnfinishedWrite is set, the shim prefix will be
962 // available later.
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]963 if shimPrefix != "" && !test.readWithUnfinishedWrite {
964 var buf = make([]byte, len(shimPrefix))
965 _, err := io.ReadFull(tlsConn, buf)
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]966 if err != nil {
967 return err
968 }
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]969 if string(buf) != shimPrefix {
970 return fmt.Errorf("bad initial message %v vs %v", string(buf), shimPrefix)
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]971 }
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]972 shimPrefix = ""
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]973 }
974
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]975 if test.renegotiateCiphers != nil {
976 config.CipherSuites = test.renegotiateCiphers
977 }
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]978 for i := 0; i < test.renegotiate; i++ {
979 if err := tlsConn.Renegotiate(); err != nil {
980 return err
981 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]982 }
983 } else if test.renegotiateCiphers != nil {
984 panic("renegotiateCiphers without renegotiate")
985 }
986
987 if test.damageFirstWrite {
988 connDamage.setDamage(true)
989 tlsConn.Write([]byte("DAMAGED WRITE"))
990 connDamage.setDamage(false)
991 }
992
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]993 messageLen := test.messageLen
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]994 if messageLen < 0 {
995 if test.protocol == dtls {
996 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
997 }
998 // Read until EOF.
999 _, err := io.Copy(ioutil.Discard, tlsConn)
1000 return err
1001 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1002 if messageLen == 0 {
1003 messageLen = 32
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1004 }
1005
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1006 messageCount := test.messageCount
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1007 // shimShutsDown sets the default message count to zero.
1008 if messageCount == 0 && !test.shimShutsDown {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1009 messageCount = 1
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1010 }
1011
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1012 for j := 0; j < messageCount; j++ {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1013 for i := 0; i < test.sendKeyUpdates; i++ {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]1014 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1015 }
1016
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1017 for i := 0; i < test.sendEmptyRecords; i++ {
1018 tlsConn.Write(nil)
1019 }
1020
1021 for i := 0; i < test.sendWarningAlerts; i++ {
1022 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
1023 }
1024
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]1025 if test.sendBogusAlertType {
1026 tlsConn.SendAlert(0x42, alertUnexpectedMessage)
1027 }
1028
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1029 testMessage := make([]byte, messageLen)
1030 for i := range testMessage {
1031 testMessage[i] = 0x42 ^ byte(j)
1032 }
1033 tlsConn.Write(testMessage)
1034
1035 // Consume the shim prefix if needed.
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]1036 if shimPrefix != "" {
1037 var buf = make([]byte, len(shimPrefix))
1038 _, err := io.ReadFull(tlsConn, buf)
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1039 if err != nil {
1040 return err
1041 }
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]1042 if string(buf) != shimPrefix {
1043 return fmt.Errorf("bad initial message %v vs %v", string(buf), shimPrefix)
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1044 }
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]1045 shimPrefix = ""
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1046 }
1047
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1048 if test.shimShutsDown || test.expectMessageDropped {
1049 // The shim will not respond.
1050 continue
1051 }
1052
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1053 // Process the KeyUpdate ACK. However many KeyUpdates the runner
1054 // sends, the shim should respond only once.
1055 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
1056 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
1057 return err
1058 }
1059 }
1060
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1061 buf := make([]byte, len(testMessage))
1062 if test.protocol == dtls {
1063 bufTmp := make([]byte, len(buf)+1)
1064 n, err := tlsConn.Read(bufTmp)
1065 if err != nil {
1066 return err
1067 }
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]1068 if config.Bugs.SplitAndPackAppData {
1069 m, err := tlsConn.Read(bufTmp[n:])
1070 if err != nil {
1071 return err
1072 }
1073 n += m
1074 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1075 if n != len(buf) {
1076 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
1077 }
1078 copy(buf, bufTmp)
1079 } else {
1080 _, err := io.ReadFull(tlsConn, buf)
1081 if err != nil {
1082 return err
1083 }
1084 }
1085
1086 for i, v := range buf {
1087 if v != testMessage[i]^0xff {
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]1088 return fmt.Errorf("bad reply contents at byte %d; got %q and wanted %q", i, buf, testMessage)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1089 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1090 }
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]1091
1092 if seen := tlsConn.keyUpdateSeen; seen != test.expectUnsolicitedKeyUpdate {
1093 return fmt.Errorf("keyUpdateSeen (%t) != expectUnsolicitedKeyUpdate", seen)
1094 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1095 }
1096
1097 return nil
1098}
1099
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]1100const xtermSize = "140x50"
1101
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1102func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1103 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1104 if dbAttach {
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]1105 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -geometry "+xtermSize+" -e gdb -nw %f %p")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1106 }
1107 valgrindArgs = append(valgrindArgs, path)
1108 valgrindArgs = append(valgrindArgs, args...)
1109
1110 return exec.Command("valgrind", valgrindArgs...)
1111}
1112
1113func gdbOf(path string, args ...string) *exec.Cmd {
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]1114 xtermArgs := []string{"-geometry", xtermSize, "-e", "gdb", "--args"}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1115 xtermArgs = append(xtermArgs, path)
1116 xtermArgs = append(xtermArgs, args...)
1117
1118 return exec.Command("xterm", xtermArgs...)
1119}
1120
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1121func lldbOf(path string, args ...string) *exec.Cmd {
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]1122 xtermArgs := []string{"-geometry", xtermSize, "-e", "lldb", "--"}
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1123 xtermArgs = append(xtermArgs, path)
1124 xtermArgs = append(xtermArgs, args...)
1125
1126 return exec.Command("xterm", xtermArgs...)
1127}
1128
Robert Sloan0db7f542018-01-16 15:48:33 -0800[diff] [blame]1129func removeFirstLineIfSuffix(s, suffix string) string {
1130 idx := strings.IndexByte(s, '\n')
1131 if idx < 0 {
1132 return s
1133 }
1134 if strings.HasSuffix(s[:idx], suffix) {
1135 return s[idx+1:]
1136 }
1137 return s
1138}
1139
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1140var (
1141 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
1142 errUnimplemented = errors.New("child process does not implement needed flags")
1143)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1144
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1145// accept accepts a connection from listener, unless waitChan signals a process
1146// exit first.
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]1147func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1148 type connOrError struct {
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]1149 conn net.Conn
1150 err error
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1151 }
1152 connChan := make(chan connOrError, 1)
1153 go func() {
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]1154 if !*useGDB {
1155 listener.SetDeadline(time.Now().Add(*idleTimeout))
1156 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1157 conn, err := listener.Accept()
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]1158 connChan <- connOrError{conn, err}
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1159 close(connChan)
1160 }()
1161 select {
1162 case result := <-connChan:
1163 return result.conn, result.err
1164 case childErr := <-waitChan:
1165 waitChan <- childErr
1166 return nil, fmt.Errorf("child exited early: %s", childErr)
1167 }
1168}
1169
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1170func translateExpectedError(errorStr string) string {
1171 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
1172 return translated
1173 }
1174
1175 if *looseErrors {
1176 return ""
1177 }
1178
1179 return errorStr
1180}
1181
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1182func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1183 // Help debugging panics on the Go side.
1184 defer func() {
1185 if r := recover(); r != nil {
1186 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
1187 panic(r)
1188 }
1189 }()
1190
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1191 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
1192 panic("Error expected without shouldFail in " + test.name)
1193 }
1194
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]1195 if test.expectResumeRejected && !test.resumeSession {
1196 panic("expectResumeRejected without resumeSession in " + test.name)
1197 }
1198
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]1199 for _, ver := range tlsVersions {
1200 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
1201 continue
1202 }
1203
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1204 if test.config.MaxVersion == 0 && test.config.MinVersion == 0 && test.expectedVersion == 0 {
1205 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]1206 }
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]1207 }
1208
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]1209 listener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv6loopback})
1210 if err != nil {
1211 listener, err = net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
1212 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1213 if err != nil {
1214 panic(err)
1215 }
1216 defer func() {
1217 if listener != nil {
1218 listener.Close()
1219 }
1220 }()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1221
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1222 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1223 if test.testType == serverTest {
1224 flags = append(flags, "-server")
1225
1226 flags = append(flags, "-key-file")
1227 if test.keyFile == "" {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1228 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1229 } else {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1230 flags = append(flags, path.Join(*resourceDir, test.keyFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1231 }
1232
1233 flags = append(flags, "-cert-file")
1234 if test.certFile == "" {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1235 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1236 } else {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1237 flags = append(flags, path.Join(*resourceDir, test.certFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1238 }
1239 }
1240
1241 if test.protocol == dtls {
1242 flags = append(flags, "-dtls")
1243 }
1244
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1245 var resumeCount int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1246 if test.resumeSession {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1247 resumeCount++
1248 if test.resumeRenewedSession {
1249 resumeCount++
1250 }
1251 }
1252
1253 if resumeCount > 0 {
1254 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1255 }
1256
1257 if test.shimWritesFirst {
1258 flags = append(flags, "-shim-writes-first")
1259 }
1260
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1261 if test.readWithUnfinishedWrite {
1262 flags = append(flags, "-read-with-unfinished-write")
1263 }
1264
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1265 if test.shimShutsDown {
1266 flags = append(flags, "-shim-shuts-down")
1267 }
1268
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1269 if test.exportKeyingMaterial > 0 {
1270 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1271 if test.useExportContext {
1272 flags = append(flags, "-use-export-context")
1273 }
1274 }
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]1275 if test.exportEarlyKeyingMaterial > 0 {
1276 flags = append(flags, "-on-resume-export-early-keying-material", strconv.Itoa(test.exportEarlyKeyingMaterial))
1277 }
1278 if test.exportKeyingMaterial > 0 || test.exportEarlyKeyingMaterial > 0 {
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]1279 flags = append(flags, "-export-label", test.exportLabel)
1280 flags = append(flags, "-export-context", test.exportContext)
1281 }
1282
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]1283 if test.exportTrafficSecrets {
1284 flags = append(flags, "-export-traffic-secrets")
1285 }
1286
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]1287 if test.expectResumeRejected {
1288 flags = append(flags, "-expect-session-miss")
1289 }
1290
1291 if test.testTLSUnique {
1292 flags = append(flags, "-tls-unique")
1293 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1294
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1295 flags = append(flags, "-handshaker-path", *handshakerPath)
1296
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]1297 var transcriptPrefix string
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1298 var transcripts [][]byte
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]1299 if len(*transcriptDir) != 0 {
1300 protocol := "tls"
1301 if test.protocol == dtls {
1302 protocol = "dtls"
1303 }
1304
1305 side := "client"
1306 if test.testType == serverTest {
1307 side = "server"
1308 }
1309
1310 dir := filepath.Join(*transcriptDir, protocol, side)
1311 if err := os.MkdirAll(dir, 0755); err != nil {
1312 return err
1313 }
1314 transcriptPrefix = filepath.Join(dir, test.name+"-")
1315 flags = append(flags, "-write-settings", transcriptPrefix)
1316 }
1317
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1318 flags = append(flags, test.flags...)
1319
1320 var shim *exec.Cmd
1321 if *useValgrind {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1322 shim = valgrindOf(false, shimPath, flags...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1323 } else if *useGDB {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1324 shim = gdbOf(shimPath, flags...)
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1325 } else if *useLLDB {
1326 shim = lldbOf(shimPath, flags...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1327 } else {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1328 shim = exec.Command(shimPath, flags...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1329 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1330 shim.Stdin = os.Stdin
1331 var stdoutBuf, stderrBuf bytes.Buffer
1332 shim.Stdout = &stdoutBuf
1333 shim.Stderr = &stderrBuf
1334 if mallocNumToFail >= 0 {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1335 shim.Env = os.Environ()
1336 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1337 if *mallocTestDebug {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1338 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1339 }
1340 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1341 }
1342
1343 if err := shim.Start(); err != nil {
1344 panic(err)
1345 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1346 waitChan := make(chan error, 1)
1347 go func() { waitChan <- shim.Wait() }()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1348
1349 config := test.config
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1350
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1351 if *deterministic {
1352 config.Rand = &deterministicRand{}
1353 }
1354
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1355 conn, err := acceptOrWait(listener, waitChan)
1356 if err == nil {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1357 err = doExchange(test, &config, conn, false /* not a resumption */, &transcripts, 0)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1358 conn.Close()
1359 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1360
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1361 for i := 0; err == nil && i < resumeCount; i++ {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1362 var resumeConfig Config
1363 if test.resumeConfig != nil {
1364 resumeConfig = *test.resumeConfig
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1365 if !test.newSessionsOnResume {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1366 resumeConfig.SessionTicketKey = config.SessionTicketKey
1367 resumeConfig.ClientSessionCache = config.ClientSessionCache
1368 resumeConfig.ServerSessionCache = config.ServerSessionCache
1369 }
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]1370 resumeConfig.Rand = config.Rand
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1371 } else {
1372 resumeConfig = config
1373 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1374 var connResume net.Conn
1375 connResume, err = acceptOrWait(listener, waitChan)
1376 if err == nil {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1377 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, &transcripts, i+1)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1378 connResume.Close()
1379 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1380 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1381
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1382 // Close the listener now. This is to avoid hangs should the shim try to
1383 // open more connections than expected.
1384 listener.Close()
1385 listener = nil
1386
Robert Sloan73fa5d62017-10-09 13:53:06 -0700[diff] [blame]1387 var childErr error
1388 if *useGDB {
1389 childErr = <-waitChan
1390 } else {
Robert Sloan73fa5d62017-10-09 13:53:06 -0700[diff] [blame]1391 waitTimeout := time.AfterFunc(*idleTimeout, func() {
Robert Sloan73fa5d62017-10-09 13:53:06 -0700[diff] [blame]1392 shim.Process.Kill()
1393 })
1394 childErr = <-waitChan
1395 waitTimeout.Stop()
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]1396 }
Robert Sloan73fa5d62017-10-09 13:53:06 -0700[diff] [blame]1397
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1398 // Now that the shim has exitted, all the settings files have been
1399 // written. Append the saved transcripts.
1400 for i, transcript := range transcripts {
1401 if err := appendTranscript(transcriptPrefix+strconv.Itoa(i), transcript); err != nil {
1402 return err
1403 }
1404 }
1405
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]1406 var isValgrindError, mustFail bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1407 if exitError, ok := childErr.(*exec.ExitError); ok {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1408 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1409 case 88:
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1410 return errMoreMallocs
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1411 case 89:
1412 return errUnimplemented
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]1413 case 90:
1414 mustFail = true
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1415 case 99:
1416 isValgrindError = true
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1417 }
1418 }
1419
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1420 // Account for Windows line endings.
1421 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1422 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
1423
Robert Sloan0db7f542018-01-16 15:48:33 -0800[diff] [blame]1424 // Work around an NDK / Android bug. The NDK r16 sometimes generates
1425 // binaries with the DF_1_PIE, which the runtime linker on Android N
1426 // complains about. The next NDK revision should work around this but,
1427 // in the meantime, strip its error out.
1428 //
1429 // https://github.com/android-ndk/ndk/issues/602
1430 // https://android-review.googlesource.com/c/platform/bionic/+/259790
1431 // https://android-review.googlesource.com/c/toolchain/binutils/+/571550
1432 //
1433 // Remove this after switching to the r17 NDK.
1434 stderr = removeFirstLineIfSuffix(stderr, ": unsupported flags DT_FLAGS_1=0x8000001")
1435
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1436 // Separate the errors from the shim and those from tools like
1437 // AddressSanitizer.
1438 var extraStderr string
1439 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1440 stderr = stderrParts[0]
1441 extraStderr = stderrParts[1]
1442 }
1443
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1444 failed := err != nil || childErr != nil
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1445 expectedError := translateExpectedError(test.expectedError)
1446 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
1447
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1448 localError := "none"
1449 if err != nil {
1450 localError = err.Error()
1451 }
1452 if len(test.expectedLocalError) != 0 {
1453 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1454 }
1455
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]1456 if failed != test.shouldFail || failed && !correctFailure || mustFail {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1457 childError := "none"
1458 if childErr != nil {
1459 childError = childErr.Error()
1460 }
1461
1462 var msg string
1463 switch {
1464 case failed && !test.shouldFail:
1465 msg = "unexpected failure"
1466 case !failed && test.shouldFail:
1467 msg = "unexpected success"
1468 case failed && !correctFailure:
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1469 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]1470 case mustFail:
1471 msg = "test failure"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1472 default:
1473 panic("internal error")
1474 }
1475
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1476 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1477 }
1478
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1479 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Robert Sloan2424d842017-05-01 07:46:28 -0700[diff] [blame]1480 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1481 }
1482
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1483 if *useValgrind && isValgrindError {
1484 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1485 }
1486
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1487 return nil
1488}
1489
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1490type tlsVersion struct {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1491 name string
1492 // version is the protocol version.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1493 version uint16
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]1494 // excludeFlag is the legacy shim flag to disable the version.
1495 excludeFlag string
1496 hasDTLS bool
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1497 // versionDTLS, if non-zero, is the DTLS-specific representation of the version.
1498 versionDTLS uint16
1499 // versionWire, if non-zero, is the wire representation of the
1500 // version. Otherwise the wire version is the protocol version or
1501 // versionDTLS.
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]1502 versionWire uint16
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]1503}
1504
1505func (vers tlsVersion) shimFlag(protocol protocol) string {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1506 // The shim uses the protocol version in its public API, but uses the
1507 // DTLS-specific version if it exists.
1508 if protocol == dtls && vers.versionDTLS != 0 {
1509 return strconv.Itoa(int(vers.versionDTLS))
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]1510 }
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1511 return strconv.Itoa(int(vers.version))
1512}
1513
1514func (vers tlsVersion) wire(protocol protocol) uint16 {
1515 if protocol == dtls && vers.versionDTLS != 0 {
1516 return vers.versionDTLS
1517 }
1518 if vers.versionWire != 0 {
1519 return vers.versionWire
1520 }
1521 return vers.version
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1522}
1523
1524var tlsVersions = []tlsVersion{
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1525 {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1526 name: "TLS1",
1527 version: VersionTLS10,
1528 excludeFlag: "-no-tls1",
1529 hasDTLS: true,
1530 versionDTLS: VersionDTLS10,
1531 },
1532 {
1533 name: "TLS11",
1534 version: VersionTLS11,
1535 excludeFlag: "-no-tls11",
1536 },
1537 {
1538 name: "TLS12",
1539 version: VersionTLS12,
1540 excludeFlag: "-no-tls12",
1541 hasDTLS: true,
1542 versionDTLS: VersionDTLS12,
1543 },
1544 {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]1545 name: "TLS13",
1546 version: VersionTLS13,
1547 excludeFlag: "-no-tls13",
1548 versionWire: VersionTLS13,
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]1549 },
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]1550}
1551
1552func allVersions(protocol protocol) []tlsVersion {
1553 if protocol == tls {
1554 return tlsVersions
1555 }
1556
1557 var ret []tlsVersion
1558 for _, vers := range tlsVersions {
1559 if vers.hasDTLS {
1560 ret = append(ret, vers)
1561 }
1562 }
1563 return ret
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1564}
1565
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1566type testCipherSuite struct {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1567 name string
1568 id uint16
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1569}
1570
1571var testCipherSuites = []testCipherSuite{
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]1572 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
1573 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
1574 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
1575 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
1576 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
1577 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1578 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
1579 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
1580 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
1581 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
1582 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1583 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1584 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
1585 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
1586 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
1587 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1588 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
1589 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1590 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
1591 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
1592 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1593 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1594 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
1595 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1596}
1597
1598func hasComponent(suiteName, component string) bool {
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]1599 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1600}
1601
1602func isTLS12Only(suiteName string) bool {
1603 return hasComponent(suiteName, "GCM") ||
1604 hasComponent(suiteName, "SHA256") ||
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1605 hasComponent(suiteName, "SHA384") ||
1606 hasComponent(suiteName, "POLY1305")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1607}
1608
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1609func isTLS13Suite(suiteName string) bool {
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]1610 return strings.HasPrefix(suiteName, "AEAD-")
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1611}
1612
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]1613func bigFromHex(hex string) *big.Int {
1614 ret, ok := new(big.Int).SetString(hex, 16)
1615 if !ok {
1616 panic("failed to parse hex number 0x" + hex)
1617 }
1618 return ret
1619}
1620
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]1621func convertToSplitHandshakeTests(tests []testCase) (splitHandshakeTests []testCase) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1622 var stdout bytes.Buffer
1623 shim := exec.Command(*shimPath, "-is-handshaker-supported")
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]1624 shim.Stdout = &stdout
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1625 if err := shim.Run(); err != nil {
1626 panic(err)
1627 }
1628
1629 switch strings.TrimSpace(string(stdout.Bytes())) {
1630 case "No":
1631 return
1632 case "Yes":
1633 break
1634 default:
1635 panic("Unknown output from shim: 0x" + hex.EncodeToString(stdout.Bytes()))
1636 }
1637
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]1638NextTest:
1639 for _, test := range tests {
1640 if test.protocol != tls ||
1641 test.testType != serverTest ||
1642 test.config.MaxVersion >= VersionTLS13 ||
1643 test.config.MaxVersion < VersionTLS10 ||
1644 (test.resumeConfig != nil && (test.resumeConfig.MaxVersion < VersionTLS10 || test.resumeConfig.MaxVersion >= VersionTLS13)) ||
1645 strings.HasPrefix(test.name, "VersionNegotiation-") {
1646 continue
1647 }
1648
1649 for _, flag := range test.flags {
1650 if flag == "-implicit-handshake" {
1651 continue NextTest
1652 }
1653 }
1654
1655 shTest := test
1656 shTest.name += "-Split"
1657 shTest.flags = make([]string, len(test.flags), len(test.flags)+1)
1658 copy(shTest.flags, test.flags)
1659 shTest.flags = append(shTest.flags, "-handoff")
1660
1661 splitHandshakeTests = append(splitHandshakeTests, shTest)
1662 }
1663
1664 return splitHandshakeTests
1665}
1666
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1667func addBasicTests() {
1668 basicTests := []testCase{
1669 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1670 name: "NoFallbackSCSV",
1671 config: Config{
1672 Bugs: ProtocolBugs{
1673 FailIfNotFallbackSCSV: true,
1674 },
1675 },
1676 shouldFail: true,
1677 expectedLocalError: "no fallback SCSV found",
1678 },
1679 {
1680 name: "SendFallbackSCSV",
1681 config: Config{
1682 Bugs: ProtocolBugs{
1683 FailIfNotFallbackSCSV: true,
1684 },
1685 },
1686 flags: []string{"-fallback-scsv"},
1687 },
1688 {
1689 name: "ClientCertificateTypes",
1690 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1691 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1692 ClientAuth: RequestClientCert,
1693 ClientCertificateTypes: []byte{
1694 CertTypeDSSSign,
1695 CertTypeRSASign,
1696 CertTypeECDSASign,
1697 },
1698 },
1699 flags: []string{
1700 "-expect-certificate-types",
1701 base64.StdEncoding.EncodeToString([]byte{
1702 CertTypeDSSSign,
1703 CertTypeRSASign,
1704 CertTypeECDSASign,
1705 }),
1706 },
1707 },
1708 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1709 name: "UnauthenticatedECDH",
1710 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1711 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1712 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1713 Bugs: ProtocolBugs{
1714 UnauthenticatedECDH: true,
1715 },
1716 },
1717 shouldFail: true,
1718 expectedError: ":UNEXPECTED_MESSAGE:",
1719 },
1720 {
1721 name: "SkipCertificateStatus",
1722 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1723 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1724 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1725 Bugs: ProtocolBugs{
1726 SkipCertificateStatus: true,
1727 },
1728 },
1729 flags: []string{
1730 "-enable-ocsp-stapling",
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]1731 // This test involves an optional message. Test the message callback
1732 // trace to ensure we do not miss or double-report any.
1733 "-expect-msg-callback",
1734 `write hs 1
1735read hs 2
1736read hs 11
1737read hs 12
1738read hs 14
1739write hs 16
1740write ccs
1741write hs 20
1742read hs 4
1743read ccs
1744read hs 20
1745read alert 1 0
1746`,
1747 },
1748 },
1749 {
1750 protocol: dtls,
1751 name: "SkipCertificateStatus-DTLS",
1752 config: Config{
1753 MaxVersion: VersionTLS12,
1754 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1755 Bugs: ProtocolBugs{
1756 SkipCertificateStatus: true,
1757 },
1758 },
1759 flags: []string{
1760 "-enable-ocsp-stapling",
1761 // This test involves an optional message. Test the message callback
1762 // trace to ensure we do not miss or double-report any.
1763 "-expect-msg-callback",
1764 `write hs 1
1765read hs 3
1766write hs 1
1767read hs 2
1768read hs 11
1769read hs 12
1770read hs 14
1771write hs 16
1772write ccs
1773write hs 20
1774read hs 4
1775read ccs
1776read hs 20
1777read alert 1 0
1778`,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1779 },
1780 },
1781 {
1782 name: "SkipServerKeyExchange",
1783 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1784 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1785 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1786 Bugs: ProtocolBugs{
1787 SkipServerKeyExchange: true,
1788 },
1789 },
1790 shouldFail: true,
1791 expectedError: ":UNEXPECTED_MESSAGE:",
1792 },
1793 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1794 testType: serverTest,
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]1795 name: "ServerSkipCertificateVerify",
1796 config: Config{
1797 MaxVersion: VersionTLS12,
1798 Certificates: []Certificate{rsaChainCertificate},
1799 Bugs: ProtocolBugs{
1800 SkipCertificateVerify: true,
1801 },
1802 },
1803 expectPeerCertificate: &rsaChainCertificate,
1804 flags: []string{
1805 "-require-any-client-certificate",
1806 },
1807 shouldFail: true,
1808 expectedError: ":UNEXPECTED_RECORD:",
1809 expectedLocalError: "remote error: unexpected message",
1810 },
1811 {
1812 testType: serverTest,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1813 name: "Alert",
1814 config: Config{
1815 Bugs: ProtocolBugs{
1816 SendSpuriousAlert: alertRecordOverflow,
1817 },
1818 },
1819 shouldFail: true,
1820 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1821 },
1822 {
1823 protocol: dtls,
1824 testType: serverTest,
1825 name: "Alert-DTLS",
1826 config: Config{
1827 Bugs: ProtocolBugs{
1828 SendSpuriousAlert: alertRecordOverflow,
1829 },
1830 },
1831 shouldFail: true,
1832 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1833 },
1834 {
1835 testType: serverTest,
1836 name: "FragmentAlert",
1837 config: Config{
1838 Bugs: ProtocolBugs{
1839 FragmentAlert: true,
1840 SendSpuriousAlert: alertRecordOverflow,
1841 },
1842 },
1843 shouldFail: true,
1844 expectedError: ":BAD_ALERT:",
1845 },
1846 {
1847 protocol: dtls,
1848 testType: serverTest,
1849 name: "FragmentAlert-DTLS",
1850 config: Config{
1851 Bugs: ProtocolBugs{
1852 FragmentAlert: true,
1853 SendSpuriousAlert: alertRecordOverflow,
1854 },
1855 },
1856 shouldFail: true,
1857 expectedError: ":BAD_ALERT:",
1858 },
1859 {
1860 testType: serverTest,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1861 name: "DoubleAlert",
1862 config: Config{
1863 Bugs: ProtocolBugs{
1864 DoubleAlert: true,
1865 SendSpuriousAlert: alertRecordOverflow,
1866 },
1867 },
1868 shouldFail: true,
1869 expectedError: ":BAD_ALERT:",
1870 },
1871 {
1872 protocol: dtls,
1873 testType: serverTest,
1874 name: "DoubleAlert-DTLS",
1875 config: Config{
1876 Bugs: ProtocolBugs{
1877 DoubleAlert: true,
1878 SendSpuriousAlert: alertRecordOverflow,
1879 },
1880 },
1881 shouldFail: true,
1882 expectedError: ":BAD_ALERT:",
1883 },
1884 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1885 name: "SkipNewSessionTicket",
1886 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1887 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1888 Bugs: ProtocolBugs{
1889 SkipNewSessionTicket: true,
1890 },
1891 },
1892 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1893 expectedError: ":UNEXPECTED_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1894 },
1895 {
1896 testType: serverTest,
1897 name: "FallbackSCSV",
1898 config: Config{
1899 MaxVersion: VersionTLS11,
1900 Bugs: ProtocolBugs{
1901 SendFallbackSCSV: true,
1902 },
1903 },
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]1904 shouldFail: true,
1905 expectedError: ":INAPPROPRIATE_FALLBACK:",
1906 expectedLocalError: "remote error: inappropriate fallback",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1907 },
1908 {
1909 testType: serverTest,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]1910 name: "FallbackSCSV-VersionMatch-TLS13",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1911 config: Config{
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]1912 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1913 Bugs: ProtocolBugs{
1914 SendFallbackSCSV: true,
1915 },
1916 },
1917 },
1918 {
1919 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1920 name: "FallbackSCSV-VersionMatch-TLS12",
1921 config: Config{
1922 MaxVersion: VersionTLS12,
1923 Bugs: ProtocolBugs{
1924 SendFallbackSCSV: true,
1925 },
1926 },
1927 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1928 },
1929 {
1930 testType: serverTest,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1931 name: "FragmentedClientVersion",
1932 config: Config{
1933 Bugs: ProtocolBugs{
1934 MaxHandshakeRecordLength: 1,
1935 FragmentClientVersion: true,
1936 },
1937 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1938 expectedVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1939 },
1940 {
1941 testType: serverTest,
1942 name: "HttpGET",
1943 sendPrefix: "GET / HTTP/1.0\n",
1944 shouldFail: true,
1945 expectedError: ":HTTP_REQUEST:",
1946 },
1947 {
1948 testType: serverTest,
1949 name: "HttpPOST",
1950 sendPrefix: "POST / HTTP/1.0\n",
1951 shouldFail: true,
1952 expectedError: ":HTTP_REQUEST:",
1953 },
1954 {
1955 testType: serverTest,
1956 name: "HttpHEAD",
1957 sendPrefix: "HEAD / HTTP/1.0\n",
1958 shouldFail: true,
1959 expectedError: ":HTTP_REQUEST:",
1960 },
1961 {
1962 testType: serverTest,
1963 name: "HttpPUT",
1964 sendPrefix: "PUT / HTTP/1.0\n",
1965 shouldFail: true,
1966 expectedError: ":HTTP_REQUEST:",
1967 },
1968 {
1969 testType: serverTest,
1970 name: "HttpCONNECT",
1971 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1972 shouldFail: true,
1973 expectedError: ":HTTPS_PROXY_REQUEST:",
1974 },
1975 {
1976 testType: serverTest,
1977 name: "Garbage",
1978 sendPrefix: "blah",
1979 shouldFail: true,
1980 expectedError: ":WRONG_VERSION_NUMBER:",
1981 },
1982 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1983 name: "RSAEphemeralKey",
1984 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1985 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1986 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1987 Bugs: ProtocolBugs{
1988 RSAEphemeralKey: true,
1989 },
1990 },
1991 shouldFail: true,
1992 expectedError: ":UNEXPECTED_MESSAGE:",
1993 },
1994 {
1995 name: "DisableEverything",
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]1996 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1"},
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1997 shouldFail: true,
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1998 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1999 },
2000 {
2001 protocol: dtls,
2002 name: "DisableEverything-DTLS",
2003 flags: []string{"-no-tls12", "-no-tls1"},
2004 shouldFail: true,
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]2005 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2006 },
2007 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2008 protocol: dtls,
2009 testType: serverTest,
2010 name: "MTU",
2011 config: Config{
2012 Bugs: ProtocolBugs{
2013 MaxPacketLength: 256,
2014 },
2015 },
2016 flags: []string{"-mtu", "256"},
2017 },
2018 {
2019 protocol: dtls,
2020 testType: serverTest,
2021 name: "MTUExceeded",
2022 config: Config{
2023 Bugs: ProtocolBugs{
2024 MaxPacketLength: 255,
2025 },
2026 },
2027 flags: []string{"-mtu", "256"},
2028 shouldFail: true,
2029 expectedLocalError: "dtls: exceeded maximum packet length",
2030 },
2031 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2032 name: "EmptyCertificateList",
2033 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2034 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2035 Bugs: ProtocolBugs{
2036 EmptyCertificateList: true,
2037 },
2038 },
2039 shouldFail: true,
2040 expectedError: ":DECODE_ERROR:",
2041 },
2042 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2043 name: "EmptyCertificateList-TLS13",
2044 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2045 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2046 Bugs: ProtocolBugs{
2047 EmptyCertificateList: true,
2048 },
2049 },
2050 shouldFail: true,
2051 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
2052 },
2053 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2054 name: "TLSFatalBadPackets",
2055 damageFirstWrite: true,
2056 shouldFail: true,
2057 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
2058 },
2059 {
2060 protocol: dtls,
2061 name: "DTLSIgnoreBadPackets",
2062 damageFirstWrite: true,
2063 },
2064 {
2065 protocol: dtls,
2066 name: "DTLSIgnoreBadPackets-Async",
2067 damageFirstWrite: true,
2068 flags: []string{"-async"},
2069 },
2070 {
2071 name: "AppDataBeforeHandshake",
2072 config: Config{
2073 Bugs: ProtocolBugs{
2074 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
2075 },
2076 },
2077 shouldFail: true,
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]2078 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2079 },
2080 {
2081 name: "AppDataBeforeHandshake-Empty",
2082 config: Config{
2083 Bugs: ProtocolBugs{
2084 AppDataBeforeHandshake: []byte{},
2085 },
2086 },
2087 shouldFail: true,
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]2088 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2089 },
2090 {
2091 protocol: dtls,
2092 name: "AppDataBeforeHandshake-DTLS",
2093 config: Config{
2094 Bugs: ProtocolBugs{
2095 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
2096 },
2097 },
2098 shouldFail: true,
2099 expectedError: ":UNEXPECTED_RECORD:",
2100 },
2101 {
2102 protocol: dtls,
2103 name: "AppDataBeforeHandshake-DTLS-Empty",
2104 config: Config{
2105 Bugs: ProtocolBugs{
2106 AppDataBeforeHandshake: []byte{},
2107 },
2108 },
2109 shouldFail: true,
2110 expectedError: ":UNEXPECTED_RECORD:",
2111 },
2112 {
2113 name: "AppDataAfterChangeCipherSpec",
2114 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2115 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2116 Bugs: ProtocolBugs{
2117 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
2118 },
2119 },
2120 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2121 expectedError: ":UNEXPECTED_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2122 },
2123 {
2124 name: "AppDataAfterChangeCipherSpec-Empty",
2125 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2126 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2127 Bugs: ProtocolBugs{
2128 AppDataAfterChangeCipherSpec: []byte{},
2129 },
2130 },
2131 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2132 expectedError: ":UNEXPECTED_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2133 },
2134 {
2135 protocol: dtls,
2136 name: "AppDataAfterChangeCipherSpec-DTLS",
2137 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2138 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2139 Bugs: ProtocolBugs{
2140 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
2141 },
2142 },
2143 // BoringSSL's DTLS implementation will drop the out-of-order
2144 // application data.
2145 },
2146 {
2147 protocol: dtls,
2148 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
2149 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2150 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2151 Bugs: ProtocolBugs{
2152 AppDataAfterChangeCipherSpec: []byte{},
2153 },
2154 },
2155 // BoringSSL's DTLS implementation will drop the out-of-order
2156 // application data.
2157 },
2158 {
2159 name: "AlertAfterChangeCipherSpec",
2160 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2161 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2162 Bugs: ProtocolBugs{
2163 AlertAfterChangeCipherSpec: alertRecordOverflow,
2164 },
2165 },
2166 shouldFail: true,
2167 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
2168 },
2169 {
2170 protocol: dtls,
2171 name: "AlertAfterChangeCipherSpec-DTLS",
2172 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2173 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2174 Bugs: ProtocolBugs{
2175 AlertAfterChangeCipherSpec: alertRecordOverflow,
2176 },
2177 },
2178 shouldFail: true,
2179 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
2180 },
2181 {
2182 protocol: dtls,
2183 name: "ReorderHandshakeFragments-Small-DTLS",
2184 config: Config{
2185 Bugs: ProtocolBugs{
2186 ReorderHandshakeFragments: true,
2187 // Small enough that every handshake message is
2188 // fragmented.
2189 MaxHandshakeRecordLength: 2,
2190 },
2191 },
2192 },
2193 {
2194 protocol: dtls,
2195 name: "ReorderHandshakeFragments-Large-DTLS",
2196 config: Config{
2197 Bugs: ProtocolBugs{
2198 ReorderHandshakeFragments: true,
2199 // Large enough that no handshake message is
2200 // fragmented.
2201 MaxHandshakeRecordLength: 2048,
2202 },
2203 },
2204 },
2205 {
2206 protocol: dtls,
2207 name: "MixCompleteMessageWithFragments-DTLS",
2208 config: Config{
2209 Bugs: ProtocolBugs{
2210 ReorderHandshakeFragments: true,
2211 MixCompleteMessageWithFragments: true,
2212 MaxHandshakeRecordLength: 2,
2213 },
2214 },
2215 },
2216 {
2217 name: "SendInvalidRecordType",
2218 config: Config{
2219 Bugs: ProtocolBugs{
2220 SendInvalidRecordType: true,
2221 },
2222 },
2223 shouldFail: true,
2224 expectedError: ":UNEXPECTED_RECORD:",
2225 },
2226 {
2227 protocol: dtls,
2228 name: "SendInvalidRecordType-DTLS",
2229 config: Config{
2230 Bugs: ProtocolBugs{
2231 SendInvalidRecordType: true,
2232 },
2233 },
2234 shouldFail: true,
2235 expectedError: ":UNEXPECTED_RECORD:",
2236 },
2237 {
2238 name: "FalseStart-SkipServerSecondLeg",
2239 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2240 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2241 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2242 NextProtos: []string{"foo"},
2243 Bugs: ProtocolBugs{
2244 SkipNewSessionTicket: true,
2245 SkipChangeCipherSpec: true,
2246 SkipFinished: true,
2247 ExpectFalseStart: true,
2248 },
2249 },
2250 flags: []string{
2251 "-false-start",
2252 "-handshake-never-done",
2253 "-advertise-alpn", "\x03foo",
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]2254 "-expect-alpn", "foo",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2255 },
2256 shimWritesFirst: true,
2257 shouldFail: true,
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]2258 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2259 },
2260 {
2261 name: "FalseStart-SkipServerSecondLeg-Implicit",
2262 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2263 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2264 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2265 NextProtos: []string{"foo"},
2266 Bugs: ProtocolBugs{
2267 SkipNewSessionTicket: true,
2268 SkipChangeCipherSpec: true,
2269 SkipFinished: true,
2270 },
2271 },
2272 flags: []string{
2273 "-implicit-handshake",
2274 "-false-start",
2275 "-handshake-never-done",
2276 "-advertise-alpn", "\x03foo",
2277 },
2278 shouldFail: true,
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]2279 expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2280 },
2281 {
2282 testType: serverTest,
2283 name: "FailEarlyCallback",
2284 flags: []string{"-fail-early-callback"},
2285 shouldFail: true,
2286 expectedError: ":CONNECTION_REJECTED:",
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]2287 expectedLocalError: "remote error: handshake failure",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2288 },
2289 {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]2290 name: "FailCertCallback-Client-TLS12",
2291 config: Config{
2292 MaxVersion: VersionTLS12,
2293 ClientAuth: RequestClientCert,
2294 },
2295 flags: []string{"-fail-cert-callback"},
2296 shouldFail: true,
2297 expectedError: ":CERT_CB_ERROR:",
2298 expectedLocalError: "remote error: internal error",
2299 },
2300 {
2301 testType: serverTest,
2302 name: "FailCertCallback-Server-TLS12",
2303 config: Config{
2304 MaxVersion: VersionTLS12,
2305 },
2306 flags: []string{"-fail-cert-callback"},
2307 shouldFail: true,
2308 expectedError: ":CERT_CB_ERROR:",
2309 expectedLocalError: "remote error: internal error",
2310 },
2311 {
2312 name: "FailCertCallback-Client-TLS13",
2313 config: Config{
2314 MaxVersion: VersionTLS13,
2315 ClientAuth: RequestClientCert,
2316 },
2317 flags: []string{"-fail-cert-callback"},
2318 shouldFail: true,
2319 expectedError: ":CERT_CB_ERROR:",
2320 expectedLocalError: "remote error: internal error",
2321 },
2322 {
2323 testType: serverTest,
2324 name: "FailCertCallback-Server-TLS13",
2325 config: Config{
2326 MaxVersion: VersionTLS13,
2327 },
2328 flags: []string{"-fail-cert-callback"},
2329 shouldFail: true,
2330 expectedError: ":CERT_CB_ERROR:",
2331 expectedLocalError: "remote error: internal error",
2332 },
2333 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2334 protocol: dtls,
2335 name: "FragmentMessageTypeMismatch-DTLS",
2336 config: Config{
2337 Bugs: ProtocolBugs{
2338 MaxHandshakeRecordLength: 2,
2339 FragmentMessageTypeMismatch: true,
2340 },
2341 },
2342 shouldFail: true,
2343 expectedError: ":FRAGMENT_MISMATCH:",
2344 },
2345 {
2346 protocol: dtls,
2347 name: "FragmentMessageLengthMismatch-DTLS",
2348 config: Config{
2349 Bugs: ProtocolBugs{
2350 MaxHandshakeRecordLength: 2,
2351 FragmentMessageLengthMismatch: true,
2352 },
2353 },
2354 shouldFail: true,
2355 expectedError: ":FRAGMENT_MISMATCH:",
2356 },
2357 {
2358 protocol: dtls,
2359 name: "SplitFragments-Header-DTLS",
2360 config: Config{
2361 Bugs: ProtocolBugs{
2362 SplitFragments: 2,
2363 },
2364 },
2365 shouldFail: true,
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]2366 expectedError: ":BAD_HANDSHAKE_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2367 },
2368 {
2369 protocol: dtls,
2370 name: "SplitFragments-Boundary-DTLS",
2371 config: Config{
2372 Bugs: ProtocolBugs{
2373 SplitFragments: dtlsRecordHeaderLen,
2374 },
2375 },
2376 shouldFail: true,
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]2377 expectedError: ":BAD_HANDSHAKE_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2378 },
2379 {
2380 protocol: dtls,
2381 name: "SplitFragments-Body-DTLS",
2382 config: Config{
2383 Bugs: ProtocolBugs{
2384 SplitFragments: dtlsRecordHeaderLen + 1,
2385 },
2386 },
2387 shouldFail: true,
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]2388 expectedError: ":BAD_HANDSHAKE_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2389 },
2390 {
2391 protocol: dtls,
2392 name: "SendEmptyFragments-DTLS",
2393 config: Config{
2394 Bugs: ProtocolBugs{
2395 SendEmptyFragments: true,
2396 },
2397 },
2398 },
2399 {
Robert Sloand1d118f2017-09-11 09:00:48 -0700[diff] [blame]2400 testType: serverTest,
2401 protocol: dtls,
2402 name: "SendEmptyFragments-Padded-DTLS",
2403 config: Config{
2404 Bugs: ProtocolBugs{
2405 // Test empty fragments for a message with a
2406 // nice power-of-two length.
2407 PadClientHello: 64,
2408 SendEmptyFragments: true,
2409 },
2410 },
2411 },
2412 {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2413 name: "BadFinished-Client",
2414 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2415 MaxVersion: VersionTLS12,
2416 Bugs: ProtocolBugs{
2417 BadFinished: true,
2418 },
2419 },
2420 shouldFail: true,
2421 expectedError: ":DIGEST_CHECK_FAILED:",
2422 },
2423 {
2424 name: "BadFinished-Client-TLS13",
2425 config: Config{
2426 MaxVersion: VersionTLS13,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2427 Bugs: ProtocolBugs{
2428 BadFinished: true,
2429 },
2430 },
2431 shouldFail: true,
2432 expectedError: ":DIGEST_CHECK_FAILED:",
2433 },
2434 {
2435 testType: serverTest,
2436 name: "BadFinished-Server",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2437 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2438 MaxVersion: VersionTLS12,
2439 Bugs: ProtocolBugs{
2440 BadFinished: true,
2441 },
2442 },
2443 shouldFail: true,
2444 expectedError: ":DIGEST_CHECK_FAILED:",
2445 },
2446 {
2447 testType: serverTest,
2448 name: "BadFinished-Server-TLS13",
2449 config: Config{
2450 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2451 Bugs: ProtocolBugs{
2452 BadFinished: true,
2453 },
2454 },
2455 shouldFail: true,
2456 expectedError: ":DIGEST_CHECK_FAILED:",
2457 },
2458 {
2459 name: "FalseStart-BadFinished",
2460 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2461 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2462 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2463 NextProtos: []string{"foo"},
2464 Bugs: ProtocolBugs{
2465 BadFinished: true,
2466 ExpectFalseStart: true,
2467 },
2468 },
2469 flags: []string{
2470 "-false-start",
2471 "-handshake-never-done",
2472 "-advertise-alpn", "\x03foo",
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]2473 "-expect-alpn", "foo",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2474 },
2475 shimWritesFirst: true,
2476 shouldFail: true,
2477 expectedError: ":DIGEST_CHECK_FAILED:",
2478 },
2479 {
2480 name: "NoFalseStart-NoALPN",
2481 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2482 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2483 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2484 Bugs: ProtocolBugs{
2485 ExpectFalseStart: true,
2486 AlertBeforeFalseStartTest: alertAccessDenied,
2487 },
2488 },
2489 flags: []string{
2490 "-false-start",
2491 },
2492 shimWritesFirst: true,
2493 shouldFail: true,
2494 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2495 expectedLocalError: "tls: peer did not false start: EOF",
2496 },
2497 {
Robert Sloancd79cde2017-12-11 09:06:12 -0800[diff] [blame]2498 name: "FalseStart-NoALPNAllowed",
2499 config: Config{
2500 MaxVersion: VersionTLS12,
2501 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2502 Bugs: ProtocolBugs{
2503 ExpectFalseStart: true,
2504 },
2505 },
2506 flags: []string{
2507 "-false-start",
2508 "-allow-false-start-without-alpn",
2509 },
2510 shimWritesFirst: true,
2511 },
2512 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2513 name: "NoFalseStart-NoAEAD",
2514 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2515 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2516 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2517 NextProtos: []string{"foo"},
2518 Bugs: ProtocolBugs{
2519 ExpectFalseStart: true,
2520 AlertBeforeFalseStartTest: alertAccessDenied,
2521 },
2522 },
2523 flags: []string{
2524 "-false-start",
2525 "-advertise-alpn", "\x03foo",
2526 },
2527 shimWritesFirst: true,
2528 shouldFail: true,
2529 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2530 expectedLocalError: "tls: peer did not false start: EOF",
2531 },
2532 {
2533 name: "NoFalseStart-RSA",
2534 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2535 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2536 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
2537 NextProtos: []string{"foo"},
2538 Bugs: ProtocolBugs{
2539 ExpectFalseStart: true,
2540 AlertBeforeFalseStartTest: alertAccessDenied,
2541 },
2542 },
2543 flags: []string{
2544 "-false-start",
2545 "-advertise-alpn", "\x03foo",
2546 },
2547 shimWritesFirst: true,
2548 shouldFail: true,
2549 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2550 expectedLocalError: "tls: peer did not false start: EOF",
2551 },
2552 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2553 protocol: dtls,
2554 name: "SendSplitAlert-Sync",
2555 config: Config{
2556 Bugs: ProtocolBugs{
2557 SendSplitAlert: true,
2558 },
2559 },
2560 },
2561 {
2562 protocol: dtls,
2563 name: "SendSplitAlert-Async",
2564 config: Config{
2565 Bugs: ProtocolBugs{
2566 SendSplitAlert: true,
2567 },
2568 },
2569 flags: []string{"-async"},
2570 },
2571 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2572 name: "SendEmptyRecords-Pass",
2573 sendEmptyRecords: 32,
2574 },
2575 {
2576 name: "SendEmptyRecords",
2577 sendEmptyRecords: 33,
2578 shouldFail: true,
2579 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2580 },
2581 {
2582 name: "SendEmptyRecords-Async",
2583 sendEmptyRecords: 33,
2584 flags: []string{"-async"},
2585 shouldFail: true,
2586 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2587 },
2588 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2589 name: "SendWarningAlerts-Pass",
2590 config: Config{
2591 MaxVersion: VersionTLS12,
2592 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2593 sendWarningAlerts: 4,
2594 },
2595 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2596 protocol: dtls,
2597 name: "SendWarningAlerts-DTLS-Pass",
2598 config: Config{
2599 MaxVersion: VersionTLS12,
2600 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2601 sendWarningAlerts: 4,
2602 },
2603 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2604 name: "SendWarningAlerts-TLS13",
2605 config: Config{
2606 MaxVersion: VersionTLS13,
2607 },
2608 sendWarningAlerts: 4,
2609 shouldFail: true,
2610 expectedError: ":BAD_ALERT:",
2611 expectedLocalError: "remote error: error decoding message",
2612 },
2613 {
2614 name: "SendWarningAlerts",
2615 config: Config{
2616 MaxVersion: VersionTLS12,
2617 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2618 sendWarningAlerts: 5,
2619 shouldFail: true,
2620 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2621 },
2622 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2623 name: "SendWarningAlerts-Async",
2624 config: Config{
2625 MaxVersion: VersionTLS12,
2626 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2627 sendWarningAlerts: 5,
2628 flags: []string{"-async"},
2629 shouldFail: true,
2630 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2631 },
2632 {
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]2633 name: "SendBogusAlertType",
2634 sendBogusAlertType: true,
2635 shouldFail: true,
2636 expectedError: ":UNKNOWN_ALERT_TYPE:",
2637 expectedLocalError: "remote error: illegal parameter",
2638 },
2639 {
2640 protocol: dtls,
2641 name: "SendBogusAlertType-DTLS",
2642 sendBogusAlertType: true,
2643 shouldFail: true,
2644 expectedError: ":UNKNOWN_ALERT_TYPE:",
2645 expectedLocalError: "remote error: illegal parameter",
2646 },
2647 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2648 name: "TooManyKeyUpdates",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2649 config: Config{
2650 MaxVersion: VersionTLS13,
2651 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2652 sendKeyUpdates: 33,
2653 keyUpdateRequest: keyUpdateNotRequested,
2654 shouldFail: true,
2655 expectedError: ":TOO_MANY_KEY_UPDATES:",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2656 },
2657 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2658 name: "EmptySessionID",
2659 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2660 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2661 SessionTicketsDisabled: true,
2662 },
2663 noSessionCache: true,
2664 flags: []string{"-expect-no-session"},
2665 },
2666 {
2667 name: "Unclean-Shutdown",
2668 config: Config{
2669 Bugs: ProtocolBugs{
2670 NoCloseNotify: true,
2671 ExpectCloseNotify: true,
2672 },
2673 },
2674 shimShutsDown: true,
2675 flags: []string{"-check-close-notify"},
2676 shouldFail: true,
2677 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2678 },
2679 {
2680 name: "Unclean-Shutdown-Ignored",
2681 config: Config{
2682 Bugs: ProtocolBugs{
2683 NoCloseNotify: true,
2684 },
2685 },
2686 shimShutsDown: true,
2687 },
2688 {
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]2689 name: "Unclean-Shutdown-Alert",
2690 config: Config{
2691 Bugs: ProtocolBugs{
2692 SendAlertOnShutdown: alertDecompressionFailure,
2693 ExpectCloseNotify: true,
2694 },
2695 },
2696 shimShutsDown: true,
2697 flags: []string{"-check-close-notify"},
2698 shouldFail: true,
2699 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2700 },
2701 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2702 name: "LargePlaintext",
2703 config: Config{
2704 Bugs: ProtocolBugs{
2705 SendLargeRecords: true,
2706 },
2707 },
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]2708 messageLen: maxPlaintext + 1,
2709 shouldFail: true,
2710 expectedError: ":DATA_LENGTH_TOO_LONG:",
2711 expectedLocalError: "remote error: record overflow",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2712 },
2713 {
2714 protocol: dtls,
2715 name: "LargePlaintext-DTLS",
2716 config: Config{
2717 Bugs: ProtocolBugs{
2718 SendLargeRecords: true,
2719 },
2720 },
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]2721 messageLen: maxPlaintext + 1,
2722 shouldFail: true,
2723 expectedError: ":DATA_LENGTH_TOO_LONG:",
2724 expectedLocalError: "remote error: record overflow",
2725 },
2726 {
2727 name: "LargePlaintext-TLS13-Padded-8192-8192",
2728 config: Config{
2729 MinVersion: VersionTLS13,
2730 MaxVersion: VersionTLS13,
2731 Bugs: ProtocolBugs{
2732 RecordPadding: 8192,
2733 SendLargeRecords: true,
2734 },
2735 },
2736 messageLen: 8192,
2737 },
2738 {
2739 name: "LargePlaintext-TLS13-Padded-8193-8192",
2740 config: Config{
2741 MinVersion: VersionTLS13,
2742 MaxVersion: VersionTLS13,
2743 Bugs: ProtocolBugs{
2744 RecordPadding: 8193,
2745 SendLargeRecords: true,
2746 },
2747 },
2748 messageLen: 8192,
2749 shouldFail: true,
2750 expectedError: ":DATA_LENGTH_TOO_LONG:",
2751 expectedLocalError: "remote error: record overflow",
2752 },
2753 {
2754 name: "LargePlaintext-TLS13-Padded-16383-1",
2755 config: Config{
2756 MinVersion: VersionTLS13,
2757 MaxVersion: VersionTLS13,
2758 Bugs: ProtocolBugs{
2759 RecordPadding: 1,
2760 SendLargeRecords: true,
2761 },
2762 },
2763 messageLen: 16383,
2764 },
2765 {
2766 name: "LargePlaintext-TLS13-Padded-16384-1",
2767 config: Config{
2768 MinVersion: VersionTLS13,
2769 MaxVersion: VersionTLS13,
2770 Bugs: ProtocolBugs{
2771 RecordPadding: 1,
2772 SendLargeRecords: true,
2773 },
2774 },
2775 messageLen: 16384,
2776 shouldFail: true,
2777 expectedError: ":DATA_LENGTH_TOO_LONG:",
2778 expectedLocalError: "remote error: record overflow",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2779 },
2780 {
2781 name: "LargeCiphertext",
2782 config: Config{
2783 Bugs: ProtocolBugs{
2784 SendLargeRecords: true,
2785 },
2786 },
2787 messageLen: maxPlaintext * 2,
2788 shouldFail: true,
2789 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2790 },
2791 {
2792 protocol: dtls,
2793 name: "LargeCiphertext-DTLS",
2794 config: Config{
2795 Bugs: ProtocolBugs{
2796 SendLargeRecords: true,
2797 },
2798 },
2799 messageLen: maxPlaintext * 2,
2800 // Unlike the other four cases, DTLS drops records which
2801 // are invalid before authentication, so the connection
2802 // does not fail.
2803 expectMessageDropped: true,
2804 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]2805 {
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2806 name: "BadHelloRequest-1",
2807 renegotiate: 1,
2808 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2809 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2810 Bugs: ProtocolBugs{
2811 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2812 },
2813 },
2814 flags: []string{
2815 "-renegotiate-freely",
2816 "-expect-total-renegotiations", "1",
2817 },
2818 shouldFail: true,
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]2819 expectedError: ":BAD_HELLO_REQUEST:",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2820 },
2821 {
2822 name: "BadHelloRequest-2",
2823 renegotiate: 1,
2824 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2825 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2826 Bugs: ProtocolBugs{
2827 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2828 },
2829 },
2830 flags: []string{
2831 "-renegotiate-freely",
2832 "-expect-total-renegotiations", "1",
2833 },
2834 shouldFail: true,
2835 expectedError: ":BAD_HELLO_REQUEST:",
2836 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2837 {
2838 testType: serverTest,
2839 name: "SupportTicketsWithSessionID",
2840 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2841 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2842 SessionTicketsDisabled: true,
2843 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2844 resumeConfig: &Config{
2845 MaxVersion: VersionTLS12,
2846 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2847 resumeSession: true,
2848 },
2849 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2850 protocol: dtls,
2851 name: "DTLS-SendExtraFinished",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2852 config: Config{
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2853 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2854 SendExtraFinished: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2855 },
2856 },
2857 shouldFail: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2858 expectedError: ":UNEXPECTED_RECORD:",
2859 },
2860 {
2861 protocol: dtls,
2862 name: "DTLS-SendExtraFinished-Reordered",
2863 config: Config{
2864 Bugs: ProtocolBugs{
2865 MaxHandshakeRecordLength: 2,
2866 ReorderHandshakeFragments: true,
2867 SendExtraFinished: true,
2868 },
2869 },
2870 shouldFail: true,
2871 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2872 },
2873 {
2874 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2875 name: "V2ClientHello-EmptyRecordPrefix",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2876 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2877 // Choose a cipher suite that does not involve
2878 // elliptic curves, so no extensions are
2879 // involved.
2880 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2881 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2882 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2883 SendV2ClientHello: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2884 },
2885 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2886 sendPrefix: string([]byte{
2887 byte(recordTypeHandshake),
2888 3, 1, // version
2889 0, 0, // length
2890 }),
2891 // A no-op empty record may not be sent before V2ClientHello.
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2892 shouldFail: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2893 expectedError: ":WRONG_VERSION_NUMBER:",
2894 },
2895 {
2896 testType: serverTest,
2897 name: "V2ClientHello-WarningAlertPrefix",
2898 config: Config{
2899 // Choose a cipher suite that does not involve
2900 // elliptic curves, so no extensions are
2901 // involved.
2902 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2903 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2904 Bugs: ProtocolBugs{
2905 SendV2ClientHello: true,
2906 },
2907 },
2908 sendPrefix: string([]byte{
2909 byte(recordTypeAlert),
2910 3, 1, // version
2911 0, 2, // length
2912 alertLevelWarning, byte(alertDecompressionFailure),
2913 }),
2914 // A no-op warning alert may not be sent before V2ClientHello.
2915 shouldFail: true,
2916 expectedError: ":WRONG_VERSION_NUMBER:",
2917 },
2918 {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]2919 name: "KeyUpdate-ToClient",
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]2920 config: Config{
2921 MaxVersion: VersionTLS13,
2922 },
2923 sendKeyUpdates: 1,
2924 keyUpdateRequest: keyUpdateNotRequested,
2925 },
2926 {
2927 testType: serverTest,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]2928 name: "KeyUpdate-ToServer",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2929 config: Config{
2930 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2931 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2932 sendKeyUpdates: 1,
2933 keyUpdateRequest: keyUpdateNotRequested,
2934 },
2935 {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]2936 name: "KeyUpdate-FromClient",
2937 config: Config{
2938 MaxVersion: VersionTLS13,
2939 },
2940 expectUnsolicitedKeyUpdate: true,
2941 flags: []string{"-key-update"},
2942 },
2943 {
2944 testType: serverTest,
2945 name: "KeyUpdate-FromServer",
2946 config: Config{
2947 MaxVersion: VersionTLS13,
2948 },
2949 expectUnsolicitedKeyUpdate: true,
2950 flags: []string{"-key-update"},
2951 },
2952 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2953 name: "KeyUpdate-InvalidRequestMode",
2954 config: Config{
2955 MaxVersion: VersionTLS13,
2956 },
2957 sendKeyUpdates: 1,
2958 keyUpdateRequest: 42,
2959 shouldFail: true,
2960 expectedError: ":DECODE_ERROR:",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2961 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2962 {
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]2963 // Test that KeyUpdates are acknowledged properly.
2964 name: "KeyUpdate-RequestACK",
2965 config: Config{
2966 MaxVersion: VersionTLS13,
2967 Bugs: ProtocolBugs{
2968 RejectUnsolicitedKeyUpdate: true,
2969 },
2970 },
2971 // Test the shim receiving many KeyUpdates in a row.
2972 sendKeyUpdates: 5,
2973 messageCount: 5,
2974 keyUpdateRequest: keyUpdateRequested,
2975 },
2976 {
2977 // Test that KeyUpdates are acknowledged properly if the
2978 // peer's KeyUpdate is discovered while a write is
2979 // pending.
2980 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2981 config: Config{
2982 MaxVersion: VersionTLS13,
2983 Bugs: ProtocolBugs{
2984 RejectUnsolicitedKeyUpdate: true,
2985 },
2986 },
2987 // Test the shim receiving many KeyUpdates in a row.
2988 sendKeyUpdates: 5,
2989 messageCount: 5,
2990 keyUpdateRequest: keyUpdateRequested,
2991 readWithUnfinishedWrite: true,
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]2992 flags: []string{"-async"},
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]2993 },
2994 {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2995 name: "SendSNIWarningAlert",
2996 config: Config{
2997 MaxVersion: VersionTLS12,
2998 Bugs: ProtocolBugs{
2999 SendSNIWarningAlert: true,
3000 },
3001 },
3002 },
3003 {
3004 testType: serverTest,
3005 name: "ExtraCompressionMethods-TLS12",
3006 config: Config{
3007 MaxVersion: VersionTLS12,
3008 Bugs: ProtocolBugs{
3009 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
3010 },
3011 },
3012 },
3013 {
3014 testType: serverTest,
3015 name: "ExtraCompressionMethods-TLS13",
3016 config: Config{
3017 MaxVersion: VersionTLS13,
3018 Bugs: ProtocolBugs{
3019 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
3020 },
3021 },
3022 shouldFail: true,
3023 expectedError: ":INVALID_COMPRESSION_LIST:",
3024 expectedLocalError: "remote error: illegal parameter",
3025 },
3026 {
3027 testType: serverTest,
3028 name: "NoNullCompression-TLS12",
3029 config: Config{
3030 MaxVersion: VersionTLS12,
3031 Bugs: ProtocolBugs{
3032 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
3033 },
3034 },
3035 shouldFail: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]3036 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3037 expectedLocalError: "remote error: illegal parameter",
3038 },
3039 {
3040 testType: serverTest,
3041 name: "NoNullCompression-TLS13",
3042 config: Config{
3043 MaxVersion: VersionTLS13,
3044 Bugs: ProtocolBugs{
3045 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
3046 },
3047 },
3048 shouldFail: true,
3049 expectedError: ":INVALID_COMPRESSION_LIST:",
3050 expectedLocalError: "remote error: illegal parameter",
3051 },
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]3052 // Test that the client rejects invalid compression methods
3053 // from the server.
3054 {
3055 testType: clientTest,
3056 name: "InvalidCompressionMethod",
3057 config: Config{
3058 MaxVersion: VersionTLS12,
3059 Bugs: ProtocolBugs{
3060 SendCompressionMethod: 1,
3061 },
3062 },
3063 shouldFail: true,
3064 expectedError: ":UNSUPPORTED_COMPRESSION_ALGORITHM:",
3065 expectedLocalError: "remote error: illegal parameter",
3066 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3067 {
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]3068 testType: clientTest,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3069 name: "TLS13-InvalidCompressionMethod",
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]3070 config: Config{
3071 MaxVersion: VersionTLS13,
3072 Bugs: ProtocolBugs{
3073 SendCompressionMethod: 1,
3074 },
3075 },
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]3076 shouldFail: true,
3077 expectedError: ":DECODE_ERROR:",
3078 },
3079 {
3080 testType: clientTest,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3081 name: "TLS13-HRR-InvalidCompressionMethod",
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]3082 config: Config{
3083 MaxVersion: VersionTLS13,
3084 CurvePreferences: []CurveID{CurveP384},
3085 Bugs: ProtocolBugs{
3086 SendCompressionMethod: 1,
3087 },
3088 },
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]3089 shouldFail: true,
3090 expectedError: ":DECODE_ERROR:",
3091 expectedLocalError: "remote error: error decoding message",
3092 },
3093 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3094 name: "GREASE-Client-TLS12",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3095 config: Config{
3096 MaxVersion: VersionTLS12,
3097 Bugs: ProtocolBugs{
3098 ExpectGREASE: true,
3099 },
3100 },
3101 flags: []string{"-enable-grease"},
3102 },
3103 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3104 name: "GREASE-Client-TLS13",
3105 config: Config{
3106 MaxVersion: VersionTLS13,
3107 Bugs: ProtocolBugs{
3108 ExpectGREASE: true,
3109 },
3110 },
3111 flags: []string{"-enable-grease"},
3112 },
3113 {
3114 testType: serverTest,
3115 name: "GREASE-Server-TLS13",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3116 config: Config{
3117 MaxVersion: VersionTLS13,
3118 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]3119 // TLS 1.3 servers are expected to
3120 // always enable GREASE. TLS 1.3 is new,
3121 // so there is no existing ecosystem to
3122 // worry about.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3123 ExpectGREASE: true,
3124 },
3125 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3126 },
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3127 {
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3128 // Test the TLS 1.2 server so there is a large
3129 // unencrypted certificate as well as application data.
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3130 testType: serverTest,
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3131 name: "MaxSendFragment-TLS12",
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3132 config: Config{
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3133 MaxVersion: VersionTLS12,
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3134 Bugs: ProtocolBugs{
3135 MaxReceivePlaintext: 512,
3136 },
3137 },
3138 messageLen: 1024,
3139 flags: []string{
3140 "-max-send-fragment", "512",
3141 "-read-size", "1024",
3142 },
3143 },
3144 {
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3145 // Test the TLS 1.2 server so there is a large
3146 // unencrypted certificate as well as application data.
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3147 testType: serverTest,
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3148 name: "MaxSendFragment-TLS12-TooLarge",
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3149 config: Config{
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3150 MaxVersion: VersionTLS12,
3151 Bugs: ProtocolBugs{
3152 // Ensure that some of the records are
3153 // 512.
3154 MaxReceivePlaintext: 511,
3155 },
3156 },
3157 messageLen: 1024,
3158 flags: []string{
3159 "-max-send-fragment", "512",
3160 "-read-size", "1024",
3161 },
3162 shouldFail: true,
3163 expectedLocalError: "local error: record overflow",
3164 },
3165 {
3166 // Test the TLS 1.3 server so there is a large encrypted
3167 // certificate as well as application data.
3168 testType: serverTest,
3169 name: "MaxSendFragment-TLS13",
3170 config: Config{
3171 MaxVersion: VersionTLS13,
3172 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3173 MaxReceivePlaintext: 512,
3174 ExpectPackedEncryptedHandshake: 512,
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3175 },
3176 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3177 messageLen: 1024,
Robert Sloan29c1d2c2017-10-30 14:10:28 -0700[diff] [blame]3178 flags: []string{
3179 "-max-send-fragment", "512",
3180 "-read-size", "1024",
3181 },
3182 },
3183 {
3184 // Test the TLS 1.3 server so there is a large encrypted
3185 // certificate as well as application data.
3186 testType: serverTest,
3187 name: "MaxSendFragment-TLS13-TooLarge",
3188 config: Config{
3189 MaxVersion: VersionTLS13,
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]3190 Bugs: ProtocolBugs{
3191 // Ensure that some of the records are
3192 // 512.
3193 MaxReceivePlaintext: 511,
3194 },
3195 },
3196 messageLen: 1024,
3197 flags: []string{
3198 "-max-send-fragment", "512",
3199 "-read-size", "1024",
3200 },
3201 shouldFail: true,
3202 expectedLocalError: "local error: record overflow",
3203 },
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]3204 {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3205 // Test that handshake data is tightly packed in TLS 1.3.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3206 testType: serverTest,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3207 name: "PackedEncryptedHandshake-TLS13",
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3208 config: Config{
3209 MaxVersion: VersionTLS13,
3210 Bugs: ProtocolBugs{
3211 ExpectPackedEncryptedHandshake: 16384,
3212 },
3213 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3214 },
3215 {
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]3216 // Test that DTLS can handle multiple application data
3217 // records in a single packet.
3218 protocol: dtls,
3219 name: "SplitAndPackAppData-DTLS",
3220 config: Config{
3221 Bugs: ProtocolBugs{
3222 SplitAndPackAppData: true,
3223 },
3224 },
3225 },
3226 {
3227 protocol: dtls,
3228 name: "SplitAndPackAppData-DTLS-Async",
3229 config: Config{
3230 Bugs: ProtocolBugs{
3231 SplitAndPackAppData: true,
3232 },
3233 },
3234 flags: []string{"-async"},
3235 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3236 }
3237 testCases = append(testCases, basicTests...)
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3238
3239 // Test that very large messages can be received.
3240 cert := rsaCertificate
3241 for i := 0; i < 50; i++ {
3242 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
3243 }
3244 testCases = append(testCases, testCase{
3245 name: "LargeMessage",
3246 config: Config{
3247 Certificates: []Certificate{cert},
3248 },
3249 })
3250 testCases = append(testCases, testCase{
3251 protocol: dtls,
3252 name: "LargeMessage-DTLS",
3253 config: Config{
3254 Certificates: []Certificate{cert},
3255 },
3256 })
3257
3258 // They are rejected if the maximum certificate chain length is capped.
3259 testCases = append(testCases, testCase{
3260 name: "LargeMessage-Reject",
3261 config: Config{
3262 Certificates: []Certificate{cert},
3263 },
3264 flags: []string{"-max-cert-list", "16384"},
3265 shouldFail: true,
3266 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
3267 })
3268 testCases = append(testCases, testCase{
3269 protocol: dtls,
3270 name: "LargeMessage-Reject-DTLS",
3271 config: Config{
3272 Certificates: []Certificate{cert},
3273 },
3274 flags: []string{"-max-cert-list", "16384"},
3275 shouldFail: true,
3276 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
3277 })
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]3278
3279 // Servers echoing the TLS 1.3 compatibility mode session ID should be
3280 // rejected.
3281 testCases = append(testCases, testCase{
3282 name: "EchoTLS13CompatibilitySessionID",
3283 config: Config{
3284 MaxVersion: VersionTLS12,
3285 Bugs: ProtocolBugs{
3286 EchoSessionIDInFullHandshake: true,
3287 },
3288 },
3289 shouldFail: true,
3290 expectedError: ":SERVER_ECHOED_INVALID_SESSION_ID:",
3291 expectedLocalError: "remote error: illegal parameter",
3292 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3293}
3294
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3295func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
3296 const psk = "12345"
3297 const pskIdentity = "luggage combo"
3298
3299 var prefix string
3300 if protocol == dtls {
3301 if !ver.hasDTLS {
3302 return
3303 }
3304 prefix = "D"
3305 }
3306
3307 var cert Certificate
3308 var certFile string
3309 var keyFile string
3310 if hasComponent(suite.name, "ECDSA") {
3311 cert = ecdsaP256Certificate
3312 certFile = ecdsaP256CertificateFile
3313 keyFile = ecdsaP256KeyFile
3314 } else {
3315 cert = rsaCertificate
3316 certFile = rsaCertificateFile
3317 keyFile = rsaKeyFile
3318 }
3319
3320 var flags []string
3321 if hasComponent(suite.name, "PSK") {
3322 flags = append(flags,
3323 "-psk", psk,
3324 "-psk-identity", pskIdentity)
3325 }
3326 if hasComponent(suite.name, "NULL") {
3327 // NULL ciphers must be explicitly enabled.
3328 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
3329 }
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3330
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3331 var shouldFail bool
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3332 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3333 shouldFail = true
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3334 }
3335 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3336 shouldFail = true
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3337 }
3338 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3339 shouldFail = true
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3340 }
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3341
3342 var sendCipherSuite uint16
3343 var expectedServerError, expectedClientError string
3344 serverCipherSuites := []uint16{suite.id}
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3345 if shouldFail {
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3346 expectedServerError = ":NO_SHARED_CIPHER:"
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3347 expectedClientError = ":WRONG_CIPHER_RETURNED:"
3348 // Configure the server to select ciphers as normal but
3349 // select an incompatible cipher in ServerHello.
3350 serverCipherSuites = nil
3351 sendCipherSuite = suite.id
3352 }
3353
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3354 // Verify exporters interoperate.
3355 exportKeyingMaterial := 1024
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]3356
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3357 testCases = append(testCases, testCase{
3358 testType: serverTest,
3359 protocol: protocol,
3360 name: prefix + ver.name + "-" + suite.name + "-server",
3361 config: Config{
3362 MinVersion: ver.version,
3363 MaxVersion: ver.version,
3364 CipherSuites: []uint16{suite.id},
3365 Certificates: []Certificate{cert},
3366 PreSharedKey: []byte(psk),
3367 PreSharedKeyIdentity: pskIdentity,
3368 Bugs: ProtocolBugs{
3369 AdvertiseAllConfiguredCiphers: true,
3370 },
3371 },
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]3372 certFile: certFile,
3373 keyFile: keyFile,
3374 flags: flags,
3375 resumeSession: true,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3376 shouldFail: shouldFail,
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]3377 expectedError: expectedServerError,
3378 exportKeyingMaterial: exportKeyingMaterial,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3379 })
3380
3381 testCases = append(testCases, testCase{
3382 testType: clientTest,
3383 protocol: protocol,
3384 name: prefix + ver.name + "-" + suite.name + "-client",
3385 config: Config{
3386 MinVersion: ver.version,
3387 MaxVersion: ver.version,
3388 CipherSuites: serverCipherSuites,
3389 Certificates: []Certificate{cert},
3390 PreSharedKey: []byte(psk),
3391 PreSharedKeyIdentity: pskIdentity,
3392 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3393 IgnorePeerCipherPreferences: shouldFail,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3394 SendCipherSuite: sendCipherSuite,
3395 },
3396 },
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]3397 flags: flags,
3398 resumeSession: true,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3399 shouldFail: shouldFail,
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]3400 expectedError: expectedClientError,
3401 exportKeyingMaterial: exportKeyingMaterial,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3402 })
3403
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3404 if shouldFail {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]3405 return
3406 }
3407
3408 // Ensure the maximum record size is accepted.
3409 testCases = append(testCases, testCase{
3410 protocol: protocol,
3411 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
3412 config: Config{
3413 MinVersion: ver.version,
3414 MaxVersion: ver.version,
3415 CipherSuites: []uint16{suite.id},
3416 Certificates: []Certificate{cert},
3417 PreSharedKey: []byte(psk),
3418 PreSharedKeyIdentity: pskIdentity,
3419 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3420 flags: flags,
3421 messageLen: maxPlaintext,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]3422 })
3423
3424 // Test bad records for all ciphers. Bad records are fatal in TLS
3425 // and ignored in DTLS.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3426 shouldFail = protocol == tls
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]3427 var expectedError string
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3428 if shouldFail {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]3429 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
3430 }
3431
3432 testCases = append(testCases, testCase{
3433 protocol: protocol,
3434 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
3435 config: Config{
3436 MinVersion: ver.version,
3437 MaxVersion: ver.version,
3438 CipherSuites: []uint16{suite.id},
3439 Certificates: []Certificate{cert},
3440 PreSharedKey: []byte(psk),
3441 PreSharedKeyIdentity: pskIdentity,
3442 },
3443 flags: flags,
3444 damageFirstWrite: true,
3445 messageLen: maxPlaintext,
3446 shouldFail: shouldFail,
3447 expectedError: expectedError,
3448 })
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3449}
3450
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3451func addCipherSuiteTests() {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3452 const bogusCipher = 0xfe00
3453
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3454 for _, suite := range testCipherSuites {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3455 for _, ver := range tlsVersions {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3456 for _, protocol := range []protocol{tls, dtls} {
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]3457 addTestForCipherSuite(suite, ver, protocol)
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3458 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3459 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3460 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3461
3462 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3463 name: "NoSharedCipher",
3464 config: Config{
3465 MaxVersion: VersionTLS12,
3466 CipherSuites: []uint16{},
3467 },
3468 shouldFail: true,
3469 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
3470 })
3471
3472 testCases = append(testCases, testCase{
3473 name: "NoSharedCipher-TLS13",
3474 config: Config{
3475 MaxVersion: VersionTLS13,
3476 CipherSuites: []uint16{},
3477 },
3478 shouldFail: true,
3479 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
3480 })
3481
3482 testCases = append(testCases, testCase{
3483 name: "UnsupportedCipherSuite",
3484 config: Config{
3485 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3486 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3487 Bugs: ProtocolBugs{
3488 IgnorePeerCipherPreferences: true,
3489 },
3490 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3491 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3492 shouldFail: true,
3493 expectedError: ":WRONG_CIPHER_RETURNED:",
3494 })
3495
3496 testCases = append(testCases, testCase{
3497 name: "ServerHelloBogusCipher",
3498 config: Config{
3499 MaxVersion: VersionTLS12,
3500 Bugs: ProtocolBugs{
3501 SendCipherSuite: bogusCipher,
3502 },
3503 },
3504 shouldFail: true,
3505 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
3506 })
3507 testCases = append(testCases, testCase{
3508 name: "ServerHelloBogusCipher-TLS13",
3509 config: Config{
3510 MaxVersion: VersionTLS13,
3511 Bugs: ProtocolBugs{
3512 SendCipherSuite: bogusCipher,
3513 },
3514 },
3515 shouldFail: true,
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]3516 expectedError: ":WRONG_CIPHER_RETURNED:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3517 })
3518
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3519 // The server must be tolerant to bogus ciphers.
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3520 testCases = append(testCases, testCase{
3521 testType: serverTest,
3522 name: "UnknownCipher",
3523 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3524 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3525 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3526 Bugs: ProtocolBugs{
3527 AdvertiseAllConfiguredCiphers: true,
3528 },
3529 },
3530 })
3531
3532 // The server must be tolerant to bogus ciphers.
3533 testCases = append(testCases, testCase{
3534 testType: serverTest,
3535 name: "UnknownCipher-TLS13",
3536 config: Config{
3537 MaxVersion: VersionTLS13,
3538 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
3539 Bugs: ProtocolBugs{
3540 AdvertiseAllConfiguredCiphers: true,
3541 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3542 },
3543 })
3544
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]3545 // Test empty ECDHE_PSK identity hints work as expected.
3546 testCases = append(testCases, testCase{
3547 name: "EmptyECDHEPSKHint",
3548 config: Config{
3549 MaxVersion: VersionTLS12,
3550 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3551 PreSharedKey: []byte("secret"),
3552 },
3553 flags: []string{"-psk", "secret"},
3554 })
3555
3556 // Test empty PSK identity hints work as expected, even if an explicit
3557 // ServerKeyExchange is sent.
3558 testCases = append(testCases, testCase{
3559 name: "ExplicitEmptyPSKHint",
3560 config: Config{
3561 MaxVersion: VersionTLS12,
3562 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3563 PreSharedKey: []byte("secret"),
3564 Bugs: ProtocolBugs{
3565 AlwaysSendPreSharedKeyIdentityHint: true,
3566 },
3567 },
3568 flags: []string{"-psk", "secret"},
3569 })
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]3570
3571 // Test that clients enforce that the server-sent certificate and cipher
3572 // suite match in TLS 1.2.
3573 testCases = append(testCases, testCase{
3574 name: "CertificateCipherMismatch-RSA",
3575 config: Config{
3576 MaxVersion: VersionTLS12,
3577 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3578 Certificates: []Certificate{rsaCertificate},
3579 Bugs: ProtocolBugs{
3580 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
3581 },
3582 },
3583 shouldFail: true,
3584 expectedError: ":WRONG_CERTIFICATE_TYPE:",
3585 })
3586 testCases = append(testCases, testCase{
3587 name: "CertificateCipherMismatch-ECDSA",
3588 config: Config{
3589 MaxVersion: VersionTLS12,
3590 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3591 Certificates: []Certificate{ecdsaP256Certificate},
3592 Bugs: ProtocolBugs{
3593 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3594 },
3595 },
3596 shouldFail: true,
3597 expectedError: ":WRONG_CERTIFICATE_TYPE:",
3598 })
3599 testCases = append(testCases, testCase{
3600 name: "CertificateCipherMismatch-Ed25519",
3601 config: Config{
3602 MaxVersion: VersionTLS12,
3603 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3604 Certificates: []Certificate{ed25519Certificate},
3605 Bugs: ProtocolBugs{
3606 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3607 },
3608 },
3609 shouldFail: true,
3610 expectedError: ":WRONG_CERTIFICATE_TYPE:",
3611 })
3612
3613 // Test that servers decline to select a cipher suite which is
3614 // inconsistent with their configured certificate.
3615 testCases = append(testCases, testCase{
3616 testType: serverTest,
3617 name: "ServerCipherFilter-RSA",
3618 config: Config{
3619 MaxVersion: VersionTLS12,
3620 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3621 },
3622 flags: []string{
3623 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3624 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3625 },
3626 shouldFail: true,
3627 expectedError: ":NO_SHARED_CIPHER:",
3628 })
3629 testCases = append(testCases, testCase{
3630 testType: serverTest,
3631 name: "ServerCipherFilter-ECDSA",
3632 config: Config{
3633 MaxVersion: VersionTLS12,
3634 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3635 },
3636 flags: []string{
3637 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3638 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3639 },
3640 shouldFail: true,
3641 expectedError: ":NO_SHARED_CIPHER:",
3642 })
3643 testCases = append(testCases, testCase{
3644 testType: serverTest,
3645 name: "ServerCipherFilter-Ed25519",
3646 config: Config{
3647 MaxVersion: VersionTLS12,
3648 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3649 },
3650 flags: []string{
3651 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3652 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3653 },
3654 shouldFail: true,
3655 expectedError: ":NO_SHARED_CIPHER:",
3656 })
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]3657
3658 // Test cipher suite negotiation works as expected. Configure a
3659 // complicated cipher suite configuration.
3660 const negotiationTestCiphers = "" +
3661 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:" +
3662 "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]:" +
3663 "TLS_RSA_WITH_AES_128_GCM_SHA256:" +
3664 "TLS_RSA_WITH_AES_128_CBC_SHA:" +
3665 "[TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA]"
3666 negotiationTests := []struct {
3667 ciphers []uint16
3668 expected uint16
3669 }{
3670 // Server preferences are honored, including when
3671 // equipreference groups are involved.
3672 {
3673 []uint16{
3674 TLS_RSA_WITH_AES_256_GCM_SHA384,
3675 TLS_RSA_WITH_AES_128_CBC_SHA,
3676 TLS_RSA_WITH_AES_128_GCM_SHA256,
3677 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3678 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3679 },
3680 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3681 },
3682 {
3683 []uint16{
3684 TLS_RSA_WITH_AES_256_GCM_SHA384,
3685 TLS_RSA_WITH_AES_128_CBC_SHA,
3686 TLS_RSA_WITH_AES_128_GCM_SHA256,
3687 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3688 },
3689 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3690 },
3691 {
3692 []uint16{
3693 TLS_RSA_WITH_AES_256_GCM_SHA384,
3694 TLS_RSA_WITH_AES_128_CBC_SHA,
3695 TLS_RSA_WITH_AES_128_GCM_SHA256,
3696 },
3697 TLS_RSA_WITH_AES_128_GCM_SHA256,
3698 },
3699 {
3700 []uint16{
3701 TLS_RSA_WITH_AES_256_GCM_SHA384,
3702 TLS_RSA_WITH_AES_128_CBC_SHA,
3703 },
3704 TLS_RSA_WITH_AES_128_CBC_SHA,
3705 },
3706 // Equipreference groups use the client preference.
3707 {
3708 []uint16{
3709 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3710 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3711 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3712 },
3713 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3714 },
3715 {
3716 []uint16{
3717 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3718 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3719 },
3720 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3721 },
3722 {
3723 []uint16{
3724 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3725 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3726 },
3727 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3728 },
3729 {
3730 []uint16{
3731 TLS_RSA_WITH_AES_256_GCM_SHA384,
3732 TLS_RSA_WITH_AES_256_CBC_SHA,
3733 },
3734 TLS_RSA_WITH_AES_256_GCM_SHA384,
3735 },
3736 {
3737 []uint16{
3738 TLS_RSA_WITH_AES_256_CBC_SHA,
3739 TLS_RSA_WITH_AES_256_GCM_SHA384,
3740 },
3741 TLS_RSA_WITH_AES_256_CBC_SHA,
3742 },
3743 // If there are two equipreference groups, the preferred one
3744 // takes precedence.
3745 {
3746 []uint16{
3747 TLS_RSA_WITH_AES_256_GCM_SHA384,
3748 TLS_RSA_WITH_AES_256_CBC_SHA,
3749 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3750 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3751 },
3752 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3753 },
3754 }
3755 for i, t := range negotiationTests {
3756 testCases = append(testCases, testCase{
3757 testType: serverTest,
3758 name: "CipherNegotiation-" + strconv.Itoa(i),
3759 config: Config{
3760 MaxVersion: VersionTLS12,
3761 CipherSuites: t.ciphers,
3762 },
3763 flags: []string{"-cipher", negotiationTestCiphers},
3764 expectedCipher: t.expected,
3765 })
3766 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3767}
3768
3769func addBadECDSASignatureTests() {
3770 for badR := BadValue(1); badR < NumBadValues; badR++ {
3771 for badS := BadValue(1); badS < NumBadValues; badS++ {
3772 testCases = append(testCases, testCase{
3773 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
3774 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3775 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3776 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3777 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3778 Bugs: ProtocolBugs{
3779 BadECDSAR: badR,
3780 BadECDSAS: badS,
3781 },
3782 },
3783 shouldFail: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3784 expectedError: ":BAD_SIGNATURE:",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3785 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]3786 testCases = append(testCases, testCase{
3787 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
3788 config: Config{
3789 MaxVersion: VersionTLS13,
3790 Certificates: []Certificate{ecdsaP256Certificate},
3791 Bugs: ProtocolBugs{
3792 BadECDSAR: badR,
3793 BadECDSAS: badS,
3794 },
3795 },
3796 shouldFail: true,
3797 expectedError: ":BAD_SIGNATURE:",
3798 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3799 }
3800 }
3801}
3802
3803func addCBCPaddingTests() {
3804 testCases = append(testCases, testCase{
3805 name: "MaxCBCPadding",
3806 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3807 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3808 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3809 Bugs: ProtocolBugs{
3810 MaxPadding: true,
3811 },
3812 },
3813 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3814 })
3815 testCases = append(testCases, testCase{
3816 name: "BadCBCPadding",
3817 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3818 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3819 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3820 Bugs: ProtocolBugs{
3821 PaddingFirstByteBad: true,
3822 },
3823 },
3824 shouldFail: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3825 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3826 })
3827 // OpenSSL previously had an issue where the first byte of padding in
3828 // 255 bytes of padding wasn't checked.
3829 testCases = append(testCases, testCase{
3830 name: "BadCBCPadding255",
3831 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3832 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3833 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3834 Bugs: ProtocolBugs{
3835 MaxPadding: true,
3836 PaddingFirstByteBadIf255: true,
3837 },
3838 },
3839 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3840 shouldFail: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3841 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3842 })
3843}
3844
3845func addCBCSplittingTests() {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]3846 var cbcCiphers = []struct {
3847 name string
3848 cipher uint16
3849 }{
3850 {"3DES", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
3851 {"AES128", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3852 {"AES256", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
3853 }
3854 for _, t := range cbcCiphers {
3855 testCases = append(testCases, testCase{
3856 name: "CBCRecordSplitting-" + t.name,
3857 config: Config{
3858 MaxVersion: VersionTLS10,
3859 MinVersion: VersionTLS10,
3860 CipherSuites: []uint16{t.cipher},
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]3861 Bugs: ProtocolBugs{
3862 ExpectRecordSplitting: true,
3863 },
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]3864 },
3865 messageLen: -1, // read until EOF
3866 resumeSession: true,
3867 flags: []string{
3868 "-async",
3869 "-write-different-record-sizes",
3870 "-cbc-record-splitting",
3871 },
3872 })
3873 testCases = append(testCases, testCase{
3874 name: "CBCRecordSplittingPartialWrite-" + t.name,
3875 config: Config{
3876 MaxVersion: VersionTLS10,
3877 MinVersion: VersionTLS10,
3878 CipherSuites: []uint16{t.cipher},
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]3879 Bugs: ProtocolBugs{
3880 ExpectRecordSplitting: true,
3881 },
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]3882 },
3883 messageLen: -1, // read until EOF
3884 flags: []string{
3885 "-async",
3886 "-write-different-record-sizes",
3887 "-cbc-record-splitting",
3888 "-partial-write",
3889 },
3890 })
3891 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3892}
3893
3894func addClientAuthTests() {
3895 // Add a dummy cert pool to stress certificate authority parsing.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3896 certPool := x509.NewCertPool()
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3897 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3898 cert, err := x509.ParseCertificate(cert.Certificate[0])
3899 if err != nil {
3900 panic(err)
3901 }
3902 certPool.AddCert(cert)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3903 }
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3904 caNames := certPool.Subjects()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3905
3906 for _, ver := range tlsVersions {
3907 testCases = append(testCases, testCase{
3908 testType: clientTest,
3909 name: ver.name + "-Client-ClientAuth-RSA",
3910 config: Config{
3911 MinVersion: ver.version,
3912 MaxVersion: ver.version,
3913 ClientAuth: RequireAnyClientCert,
3914 ClientCAs: certPool,
3915 },
3916 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3917 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3918 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3919 },
3920 })
3921 testCases = append(testCases, testCase{
3922 testType: serverTest,
3923 name: ver.name + "-Server-ClientAuth-RSA",
3924 config: Config{
3925 MinVersion: ver.version,
3926 MaxVersion: ver.version,
3927 Certificates: []Certificate{rsaCertificate},
3928 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3929 flags: []string{"-require-any-client-certificate"},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3930 })
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3931 testCases = append(testCases, testCase{
3932 testType: serverTest,
3933 name: ver.name + "-Server-ClientAuth-ECDSA",
3934 config: Config{
3935 MinVersion: ver.version,
3936 MaxVersion: ver.version,
3937 Certificates: []Certificate{ecdsaP256Certificate},
3938 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]3939 flags: []string{"-require-any-client-certificate"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3940 })
3941 testCases = append(testCases, testCase{
3942 testType: clientTest,
3943 name: ver.name + "-Client-ClientAuth-ECDSA",
3944 config: Config{
3945 MinVersion: ver.version,
3946 MaxVersion: ver.version,
3947 ClientAuth: RequireAnyClientCert,
3948 ClientCAs: certPool,
3949 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]3950 flags: []string{
3951 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3952 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3953 },
3954 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3955
3956 testCases = append(testCases, testCase{
3957 name: "NoClientCertificate-" + ver.name,
3958 config: Config{
3959 MinVersion: ver.version,
3960 MaxVersion: ver.version,
3961 ClientAuth: RequireAnyClientCert,
3962 },
3963 shouldFail: true,
3964 expectedLocalError: "client didn't provide a certificate",
3965 })
3966
3967 testCases = append(testCases, testCase{
3968 // Even if not configured to expect a certificate, OpenSSL will
3969 // return X509_V_OK as the verify_result.
3970 testType: serverTest,
3971 name: "NoClientCertificateRequested-Server-" + ver.name,
3972 config: Config{
3973 MinVersion: ver.version,
3974 MaxVersion: ver.version,
3975 },
3976 flags: []string{
3977 "-expect-verify-result",
3978 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3979 resumeSession: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3980 })
3981
3982 testCases = append(testCases, testCase{
3983 // If a client certificate is not provided, OpenSSL will still
3984 // return X509_V_OK as the verify_result.
3985 testType: serverTest,
3986 name: "NoClientCertificate-Server-" + ver.name,
3987 config: Config{
3988 MinVersion: ver.version,
3989 MaxVersion: ver.version,
3990 },
3991 flags: []string{
3992 "-expect-verify-result",
3993 "-verify-peer",
3994 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3995 resumeSession: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3996 })
3997
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3998 certificateRequired := "remote error: certificate required"
3999 if ver.version < VersionTLS13 {
4000 // Prior to TLS 1.3, the generic handshake_failure alert
4001 // was used.
4002 certificateRequired = "remote error: handshake failure"
4003 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4004 testCases = append(testCases, testCase{
4005 testType: serverTest,
4006 name: "RequireAnyClientCertificate-" + ver.name,
4007 config: Config{
4008 MinVersion: ver.version,
4009 MaxVersion: ver.version,
4010 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]4011 flags: []string{"-require-any-client-certificate"},
4012 shouldFail: true,
4013 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
4014 expectedLocalError: certificateRequired,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4015 })
4016
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4017 testCases = append(testCases, testCase{
4018 testType: serverTest,
4019 name: "SkipClientCertificate-" + ver.name,
4020 config: Config{
4021 MinVersion: ver.version,
4022 MaxVersion: ver.version,
4023 Bugs: ProtocolBugs{
4024 SkipClientCertificate: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4025 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4026 },
4027 // Setting SSL_VERIFY_PEER allows anonymous clients.
4028 flags: []string{"-verify-peer"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4029 shouldFail: true,
4030 expectedError: ":UNEXPECTED_MESSAGE:",
4031 })
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]4032
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4033 testCases = append(testCases, testCase{
4034 testType: serverTest,
4035 name: "VerifyPeerIfNoOBC-NoChannelID-" + ver.name,
4036 config: Config{
4037 MinVersion: ver.version,
4038 MaxVersion: ver.version,
4039 },
4040 flags: []string{
4041 "-enable-channel-id",
4042 "-verify-peer-if-no-obc",
4043 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4044 shouldFail: true,
4045 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
4046 expectedLocalError: certificateRequired,
4047 })
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]4048
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4049 testCases = append(testCases, testCase{
4050 testType: serverTest,
4051 name: "VerifyPeerIfNoOBC-ChannelID-" + ver.name,
4052 config: Config{
4053 MinVersion: ver.version,
4054 MaxVersion: ver.version,
4055 ChannelID: channelIDKey,
4056 },
4057 expectChannelID: true,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4058 flags: []string{
4059 "-enable-channel-id",
4060 "-verify-peer-if-no-obc",
4061 },
4062 })
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]4063
4064 testCases = append(testCases, testCase{
4065 testType: serverTest,
4066 name: ver.name + "-Server-CertReq-CA-List",
4067 config: Config{
4068 MinVersion: ver.version,
4069 MaxVersion: ver.version,
4070 Certificates: []Certificate{rsaCertificate},
4071 Bugs: ProtocolBugs{
4072 ExpectCertificateReqNames: caNames,
4073 },
4074 },
4075 flags: []string{
4076 "-require-any-client-certificate",
4077 "-use-client-ca-list", encodeDERValues(caNames),
4078 },
4079 })
4080
4081 testCases = append(testCases, testCase{
4082 testType: clientTest,
4083 name: ver.name + "-Client-CertReq-CA-List",
4084 config: Config{
4085 MinVersion: ver.version,
4086 MaxVersion: ver.version,
4087 Certificates: []Certificate{rsaCertificate},
4088 ClientAuth: RequireAnyClientCert,
4089 ClientCAs: certPool,
4090 },
4091 flags: []string{
4092 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4093 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4094 "-expect-client-ca-list", encodeDERValues(caNames),
4095 },
4096 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4097 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4098
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]4099 // Client auth is only legal in certificate-based ciphers.
4100 testCases = append(testCases, testCase{
4101 testType: clientTest,
4102 name: "ClientAuth-PSK",
4103 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4104 MaxVersion: VersionTLS12,
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]4105 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4106 PreSharedKey: []byte("secret"),
4107 ClientAuth: RequireAnyClientCert,
4108 },
4109 flags: []string{
4110 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4111 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4112 "-psk", "secret",
4113 },
4114 shouldFail: true,
4115 expectedError: ":UNEXPECTED_MESSAGE:",
4116 })
4117 testCases = append(testCases, testCase{
4118 testType: clientTest,
4119 name: "ClientAuth-ECDHE_PSK",
4120 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4121 MaxVersion: VersionTLS12,
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]4122 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
4123 PreSharedKey: []byte("secret"),
4124 ClientAuth: RequireAnyClientCert,
4125 },
4126 flags: []string{
4127 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4128 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4129 "-psk", "secret",
4130 },
4131 shouldFail: true,
4132 expectedError: ":UNEXPECTED_MESSAGE:",
4133 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4134
4135 // Regression test for a bug where the client CA list, if explicitly
4136 // set to NULL, was mis-encoded.
4137 testCases = append(testCases, testCase{
4138 testType: serverTest,
4139 name: "Null-Client-CA-List",
4140 config: Config{
4141 MaxVersion: VersionTLS12,
4142 Certificates: []Certificate{rsaCertificate},
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]4143 Bugs: ProtocolBugs{
4144 ExpectCertificateReqNames: [][]byte{},
4145 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4146 },
4147 flags: []string{
4148 "-require-any-client-certificate",
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]4149 "-use-client-ca-list", "<NULL>",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4150 },
4151 })
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]4152
4153 // Test that an empty client CA list doesn't send a CA extension.
4154 testCases = append(testCases, testCase{
4155 testType: serverTest,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]4156 name: "TLS13-Empty-Client-CA-List",
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]4157 config: Config{
4158 MaxVersion: VersionTLS13,
4159 Certificates: []Certificate{rsaCertificate},
4160 Bugs: ProtocolBugs{
4161 ExpectNoCertificateAuthoritiesExtension: true,
4162 },
4163 },
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]4164 flags: []string{
4165 "-require-any-client-certificate",
4166 "-use-client-ca-list", "<EMPTY>",
4167 },
4168 })
4169
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4170}
4171
4172func addExtendedMasterSecretTests() {
4173 const expectEMSFlag = "-expect-extended-master-secret"
4174
4175 for _, with := range []bool{false, true} {
4176 prefix := "No"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4177 if with {
4178 prefix = ""
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4179 }
4180
4181 for _, isClient := range []bool{false, true} {
4182 suffix := "-Server"
4183 testType := serverTest
4184 if isClient {
4185 suffix = "-Client"
4186 testType = clientTest
4187 }
4188
4189 for _, ver := range tlsVersions {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4190 // In TLS 1.3, the extension is irrelevant and
4191 // always reports as enabled.
4192 var flags []string
4193 if with || ver.version >= VersionTLS13 {
4194 flags = []string{expectEMSFlag}
4195 }
4196
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4197 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4198 testType: testType,
4199 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
4200 config: Config{
4201 MinVersion: ver.version,
4202 MaxVersion: ver.version,
4203 Bugs: ProtocolBugs{
4204 NoExtendedMasterSecret: !with,
4205 RequireExtendedMasterSecret: with,
4206 },
4207 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]4208 flags: flags,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4209 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4210 }
4211 }
4212 }
4213
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4214 for _, isClient := range []bool{false, true} {
4215 for _, supportedInFirstConnection := range []bool{false, true} {
4216 for _, supportedInResumeConnection := range []bool{false, true} {
4217 boolToWord := func(b bool) string {
4218 if b {
4219 return "Yes"
4220 }
4221 return "No"
4222 }
4223 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
4224 if isClient {
4225 suffix += "Client"
4226 } else {
4227 suffix += "Server"
4228 }
4229
4230 supportedConfig := Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4231 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4232 Bugs: ProtocolBugs{
4233 RequireExtendedMasterSecret: true,
4234 },
4235 }
4236
4237 noSupportConfig := Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4238 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4239 Bugs: ProtocolBugs{
4240 NoExtendedMasterSecret: true,
4241 },
4242 }
4243
4244 test := testCase{
4245 name: "ExtendedMasterSecret-" + suffix,
4246 resumeSession: true,
4247 }
4248
4249 if !isClient {
4250 test.testType = serverTest
4251 }
4252
4253 if supportedInFirstConnection {
4254 test.config = supportedConfig
4255 } else {
4256 test.config = noSupportConfig
4257 }
4258
4259 if supportedInResumeConnection {
4260 test.resumeConfig = &supportedConfig
4261 } else {
4262 test.resumeConfig = &noSupportConfig
4263 }
4264
4265 switch suffix {
4266 case "YesToYes-Client", "YesToYes-Server":
4267 // When a session is resumed, it should
4268 // still be aware that its master
4269 // secret was generated via EMS and
4270 // thus it's safe to use tls-unique.
4271 test.flags = []string{expectEMSFlag}
4272 case "NoToYes-Server":
4273 // If an original connection did not
4274 // contain EMS, but a resumption
4275 // handshake does, then a server should
4276 // not resume the session.
4277 test.expectResumeRejected = true
4278 case "YesToNo-Server":
4279 // Resuming an EMS session without the
4280 // EMS extension should cause the
4281 // server to abort the connection.
4282 test.shouldFail = true
4283 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
4284 case "NoToYes-Client":
4285 // A client should abort a connection
4286 // where the server resumed a non-EMS
4287 // session but echoed the EMS
4288 // extension.
4289 test.shouldFail = true
4290 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
4291 case "YesToNo-Client":
4292 // A client should abort a connection
4293 // where the server didn't echo EMS
4294 // when the session used it.
4295 test.shouldFail = true
4296 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
4297 }
4298
4299 testCases = append(testCases, test)
4300 }
4301 }
4302 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4303
4304 // Switching EMS on renegotiation is forbidden.
4305 testCases = append(testCases, testCase{
4306 name: "ExtendedMasterSecret-Renego-NoEMS",
4307 config: Config{
4308 MaxVersion: VersionTLS12,
4309 Bugs: ProtocolBugs{
4310 NoExtendedMasterSecret: true,
4311 NoExtendedMasterSecretOnRenegotiation: true,
4312 },
4313 },
4314 renegotiate: 1,
4315 flags: []string{
4316 "-renegotiate-freely",
4317 "-expect-total-renegotiations", "1",
4318 },
4319 })
4320
4321 testCases = append(testCases, testCase{
4322 name: "ExtendedMasterSecret-Renego-Upgrade",
4323 config: Config{
4324 MaxVersion: VersionTLS12,
4325 Bugs: ProtocolBugs{
4326 NoExtendedMasterSecret: true,
4327 },
4328 },
4329 renegotiate: 1,
4330 flags: []string{
4331 "-renegotiate-freely",
4332 "-expect-total-renegotiations", "1",
4333 },
4334 shouldFail: true,
4335 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
4336 })
4337
4338 testCases = append(testCases, testCase{
4339 name: "ExtendedMasterSecret-Renego-Downgrade",
4340 config: Config{
4341 MaxVersion: VersionTLS12,
4342 Bugs: ProtocolBugs{
4343 NoExtendedMasterSecretOnRenegotiation: true,
4344 },
4345 },
4346 renegotiate: 1,
4347 flags: []string{
4348 "-renegotiate-freely",
4349 "-expect-total-renegotiations", "1",
4350 },
4351 shouldFail: true,
4352 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
4353 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4354}
4355
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4356type stateMachineTestConfig struct {
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]4357 protocol protocol
4358 async bool
4359 splitHandshake bool
4360 packHandshake bool
4361 implicitHandshake bool
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4362}
4363
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4364// Adds tests that try to cover the range of the handshake state machine, under
4365// various conditions. Some of these are redundant with other tests, but they
4366// only cover the synchronous case.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4367func addAllStateMachineCoverageTests() {
4368 for _, async := range []bool{false, true} {
4369 for _, protocol := range []protocol{tls, dtls} {
4370 addStateMachineCoverageTests(stateMachineTestConfig{
4371 protocol: protocol,
4372 async: async,
4373 })
4374 addStateMachineCoverageTests(stateMachineTestConfig{
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4375 protocol: protocol,
4376 async: async,
4377 implicitHandshake: true,
4378 })
4379 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4380 protocol: protocol,
4381 async: async,
4382 splitHandshake: true,
4383 })
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]4384 addStateMachineCoverageTests(stateMachineTestConfig{
4385 protocol: protocol,
4386 async: async,
4387 packHandshake: true,
4388 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4389 }
4390 }
4391}
4392
4393func addStateMachineCoverageTests(config stateMachineTestConfig) {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4394 var tests []testCase
4395
4396 // Basic handshake, with resumption. Client and server,
4397 // session ID and session ticket.
4398 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4399 name: "Basic-Client",
4400 config: Config{
4401 MaxVersion: VersionTLS12,
4402 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4403 resumeSession: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4404 // Ensure session tickets are used, not session IDs.
4405 noSessionCache: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4406 })
4407 tests = append(tests, testCase{
4408 name: "Basic-Client-RenewTicket",
4409 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4410 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4411 Bugs: ProtocolBugs{
4412 RenewTicketOnResume: true,
4413 },
4414 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4415 flags: []string{"-expect-ticket-renewal"},
4416 resumeSession: true,
4417 resumeRenewedSession: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4418 })
4419 tests = append(tests, testCase{
4420 name: "Basic-Client-NoTicket",
4421 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4422 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4423 SessionTicketsDisabled: true,
4424 },
4425 resumeSession: true,
4426 })
4427 tests = append(tests, testCase{
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4428 testType: serverTest,
4429 name: "Basic-Server",
4430 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4431 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4432 Bugs: ProtocolBugs{
4433 RequireSessionTickets: true,
4434 },
4435 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4436 resumeSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]4437 flags: []string{"-expect-no-session-id"},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4438 })
4439 tests = append(tests, testCase{
4440 testType: serverTest,
4441 name: "Basic-Server-NoTickets",
4442 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4443 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4444 SessionTicketsDisabled: true,
4445 },
4446 resumeSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]4447 flags: []string{"-expect-session-id"},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4448 })
4449 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4450 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4451 name: "Basic-Server-EarlyCallback",
4452 config: Config{
4453 MaxVersion: VersionTLS12,
4454 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4455 flags: []string{"-use-early-callback"},
4456 resumeSession: true,
4457 })
4458
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4459 // TLS 1.3 basic handshake shapes.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4460 if config.protocol == tls {
4461 tests = append(tests, testCase{
4462 name: "TLS13-1RTT-Client",
4463 config: Config{
4464 MaxVersion: VersionTLS13,
4465 MinVersion: VersionTLS13,
4466 },
4467 resumeSession: true,
4468 resumeRenewedSession: true,
4469 })
4470
4471 tests = append(tests, testCase{
4472 testType: serverTest,
4473 name: "TLS13-1RTT-Server",
4474 config: Config{
4475 MaxVersion: VersionTLS13,
4476 MinVersion: VersionTLS13,
4477 },
4478 resumeSession: true,
4479 resumeRenewedSession: true,
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]4480 // TLS 1.3 uses tickets, so the session should not be
4481 // cached statefully.
4482 flags: []string{"-expect-no-session-id"},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4483 })
4484
4485 tests = append(tests, testCase{
4486 name: "TLS13-HelloRetryRequest-Client",
4487 config: Config{
4488 MaxVersion: VersionTLS13,
4489 MinVersion: VersionTLS13,
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]4490 // P-384 requires a HelloRetryRequest against BoringSSL's default
4491 // configuration. Assert this with ExpectMissingKeyShare.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4492 CurvePreferences: []CurveID{CurveP384},
4493 Bugs: ProtocolBugs{
4494 ExpectMissingKeyShare: true,
4495 },
4496 },
4497 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
4498 resumeSession: true,
4499 })
4500
4501 tests = append(tests, testCase{
4502 testType: serverTest,
4503 name: "TLS13-HelloRetryRequest-Server",
4504 config: Config{
4505 MaxVersion: VersionTLS13,
4506 MinVersion: VersionTLS13,
4507 // Require a HelloRetryRequest for every curve.
4508 DefaultCurves: []CurveID{},
4509 },
4510 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
4511 resumeSession: true,
4512 })
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4513
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4514 tests = append(tests, testCase{
4515 testType: clientTest,
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]4516 name: "TLS13-EarlyData-TooMuchData-Client",
4517 config: Config{
4518 MaxVersion: VersionTLS13,
4519 MinVersion: VersionTLS13,
4520 MaxEarlyDataSize: 2,
4521 },
4522 resumeConfig: &Config{
4523 MaxVersion: VersionTLS13,
4524 MinVersion: VersionTLS13,
4525 MaxEarlyDataSize: 2,
4526 Bugs: ProtocolBugs{
4527 ExpectEarlyData: [][]byte{{'h', 'e'}},
4528 },
4529 },
4530 resumeShimPrefix: "llo",
4531 resumeSession: true,
4532 flags: []string{
4533 "-enable-early-data",
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]4534 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]4535 "-expect-accept-early-data",
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]4536 "-on-resume-shim-writes-first",
4537 },
4538 })
4539
4540 // Unfinished writes can only be tested when operations are async. EarlyData
4541 // can't be tested as part of an ImplicitHandshake in this case since
4542 // otherwise the early data will be sent as normal data.
4543 if config.async && !config.implicitHandshake {
4544 tests = append(tests, testCase{
4545 testType: clientTest,
4546 name: "TLS13-EarlyData-UnfinishedWrite-Client",
4547 config: Config{
4548 MaxVersion: VersionTLS13,
4549 MinVersion: VersionTLS13,
4550 MaxEarlyDataSize: 16384,
4551 },
4552 resumeConfig: &Config{
4553 MaxVersion: VersionTLS13,
4554 MinVersion: VersionTLS13,
4555 MaxEarlyDataSize: 16384,
4556 Bugs: ProtocolBugs{
4557 ExpectLateEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
4558 },
4559 },
4560 resumeSession: true,
4561 flags: []string{
4562 "-enable-early-data",
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]4563 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]4564 "-expect-accept-early-data",
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]4565 "-on-resume-read-with-unfinished-write",
4566 "-on-resume-shim-writes-first",
4567 },
4568 })
4569
4570 // Rejected unfinished writes are discarded (from the
4571 // perspective of the calling application) on 0-RTT
4572 // reject.
4573 tests = append(tests, testCase{
4574 testType: clientTest,
4575 name: "TLS13-EarlyData-RejectUnfinishedWrite-Client",
4576 config: Config{
4577 MaxVersion: VersionTLS13,
4578 MinVersion: VersionTLS13,
4579 MaxEarlyDataSize: 16384,
4580 },
4581 resumeConfig: &Config{
4582 MaxVersion: VersionTLS13,
4583 MinVersion: VersionTLS13,
4584 MaxEarlyDataSize: 16384,
4585 Bugs: ProtocolBugs{
4586 AlwaysRejectEarlyData: true,
4587 },
4588 },
4589 resumeSession: true,
4590 flags: []string{
4591 "-enable-early-data",
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]4592 "-expect-ticket-supports-early-data",
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]4593 "-expect-reject-early-data",
4594 "-on-resume-read-with-unfinished-write",
4595 "-on-resume-shim-writes-first",
4596 },
4597 })
4598 }
4599
4600 tests = append(tests, testCase{
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4601 testType: serverTest,
Robert Sloan9254e682017-04-24 09:42:06 -0700[diff] [blame]4602 name: "TLS13-MaxEarlyData-Server",
4603 config: Config{
4604 MaxVersion: VersionTLS13,
4605 MinVersion: VersionTLS13,
4606 Bugs: ProtocolBugs{
Robert Sloan2424d842017-05-01 07:46:28 -0700[diff] [blame]4607 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Robert Sloan9254e682017-04-24 09:42:06 -0700[diff] [blame]4608 ExpectEarlyDataAccepted: true,
4609 },
4610 },
4611 messageCount: 2,
4612 resumeSession: true,
4613 flags: []string{
4614 "-enable-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]4615 "-expect-accept-early-data",
Robert Sloan9254e682017-04-24 09:42:06 -0700[diff] [blame]4616 },
4617 shouldFail: true,
4618 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
4619 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4620 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4621
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4622 // TLS client auth.
4623 tests = append(tests, testCase{
4624 testType: clientTest,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4625 name: "ClientAuth-NoCertificate-Client",
4626 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4627 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4628 ClientAuth: RequestClientCert,
4629 },
4630 })
4631 tests = append(tests, testCase{
4632 testType: serverTest,
4633 name: "ClientAuth-NoCertificate-Server",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4634 config: Config{
4635 MaxVersion: VersionTLS12,
4636 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4637 // Setting SSL_VERIFY_PEER allows anonymous clients.
4638 flags: []string{"-verify-peer"},
4639 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4640 if config.protocol == tls {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4641 tests = append(tests, testCase{
4642 testType: clientTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4643 name: "ClientAuth-NoCertificate-Client-TLS13",
4644 config: Config{
4645 MaxVersion: VersionTLS13,
4646 ClientAuth: RequestClientCert,
4647 },
4648 })
4649 tests = append(tests, testCase{
4650 testType: serverTest,
4651 name: "ClientAuth-NoCertificate-Server-TLS13",
4652 config: Config{
4653 MaxVersion: VersionTLS13,
4654 },
4655 // Setting SSL_VERIFY_PEER allows anonymous clients.
4656 flags: []string{"-verify-peer"},
4657 })
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4658 }
4659 tests = append(tests, testCase{
4660 testType: clientTest,
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]4661 name: "ClientAuth-RSA-Client",
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4662 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4663 MaxVersion: VersionTLS12,
4664 ClientAuth: RequireAnyClientCert,
4665 },
4666 flags: []string{
4667 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4668 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4669 },
4670 })
4671 tests = append(tests, testCase{
4672 testType: clientTest,
4673 name: "ClientAuth-RSA-Client-TLS13",
4674 config: Config{
4675 MaxVersion: VersionTLS13,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4676 ClientAuth: RequireAnyClientCert,
4677 },
4678 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]4679 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4680 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4681 },
4682 })
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]4683 tests = append(tests, testCase{
4684 testType: clientTest,
4685 name: "ClientAuth-ECDSA-Client",
4686 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4687 MaxVersion: VersionTLS12,
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]4688 ClientAuth: RequireAnyClientCert,
4689 },
4690 flags: []string{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4691 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4692 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]4693 },
4694 })
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4695 tests = append(tests, testCase{
4696 testType: clientTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4697 name: "ClientAuth-ECDSA-Client-TLS13",
4698 config: Config{
4699 MaxVersion: VersionTLS13,
4700 ClientAuth: RequireAnyClientCert,
4701 },
4702 flags: []string{
4703 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4704 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
4705 },
4706 })
4707 tests = append(tests, testCase{
4708 testType: clientTest,
4709 name: "ClientAuth-NoCertificate-OldCallback",
4710 config: Config{
4711 MaxVersion: VersionTLS12,
4712 ClientAuth: RequestClientCert,
4713 },
4714 flags: []string{"-use-old-client-cert-callback"},
4715 })
4716 tests = append(tests, testCase{
4717 testType: clientTest,
4718 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
4719 config: Config{
4720 MaxVersion: VersionTLS13,
4721 ClientAuth: RequestClientCert,
4722 },
4723 flags: []string{"-use-old-client-cert-callback"},
4724 })
4725 tests = append(tests, testCase{
4726 testType: clientTest,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4727 name: "ClientAuth-OldCallback",
4728 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4729 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]4730 ClientAuth: RequireAnyClientCert,
4731 },
4732 flags: []string{
4733 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4734 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4735 "-use-old-client-cert-callback",
4736 },
4737 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4738 tests = append(tests, testCase{
4739 testType: clientTest,
4740 name: "ClientAuth-OldCallback-TLS13",
4741 config: Config{
4742 MaxVersion: VersionTLS13,
4743 ClientAuth: RequireAnyClientCert,
4744 },
4745 flags: []string{
4746 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4747 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4748 "-use-old-client-cert-callback",
4749 },
4750 })
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4751 tests = append(tests, testCase{
4752 testType: serverTest,
4753 name: "ClientAuth-Server",
4754 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4755 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4756 Certificates: []Certificate{rsaCertificate},
4757 },
4758 flags: []string{"-require-any-client-certificate"},
4759 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4760 tests = append(tests, testCase{
4761 testType: serverTest,
4762 name: "ClientAuth-Server-TLS13",
4763 config: Config{
4764 MaxVersion: VersionTLS13,
4765 Certificates: []Certificate{rsaCertificate},
4766 },
4767 flags: []string{"-require-any-client-certificate"},
4768 })
4769
4770 // Test each key exchange on the server side for async keys.
4771 tests = append(tests, testCase{
4772 testType: serverTest,
4773 name: "Basic-Server-RSA",
4774 config: Config{
4775 MaxVersion: VersionTLS12,
4776 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
4777 },
4778 flags: []string{
4779 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4780 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4781 },
4782 })
4783 tests = append(tests, testCase{
4784 testType: serverTest,
4785 name: "Basic-Server-ECDHE-RSA",
4786 config: Config{
4787 MaxVersion: VersionTLS12,
4788 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4789 },
4790 flags: []string{
4791 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4792 "-key-file", path.Join(*resourceDir, rsaKeyFile),
4793 },
4794 })
4795 tests = append(tests, testCase{
4796 testType: serverTest,
4797 name: "Basic-Server-ECDHE-ECDSA",
4798 config: Config{
4799 MaxVersion: VersionTLS12,
4800 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
4801 },
4802 flags: []string{
4803 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4804 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
4805 },
4806 })
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]4807 tests = append(tests, testCase{
4808 testType: serverTest,
4809 name: "Basic-Server-Ed25519",
4810 config: Config{
4811 MaxVersion: VersionTLS12,
4812 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
4813 },
4814 flags: []string{
4815 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
4816 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
4817 "-enable-ed25519",
4818 },
4819 })
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4820
4821 // No session ticket support; server doesn't send NewSessionTicket.
4822 tests = append(tests, testCase{
4823 name: "SessionTicketsDisabled-Client",
4824 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4825 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4826 SessionTicketsDisabled: true,
4827 },
4828 })
4829 tests = append(tests, testCase{
4830 testType: serverTest,
4831 name: "SessionTicketsDisabled-Server",
4832 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4833 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4834 SessionTicketsDisabled: true,
4835 },
4836 })
4837
4838 // Skip ServerKeyExchange in PSK key exchange if there's no
4839 // identity hint.
4840 tests = append(tests, testCase{
4841 name: "EmptyPSKHint-Client",
4842 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4843 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4844 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4845 PreSharedKey: []byte("secret"),
4846 },
4847 flags: []string{"-psk", "secret"},
4848 })
4849 tests = append(tests, testCase{
4850 testType: serverTest,
4851 name: "EmptyPSKHint-Server",
4852 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4853 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4854 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4855 PreSharedKey: []byte("secret"),
4856 },
4857 flags: []string{"-psk", "secret"},
4858 })
4859
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4860 // OCSP stapling tests.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4861 for _, vers := range tlsVersions {
4862 if config.protocol == dtls && !vers.hasDTLS {
4863 continue
4864 }
4865 tests = append(tests, testCase{
4866 testType: clientTest,
4867 name: "OCSPStapling-Client-" + vers.name,
4868 config: Config{
4869 MaxVersion: vers.version,
4870 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4871 flags: []string{
4872 "-enable-ocsp-stapling",
4873 "-expect-ocsp-response",
4874 base64.StdEncoding.EncodeToString(testOCSPResponse),
4875 "-verify-peer",
4876 },
4877 resumeSession: true,
4878 })
4879 tests = append(tests, testCase{
4880 testType: serverTest,
4881 name: "OCSPStapling-Server-" + vers.name,
4882 config: Config{
4883 MaxVersion: vers.version,
4884 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4885 expectedOCSPResponse: testOCSPResponse,
4886 flags: []string{
4887 "-ocsp-response",
4888 base64.StdEncoding.EncodeToString(testOCSPResponse),
4889 },
4890 resumeSession: true,
4891 })
4892
4893 // The client OCSP callback is an alternate certificate
4894 // verification callback.
4895 tests = append(tests, testCase{
4896 testType: clientTest,
4897 name: "ClientOCSPCallback-Pass-" + vers.name,
4898 config: Config{
4899 MaxVersion: vers.version,
4900 Certificates: []Certificate{rsaCertificate},
4901 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4902 flags: []string{
4903 "-enable-ocsp-stapling",
4904 "-use-ocsp-callback",
4905 },
4906 })
4907 var expectedLocalError string
4908 if !config.async {
4909 // TODO(davidben): Asynchronous fatal alerts are never
4910 // sent. https://crbug.com/boringssl/130.
4911 expectedLocalError = "remote error: bad certificate status response"
4912 }
4913 tests = append(tests, testCase{
4914 testType: clientTest,
4915 name: "ClientOCSPCallback-Fail-" + vers.name,
4916 config: Config{
4917 MaxVersion: vers.version,
4918 Certificates: []Certificate{rsaCertificate},
4919 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4920 flags: []string{
4921 "-enable-ocsp-stapling",
4922 "-use-ocsp-callback",
4923 "-fail-ocsp-callback",
4924 },
4925 shouldFail: true,
4926 expectedLocalError: expectedLocalError,
4927 expectedError: ":OCSP_CB_ERROR:",
4928 })
4929 // The callback still runs if the server does not send an OCSP
4930 // response.
4931 certNoStaple := rsaCertificate
4932 certNoStaple.OCSPStaple = nil
4933 tests = append(tests, testCase{
4934 testType: clientTest,
4935 name: "ClientOCSPCallback-FailNoStaple-" + vers.name,
4936 config: Config{
4937 MaxVersion: vers.version,
4938 Certificates: []Certificate{certNoStaple},
4939 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4940 flags: []string{
4941 "-enable-ocsp-stapling",
4942 "-use-ocsp-callback",
4943 "-fail-ocsp-callback",
4944 },
4945 shouldFail: true,
4946 expectedLocalError: expectedLocalError,
4947 expectedError: ":OCSP_CB_ERROR:",
4948 })
4949
4950 // The server OCSP callback is a legacy mechanism for
4951 // configuring OCSP, used by unreliable server software.
4952 tests = append(tests, testCase{
4953 testType: serverTest,
4954 name: "ServerOCSPCallback-SetInCallback-" + vers.name,
4955 config: Config{
4956 MaxVersion: vers.version,
4957 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4958 expectedOCSPResponse: testOCSPResponse,
4959 flags: []string{
4960 "-use-ocsp-callback",
4961 "-set-ocsp-in-callback",
4962 "-ocsp-response",
4963 base64.StdEncoding.EncodeToString(testOCSPResponse),
4964 },
4965 resumeSession: true,
4966 })
4967
4968 // The callback may decline OCSP, in which case we act as if
4969 // the client did not support it, even if a response was
4970 // configured.
4971 tests = append(tests, testCase{
4972 testType: serverTest,
4973 name: "ServerOCSPCallback-Decline-" + vers.name,
4974 config: Config{
4975 MaxVersion: vers.version,
4976 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4977 expectedOCSPResponse: []byte{},
4978 flags: []string{
4979 "-use-ocsp-callback",
4980 "-decline-ocsp-callback",
4981 "-ocsp-response",
4982 base64.StdEncoding.EncodeToString(testOCSPResponse),
4983 },
4984 resumeSession: true,
4985 })
4986
4987 // The callback may also signal an internal error.
4988 tests = append(tests, testCase{
4989 testType: serverTest,
4990 name: "ServerOCSPCallback-Fail-" + vers.name,
4991 config: Config{
4992 MaxVersion: vers.version,
4993 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]4994 flags: []string{
4995 "-use-ocsp-callback",
4996 "-fail-ocsp-callback",
4997 "-ocsp-response",
4998 base64.StdEncoding.EncodeToString(testOCSPResponse),
4999 },
5000 shouldFail: true,
5001 expectedError: ":OCSP_CB_ERROR:",
5002 })
5003 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5004
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5005 // Certificate verification tests.
5006 for _, vers := range tlsVersions {
5007 if config.protocol == dtls && !vers.hasDTLS {
5008 continue
5009 }
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]5010 for _, useCustomCallback := range []bool{false, true} {
5011 for _, testType := range []testType{clientTest, serverTest} {
5012 suffix := "-Client"
5013 if testType == serverTest {
5014 suffix = "-Server"
5015 }
5016 suffix += "-" + vers.name
5017 if useCustomCallback {
5018 suffix += "-CustomCallback"
5019 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5020
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]5021 flags := []string{"-verify-peer"}
5022 if testType == serverTest {
5023 flags = append(flags, "-require-any-client-certificate")
5024 }
5025 if useCustomCallback {
5026 flags = append(flags, "-use-custom-verify-callback")
5027 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5028
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]5029 tests = append(tests, testCase{
5030 testType: testType,
5031 name: "CertificateVerificationSucceed" + suffix,
5032 config: Config{
5033 MaxVersion: vers.version,
5034 Certificates: []Certificate{rsaCertificate},
5035 },
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]5036 flags: append([]string{"-expect-verify-result"}, flags...),
5037 resumeSession: true,
5038 })
5039 tests = append(tests, testCase{
5040 testType: testType,
5041 name: "CertificateVerificationFail" + suffix,
5042 config: Config{
5043 MaxVersion: vers.version,
5044 Certificates: []Certificate{rsaCertificate},
5045 },
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]5046 flags: append([]string{"-verify-fail"}, flags...),
5047 shouldFail: true,
5048 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5049 })
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5050 // Tests that although the verify callback fails on resumption, by default we don't call it.
5051 tests = append(tests, testCase{
5052 testType: testType,
5053 name: "CertificateVerificationDoesNotFailOnResume" + suffix,
5054 config: Config{
5055 MaxVersion: vers.version,
5056 Certificates: []Certificate{rsaCertificate},
5057 },
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5058 flags: append([]string{"-on-resume-verify-fail"}, flags...),
5059 resumeSession: true,
5060 })
5061 if testType == clientTest && useCustomCallback {
5062 tests = append(tests, testCase{
5063 testType: testType,
5064 name: "CertificateVerificationFailsOnResume" + suffix,
5065 config: Config{
5066 MaxVersion: vers.version,
5067 Certificates: []Certificate{rsaCertificate},
5068 },
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5069 flags: append([]string{
5070 "-on-resume-verify-fail",
5071 "-reverify-on-resume",
5072 }, flags...),
5073 resumeSession: true,
5074 shouldFail: true,
5075 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5076 })
5077 tests = append(tests, testCase{
5078 testType: testType,
5079 name: "CertificateVerificationPassesOnResume" + suffix,
5080 config: Config{
5081 MaxVersion: vers.version,
5082 Certificates: []Certificate{rsaCertificate},
5083 },
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5084 flags: append([]string{
5085 "-reverify-on-resume",
5086 }, flags...),
5087 resumeSession: true,
5088 })
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5089 if vers.version >= VersionTLS13 {
5090 tests = append(tests, testCase{
5091 testType: testType,
5092 name: "EarlyData-RejectTicket-Client-Reverify" + suffix,
5093 config: Config{
5094 MaxVersion: vers.version,
5095 MaxEarlyDataSize: 16384,
5096 },
5097 resumeConfig: &Config{
5098 MaxVersion: vers.version,
5099 MaxEarlyDataSize: 16384,
5100 SessionTicketsDisabled: true,
5101 },
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5102 resumeSession: true,
5103 expectResumeRejected: true,
5104 flags: append([]string{
5105 "-enable-early-data",
5106 "-expect-ticket-supports-early-data",
5107 "-reverify-on-resume",
5108 "-on-resume-shim-writes-first",
5109 // Session tickets are disabled, so the runner will not send a ticket.
5110 "-on-retry-expect-no-session",
5111 "-expect-reject-early-data",
5112 }, flags...),
5113 })
5114 tests = append(tests, testCase{
5115 testType: testType,
5116 name: "EarlyData-Reject0RTT-Client-Reverify" + suffix,
5117 config: Config{
5118 MaxVersion: vers.version,
5119 MaxEarlyDataSize: 16384,
5120 },
5121 resumeConfig: &Config{
5122 MaxVersion: vers.version,
5123 MaxEarlyDataSize: 16384,
5124 Bugs: ProtocolBugs{
5125 AlwaysRejectEarlyData: true,
5126 },
5127 },
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5128 resumeSession: true,
5129 expectResumeRejected: false,
5130 flags: append([]string{
5131 "-enable-early-data",
5132 "-expect-reject-early-data",
5133 "-expect-ticket-supports-early-data",
5134 "-reverify-on-resume",
5135 "-on-resume-shim-writes-first",
5136 }, flags...),
5137 })
5138 tests = append(tests, testCase{
5139 testType: testType,
5140 name: "EarlyData-RejectTicket-Client-ReverifyFails" + suffix,
5141 config: Config{
5142 MaxVersion: vers.version,
5143 MaxEarlyDataSize: 16384,
5144 },
5145 resumeConfig: &Config{
5146 MaxVersion: vers.version,
5147 MaxEarlyDataSize: 16384,
5148 SessionTicketsDisabled: true,
5149 },
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5150 resumeSession: true,
5151 expectResumeRejected: true,
5152 shouldFail: true,
5153 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5154 flags: append([]string{
5155 "-enable-early-data",
5156 "-expect-ticket-supports-early-data",
5157 "-reverify-on-resume",
5158 "-on-resume-shim-writes-first",
5159 // Session tickets are disabled, so the runner will not send a ticket.
5160 "-on-retry-expect-no-session",
5161 "-on-retry-verify-fail",
5162 "-expect-reject-early-data",
5163 }, flags...),
5164 })
5165 tests = append(tests, testCase{
5166 testType: testType,
5167 name: "EarlyData-Reject0RTT-Client-ReverifyFails" + suffix,
5168 config: Config{
5169 MaxVersion: vers.version,
5170 MaxEarlyDataSize: 16384,
5171 },
5172 resumeConfig: &Config{
5173 MaxVersion: vers.version,
5174 MaxEarlyDataSize: 16384,
5175 Bugs: ProtocolBugs{
5176 AlwaysRejectEarlyData: true,
5177 },
5178 },
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5179 resumeSession: true,
5180 expectResumeRejected: false,
5181 shouldFail: true,
5182 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5183 flags: append([]string{
5184 "-enable-early-data",
5185 "-expect-reject-early-data",
5186 "-expect-ticket-supports-early-data",
5187 "-reverify-on-resume",
5188 "-on-resume-shim-writes-first",
5189 "-on-retry-verify-fail",
5190 }, flags...),
5191 })
5192 // This tests that we only call the verify callback once.
5193 tests = append(tests, testCase{
5194 testType: testType,
5195 name: "EarlyData-Accept0RTT-Client-Reverify" + suffix,
5196 config: Config{
5197 MaxVersion: vers.version,
5198 MaxEarlyDataSize: 16384,
5199 },
5200 resumeConfig: &Config{
5201 MaxVersion: vers.version,
5202 MaxEarlyDataSize: 16384,
5203 Bugs: ProtocolBugs{
5204 ExpectEarlyData: [][]byte{[]byte("hello")},
5205 },
5206 },
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5207 resumeSession: true,
5208 expectResumeRejected: false,
5209 flags: append([]string{
5210 "-enable-early-data",
5211 "-expect-ticket-supports-early-data",
5212 "-reverify-on-resume",
5213 "-on-resume-shim-writes-first",
5214 }, flags...),
5215 })
5216 tests = append(tests, testCase{
5217 testType: testType,
5218 name: "EarlyData-Accept0RTT-Client-ReverifyFails" + suffix,
5219 config: Config{
5220 MaxVersion: vers.version,
5221 MaxEarlyDataSize: 16384,
5222 },
5223 resumeConfig: &Config{
5224 MaxVersion: vers.version,
5225 MaxEarlyDataSize: 16384,
5226 Bugs: ProtocolBugs{
5227 ExpectEarlyData: [][]byte{[]byte("hello")},
5228 },
5229 },
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]5230 resumeSession: true,
5231 shouldFail: true,
5232 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5233 flags: append([]string{
5234 "-enable-early-data",
5235 "-expect-ticket-supports-early-data",
5236 "-reverify-on-resume",
5237 "-on-resume-verify-fail",
5238 "-on-resume-shim-writes-first",
5239 }, flags...),
5240 })
5241 }
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5242 }
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]5243 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5244 }
5245
5246 // By default, the client is in a soft fail mode where the peer
5247 // certificate is verified but failures are non-fatal.
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5248 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5249 testType: clientTest,
5250 name: "CertificateVerificationSoftFail-" + vers.name,
5251 config: Config{
5252 MaxVersion: vers.version,
5253 Certificates: []Certificate{rsaCertificate},
5254 },
5255 flags: []string{
5256 "-verify-fail",
5257 "-expect-verify-result",
5258 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5259 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5260 })
5261 }
5262
5263 tests = append(tests, testCase{
5264 name: "ShimSendAlert",
5265 flags: []string{"-send-alert"},
5266 shimWritesFirst: true,
5267 shouldFail: true,
5268 expectedLocalError: "remote error: decompression failure",
5269 })
5270
5271 if config.protocol == tls {
5272 tests = append(tests, testCase{
5273 name: "Renegotiate-Client",
5274 config: Config{
5275 MaxVersion: VersionTLS12,
5276 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]5277 renegotiate: 1,
5278 flags: []string{
5279 "-renegotiate-freely",
5280 "-expect-total-renegotiations", "1",
5281 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5282 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5283
5284 tests = append(tests, testCase{
5285 name: "SendHalfHelloRequest",
5286 config: Config{
5287 MaxVersion: VersionTLS12,
5288 Bugs: ProtocolBugs{
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]5289 PackHelloRequestWithFinished: config.packHandshake,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5290 },
5291 },
5292 sendHalfHelloRequest: true,
5293 flags: []string{"-renegotiate-ignore"},
5294 shouldFail: true,
5295 expectedError: ":UNEXPECTED_RECORD:",
5296 })
5297
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5298 // NPN on client and server; results in post-handshake message.
5299 tests = append(tests, testCase{
5300 name: "NPN-Client",
5301 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5302 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5303 NextProtos: []string{"foo"},
5304 },
5305 flags: []string{"-select-next-proto", "foo"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5306 resumeSession: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5307 expectedNextProto: "foo",
5308 expectedNextProtoType: npn,
5309 })
5310 tests = append(tests, testCase{
5311 testType: serverTest,
5312 name: "NPN-Server",
5313 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5314 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5315 NextProtos: []string{"bar"},
5316 },
5317 flags: []string{
5318 "-advertise-npn", "\x03foo\x03bar\x03baz",
5319 "-expect-next-proto", "bar",
5320 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5321 resumeSession: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5322 expectedNextProto: "bar",
5323 expectedNextProtoType: npn,
5324 })
5325
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5326 // Client does False Start and negotiates NPN.
5327 tests = append(tests, testCase{
5328 name: "FalseStart",
5329 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5330 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5331 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5332 NextProtos: []string{"foo"},
5333 Bugs: ProtocolBugs{
5334 ExpectFalseStart: true,
5335 },
5336 },
5337 flags: []string{
5338 "-false-start",
5339 "-select-next-proto", "foo",
5340 },
5341 shimWritesFirst: true,
5342 resumeSession: true,
5343 })
5344
5345 // Client does False Start and negotiates ALPN.
5346 tests = append(tests, testCase{
5347 name: "FalseStart-ALPN",
5348 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5349 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5350 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5351 NextProtos: []string{"foo"},
5352 Bugs: ProtocolBugs{
5353 ExpectFalseStart: true,
5354 },
5355 },
5356 flags: []string{
5357 "-false-start",
5358 "-advertise-alpn", "\x03foo",
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]5359 "-expect-alpn", "foo",
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5360 },
5361 shimWritesFirst: true,
5362 resumeSession: true,
5363 })
5364
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5365 // False Start without session tickets.
5366 tests = append(tests, testCase{
5367 name: "FalseStart-SessionTicketsDisabled",
5368 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5369 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5370 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5371 NextProtos: []string{"foo"},
5372 SessionTicketsDisabled: true,
5373 Bugs: ProtocolBugs{
5374 ExpectFalseStart: true,
5375 },
5376 },
5377 flags: []string{
5378 "-false-start",
5379 "-select-next-proto", "foo",
5380 },
5381 shimWritesFirst: true,
5382 })
5383
5384 // Server parses a V2ClientHello.
5385 tests = append(tests, testCase{
5386 testType: serverTest,
5387 name: "SendV2ClientHello",
5388 config: Config{
5389 // Choose a cipher suite that does not involve
5390 // elliptic curves, so no extensions are
5391 // involved.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5392 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5393 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5394 Bugs: ProtocolBugs{
5395 SendV2ClientHello: true,
5396 },
5397 },
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]5398 flags: []string{
5399 "-expect-msg-callback",
5400 `read v2clienthello
5401write hs 2
5402write hs 11
5403write hs 14
5404read hs 16
5405read ccs
5406read hs 20
5407write ccs
5408write hs 20
5409read alert 1 0
5410`,
5411 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5412 })
5413
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5414 // Test Channel ID
5415 for _, ver := range tlsVersions {
5416 if ver.version < VersionTLS10 {
5417 continue
5418 }
5419 // Client sends a Channel ID.
5420 tests = append(tests, testCase{
5421 name: "ChannelID-Client-" + ver.name,
5422 config: Config{
5423 MaxVersion: ver.version,
5424 RequestChannelID: true,
5425 },
5426 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
5427 resumeSession: true,
5428 expectChannelID: true,
5429 })
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5430
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5431 // Server accepts a Channel ID.
5432 tests = append(tests, testCase{
5433 testType: serverTest,
5434 name: "ChannelID-Server-" + ver.name,
5435 config: Config{
5436 MaxVersion: ver.version,
5437 ChannelID: channelIDKey,
5438 },
5439 flags: []string{
5440 "-expect-channel-id",
5441 base64.StdEncoding.EncodeToString(channelIDBytes),
5442 },
5443 resumeSession: true,
5444 expectChannelID: true,
5445 })
5446
5447 tests = append(tests, testCase{
5448 testType: serverTest,
5449 name: "InvalidChannelIDSignature-" + ver.name,
5450 config: Config{
5451 MaxVersion: ver.version,
5452 ChannelID: channelIDKey,
5453 Bugs: ProtocolBugs{
5454 InvalidChannelIDSignature: true,
5455 },
5456 },
5457 flags: []string{"-enable-channel-id"},
5458 shouldFail: true,
5459 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
5460 })
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]5461
5462 if ver.version < VersionTLS13 {
5463 // Channel ID requires ECDHE ciphers.
5464 tests = append(tests, testCase{
5465 testType: serverTest,
5466 name: "ChannelID-NoECDHE-" + ver.name,
5467 config: Config{
5468 MaxVersion: ver.version,
5469 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
5470 ChannelID: channelIDKey,
5471 },
5472 expectChannelID: false,
5473 flags: []string{"-enable-channel-id"},
5474 })
5475
5476 // Sanity-check setting expectChannelID false works.
5477 tests = append(tests, testCase{
5478 testType: serverTest,
5479 name: "ChannelID-ECDHE-" + ver.name,
5480 config: Config{
5481 MaxVersion: ver.version,
5482 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
5483 ChannelID: channelIDKey,
5484 },
5485 expectChannelID: false,
5486 flags: []string{"-enable-channel-id"},
5487 shouldFail: true,
5488 expectedLocalError: "channel ID unexpectedly negotiated",
5489 })
5490 }
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5491 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5492
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5493 // Channel ID and NPN at the same time, to ensure their relative
5494 // ordering is correct.
5495 tests = append(tests, testCase{
5496 name: "ChannelID-NPN-Client",
5497 config: Config{
5498 MaxVersion: VersionTLS12,
5499 RequestChannelID: true,
5500 NextProtos: []string{"foo"},
5501 },
5502 flags: []string{
5503 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
5504 "-select-next-proto", "foo",
5505 },
5506 resumeSession: true,
5507 expectChannelID: true,
5508 expectedNextProto: "foo",
5509 expectedNextProtoType: npn,
5510 })
5511 tests = append(tests, testCase{
5512 testType: serverTest,
5513 name: "ChannelID-NPN-Server",
5514 config: Config{
5515 MaxVersion: VersionTLS12,
5516 ChannelID: channelIDKey,
5517 NextProtos: []string{"bar"},
5518 },
5519 flags: []string{
5520 "-expect-channel-id",
5521 base64.StdEncoding.EncodeToString(channelIDBytes),
5522 "-advertise-npn", "\x03foo\x03bar\x03baz",
5523 "-expect-next-proto", "bar",
5524 },
5525 resumeSession: true,
5526 expectChannelID: true,
5527 expectedNextProto: "bar",
5528 expectedNextProtoType: npn,
5529 })
5530
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5531 // Bidirectional shutdown with the runner initiating.
5532 tests = append(tests, testCase{
5533 name: "Shutdown-Runner",
5534 config: Config{
5535 Bugs: ProtocolBugs{
5536 ExpectCloseNotify: true,
5537 },
5538 },
5539 flags: []string{"-check-close-notify"},
5540 })
5541
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]5542 if !config.implicitHandshake {
5543 // Bidirectional shutdown with the shim initiating. The runner,
5544 // in the meantime, sends garbage before the close_notify which
5545 // the shim must ignore. This test is disabled under implicit
5546 // handshake tests because the shim never reads or writes.
5547 tests = append(tests, testCase{
5548 name: "Shutdown-Shim",
5549 config: Config{
5550 MaxVersion: VersionTLS12,
5551 Bugs: ProtocolBugs{
5552 ExpectCloseNotify: true,
5553 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5554 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]5555 shimShutsDown: true,
5556 sendEmptyRecords: 1,
5557 sendWarningAlerts: 1,
5558 flags: []string{"-check-close-notify"},
5559 })
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]5560
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5561 // The shim should reject unexpected application data
5562 // when shutting down.
5563 tests = append(tests, testCase{
5564 name: "Shutdown-Shim-ApplicationData",
5565 config: Config{
5566 MaxVersion: VersionTLS12,
5567 Bugs: ProtocolBugs{
5568 ExpectCloseNotify: true,
5569 },
5570 },
5571 shimShutsDown: true,
5572 messageCount: 1,
5573 sendEmptyRecords: 1,
5574 sendWarningAlerts: 1,
5575 flags: []string{"-check-close-notify"},
5576 shouldFail: true,
5577 expectedError: ":APPLICATION_DATA_ON_SHUTDOWN:",
5578 })
5579
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]5580 // Test that SSL_shutdown still processes KeyUpdate.
5581 tests = append(tests, testCase{
5582 name: "Shutdown-Shim-KeyUpdate",
5583 config: Config{
5584 MinVersion: VersionTLS13,
5585 MaxVersion: VersionTLS13,
5586 Bugs: ProtocolBugs{
5587 ExpectCloseNotify: true,
5588 },
5589 },
5590 shimShutsDown: true,
5591 sendKeyUpdates: 1,
5592 keyUpdateRequest: keyUpdateRequested,
5593 flags: []string{"-check-close-notify"},
5594 })
5595
5596 // Test that SSL_shutdown processes HelloRequest
5597 // correctly.
5598 tests = append(tests, testCase{
5599 name: "Shutdown-Shim-HelloRequest-Ignore",
5600 config: Config{
5601 MinVersion: VersionTLS12,
5602 MaxVersion: VersionTLS12,
5603 Bugs: ProtocolBugs{
5604 SendHelloRequestBeforeEveryAppDataRecord: true,
5605 ExpectCloseNotify: true,
5606 },
5607 },
5608 shimShutsDown: true,
5609 flags: []string{
5610 "-renegotiate-ignore",
5611 "-check-close-notify",
5612 },
5613 })
5614 tests = append(tests, testCase{
5615 name: "Shutdown-Shim-HelloRequest-Reject",
5616 config: Config{
5617 MinVersion: VersionTLS12,
5618 MaxVersion: VersionTLS12,
5619 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5620 ExpectCloseNotify: true,
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]5621 },
5622 },
5623 shimShutsDown: true,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5624 renegotiate: 1,
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]5625 shouldFail: true,
5626 expectedError: ":NO_RENEGOTIATION:",
5627 flags: []string{"-check-close-notify"},
5628 })
5629 tests = append(tests, testCase{
5630 name: "Shutdown-Shim-HelloRequest-CannotHandshake",
5631 config: Config{
5632 MinVersion: VersionTLS12,
5633 MaxVersion: VersionTLS12,
5634 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5635 ExpectCloseNotify: true,
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]5636 },
5637 },
5638 shimShutsDown: true,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5639 renegotiate: 1,
Robert Sloan36272962017-10-23 10:28:39 -0700[diff] [blame]5640 shouldFail: true,
5641 expectedError: ":NO_RENEGOTIATION:",
5642 flags: []string{
5643 "-check-close-notify",
5644 "-renegotiate-freely",
5645 },
5646 })
5647
5648 tests = append(tests, testCase{
5649 testType: serverTest,
5650 name: "Shutdown-Shim-Renegotiate-Server-Forbidden",
5651 config: Config{
5652 MaxVersion: VersionTLS12,
5653 Bugs: ProtocolBugs{
5654 ExpectCloseNotify: true,
5655 },
5656 },
5657 shimShutsDown: true,
5658 renegotiate: 1,
5659 shouldFail: true,
5660 expectedError: ":NO_RENEGOTIATION:",
5661 flags: []string{
5662 "-check-close-notify",
5663 },
5664 })
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]5665 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5666 } else {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5667 // TODO(davidben): DTLS 1.3 will want a similar thing for
5668 // HelloRetryRequest.
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5669 tests = append(tests, testCase{
5670 name: "SkipHelloVerifyRequest",
5671 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5672 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5673 Bugs: ProtocolBugs{
5674 SkipHelloVerifyRequest: true,
5675 },
5676 },
5677 })
5678 }
5679
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5680 for _, test := range tests {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5681 test.protocol = config.protocol
5682 if config.protocol == dtls {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]5683 test.name += "-DTLS"
5684 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5685 if config.async {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]5686 test.name += "-Async"
5687 test.flags = append(test.flags, "-async")
5688 } else {
5689 test.name += "-Sync"
5690 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5691 if config.splitHandshake {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]5692 test.name += "-SplitHandshakeRecords"
5693 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5694 if config.protocol == dtls {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]5695 test.config.Bugs.MaxPacketLength = 256
5696 test.flags = append(test.flags, "-mtu", "256")
5697 }
5698 }
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]5699 if config.packHandshake {
5700 test.name += "-PackHandshake"
5701 if config.protocol == dtls {
5702 test.config.Bugs.MaxHandshakeRecordLength = 2
5703 test.config.Bugs.PackHandshakeFragments = 20
5704 test.config.Bugs.PackHandshakeRecords = 1500
5705 test.config.Bugs.PackAppDataWithHandshake = true
5706 } else {
5707 test.config.Bugs.PackHandshakeFlight = true
5708 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5709 }
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]5710 if config.implicitHandshake {
5711 test.name += "-ImplicitHandshake"
5712 test.flags = append(test.flags, "-implicit-handshake")
5713 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5714 testCases = append(testCases, test)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5715 }
5716}
5717
5718func addDDoSCallbackTests() {
5719 // DDoS callback.
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5720 for _, resume := range []bool{false, true} {
5721 suffix := "Resume"
5722 if resume {
5723 suffix = "No" + suffix
5724 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5725
5726 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5727 testType: serverTest,
5728 name: "Server-DDoS-OK-" + suffix,
5729 config: Config{
5730 MaxVersion: VersionTLS12,
5731 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5732 flags: []string{"-install-ddos-callback"},
5733 resumeSession: resume,
5734 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5735 testCases = append(testCases, testCase{
5736 testType: serverTest,
5737 name: "Server-DDoS-OK-" + suffix + "-TLS13",
5738 config: Config{
5739 MaxVersion: VersionTLS13,
5740 },
5741 flags: []string{"-install-ddos-callback"},
5742 resumeSession: resume,
5743 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5744
5745 failFlag := "-fail-ddos-callback"
5746 if resume {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5747 failFlag = "-on-resume-fail-ddos-callback"
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5748 }
5749 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5750 testType: serverTest,
5751 name: "Server-DDoS-Reject-" + suffix,
5752 config: Config{
5753 MaxVersion: VersionTLS12,
5754 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]5755 flags: []string{"-install-ddos-callback", failFlag},
5756 resumeSession: resume,
5757 shouldFail: true,
5758 expectedError: ":CONNECTION_REJECTED:",
5759 expectedLocalError: "remote error: internal error",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5760 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5761 testCases = append(testCases, testCase{
5762 testType: serverTest,
5763 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
5764 config: Config{
5765 MaxVersion: VersionTLS13,
5766 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]5767 flags: []string{"-install-ddos-callback", failFlag},
5768 resumeSession: resume,
5769 shouldFail: true,
5770 expectedError: ":CONNECTION_REJECTED:",
5771 expectedLocalError: "remote error: internal error",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5772 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5773 }
5774}
5775
5776func addVersionNegotiationTests() {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5777 for _, protocol := range []protocol{tls, dtls} {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]5778 for _, shimVers := range allVersions(protocol) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5779 // Assemble flags to disable all newer versions on the shim.
5780 var flags []string
5781 for _, vers := range allVersions(protocol) {
5782 if vers.version > shimVers.version {
5783 flags = append(flags, vers.excludeFlag)
5784 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5785 }
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5786
5787 flags2 := []string{"-max-version", shimVers.shimFlag(protocol)}
5788
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5789 // Test configuring the runner's maximum version.
5790 for _, runnerVers := range allVersions(protocol) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5791 expectedVersion := shimVers.version
5792 if runnerVers.version < shimVers.version {
5793 expectedVersion = runnerVers.version
5794 }
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5795
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5796 suffix := shimVers.name + "-" + runnerVers.name
5797 if protocol == dtls {
5798 suffix += "-DTLS"
5799 }
5800
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5801 // Determine the expected initial record-layer versions.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5802 clientVers := shimVers.version
5803 if clientVers > VersionTLS10 {
5804 clientVers = VersionTLS10
5805 }
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5806 clientVers = recordVersionToWire(clientVers, protocol)
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5807 serverVers := expectedVersion
5808 if expectedVersion >= VersionTLS13 {
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]5809 serverVers = VersionTLS12
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5810 }
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5811 serverVers = recordVersionToWire(serverVers, protocol)
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5812
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5813 testCases = append(testCases, testCase{
5814 protocol: protocol,
5815 testType: clientTest,
5816 name: "VersionNegotiation-Client-" + suffix,
5817 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]5818 MaxVersion: runnerVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5819 Bugs: ProtocolBugs{
5820 ExpectInitialRecordVersion: clientVers,
5821 },
5822 },
5823 flags: flags,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5824 expectedVersion: expectedVersion,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5825 })
5826 testCases = append(testCases, testCase{
5827 protocol: protocol,
5828 testType: clientTest,
5829 name: "VersionNegotiation-Client2-" + suffix,
5830 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]5831 MaxVersion: runnerVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5832 Bugs: ProtocolBugs{
5833 ExpectInitialRecordVersion: clientVers,
5834 },
5835 },
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5836 flags: flags2,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5837 expectedVersion: expectedVersion,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5838 })
5839
5840 testCases = append(testCases, testCase{
5841 protocol: protocol,
5842 testType: serverTest,
5843 name: "VersionNegotiation-Server-" + suffix,
5844 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]5845 MaxVersion: runnerVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5846 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5847 ExpectInitialRecordVersion: serverVers,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5848 },
5849 },
5850 flags: flags,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5851 expectedVersion: expectedVersion,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5852 })
5853 testCases = append(testCases, testCase{
5854 protocol: protocol,
5855 testType: serverTest,
5856 name: "VersionNegotiation-Server2-" + suffix,
5857 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]5858 MaxVersion: runnerVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5859 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5860 ExpectInitialRecordVersion: serverVers,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5861 },
5862 },
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5863 flags: flags2,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5864 expectedVersion: expectedVersion,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5865 })
5866 }
5867 }
5868 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5869
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5870 // Test the version extension at all versions.
5871 for _, vers := range tlsVersions {
5872 protocols := []protocol{tls}
5873 if vers.hasDTLS {
5874 protocols = append(protocols, dtls)
5875 }
5876 for _, protocol := range protocols {
5877 suffix := vers.name
5878 if protocol == dtls {
5879 suffix += "-DTLS"
5880 }
5881
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5882 testCases = append(testCases, testCase{
5883 protocol: protocol,
5884 testType: serverTest,
5885 name: "VersionNegotiationExtension-" + suffix,
5886 config: Config{
5887 Bugs: ProtocolBugs{
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5888 SendSupportedVersions: []uint16{0x1111, vers.wire(protocol), 0x2222},
5889 IgnoreTLS13DowngradeRandom: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5890 },
5891 },
5892 expectedVersion: vers.version,
5893 })
5894 }
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5895 }
5896
5897 // If all versions are unknown, negotiation fails.
5898 testCases = append(testCases, testCase{
5899 testType: serverTest,
5900 name: "NoSupportedVersions",
5901 config: Config{
5902 Bugs: ProtocolBugs{
5903 SendSupportedVersions: []uint16{0x1111},
5904 },
5905 },
5906 shouldFail: true,
5907 expectedError: ":UNSUPPORTED_PROTOCOL:",
5908 })
5909 testCases = append(testCases, testCase{
5910 protocol: dtls,
5911 testType: serverTest,
5912 name: "NoSupportedVersions-DTLS",
5913 config: Config{
5914 Bugs: ProtocolBugs{
5915 SendSupportedVersions: []uint16{0x1111},
5916 },
5917 },
5918 shouldFail: true,
5919 expectedError: ":UNSUPPORTED_PROTOCOL:",
5920 })
5921
5922 testCases = append(testCases, testCase{
5923 testType: serverTest,
5924 name: "ClientHelloVersionTooHigh",
5925 config: Config{
5926 MaxVersion: VersionTLS13,
5927 Bugs: ProtocolBugs{
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5928 SendClientVersion: 0x0304,
5929 OmitSupportedVersions: true,
5930 IgnoreTLS13DowngradeRandom: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5931 },
5932 },
5933 expectedVersion: VersionTLS12,
5934 })
5935
5936 testCases = append(testCases, testCase{
5937 testType: serverTest,
5938 name: "ConflictingVersionNegotiation",
5939 config: Config{
5940 Bugs: ProtocolBugs{
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5941 SendClientVersion: VersionTLS12,
5942 SendSupportedVersions: []uint16{VersionTLS11},
5943 IgnoreTLS13DowngradeRandom: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5944 },
5945 },
5946 // The extension takes precedence over the ClientHello version.
5947 expectedVersion: VersionTLS11,
5948 })
5949
5950 testCases = append(testCases, testCase{
5951 testType: serverTest,
5952 name: "ConflictingVersionNegotiation-2",
5953 config: Config{
5954 Bugs: ProtocolBugs{
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5955 SendClientVersion: VersionTLS11,
5956 SendSupportedVersions: []uint16{VersionTLS12},
5957 IgnoreTLS13DowngradeRandom: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5958 },
5959 },
5960 // The extension takes precedence over the ClientHello version.
5961 expectedVersion: VersionTLS12,
5962 })
5963
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5964 // Test that TLS 1.2 isn't negotiated by the supported_versions extension in
5965 // the ServerHello.
5966 testCases = append(testCases, testCase{
5967 testType: clientTest,
5968 name: "SupportedVersionSelection-TLS12",
5969 config: Config{
5970 MaxVersion: VersionTLS12,
5971 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]5972 SendServerSupportedVersionExtension: VersionTLS12,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]5973 },
5974 },
5975 shouldFail: true,
5976 expectedError: ":UNEXPECTED_EXTENSION:",
5977 })
5978
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5979 // Test that the maximum version is selected regardless of the
5980 // client-sent order.
5981 testCases = append(testCases, testCase{
5982 testType: serverTest,
5983 name: "IgnoreClientVersionOrder",
5984 config: Config{
5985 Bugs: ProtocolBugs{
Robert Sloan1f278ae2018-09-04 13:56:45 -0700[diff] [blame]5986 SendSupportedVersions: []uint16{VersionTLS12, VersionTLS13},
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5987 },
5988 },
5989 expectedVersion: VersionTLS13,
5990 })
5991
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5992 // Test for version tolerance.
5993 testCases = append(testCases, testCase{
5994 testType: serverTest,
5995 name: "MinorVersionTolerance",
5996 config: Config{
5997 Bugs: ProtocolBugs{
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]5998 SendClientVersion: 0x03ff,
5999 OmitSupportedVersions: true,
6000 IgnoreTLS13DowngradeRandom: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6001 },
6002 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6003 expectedVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6004 })
6005 testCases = append(testCases, testCase{
6006 testType: serverTest,
6007 name: "MajorVersionTolerance",
6008 config: Config{
6009 Bugs: ProtocolBugs{
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]6010 SendClientVersion: 0x0400,
6011 OmitSupportedVersions: true,
6012 IgnoreTLS13DowngradeRandom: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6013 },
6014 },
6015 // TLS 1.3 must be negotiated with the supported_versions
6016 // extension, not ClientHello.version.
6017 expectedVersion: VersionTLS12,
6018 })
6019 testCases = append(testCases, testCase{
6020 testType: serverTest,
6021 name: "VersionTolerance-TLS13",
6022 config: Config{
6023 Bugs: ProtocolBugs{
6024 // Although TLS 1.3 does not use
6025 // ClientHello.version, it still tolerates high
6026 // values there.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6027 SendClientVersion: 0x0400,
6028 },
6029 },
6030 expectedVersion: VersionTLS13,
6031 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6032
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6033 testCases = append(testCases, testCase{
6034 protocol: dtls,
6035 testType: serverTest,
6036 name: "MinorVersionTolerance-DTLS",
6037 config: Config{
6038 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6039 SendClientVersion: 0xfe00,
6040 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6041 },
6042 },
6043 expectedVersion: VersionTLS12,
6044 })
6045 testCases = append(testCases, testCase{
6046 protocol: dtls,
6047 testType: serverTest,
6048 name: "MajorVersionTolerance-DTLS",
6049 config: Config{
6050 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6051 SendClientVersion: 0xfdff,
6052 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6053 },
6054 },
6055 expectedVersion: VersionTLS12,
6056 })
6057
6058 // Test that versions below 3.0 are rejected.
6059 testCases = append(testCases, testCase{
6060 testType: serverTest,
6061 name: "VersionTooLow",
6062 config: Config{
6063 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6064 SendClientVersion: 0x0200,
6065 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6066 },
6067 },
6068 shouldFail: true,
6069 expectedError: ":UNSUPPORTED_PROTOCOL:",
6070 })
6071 testCases = append(testCases, testCase{
6072 protocol: dtls,
6073 testType: serverTest,
6074 name: "VersionTooLow-DTLS",
6075 config: Config{
6076 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6077 SendClientVersion: 0xffff,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6078 },
6079 },
6080 shouldFail: true,
6081 expectedError: ":UNSUPPORTED_PROTOCOL:",
6082 })
6083
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]6084 testCases = append(testCases, testCase{
6085 name: "ServerBogusVersion",
6086 config: Config{
6087 Bugs: ProtocolBugs{
6088 SendServerHelloVersion: 0x1234,
6089 },
6090 },
6091 shouldFail: true,
6092 expectedError: ":UNSUPPORTED_PROTOCOL:",
6093 })
6094
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6095 // Test TLS 1.3's downgrade signal.
Robert Sloanf068def2018-10-10 18:45:40 -0700[diff] [blame]6096 var downgradeTests = []struct {
6097 name string
6098 version uint16
6099 clientShimError string
6100 }{
6101 {"TLS12", VersionTLS12, "tls: downgrade from TLS 1.3 detected"},
6102 {"TLS11", VersionTLS11, "tls: downgrade from TLS 1.2 detected"},
6103 // TLS 1.0 does not have a dedicated value.
6104 {"TLS10", VersionTLS10, "tls: downgrade from TLS 1.2 detected"},
6105 }
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]6106
Robert Sloanf068def2018-10-10 18:45:40 -0700[diff] [blame]6107 for _, test := range downgradeTests {
6108 // The client should enforce the downgrade sentinel.
6109 testCases = append(testCases, testCase{
6110 name: "Downgrade-" + test.name + "-Client",
6111 config: Config{
6112 Bugs: ProtocolBugs{
6113 NegotiateVersion: test.version,
6114 },
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]6115 },
Robert Sloanf068def2018-10-10 18:45:40 -0700[diff] [blame]6116 expectedVersion: test.version,
6117 shouldFail: true,
6118 expectedError: ":TLS13_DOWNGRADE:",
6119 expectedLocalError: "remote error: illegal parameter",
6120 })
6121
6122 // The client should ignore the downgrade sentinel if
6123 // configured.
6124 testCases = append(testCases, testCase{
6125 name: "Downgrade-" + test.name + "-Client-Ignore",
6126 config: Config{
6127 Bugs: ProtocolBugs{
6128 NegotiateVersion: test.version,
6129 },
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]6130 },
Robert Sloanf068def2018-10-10 18:45:40 -0700[diff] [blame]6131 expectedVersion: test.version,
6132 flags: []string{
6133 "-ignore-tls13-downgrade",
6134 "-expect-tls13-downgrade",
6135 },
6136 })
6137
6138 // The server should emit the downgrade signal.
6139 testCases = append(testCases, testCase{
6140 testType: serverTest,
6141 name: "Downgrade-" + test.name + "-Server",
6142 config: Config{
6143 Bugs: ProtocolBugs{
6144 SendSupportedVersions: []uint16{test.version},
6145 },
6146 },
Robert Sloanf068def2018-10-10 18:45:40 -0700[diff] [blame]6147 expectedVersion: test.version,
6148 shouldFail: true,
6149 expectedLocalError: test.clientShimError,
6150 })
6151 }
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]6152
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]6153 // Test that False Start is disabled when the downgrade logic triggers.
6154 testCases = append(testCases, testCase{
6155 name: "Downgrade-FalseStart",
6156 config: Config{
6157 NextProtos: []string{"foo"},
6158 Bugs: ProtocolBugs{
6159 NegotiateVersion: VersionTLS12,
6160 ExpectFalseStart: true,
6161 AlertBeforeFalseStartTest: alertAccessDenied,
6162 },
6163 },
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]6164 expectedVersion: VersionTLS12,
6165 flags: []string{
6166 "-false-start",
6167 "-advertise-alpn", "\x03foo",
6168 "-ignore-tls13-downgrade",
6169 },
6170 shimWritesFirst: true,
6171 shouldFail: true,
6172 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
6173 expectedLocalError: "tls: peer did not false start: EOF",
6174 })
6175
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]6176 // SSL 3.0 support has been removed. Test that the shim does not
6177 // support it.
6178 testCases = append(testCases, testCase{
6179 name: "NoSSL3-Client",
6180 config: Config{
6181 MinVersion: VersionSSL30,
6182 MaxVersion: VersionSSL30,
6183 },
6184 shouldFail: true,
6185 expectedLocalError: "tls: client did not offer any supported protocol versions",
6186 })
6187 testCases = append(testCases, testCase{
6188 name: "NoSSL3-Client-Unsolicited",
6189 config: Config{
6190 MinVersion: VersionSSL30,
6191 MaxVersion: VersionSSL30,
6192 Bugs: ProtocolBugs{
6193 // The above test asserts the client does not
6194 // offer SSL 3.0 in the supported_versions
6195 // list. Additionally assert that it rejects an
6196 // unsolicited SSL 3.0 ServerHello.
6197 NegotiateVersion: VersionSSL30,
6198 },
6199 },
6200 shouldFail: true,
6201 expectedError: ":UNSUPPORTED_PROTOCOL:",
6202 expectedLocalError: "remote error: protocol version not supported",
6203 })
6204 testCases = append(testCases, testCase{
6205 testType: serverTest,
6206 name: "NoSSL3-Server",
6207 config: Config{
6208 MinVersion: VersionSSL30,
6209 MaxVersion: VersionSSL30,
6210 },
6211 shouldFail: true,
6212 expectedError: ":UNSUPPORTED_PROTOCOL:",
6213 expectedLocalError: "remote error: protocol version not supported",
6214 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6215}
6216
6217func addMinimumVersionTests() {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6218 for _, protocol := range []protocol{tls, dtls} {
6219 for _, shimVers := range allVersions(protocol) {
6220 // Assemble flags to disable all older versions on the shim.
6221 var flags []string
6222 for _, vers := range allVersions(protocol) {
6223 if vers.version < shimVers.version {
6224 flags = append(flags, vers.excludeFlag)
6225 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6226 }
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6227
6228 flags2 := []string{"-min-version", shimVers.shimFlag(protocol)}
6229
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6230 for _, runnerVers := range allVersions(protocol) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6231 suffix := shimVers.name + "-" + runnerVers.name
6232 if protocol == dtls {
6233 suffix += "-DTLS"
6234 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6235
6236 var expectedVersion uint16
6237 var shouldFail bool
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6238 var expectedError, expectedLocalError string
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6239 if runnerVers.version >= shimVers.version {
6240 expectedVersion = runnerVers.version
6241 } else {
6242 shouldFail = true
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6243 expectedError = ":UNSUPPORTED_PROTOCOL:"
6244 expectedLocalError = "remote error: protocol version not supported"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6245 }
6246
6247 testCases = append(testCases, testCase{
6248 protocol: protocol,
6249 testType: clientTest,
6250 name: "MinimumVersion-Client-" + suffix,
6251 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]6252 MaxVersion: runnerVers.version,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6253 Bugs: ProtocolBugs{
6254 // Ensure the server does not decline to
6255 // select a version (versions extension) or
6256 // cipher (some ciphers depend on versions).
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6257 NegotiateVersion: runnerVers.wire(protocol),
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6258 IgnorePeerCipherPreferences: shouldFail,
6259 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6260 },
6261 flags: flags,
6262 expectedVersion: expectedVersion,
6263 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6264 expectedError: expectedError,
6265 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6266 })
6267 testCases = append(testCases, testCase{
6268 protocol: protocol,
6269 testType: clientTest,
6270 name: "MinimumVersion-Client2-" + suffix,
6271 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]6272 MaxVersion: runnerVers.version,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6273 Bugs: ProtocolBugs{
6274 // Ensure the server does not decline to
6275 // select a version (versions extension) or
6276 // cipher (some ciphers depend on versions).
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6277 NegotiateVersion: runnerVers.wire(protocol),
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6278 IgnorePeerCipherPreferences: shouldFail,
6279 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6280 },
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6281 flags: flags2,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6282 expectedVersion: expectedVersion,
6283 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6284 expectedError: expectedError,
6285 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6286 })
6287
6288 testCases = append(testCases, testCase{
6289 protocol: protocol,
6290 testType: serverTest,
6291 name: "MinimumVersion-Server-" + suffix,
6292 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]6293 MaxVersion: runnerVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6294 },
6295 flags: flags,
6296 expectedVersion: expectedVersion,
6297 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6298 expectedError: expectedError,
6299 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6300 })
6301 testCases = append(testCases, testCase{
6302 protocol: protocol,
6303 testType: serverTest,
6304 name: "MinimumVersion-Server2-" + suffix,
6305 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]6306 MaxVersion: runnerVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6307 },
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]6308 flags: flags2,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6309 expectedVersion: expectedVersion,
6310 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6311 expectedError: expectedError,
6312 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6313 })
6314 }
6315 }
6316 }
6317}
6318
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6319func addExtensionTests() {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6320 // TODO(davidben): Extensions, where applicable, all move their server
6321 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
6322 // tests for both. Also test interaction with 0-RTT when implemented.
6323
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]6324 // Repeat extensions tests at all versions.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6325 for _, ver := range tlsVersions {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6326 // Test that duplicate extensions are rejected.
6327 testCases = append(testCases, testCase{
6328 testType: clientTest,
6329 name: "DuplicateExtensionClient-" + ver.name,
6330 config: Config{
6331 MaxVersion: ver.version,
6332 Bugs: ProtocolBugs{
6333 DuplicateExtension: true,
6334 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6335 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6336 shouldFail: true,
6337 expectedLocalError: "remote error: error decoding message",
6338 })
6339 testCases = append(testCases, testCase{
6340 testType: serverTest,
6341 name: "DuplicateExtensionServer-" + ver.name,
6342 config: Config{
6343 MaxVersion: ver.version,
6344 Bugs: ProtocolBugs{
6345 DuplicateExtension: true,
6346 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6347 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6348 shouldFail: true,
6349 expectedLocalError: "remote error: error decoding message",
6350 })
6351
6352 // Test SNI.
6353 testCases = append(testCases, testCase{
6354 testType: clientTest,
6355 name: "ServerNameExtensionClient-" + ver.name,
6356 config: Config{
6357 MaxVersion: ver.version,
6358 Bugs: ProtocolBugs{
6359 ExpectServerName: "example.com",
6360 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6361 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]6362 flags: []string{"-host-name", "example.com"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6363 })
6364 testCases = append(testCases, testCase{
6365 testType: clientTest,
6366 name: "ServerNameExtensionClientMismatch-" + ver.name,
6367 config: Config{
6368 MaxVersion: ver.version,
6369 Bugs: ProtocolBugs{
6370 ExpectServerName: "mismatch.com",
6371 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6372 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6373 flags: []string{"-host-name", "example.com"},
6374 shouldFail: true,
6375 expectedLocalError: "tls: unexpected server name",
6376 })
6377 testCases = append(testCases, testCase{
6378 testType: clientTest,
6379 name: "ServerNameExtensionClientMissing-" + ver.name,
6380 config: Config{
6381 MaxVersion: ver.version,
6382 Bugs: ProtocolBugs{
6383 ExpectServerName: "missing.com",
6384 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6385 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6386 shouldFail: true,
6387 expectedLocalError: "tls: unexpected server name",
6388 })
6389 testCases = append(testCases, testCase{
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]6390 testType: clientTest,
6391 name: "TolerateServerNameAck-" + ver.name,
6392 config: Config{
6393 MaxVersion: ver.version,
6394 Bugs: ProtocolBugs{
6395 SendServerNameAck: true,
6396 },
6397 },
6398 flags: []string{"-host-name", "example.com"},
6399 resumeSession: true,
6400 })
6401 testCases = append(testCases, testCase{
6402 testType: clientTest,
6403 name: "UnsolicitedServerNameAck-" + ver.name,
6404 config: Config{
6405 MaxVersion: ver.version,
6406 Bugs: ProtocolBugs{
6407 SendServerNameAck: true,
6408 },
6409 },
6410 shouldFail: true,
6411 expectedError: ":UNEXPECTED_EXTENSION:",
6412 expectedLocalError: "remote error: unsupported extension",
6413 })
6414 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6415 testType: serverTest,
6416 name: "ServerNameExtensionServer-" + ver.name,
6417 config: Config{
6418 MaxVersion: ver.version,
6419 ServerName: "example.com",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6420 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6421 flags: []string{"-expect-server-name", "example.com"},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6422 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6423 })
6424
6425 // Test ALPN.
6426 testCases = append(testCases, testCase{
6427 testType: clientTest,
6428 name: "ALPNClient-" + ver.name,
6429 config: Config{
6430 MaxVersion: ver.version,
6431 NextProtos: []string{"foo"},
6432 },
6433 flags: []string{
6434 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6435 "-expect-alpn", "foo",
6436 },
6437 expectedNextProto: "foo",
6438 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6439 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6440 })
6441 testCases = append(testCases, testCase{
6442 testType: clientTest,
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6443 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6444 config: Config{
6445 MaxVersion: ver.version,
6446 Bugs: ProtocolBugs{
6447 SendALPN: "baz",
6448 },
6449 },
6450 flags: []string{
6451 "-advertise-alpn", "\x03foo\x03bar",
6452 },
6453 shouldFail: true,
6454 expectedError: ":INVALID_ALPN_PROTOCOL:",
6455 expectedLocalError: "remote error: illegal parameter",
6456 })
6457 testCases = append(testCases, testCase{
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6458 testType: clientTest,
6459 name: "ALPNClient-AllowUnknown-" + ver.name,
6460 config: Config{
6461 MaxVersion: ver.version,
6462 Bugs: ProtocolBugs{
6463 SendALPN: "baz",
6464 },
6465 },
6466 flags: []string{
6467 "-advertise-alpn", "\x03foo\x03bar",
6468 "-allow-unknown-alpn-protos",
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]6469 "-expect-alpn", "baz",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6470 },
6471 })
6472 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6473 testType: serverTest,
6474 name: "ALPNServer-" + ver.name,
6475 config: Config{
6476 MaxVersion: ver.version,
6477 NextProtos: []string{"foo", "bar", "baz"},
6478 },
6479 flags: []string{
6480 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6481 "-select-alpn", "foo",
6482 },
6483 expectedNextProto: "foo",
6484 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6485 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6486 })
6487 testCases = append(testCases, testCase{
6488 testType: serverTest,
6489 name: "ALPNServer-Decline-" + ver.name,
6490 config: Config{
6491 MaxVersion: ver.version,
6492 NextProtos: []string{"foo", "bar", "baz"},
6493 },
6494 flags: []string{"-decline-alpn"},
6495 expectNoNextProto: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6496 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6497 })
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]6498 // Test that the server implementation catches itself if the
6499 // callback tries to return an invalid empty ALPN protocol.
6500 testCases = append(testCases, testCase{
6501 testType: serverTest,
6502 name: "ALPNServer-SelectEmpty-" + ver.name,
6503 config: Config{
6504 MaxVersion: ver.version,
6505 NextProtos: []string{"foo", "bar", "baz"},
6506 },
6507 flags: []string{
6508 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6509 "-select-empty-alpn",
6510 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]6511 shouldFail: true,
6512 expectedLocalError: "remote error: internal error",
6513 expectedError: ":INVALID_ALPN_PROTOCOL:",
6514 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6515
6516 // Test ALPN in async mode as well to ensure that extensions callbacks are only
6517 // called once.
6518 testCases = append(testCases, testCase{
6519 testType: serverTest,
6520 name: "ALPNServer-Async-" + ver.name,
6521 config: Config{
6522 MaxVersion: ver.version,
6523 NextProtos: []string{"foo", "bar", "baz"},
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6524 // Prior to TLS 1.3, exercise the asynchronous session callback.
6525 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6526 },
6527 flags: []string{
6528 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6529 "-select-alpn", "foo",
6530 "-async",
6531 },
6532 expectedNextProto: "foo",
6533 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6534 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6535 })
6536
6537 var emptyString string
6538 testCases = append(testCases, testCase{
6539 testType: clientTest,
6540 name: "ALPNClient-EmptyProtocolName-" + ver.name,
6541 config: Config{
6542 MaxVersion: ver.version,
6543 NextProtos: []string{""},
6544 Bugs: ProtocolBugs{
6545 // A server returning an empty ALPN protocol
6546 // should be rejected.
6547 ALPNProtocol: &emptyString,
6548 },
6549 },
6550 flags: []string{
6551 "-advertise-alpn", "\x03foo",
6552 },
6553 shouldFail: true,
6554 expectedError: ":PARSE_TLSEXT:",
6555 })
6556 testCases = append(testCases, testCase{
6557 testType: serverTest,
6558 name: "ALPNServer-EmptyProtocolName-" + ver.name,
6559 config: Config{
6560 MaxVersion: ver.version,
6561 // A ClientHello containing an empty ALPN protocol
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6562 // should be rejected.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6563 NextProtos: []string{"foo", "", "baz"},
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6564 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6565 flags: []string{
6566 "-select-alpn", "foo",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6567 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6568 shouldFail: true,
6569 expectedError: ":PARSE_TLSEXT:",
6570 })
6571
6572 // Test NPN and the interaction with ALPN.
6573 if ver.version < VersionTLS13 {
6574 // Test that the server prefers ALPN over NPN.
6575 testCases = append(testCases, testCase{
6576 testType: serverTest,
6577 name: "ALPNServer-Preferred-" + ver.name,
6578 config: Config{
6579 MaxVersion: ver.version,
6580 NextProtos: []string{"foo", "bar", "baz"},
6581 },
6582 flags: []string{
6583 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6584 "-select-alpn", "foo",
6585 "-advertise-npn", "\x03foo\x03bar\x03baz",
6586 },
6587 expectedNextProto: "foo",
6588 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6589 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6590 })
6591 testCases = append(testCases, testCase{
6592 testType: serverTest,
6593 name: "ALPNServer-Preferred-Swapped-" + ver.name,
6594 config: Config{
6595 MaxVersion: ver.version,
6596 NextProtos: []string{"foo", "bar", "baz"},
6597 Bugs: ProtocolBugs{
6598 SwapNPNAndALPN: true,
6599 },
6600 },
6601 flags: []string{
6602 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6603 "-select-alpn", "foo",
6604 "-advertise-npn", "\x03foo\x03bar\x03baz",
6605 },
6606 expectedNextProto: "foo",
6607 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6608 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6609 })
6610
6611 // Test that negotiating both NPN and ALPN is forbidden.
6612 testCases = append(testCases, testCase{
6613 name: "NegotiateALPNAndNPN-" + ver.name,
6614 config: Config{
6615 MaxVersion: ver.version,
6616 NextProtos: []string{"foo", "bar", "baz"},
6617 Bugs: ProtocolBugs{
6618 NegotiateALPNAndNPN: true,
6619 },
6620 },
6621 flags: []string{
6622 "-advertise-alpn", "\x03foo",
6623 "-select-next-proto", "foo",
6624 },
6625 shouldFail: true,
6626 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
6627 })
6628 testCases = append(testCases, testCase{
6629 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
6630 config: Config{
6631 MaxVersion: ver.version,
6632 NextProtos: []string{"foo", "bar", "baz"},
6633 Bugs: ProtocolBugs{
6634 NegotiateALPNAndNPN: true,
6635 SwapNPNAndALPN: true,
6636 },
6637 },
6638 flags: []string{
6639 "-advertise-alpn", "\x03foo",
6640 "-select-next-proto", "foo",
6641 },
6642 shouldFail: true,
6643 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
6644 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6645 }
6646
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6647 // Test Token Binding.
6648
6649 const maxTokenBindingVersion = 16
6650 const minTokenBindingVersion = 13
6651 testCases = append(testCases, testCase{
6652 testType: serverTest,
6653 name: "TokenBinding-Server-" + ver.name,
6654
6655 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6656 MinVersion: ver.version,
6657 MaxVersion: ver.version,
6658 TokenBindingParams: []byte{0, 1, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6659 TokenBindingVersion: maxTokenBindingVersion,
6660 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6661 expectTokenBinding: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6662 expectedTokenBindingParam: 2,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6663 flags: []string{
6664 "-token-binding-params",
6665 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6666 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6667 "2",
6668 },
6669 })
6670 testCases = append(testCases, testCase{
6671 testType: serverTest,
6672 name: "TokenBinding-Server-UnsupportedParam-" + ver.name,
6673
6674 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6675 MinVersion: ver.version,
6676 MaxVersion: ver.version,
6677 TokenBindingParams: []byte{3},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6678 TokenBindingVersion: maxTokenBindingVersion,
6679 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6680 flags: []string{
6681 "-token-binding-params",
6682 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6683 },
6684 })
6685 testCases = append(testCases, testCase{
6686 testType: serverTest,
6687 name: "TokenBinding-Server-OldVersion-" + ver.name,
6688
6689 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6690 MinVersion: ver.version,
6691 MaxVersion: ver.version,
6692 TokenBindingParams: []byte{0, 1, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6693 TokenBindingVersion: minTokenBindingVersion - 1,
6694 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6695 flags: []string{
6696 "-token-binding-params",
6697 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6698 },
6699 })
6700 testCases = append(testCases, testCase{
6701 testType: serverTest,
6702 name: "TokenBinding-Server-NewVersion-" + ver.name,
6703
6704 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6705 MinVersion: ver.version,
6706 MaxVersion: ver.version,
6707 TokenBindingParams: []byte{0, 1, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6708 TokenBindingVersion: maxTokenBindingVersion + 1,
6709 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6710 expectTokenBinding: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6711 expectedTokenBindingParam: 2,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6712 flags: []string{
6713 "-token-binding-params",
6714 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6715 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6716 "2",
6717 },
6718 })
6719 testCases = append(testCases, testCase{
6720 testType: serverTest,
6721 name: "TokenBinding-Server-NoParams-" + ver.name,
6722
6723 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6724 MinVersion: ver.version,
6725 MaxVersion: ver.version,
6726 TokenBindingParams: []byte{},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6727 TokenBindingVersion: maxTokenBindingVersion,
6728 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6729 flags: []string{
6730 "-token-binding-params",
6731 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6732 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6733 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6734 expectedError: ":ERROR_PARSING_EXTENSION:",
6735 })
6736 testCases = append(testCases, testCase{
6737 testType: serverTest,
6738 name: "TokenBinding-Server-RepeatedParam" + ver.name,
6739
6740 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6741 MinVersion: ver.version,
6742 MaxVersion: ver.version,
6743 TokenBindingParams: []byte{0, 1, 2, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6744 TokenBindingVersion: maxTokenBindingVersion,
6745 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6746 expectTokenBinding: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6747 expectedTokenBindingParam: 2,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6748 flags: []string{
6749 "-token-binding-params",
6750 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6751 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6752 "2",
6753 },
6754 })
6755 testCases = append(testCases, testCase{
6756 testType: clientTest,
6757 name: "TokenBinding-Client-" + ver.name,
6758
6759 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6760 MinVersion: ver.version,
6761 MaxVersion: ver.version,
6762 TokenBindingParams: []byte{2},
6763 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6764 ExpectTokenBindingParams: []byte{0, 1, 2},
6765 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6766 flags: []string{
6767 "-token-binding-params",
6768 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6769 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6770 "2",
6771 },
6772 })
6773 testCases = append(testCases, testCase{
6774 testType: clientTest,
6775 name: "TokenBinding-Client-Unexpected-" + ver.name,
6776
6777 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6778 MinVersion: ver.version,
6779 MaxVersion: ver.version,
6780 TokenBindingParams: []byte{2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6781 TokenBindingVersion: maxTokenBindingVersion,
6782 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6783 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6784 expectedError: ":UNEXPECTED_EXTENSION:",
6785 })
6786 testCases = append(testCases, testCase{
6787 testType: clientTest,
6788 name: "TokenBinding-Client-ExtraParams-" + ver.name,
6789
6790 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6791 MinVersion: ver.version,
6792 MaxVersion: ver.version,
6793 TokenBindingParams: []byte{2, 1},
6794 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6795 ExpectTokenBindingParams: []byte{0, 1, 2},
6796 },
6797 flags: []string{
6798 "-token-binding-params",
6799 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6800 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6801 "2",
6802 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6803 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6804 expectedError: ":ERROR_PARSING_EXTENSION:",
6805 })
6806 testCases = append(testCases, testCase{
6807 testType: clientTest,
6808 name: "TokenBinding-Client-NoParams-" + ver.name,
6809
6810 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6811 MinVersion: ver.version,
6812 MaxVersion: ver.version,
6813 TokenBindingParams: []byte{},
6814 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6815 ExpectTokenBindingParams: []byte{0, 1, 2},
6816 },
6817 flags: []string{
6818 "-token-binding-params",
6819 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6820 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6821 "2",
6822 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6823 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6824 expectedError: ":ERROR_PARSING_EXTENSION:",
6825 })
6826 testCases = append(testCases, testCase{
6827 testType: clientTest,
6828 name: "TokenBinding-Client-WrongParam-" + ver.name,
6829
6830 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6831 MinVersion: ver.version,
6832 MaxVersion: ver.version,
6833 TokenBindingParams: []byte{3},
6834 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6835 ExpectTokenBindingParams: []byte{0, 1, 2},
6836 },
6837 flags: []string{
6838 "-token-binding-params",
6839 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6840 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6841 "2",
6842 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6843 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6844 expectedError: ":ERROR_PARSING_EXTENSION:",
6845 })
6846 testCases = append(testCases, testCase{
6847 testType: clientTest,
6848 name: "TokenBinding-Client-OldVersion-" + ver.name,
6849
6850 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6851 MinVersion: ver.version,
6852 MaxVersion: ver.version,
6853 TokenBindingParams: []byte{2},
6854 TokenBindingVersion: minTokenBindingVersion - 1,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6855 ExpectTokenBindingParams: []byte{0, 1, 2},
6856 },
6857 flags: []string{
6858 "-token-binding-params",
6859 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6860 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6861 })
6862 testCases = append(testCases, testCase{
6863 testType: clientTest,
6864 name: "TokenBinding-Client-MinVersion-" + ver.name,
6865
6866 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6867 MinVersion: ver.version,
6868 MaxVersion: ver.version,
6869 TokenBindingParams: []byte{2},
6870 TokenBindingVersion: minTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6871 ExpectTokenBindingParams: []byte{0, 1, 2},
6872 },
6873 flags: []string{
6874 "-token-binding-params",
6875 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]6876 "-expected-token-binding-param",
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6877 "2",
6878 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6879 })
6880 testCases = append(testCases, testCase{
6881 testType: clientTest,
6882 name: "TokenBinding-Client-VersionTooNew-" + ver.name,
6883
6884 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6885 MinVersion: ver.version,
6886 MaxVersion: ver.version,
6887 TokenBindingParams: []byte{2},
6888 TokenBindingVersion: maxTokenBindingVersion + 1,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6889 ExpectTokenBindingParams: []byte{0, 1, 2},
6890 },
6891 flags: []string{
6892 "-token-binding-params",
6893 base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6894 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6895 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6896 expectedError: "ERROR_PARSING_EXTENSION",
6897 })
6898 if ver.version < VersionTLS13 {
6899 testCases = append(testCases, testCase{
6900 testType: clientTest,
6901 name: "TokenBinding-Client-NoEMS-" + ver.name,
6902
6903 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6904 MinVersion: ver.version,
6905 MaxVersion: ver.version,
6906 TokenBindingParams: []byte{2},
6907 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6908 ExpectTokenBindingParams: []byte{2, 1, 0},
6909 Bugs: ProtocolBugs{
6910 NoExtendedMasterSecret: true,
6911 },
6912 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6913 flags: []string{
6914 "-token-binding-params",
6915 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6916 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6917 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6918 expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6919 })
6920 testCases = append(testCases, testCase{
6921 testType: serverTest,
6922 name: "TokenBinding-Server-NoEMS-" + ver.name,
6923
6924 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6925 MinVersion: ver.version,
6926 MaxVersion: ver.version,
6927 TokenBindingParams: []byte{0, 1, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6928 TokenBindingVersion: maxTokenBindingVersion,
6929 Bugs: ProtocolBugs{
6930 NoExtendedMasterSecret: true,
6931 },
6932 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6933 flags: []string{
6934 "-token-binding-params",
6935 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6936 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6937 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6938 expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6939 })
6940 testCases = append(testCases, testCase{
6941 testType: clientTest,
6942 name: "TokenBinding-Client-NoRI-" + ver.name,
6943
6944 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6945 MinVersion: ver.version,
6946 MaxVersion: ver.version,
6947 TokenBindingParams: []byte{2},
6948 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6949 ExpectTokenBindingParams: []byte{2, 1, 0},
6950 Bugs: ProtocolBugs{
6951 NoRenegotiationInfo: true,
6952 },
6953 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6954 flags: []string{
6955 "-token-binding-params",
6956 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6957 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6958 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6959 expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6960 })
6961 testCases = append(testCases, testCase{
6962 testType: serverTest,
6963 name: "TokenBinding-Server-NoRI-" + ver.name,
6964
6965 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6966 MinVersion: ver.version,
6967 MaxVersion: ver.version,
6968 TokenBindingParams: []byte{0, 1, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6969 TokenBindingVersion: maxTokenBindingVersion,
6970 Bugs: ProtocolBugs{
6971 NoRenegotiationInfo: true,
6972 },
6973 },
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6974 flags: []string{
6975 "-token-binding-params",
6976 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6977 },
6978 shouldFail: true,
6979 expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6980 })
6981 } else {
6982 testCases = append(testCases, testCase{
6983 testType: clientTest,
6984 name: "TokenBinding-WithEarlyDataFails-" + ver.name,
6985 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6986 MinVersion: ver.version,
6987 MaxVersion: ver.version,
6988 TokenBindingParams: []byte{2},
6989 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6990 ExpectTokenBindingParams: []byte{2, 1, 0},
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]6991 MaxEarlyDataSize: 16384,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6992 },
6993 resumeSession: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]6994 flags: []string{
6995 "-enable-early-data",
6996 "-expect-ticket-supports-early-data",
6997 "-token-binding-params",
6998 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6999 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]7000 shouldFail: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]7001 expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:",
7002 })
7003 testCases = append(testCases, testCase{
7004 testType: serverTest,
7005 name: "TokenBinding-EarlyDataRejected-" + ver.name,
7006 config: Config{
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]7007 MinVersion: ver.version,
7008 MaxVersion: ver.version,
7009 TokenBindingParams: []byte{0, 1, 2},
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]7010 TokenBindingVersion: maxTokenBindingVersion,
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]7011 MaxEarlyDataSize: 16384,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]7012 },
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]7013 resumeSession: true,
7014 expectTokenBinding: true,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]7015 expectedTokenBindingParam: 2,
Robert Sloan978112c2018-01-22 12:53:01 -0800[diff] [blame]7016 flags: []string{
7017 "-enable-early-data",
7018 "-expect-ticket-supports-early-data",
7019 "-token-binding-params",
7020 base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
7021 },
7022 })
7023 }
7024
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7025 // Test QUIC transport params
7026 if ver.version >= VersionTLS13 {
7027 // Client sends params
7028 testCases = append(testCases, testCase{
7029 testType: clientTest,
7030 name: "QUICTransportParams-Client-" + ver.name,
7031 config: Config{
7032 MinVersion: ver.version,
7033 MaxVersion: ver.version,
7034 QUICTransportParams: []byte{1, 2},
7035 },
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7036 flags: []string{
7037 "-quic-transport-params",
7038 base64.StdEncoding.EncodeToString([]byte{3, 4}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]7039 "-expected-quic-transport-params",
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7040 base64.StdEncoding.EncodeToString([]byte{1, 2}),
7041 },
7042 expectedQUICTransportParams: []byte{3, 4},
7043 })
7044 // Server sends params
7045 testCases = append(testCases, testCase{
7046 testType: serverTest,
7047 name: "QUICTransportParams-Server-" + ver.name,
7048 config: Config{
7049 MinVersion: ver.version,
7050 MaxVersion: ver.version,
7051 QUICTransportParams: []byte{1, 2},
7052 },
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7053 flags: []string{
7054 "-quic-transport-params",
7055 base64.StdEncoding.EncodeToString([]byte{3, 4}),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]7056 "-expected-quic-transport-params",
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7057 base64.StdEncoding.EncodeToString([]byte{1, 2}),
7058 },
7059 expectedQUICTransportParams: []byte{3, 4},
7060 })
7061 } else {
7062 testCases = append(testCases, testCase{
7063 testType: clientTest,
7064 name: "QUICTransportParams-Client-NotSent-" + ver.name,
7065 config: Config{
7066 MinVersion: ver.version,
7067 MaxVersion: ver.version,
7068 },
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7069 flags: []string{
7070 "-max-version",
7071 strconv.Itoa(int(ver.version)),
7072 "-quic-transport-params",
7073 base64.StdEncoding.EncodeToString([]byte{3, 4}),
7074 },
7075 })
7076 testCases = append(testCases, testCase{
7077 testType: clientTest,
7078 name: "QUICTransportParams-Client-Rejected-" + ver.name,
7079 config: Config{
7080 MinVersion: ver.version,
7081 MaxVersion: ver.version,
7082 QUICTransportParams: []byte{1, 2},
7083 },
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7084 flags: []string{
7085 "-quic-transport-params",
7086 base64.StdEncoding.EncodeToString([]byte{3, 4}),
7087 },
7088 shouldFail: true,
7089 expectedError: ":ERROR_PARSING_EXTENSION:",
7090 })
7091 testCases = append(testCases, testCase{
7092 testType: serverTest,
7093 name: "QUICTransportParams-Server-Rejected-" + ver.name,
7094 config: Config{
7095 MinVersion: ver.version,
7096 MaxVersion: ver.version,
7097 QUICTransportParams: []byte{1, 2},
7098 },
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7099 flags: []string{
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]7100 "-expected-quic-transport-params",
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]7101 base64.StdEncoding.EncodeToString([]byte{1, 2}),
7102 },
7103 shouldFail: true,
7104 expectedError: "QUIC transport params mismatch",
7105 })
7106 testCases = append(testCases, testCase{
7107 testType: serverTest,
7108 name: "QUICTransportParams-OldServerIgnores-" + ver.name,
7109 config: Config{
7110 MaxVersion: VersionTLS13,
7111 QUICTransportParams: []byte{1, 2},
7112 },
7113 flags: []string{
7114 "-min-version", ver.shimFlag(tls),
7115 "-max-version", ver.shimFlag(tls),
7116 },
7117 })
7118 }
7119
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7120 // Test ticket behavior.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7121
7122 // Resume with a corrupt ticket.
7123 testCases = append(testCases, testCase{
7124 testType: serverTest,
7125 name: "CorruptTicket-" + ver.name,
7126 config: Config{
7127 MaxVersion: ver.version,
7128 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7129 FilterTicket: func(in []byte) ([]byte, error) {
7130 in[len(in)-1] ^= 1
7131 return in, nil
7132 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7133 },
7134 },
7135 resumeSession: true,
7136 expectResumeRejected: true,
7137 })
7138 // Test the ticket callback, with and without renewal.
7139 testCases = append(testCases, testCase{
7140 testType: serverTest,
7141 name: "TicketCallback-" + ver.name,
7142 config: Config{
7143 MaxVersion: ver.version,
7144 },
7145 resumeSession: true,
7146 flags: []string{"-use-ticket-callback"},
7147 })
7148 testCases = append(testCases, testCase{
7149 testType: serverTest,
7150 name: "TicketCallback-Renew-" + ver.name,
7151 config: Config{
7152 MaxVersion: ver.version,
7153 Bugs: ProtocolBugs{
7154 ExpectNewTicket: true,
7155 },
7156 },
7157 flags: []string{"-use-ticket-callback", "-renew-ticket"},
7158 resumeSession: true,
7159 })
7160
7161 // Test that the ticket callback is only called once when everything before
7162 // it in the ClientHello is asynchronous. This corrupts the ticket so
7163 // certificate selection callbacks run.
7164 testCases = append(testCases, testCase{
7165 testType: serverTest,
7166 name: "TicketCallback-SingleCall-" + ver.name,
7167 config: Config{
7168 MaxVersion: ver.version,
7169 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7170 FilterTicket: func(in []byte) ([]byte, error) {
7171 in[len(in)-1] ^= 1
7172 return in, nil
7173 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7174 },
7175 },
7176 resumeSession: true,
7177 expectResumeRejected: true,
7178 flags: []string{
7179 "-use-ticket-callback",
7180 "-async",
7181 },
7182 })
7183
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]7184 // Resume with various lengths of ticket session id.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7185 if ver.version < VersionTLS13 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7186 testCases = append(testCases, testCase{
7187 testType: serverTest,
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]7188 name: "TicketSessionIDLength-0-" + ver.name,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7189 config: Config{
7190 MaxVersion: ver.version,
7191 Bugs: ProtocolBugs{
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]7192 EmptyTicketSessionID: true,
7193 },
7194 },
7195 resumeSession: true,
7196 })
7197 testCases = append(testCases, testCase{
7198 testType: serverTest,
7199 name: "TicketSessionIDLength-16-" + ver.name,
7200 config: Config{
7201 MaxVersion: ver.version,
7202 Bugs: ProtocolBugs{
7203 TicketSessionIDLength: 16,
7204 },
7205 },
7206 resumeSession: true,
7207 })
7208 testCases = append(testCases, testCase{
7209 testType: serverTest,
7210 name: "TicketSessionIDLength-32-" + ver.name,
7211 config: Config{
7212 MaxVersion: ver.version,
7213 Bugs: ProtocolBugs{
7214 TicketSessionIDLength: 32,
7215 },
7216 },
7217 resumeSession: true,
7218 })
7219 testCases = append(testCases, testCase{
7220 testType: serverTest,
7221 name: "TicketSessionIDLength-33-" + ver.name,
7222 config: Config{
7223 MaxVersion: ver.version,
7224 Bugs: ProtocolBugs{
7225 TicketSessionIDLength: 33,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7226 },
7227 },
7228 resumeSession: true,
7229 shouldFail: true,
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]7230 // The maximum session ID length is 32.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7231 expectedError: ":DECODE_ERROR:",
7232 })
7233 }
7234
7235 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
7236 // are ignored.
7237 if ver.hasDTLS {
7238 testCases = append(testCases, testCase{
7239 protocol: dtls,
7240 name: "SRTP-Client-" + ver.name,
7241 config: Config{
7242 MaxVersion: ver.version,
7243 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
7244 },
7245 flags: []string{
7246 "-srtp-profiles",
7247 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7248 },
7249 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
7250 })
7251 testCases = append(testCases, testCase{
7252 protocol: dtls,
7253 testType: serverTest,
7254 name: "SRTP-Server-" + ver.name,
7255 config: Config{
7256 MaxVersion: ver.version,
7257 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
7258 },
7259 flags: []string{
7260 "-srtp-profiles",
7261 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7262 },
7263 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
7264 })
7265 // Test that the MKI is ignored.
7266 testCases = append(testCases, testCase{
7267 protocol: dtls,
7268 testType: serverTest,
7269 name: "SRTP-Server-IgnoreMKI-" + ver.name,
7270 config: Config{
7271 MaxVersion: ver.version,
7272 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
7273 Bugs: ProtocolBugs{
7274 SRTPMasterKeyIdentifer: "bogus",
7275 },
7276 },
7277 flags: []string{
7278 "-srtp-profiles",
7279 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7280 },
7281 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
7282 })
7283 // Test that SRTP isn't negotiated on the server if there were
7284 // no matching profiles.
7285 testCases = append(testCases, testCase{
7286 protocol: dtls,
7287 testType: serverTest,
7288 name: "SRTP-Server-NoMatch-" + ver.name,
7289 config: Config{
7290 MaxVersion: ver.version,
7291 SRTPProtectionProfiles: []uint16{100, 101, 102},
7292 },
7293 flags: []string{
7294 "-srtp-profiles",
7295 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7296 },
7297 expectedSRTPProtectionProfile: 0,
7298 })
7299 // Test that the server returning an invalid SRTP profile is
7300 // flagged as an error by the client.
7301 testCases = append(testCases, testCase{
7302 protocol: dtls,
7303 name: "SRTP-Client-NoMatch-" + ver.name,
7304 config: Config{
7305 MaxVersion: ver.version,
7306 Bugs: ProtocolBugs{
7307 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
7308 },
7309 },
7310 flags: []string{
7311 "-srtp-profiles",
7312 "SRTP_AES128_CM_SHA1_80",
7313 },
7314 shouldFail: true,
7315 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
7316 })
7317 }
7318
7319 // Test SCT list.
7320 testCases = append(testCases, testCase{
7321 name: "SignedCertificateTimestampList-Client-" + ver.name,
7322 testType: clientTest,
7323 config: Config{
7324 MaxVersion: ver.version,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7325 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7326 flags: []string{
7327 "-enable-signed-cert-timestamps",
7328 "-expect-signed-cert-timestamps",
7329 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7330 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7331 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7332 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7333
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7334 var differentSCTList []byte
7335 differentSCTList = append(differentSCTList, testSCTList...)
7336 differentSCTList[len(differentSCTList)-1] ^= 1
7337
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7338 // The SCT extension did not specify that it must only be sent on resumption as it
7339 // should have, so test that we tolerate but ignore it.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7340 testCases = append(testCases, testCase{
7341 name: "SendSCTListOnResume-" + ver.name,
7342 config: Config{
7343 MaxVersion: ver.version,
7344 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7345 SendSCTListOnResume: differentSCTList,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7346 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7347 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7348 flags: []string{
7349 "-enable-signed-cert-timestamps",
7350 "-expect-signed-cert-timestamps",
7351 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7352 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7353 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7354 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7355
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7356 testCases = append(testCases, testCase{
7357 name: "SignedCertificateTimestampList-Server-" + ver.name,
7358 testType: serverTest,
7359 config: Config{
7360 MaxVersion: ver.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7361 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7362 flags: []string{
7363 "-signed-cert-timestamps",
7364 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7365 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7366 expectedSCTList: testSCTList,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7367 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7368 })
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7369
7370 emptySCTListCert := *testCerts[0].cert
7371 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
7372
7373 // Test empty SCT list.
7374 testCases = append(testCases, testCase{
7375 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
7376 testType: clientTest,
7377 config: Config{
7378 MaxVersion: ver.version,
7379 Certificates: []Certificate{emptySCTListCert},
7380 },
7381 flags: []string{
7382 "-enable-signed-cert-timestamps",
7383 },
7384 shouldFail: true,
7385 expectedError: ":ERROR_PARSING_EXTENSION:",
7386 })
7387
7388 emptySCTCert := *testCerts[0].cert
7389 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
7390
7391 // Test empty SCT in non-empty list.
7392 testCases = append(testCases, testCase{
7393 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
7394 testType: clientTest,
7395 config: Config{
7396 MaxVersion: ver.version,
7397 Certificates: []Certificate{emptySCTCert},
7398 },
7399 flags: []string{
7400 "-enable-signed-cert-timestamps",
7401 },
7402 shouldFail: true,
7403 expectedError: ":ERROR_PARSING_EXTENSION:",
7404 })
7405
7406 // Test that certificate-related extensions are not sent unsolicited.
7407 testCases = append(testCases, testCase{
7408 testType: serverTest,
7409 name: "UnsolicitedCertificateExtensions-" + ver.name,
7410 config: Config{
7411 MaxVersion: ver.version,
7412 Bugs: ProtocolBugs{
7413 NoOCSPStapling: true,
7414 NoSignedCertificateTimestamps: true,
7415 },
7416 },
7417 flags: []string{
7418 "-ocsp-response",
7419 base64.StdEncoding.EncodeToString(testOCSPResponse),
7420 "-signed-cert-timestamps",
7421 base64.StdEncoding.EncodeToString(testSCTList),
7422 },
7423 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7424 }
7425
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7426 testCases = append(testCases, testCase{
7427 testType: clientTest,
7428 name: "ClientHelloPadding",
7429 config: Config{
7430 Bugs: ProtocolBugs{
7431 RequireClientHelloSize: 512,
7432 },
7433 },
7434 // This hostname just needs to be long enough to push the
7435 // ClientHello into F5's danger zone between 256 and 511 bytes
7436 // long.
7437 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7438 })
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]7439
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7440 // Test that illegal extensions in TLS 1.3 are rejected by the client if
7441 // in ServerHello.
7442 testCases = append(testCases, testCase{
7443 name: "NPN-Forbidden-TLS13",
7444 config: Config{
7445 MaxVersion: VersionTLS13,
7446 NextProtos: []string{"foo"},
7447 Bugs: ProtocolBugs{
7448 NegotiateNPNAtAllVersions: true,
7449 },
7450 },
7451 flags: []string{"-select-next-proto", "foo"},
7452 shouldFail: true,
7453 expectedError: ":ERROR_PARSING_EXTENSION:",
7454 })
7455 testCases = append(testCases, testCase{
7456 name: "EMS-Forbidden-TLS13",
7457 config: Config{
7458 MaxVersion: VersionTLS13,
7459 Bugs: ProtocolBugs{
7460 NegotiateEMSAtAllVersions: true,
7461 },
7462 },
7463 shouldFail: true,
7464 expectedError: ":ERROR_PARSING_EXTENSION:",
7465 })
7466 testCases = append(testCases, testCase{
7467 name: "RenegotiationInfo-Forbidden-TLS13",
7468 config: Config{
7469 MaxVersion: VersionTLS13,
7470 Bugs: ProtocolBugs{
7471 NegotiateRenegotiationInfoAtAllVersions: true,
7472 },
7473 },
7474 shouldFail: true,
7475 expectedError: ":ERROR_PARSING_EXTENSION:",
7476 })
7477 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7478 name: "Ticket-Forbidden-TLS13",
7479 config: Config{
7480 MaxVersion: VersionTLS12,
7481 },
7482 resumeConfig: &Config{
7483 MaxVersion: VersionTLS13,
7484 Bugs: ProtocolBugs{
7485 AdvertiseTicketExtension: true,
7486 },
7487 },
7488 resumeSession: true,
7489 shouldFail: true,
7490 expectedError: ":ERROR_PARSING_EXTENSION:",
7491 })
7492
7493 // Test that illegal extensions in TLS 1.3 are declined by the server if
7494 // offered in ClientHello. The runner's server will fail if this occurs,
7495 // so we exercise the offering path. (EMS and Renegotiation Info are
7496 // implicit in every test.)
7497 testCases = append(testCases, testCase{
7498 testType: serverTest,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7499 name: "NPN-Declined-TLS13",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7500 config: Config{
7501 MaxVersion: VersionTLS13,
7502 NextProtos: []string{"bar"},
7503 },
7504 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
7505 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7506
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7507 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
7508 // tolerated.
7509 testCases = append(testCases, testCase{
7510 name: "SendOCSPResponseOnResume-TLS12",
7511 config: Config{
7512 MaxVersion: VersionTLS12,
7513 Bugs: ProtocolBugs{
7514 SendOCSPResponseOnResume: []byte("bogus"),
7515 },
7516 },
7517 flags: []string{
7518 "-enable-ocsp-stapling",
7519 "-expect-ocsp-response",
7520 base64.StdEncoding.EncodeToString(testOCSPResponse),
7521 },
7522 resumeSession: true,
7523 })
7524
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7525 testCases = append(testCases, testCase{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7526 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7527 config: Config{
7528 MaxVersion: VersionTLS13,
7529 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7530 SendExtensionOnCertificate: testOCSPExtension,
7531 },
7532 },
7533 shouldFail: true,
7534 expectedError: ":UNEXPECTED_EXTENSION:",
7535 })
7536
7537 testCases = append(testCases, testCase{
7538 name: "SendUnsolicitedSCTOnCertificate-TLS13",
7539 config: Config{
7540 MaxVersion: VersionTLS13,
7541 Bugs: ProtocolBugs{
7542 SendExtensionOnCertificate: testSCTExtension,
7543 },
7544 },
7545 shouldFail: true,
7546 expectedError: ":UNEXPECTED_EXTENSION:",
7547 })
7548
7549 // Test that extensions on client certificates are never accepted.
7550 testCases = append(testCases, testCase{
7551 name: "SendExtensionOnClientCertificate-TLS13",
7552 testType: serverTest,
7553 config: Config{
7554 MaxVersion: VersionTLS13,
7555 Certificates: []Certificate{rsaCertificate},
7556 Bugs: ProtocolBugs{
7557 SendExtensionOnCertificate: testOCSPExtension,
7558 },
7559 },
7560 flags: []string{
7561 "-enable-ocsp-stapling",
7562 "-require-any-client-certificate",
7563 },
7564 shouldFail: true,
7565 expectedError: ":UNEXPECTED_EXTENSION:",
7566 })
7567
7568 testCases = append(testCases, testCase{
7569 name: "SendUnknownExtensionOnCertificate-TLS13",
7570 config: Config{
7571 MaxVersion: VersionTLS13,
7572 Bugs: ProtocolBugs{
7573 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
7574 },
7575 },
7576 shouldFail: true,
7577 expectedError: ":UNEXPECTED_EXTENSION:",
7578 })
7579
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7580 // Test that extensions on intermediates are allowed but ignored.
7581 testCases = append(testCases, testCase{
7582 name: "IgnoreExtensionsOnIntermediates-TLS13",
7583 config: Config{
7584 MaxVersion: VersionTLS13,
7585 Certificates: []Certificate{rsaChainCertificate},
7586 Bugs: ProtocolBugs{
7587 // Send different values on the intermediate. This tests
7588 // the intermediate's extensions do not override the
7589 // leaf's.
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]7590 SendOCSPOnIntermediates: testOCSPResponse2,
7591 SendSCTOnIntermediates: testSCTList2,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7592 },
7593 },
7594 flags: []string{
7595 "-enable-ocsp-stapling",
7596 "-expect-ocsp-response",
7597 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7598 "-enable-signed-cert-timestamps",
7599 "-expect-signed-cert-timestamps",
7600 base64.StdEncoding.EncodeToString(testSCTList),
7601 },
7602 resumeSession: true,
7603 })
7604
7605 // Test that extensions are not sent on intermediates when configured
7606 // only for a leaf.
7607 testCases = append(testCases, testCase{
7608 testType: serverTest,
7609 name: "SendNoExtensionsOnIntermediate-TLS13",
7610 config: Config{
7611 MaxVersion: VersionTLS13,
7612 Bugs: ProtocolBugs{
7613 ExpectNoExtensionsOnIntermediate: true,
7614 },
7615 },
7616 flags: []string{
7617 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
7618 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
7619 "-ocsp-response",
7620 base64.StdEncoding.EncodeToString(testOCSPResponse),
7621 "-signed-cert-timestamps",
7622 base64.StdEncoding.EncodeToString(testSCTList),
7623 },
7624 })
7625
7626 // Test that extensions are not sent on client certificates.
7627 testCases = append(testCases, testCase{
7628 name: "SendNoClientCertificateExtensions-TLS13",
7629 config: Config{
7630 MaxVersion: VersionTLS13,
7631 ClientAuth: RequireAnyClientCert,
7632 },
7633 flags: []string{
7634 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7635 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7636 "-ocsp-response",
7637 base64.StdEncoding.EncodeToString(testOCSPResponse),
7638 "-signed-cert-timestamps",
7639 base64.StdEncoding.EncodeToString(testSCTList),
7640 },
7641 })
7642
7643 testCases = append(testCases, testCase{
7644 name: "SendDuplicateExtensionsOnCerts-TLS13",
7645 config: Config{
7646 MaxVersion: VersionTLS13,
7647 Bugs: ProtocolBugs{
7648 SendDuplicateCertExtensions: true,
7649 },
7650 },
7651 flags: []string{
7652 "-enable-ocsp-stapling",
7653 "-enable-signed-cert-timestamps",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7654 },
7655 resumeSession: true,
7656 shouldFail: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7657 expectedError: ":DUPLICATE_EXTENSION:",
7658 })
7659
7660 testCases = append(testCases, testCase{
7661 name: "SignedCertificateTimestampListInvalid-Server",
7662 testType: serverTest,
7663 flags: []string{
7664 "-signed-cert-timestamps",
7665 base64.StdEncoding.EncodeToString([]byte{0, 0}),
7666 },
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]7667 shouldFail: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7668 expectedError: ":INVALID_SCT_LIST:",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7669 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7670}
7671
7672func addResumptionVersionTests() {
7673 for _, sessionVers := range tlsVersions {
7674 for _, resumeVers := range tlsVersions {
7675 protocols := []protocol{tls}
7676 if sessionVers.hasDTLS && resumeVers.hasDTLS {
7677 protocols = append(protocols, dtls)
7678 }
7679 for _, protocol := range protocols {
7680 suffix := "-" + sessionVers.name + "-" + resumeVers.name
7681 if protocol == dtls {
7682 suffix += "-DTLS"
7683 }
7684
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7685 if sessionVers.version == resumeVers.version {
7686 testCases = append(testCases, testCase{
7687 protocol: protocol,
7688 name: "Resume-Client" + suffix,
7689 resumeSession: true,
7690 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7691 MaxVersion: sessionVers.version,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7692 Bugs: ProtocolBugs{
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]7693 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7694 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7695 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7696 expectedVersion: sessionVers.version,
7697 expectedResumeVersion: resumeVers.version,
7698 })
7699 } else {
7700 testCases = append(testCases, testCase{
7701 protocol: protocol,
7702 name: "Resume-Client-Mismatch" + suffix,
7703 resumeSession: true,
7704 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7705 MaxVersion: sessionVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7706 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7707 expectedVersion: sessionVers.version,
7708 resumeConfig: &Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7709 MaxVersion: resumeVers.version,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7710 Bugs: ProtocolBugs{
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7711 AcceptAnySession: true,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7712 },
7713 },
7714 expectedResumeVersion: resumeVers.version,
7715 shouldFail: true,
Robert Sloan726e9d12018-09-11 11:45:04 -0700[diff] [blame]7716 expectedError: ":OLD_SESSION_VERSION_NOT_RETURNED:",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7717 })
7718 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7719
7720 testCases = append(testCases, testCase{
7721 protocol: protocol,
7722 name: "Resume-Client-NoResume" + suffix,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7723 resumeSession: true,
7724 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7725 MaxVersion: sessionVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7726 },
7727 expectedVersion: sessionVers.version,
7728 resumeConfig: &Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7729 MaxVersion: resumeVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7730 },
7731 newSessionsOnResume: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]7732 expectResumeRejected: true,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7733 expectedResumeVersion: resumeVers.version,
7734 })
7735
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7736 testCases = append(testCases, testCase{
7737 protocol: protocol,
7738 testType: serverTest,
7739 name: "Resume-Server" + suffix,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7740 resumeSession: true,
7741 config: Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7742 MaxVersion: sessionVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7743 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]7744 expectedVersion: sessionVers.version,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]7745 expectResumeRejected: sessionVers != resumeVers,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7746 resumeConfig: &Config{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]7747 MaxVersion: resumeVers.version,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7748 Bugs: ProtocolBugs{
7749 SendBothTickets: true,
7750 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7751 },
7752 expectedResumeVersion: resumeVers.version,
7753 })
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]7754
7755 // Repeat the test using session IDs, rather than tickets.
7756 if sessionVers.version < VersionTLS13 && resumeVers.version < VersionTLS13 {
7757 testCases = append(testCases, testCase{
7758 protocol: protocol,
7759 testType: serverTest,
7760 name: "Resume-Server-NoTickets" + suffix,
7761 resumeSession: true,
7762 config: Config{
7763 MaxVersion: sessionVers.version,
7764 SessionTicketsDisabled: true,
7765 },
7766 expectedVersion: sessionVers.version,
7767 expectResumeRejected: sessionVers != resumeVers,
7768 resumeConfig: &Config{
7769 MaxVersion: resumeVers.version,
7770 SessionTicketsDisabled: true,
7771 },
7772 expectedResumeVersion: resumeVers.version,
7773 })
7774 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7775 }
7776 }
7777 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7778
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7779 // Make sure shim ticket mutations are functional.
7780 testCases = append(testCases, testCase{
7781 testType: serverTest,
7782 name: "ShimTicketRewritable",
7783 resumeSession: true,
7784 config: Config{
7785 MaxVersion: VersionTLS12,
7786 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7787 Bugs: ProtocolBugs{
7788 FilterTicket: func(in []byte) ([]byte, error) {
7789 in, err := SetShimTicketVersion(in, VersionTLS12)
7790 if err != nil {
7791 return nil, err
7792 }
7793 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
7794 },
7795 },
7796 },
7797 flags: []string{
7798 "-ticket-key",
7799 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7800 },
7801 })
7802
7803 // Resumptions are declined if the version does not match.
7804 testCases = append(testCases, testCase{
7805 testType: serverTest,
7806 name: "Resume-Server-DeclineCrossVersion",
7807 resumeSession: true,
7808 config: Config{
7809 MaxVersion: VersionTLS12,
7810 Bugs: ProtocolBugs{
7811 ExpectNewTicket: true,
7812 FilterTicket: func(in []byte) ([]byte, error) {
7813 return SetShimTicketVersion(in, VersionTLS13)
7814 },
7815 },
7816 },
7817 flags: []string{
7818 "-ticket-key",
7819 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7820 },
7821 expectResumeRejected: true,
7822 })
7823
7824 testCases = append(testCases, testCase{
7825 testType: serverTest,
7826 name: "Resume-Server-DeclineCrossVersion-TLS13",
7827 resumeSession: true,
7828 config: Config{
7829 MaxVersion: VersionTLS13,
7830 Bugs: ProtocolBugs{
7831 FilterTicket: func(in []byte) ([]byte, error) {
7832 return SetShimTicketVersion(in, VersionTLS12)
7833 },
7834 },
7835 },
7836 flags: []string{
7837 "-ticket-key",
7838 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7839 },
7840 expectResumeRejected: true,
7841 })
7842
7843 // Resumptions are declined if the cipher is invalid or disabled.
7844 testCases = append(testCases, testCase{
7845 testType: serverTest,
7846 name: "Resume-Server-DeclineBadCipher",
7847 resumeSession: true,
7848 config: Config{
7849 MaxVersion: VersionTLS12,
7850 Bugs: ProtocolBugs{
7851 ExpectNewTicket: true,
7852 FilterTicket: func(in []byte) ([]byte, error) {
7853 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
7854 },
7855 },
7856 },
7857 flags: []string{
7858 "-ticket-key",
7859 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7860 },
7861 expectResumeRejected: true,
7862 })
7863
7864 testCases = append(testCases, testCase{
7865 testType: serverTest,
7866 name: "Resume-Server-DeclineBadCipher-2",
7867 resumeSession: true,
7868 config: Config{
7869 MaxVersion: VersionTLS12,
7870 Bugs: ProtocolBugs{
7871 ExpectNewTicket: true,
7872 FilterTicket: func(in []byte) ([]byte, error) {
7873 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
7874 },
7875 },
7876 },
7877 flags: []string{
7878 "-cipher", "AES128",
7879 "-ticket-key",
7880 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7881 },
7882 expectResumeRejected: true,
7883 })
7884
7885 // Sessions are not resumed if they do not use the preferred cipher.
7886 testCases = append(testCases, testCase{
7887 testType: serverTest,
7888 name: "Resume-Server-CipherNotPreferred",
7889 resumeSession: true,
7890 config: Config{
7891 MaxVersion: VersionTLS12,
7892 Bugs: ProtocolBugs{
7893 ExpectNewTicket: true,
7894 FilterTicket: func(in []byte) ([]byte, error) {
7895 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
7896 },
7897 },
7898 },
7899 flags: []string{
7900 "-ticket-key",
7901 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7902 },
7903 shouldFail: false,
7904 expectResumeRejected: true,
7905 })
7906
7907 // TLS 1.3 allows sessions to be resumed at a different cipher if their
7908 // PRF hashes match, but BoringSSL will always decline such resumptions.
7909 testCases = append(testCases, testCase{
7910 testType: serverTest,
7911 name: "Resume-Server-CipherNotPreferred-TLS13",
7912 resumeSession: true,
7913 config: Config{
7914 MaxVersion: VersionTLS13,
7915 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
7916 Bugs: ProtocolBugs{
7917 FilterTicket: func(in []byte) ([]byte, error) {
7918 // If the client (runner) offers ChaCha20-Poly1305 first, the
7919 // server (shim) always prefers it. Switch it to AES-GCM.
7920 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
7921 },
7922 },
7923 },
7924 flags: []string{
7925 "-ticket-key",
7926 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7927 },
7928 shouldFail: false,
7929 expectResumeRejected: true,
7930 })
7931
7932 // Sessions may not be resumed if they contain another version's cipher.
7933 testCases = append(testCases, testCase{
7934 testType: serverTest,
7935 name: "Resume-Server-DeclineBadCipher-TLS13",
7936 resumeSession: true,
7937 config: Config{
7938 MaxVersion: VersionTLS13,
7939 Bugs: ProtocolBugs{
7940 FilterTicket: func(in []byte) ([]byte, error) {
7941 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
7942 },
7943 },
7944 },
7945 flags: []string{
7946 "-ticket-key",
7947 base64.StdEncoding.EncodeToString(TestShimTicketKey),
7948 },
7949 expectResumeRejected: true,
7950 })
7951
7952 // If the client does not offer the cipher from the session, decline to
7953 // resume. Clients are forbidden from doing this, but BoringSSL selects
7954 // the cipher first, so we only decline.
7955 testCases = append(testCases, testCase{
7956 testType: serverTest,
7957 name: "Resume-Server-UnofferedCipher",
7958 resumeSession: true,
7959 config: Config{
7960 MaxVersion: VersionTLS12,
7961 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
7962 },
7963 resumeConfig: &Config{
7964 MaxVersion: VersionTLS12,
7965 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
7966 Bugs: ProtocolBugs{
7967 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7968 },
7969 },
7970 expectResumeRejected: true,
7971 })
7972
7973 // In TLS 1.3, clients may advertise a cipher list which does not
7974 // include the selected cipher. Test that we tolerate this. Servers may
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]7975 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
7976 // BoringSSL will always decline.
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7977 testCases = append(testCases, testCase{
7978 testType: serverTest,
7979 name: "Resume-Server-UnofferedCipher-TLS13",
7980 resumeSession: true,
7981 config: Config{
7982 MaxVersion: VersionTLS13,
7983 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
7984 },
7985 resumeConfig: &Config{
7986 MaxVersion: VersionTLS13,
7987 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
7988 Bugs: ProtocolBugs{
7989 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
7990 },
7991 },
7992 expectResumeRejected: true,
7993 })
7994
7995 // Sessions may not be resumed at a different cipher.
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7996 testCases = append(testCases, testCase{
7997 name: "Resume-Client-CipherMismatch",
7998 resumeSession: true,
7999 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8000 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8001 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8002 },
8003 resumeConfig: &Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8004 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8005 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8006 Bugs: ProtocolBugs{
8007 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
8008 },
8009 },
8010 shouldFail: true,
8011 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
8012 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8013
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8014 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
8015 // matches.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8016 testCases = append(testCases, testCase{
8017 name: "Resume-Client-CipherMismatch-TLS13",
8018 resumeSession: true,
8019 config: Config{
8020 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8021 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8022 },
8023 resumeConfig: &Config{
8024 MaxVersion: VersionTLS13,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8025 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
8026 },
8027 })
8028
8029 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
8030 testCases = append(testCases, testCase{
8031 name: "Resume-Client-PRFMismatch-TLS13",
8032 resumeSession: true,
8033 config: Config{
8034 MaxVersion: VersionTLS13,
8035 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
8036 },
8037 resumeConfig: &Config{
8038 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8039 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8040 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8041 SendCipherSuite: TLS_AES_256_GCM_SHA384,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8042 },
8043 },
8044 shouldFail: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8045 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
8046 })
8047
8048 testCases = append(testCases, testCase{
8049 testType: serverTest,
8050 name: "Resume-Server-BinderWrongLength",
8051 resumeSession: true,
8052 config: Config{
8053 MaxVersion: VersionTLS13,
8054 Bugs: ProtocolBugs{
8055 SendShortPSKBinder: true,
8056 },
8057 },
8058 shouldFail: true,
8059 expectedLocalError: "remote error: error decrypting message",
8060 expectedError: ":DIGEST_CHECK_FAILED:",
8061 })
8062
8063 testCases = append(testCases, testCase{
8064 testType: serverTest,
8065 name: "Resume-Server-NoPSKBinder",
8066 resumeSession: true,
8067 config: Config{
8068 MaxVersion: VersionTLS13,
8069 Bugs: ProtocolBugs{
8070 SendNoPSKBinder: true,
8071 },
8072 },
8073 shouldFail: true,
8074 expectedLocalError: "remote error: error decoding message",
8075 expectedError: ":DECODE_ERROR:",
8076 })
8077
8078 testCases = append(testCases, testCase{
8079 testType: serverTest,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]8080 name: "Resume-Server-ExtraPSKBinder",
8081 resumeSession: true,
8082 config: Config{
8083 MaxVersion: VersionTLS13,
8084 Bugs: ProtocolBugs{
8085 SendExtraPSKBinder: true,
8086 },
8087 },
8088 shouldFail: true,
8089 expectedLocalError: "remote error: illegal parameter",
8090 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
8091 })
8092
8093 testCases = append(testCases, testCase{
8094 testType: serverTest,
8095 name: "Resume-Server-ExtraIdentityNoBinder",
8096 resumeSession: true,
8097 config: Config{
8098 MaxVersion: VersionTLS13,
8099 Bugs: ProtocolBugs{
8100 ExtraPSKIdentity: true,
8101 },
8102 },
8103 shouldFail: true,
8104 expectedLocalError: "remote error: illegal parameter",
8105 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
8106 })
8107
8108 testCases = append(testCases, testCase{
8109 testType: serverTest,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8110 name: "Resume-Server-InvalidPSKBinder",
8111 resumeSession: true,
8112 config: Config{
8113 MaxVersion: VersionTLS13,
8114 Bugs: ProtocolBugs{
8115 SendInvalidPSKBinder: true,
8116 },
8117 },
8118 shouldFail: true,
8119 expectedLocalError: "remote error: error decrypting message",
8120 expectedError: ":DIGEST_CHECK_FAILED:",
8121 })
8122
8123 testCases = append(testCases, testCase{
8124 testType: serverTest,
8125 name: "Resume-Server-PSKBinderFirstExtension",
8126 resumeSession: true,
8127 config: Config{
8128 MaxVersion: VersionTLS13,
8129 Bugs: ProtocolBugs{
8130 PSKBinderFirst: true,
8131 },
8132 },
8133 shouldFail: true,
8134 expectedLocalError: "remote error: illegal parameter",
8135 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8136 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8137}
8138
8139func addRenegotiationTests() {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8140 // Servers cannot renegotiate.
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8141 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8142 testType: serverTest,
8143 name: "Renegotiate-Server-Forbidden",
8144 config: Config{
8145 MaxVersion: VersionTLS12,
8146 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8147 renegotiate: 1,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8148 shouldFail: true,
8149 expectedError: ":NO_RENEGOTIATION:",
8150 expectedLocalError: "remote error: no renegotiation",
8151 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8152 // The server shouldn't echo the renegotiation extension unless
8153 // requested by the client.
8154 testCases = append(testCases, testCase{
8155 testType: serverTest,
8156 name: "Renegotiate-Server-NoExt",
8157 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8158 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8159 Bugs: ProtocolBugs{
8160 NoRenegotiationInfo: true,
8161 RequireRenegotiationInfo: true,
8162 },
8163 },
8164 shouldFail: true,
8165 expectedLocalError: "renegotiation extension missing",
8166 })
8167 // The renegotiation SCSV should be sufficient for the server to echo
8168 // the extension.
8169 testCases = append(testCases, testCase{
8170 testType: serverTest,
8171 name: "Renegotiate-Server-NoExt-SCSV",
8172 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8173 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8174 Bugs: ProtocolBugs{
8175 NoRenegotiationInfo: true,
8176 SendRenegotiationSCSV: true,
8177 RequireRenegotiationInfo: true,
8178 },
8179 },
8180 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8181 testCases = append(testCases, testCase{
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8182 name: "Renegotiate-Client",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8183 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8184 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8185 Bugs: ProtocolBugs{
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8186 FailIfResumeOnRenego: true,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8187 },
8188 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8189 renegotiate: 1,
Robert Sloand1d118f2017-09-11 09:00:48 -0700[diff] [blame]8190 // Test renegotiation after both an initial and resumption
8191 // handshake.
8192 resumeSession: true,
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8193 flags: []string{
8194 "-renegotiate-freely",
8195 "-expect-total-renegotiations", "1",
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]8196 "-expect-secure-renegotiation",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8197 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8198 })
8199 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]8200 name: "Renegotiate-Client-TLS12",
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]8201 config: Config{
8202 MaxVersion: VersionTLS12,
8203 Bugs: ProtocolBugs{
8204 FailIfResumeOnRenego: true,
8205 },
8206 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]8207 renegotiate: 1,
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]8208 // Test renegotiation after both an initial and resumption
8209 // handshake.
8210 resumeSession: true,
8211 flags: []string{
8212 "-renegotiate-freely",
8213 "-expect-total-renegotiations", "1",
8214 "-expect-secure-renegotiation",
8215 },
8216 })
8217 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8218 name: "Renegotiate-Client-EmptyExt",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8219 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8220 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8221 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8222 Bugs: ProtocolBugs{
8223 EmptyRenegotiationInfo: true,
8224 },
8225 },
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]8226 flags: []string{"-renegotiate-freely"},
8227 shouldFail: true,
8228 expectedError: ":RENEGOTIATION_MISMATCH:",
8229 expectedLocalError: "handshake failure",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8230 })
8231 testCases = append(testCases, testCase{
8232 name: "Renegotiate-Client-BadExt",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8233 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8234 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8235 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8236 Bugs: ProtocolBugs{
8237 BadRenegotiationInfo: true,
8238 },
8239 },
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]8240 flags: []string{"-renegotiate-freely"},
8241 shouldFail: true,
8242 expectedError: ":RENEGOTIATION_MISMATCH:",
8243 expectedLocalError: "handshake failure",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8244 })
8245 testCases = append(testCases, testCase{
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]8246 name: "Renegotiate-Client-BadExt2",
8247 renegotiate: 1,
8248 config: Config{
8249 MaxVersion: VersionTLS12,
8250 Bugs: ProtocolBugs{
8251 BadRenegotiationInfoEnd: true,
8252 },
8253 },
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]8254 flags: []string{"-renegotiate-freely"},
8255 shouldFail: true,
8256 expectedError: ":RENEGOTIATION_MISMATCH:",
8257 expectedLocalError: "handshake failure",
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]8258 })
8259 testCases = append(testCases, testCase{
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8260 name: "Renegotiate-Client-Downgrade",
8261 renegotiate: 1,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8262 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8263 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8264 Bugs: ProtocolBugs{
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8265 NoRenegotiationInfoAfterInitial: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8266 },
8267 },
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]8268 flags: []string{"-renegotiate-freely"},
8269 shouldFail: true,
8270 expectedError: ":RENEGOTIATION_MISMATCH:",
8271 expectedLocalError: "handshake failure",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8272 })
8273 testCases = append(testCases, testCase{
8274 name: "Renegotiate-Client-Upgrade",
8275 renegotiate: 1,
8276 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8277 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8278 Bugs: ProtocolBugs{
8279 NoRenegotiationInfoInInitial: true,
8280 },
8281 },
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]8282 flags: []string{"-renegotiate-freely"},
8283 shouldFail: true,
8284 expectedError: ":RENEGOTIATION_MISMATCH:",
8285 expectedLocalError: "handshake failure",
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8286 })
8287 testCases = append(testCases, testCase{
8288 name: "Renegotiate-Client-NoExt-Allowed",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8289 renegotiate: 1,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8290 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8291 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8292 Bugs: ProtocolBugs{
8293 NoRenegotiationInfo: true,
8294 },
8295 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8296 flags: []string{
8297 "-renegotiate-freely",
8298 "-expect-total-renegotiations", "1",
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]8299 "-expect-no-secure-renegotiation",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8300 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8301 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8302
8303 // Test that the server may switch ciphers on renegotiation without
8304 // problems.
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8305 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8306 name: "Renegotiate-Client-SwitchCiphers",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8307 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8308 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8309 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8310 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8311 },
8312 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8313 flags: []string{
8314 "-renegotiate-freely",
8315 "-expect-total-renegotiations", "1",
8316 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8317 })
8318 testCases = append(testCases, testCase{
8319 name: "Renegotiate-Client-SwitchCiphers2",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8320 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8321 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8322 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8323 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8324 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8325 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8326 flags: []string{
8327 "-renegotiate-freely",
8328 "-expect-total-renegotiations", "1",
8329 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8330 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8331
8332 // Test that the server may not switch versions on renegotiation.
8333 testCases = append(testCases, testCase{
8334 name: "Renegotiate-Client-SwitchVersion",
8335 config: Config{
8336 MaxVersion: VersionTLS12,
8337 // Pick a cipher which exists at both versions.
8338 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
8339 Bugs: ProtocolBugs{
8340 NegotiateVersionOnRenego: VersionTLS11,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8341 // Avoid failing early at the record layer.
8342 SendRecordVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8343 },
8344 },
8345 renegotiate: 1,
8346 flags: []string{
8347 "-renegotiate-freely",
8348 "-expect-total-renegotiations", "1",
8349 },
8350 shouldFail: true,
8351 expectedError: ":WRONG_SSL_VERSION:",
8352 })
8353
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]8354 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8355 name: "Renegotiate-SameClientVersion",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8356 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8357 config: Config{
8358 MaxVersion: VersionTLS10,
8359 Bugs: ProtocolBugs{
8360 RequireSameRenegoClientVersion: true,
8361 },
8362 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8363 flags: []string{
8364 "-renegotiate-freely",
8365 "-expect-total-renegotiations", "1",
8366 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8367 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8368 testCases = append(testCases, testCase{
8369 name: "Renegotiate-FalseStart",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8370 renegotiate: 1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8371 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8372 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8373 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8374 NextProtos: []string{"foo"},
8375 },
8376 flags: []string{
8377 "-false-start",
8378 "-select-next-proto", "foo",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8379 "-renegotiate-freely",
8380 "-expect-total-renegotiations", "1",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8381 },
8382 shimWritesFirst: true,
8383 })
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8384
8385 // Client-side renegotiation controls.
8386 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8387 name: "Renegotiate-Client-Forbidden-1",
8388 config: Config{
8389 MaxVersion: VersionTLS12,
8390 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8391 renegotiate: 1,
8392 shouldFail: true,
8393 expectedError: ":NO_RENEGOTIATION:",
8394 expectedLocalError: "remote error: no renegotiation",
8395 })
8396 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8397 name: "Renegotiate-Client-Once-1",
8398 config: Config{
8399 MaxVersion: VersionTLS12,
8400 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8401 renegotiate: 1,
8402 flags: []string{
8403 "-renegotiate-once",
8404 "-expect-total-renegotiations", "1",
8405 },
8406 })
8407 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8408 name: "Renegotiate-Client-Freely-1",
8409 config: Config{
8410 MaxVersion: VersionTLS12,
8411 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8412 renegotiate: 1,
8413 flags: []string{
8414 "-renegotiate-freely",
8415 "-expect-total-renegotiations", "1",
8416 },
8417 })
8418 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8419 name: "Renegotiate-Client-Once-2",
8420 config: Config{
8421 MaxVersion: VersionTLS12,
8422 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8423 renegotiate: 2,
8424 flags: []string{"-renegotiate-once"},
8425 shouldFail: true,
8426 expectedError: ":NO_RENEGOTIATION:",
8427 expectedLocalError: "remote error: no renegotiation",
8428 })
8429 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8430 name: "Renegotiate-Client-Freely-2",
8431 config: Config{
8432 MaxVersion: VersionTLS12,
8433 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]8434 renegotiate: 2,
8435 flags: []string{
8436 "-renegotiate-freely",
8437 "-expect-total-renegotiations", "2",
8438 },
8439 })
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]8440 testCases = append(testCases, testCase{
8441 name: "Renegotiate-Client-NoIgnore",
8442 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8443 MaxVersion: VersionTLS12,
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]8444 Bugs: ProtocolBugs{
8445 SendHelloRequestBeforeEveryAppDataRecord: true,
8446 },
8447 },
8448 shouldFail: true,
8449 expectedError: ":NO_RENEGOTIATION:",
8450 })
8451 testCases = append(testCases, testCase{
8452 name: "Renegotiate-Client-Ignore",
8453 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8454 MaxVersion: VersionTLS12,
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]8455 Bugs: ProtocolBugs{
8456 SendHelloRequestBeforeEveryAppDataRecord: true,
8457 },
8458 },
8459 flags: []string{
8460 "-renegotiate-ignore",
8461 "-expect-total-renegotiations", "0",
8462 },
8463 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8464
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8465 // Renegotiation may be enabled and then disabled immediately after the
8466 // handshake.
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8467 testCases = append(testCases, testCase{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8468 name: "Renegotiate-ForbidAfterHandshake",
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8469 config: Config{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8470 MaxVersion: VersionTLS12,
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8471 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8472 renegotiate: 1,
8473 flags: []string{"-forbid-renegotiation-after-handshake"},
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8474 shouldFail: true,
8475 expectedError: ":NO_RENEGOTIATION:",
8476 expectedLocalError: "remote error: no renegotiation",
8477 })
8478
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8479 // Renegotiation is not allowed when there is an unfinished write.
8480 testCases = append(testCases, testCase{
8481 name: "Renegotiate-Client-UnfinishedWrite",
8482 config: Config{
8483 MaxVersion: VersionTLS12,
8484 },
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8485 renegotiate: 1,
8486 readWithUnfinishedWrite: true,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8487 flags: []string{
8488 "-async",
8489 "-renegotiate-freely",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8490 },
8491 shouldFail: true,
8492 expectedError: ":NO_RENEGOTIATION:",
8493 // We do not successfully send the no_renegotiation alert in
8494 // this case. https://crbug.com/boringssl/130
8495 })
8496
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]8497 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8498 testCases = append(testCases, testCase{
8499 name: "StrayHelloRequest",
8500 config: Config{
8501 MaxVersion: VersionTLS12,
8502 Bugs: ProtocolBugs{
8503 SendHelloRequestBeforeEveryHandshakeMessage: true,
8504 },
8505 },
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]8506 shouldFail: true,
8507 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8508 })
8509 testCases = append(testCases, testCase{
8510 name: "StrayHelloRequest-Packed",
8511 config: Config{
8512 MaxVersion: VersionTLS12,
8513 Bugs: ProtocolBugs{
8514 PackHandshakeFlight: true,
8515 SendHelloRequestBeforeEveryHandshakeMessage: true,
8516 },
8517 },
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]8518 shouldFail: true,
8519 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8520 })
8521
8522 // Test renegotiation works if HelloRequest and server Finished come in
8523 // the same record.
8524 testCases = append(testCases, testCase{
8525 name: "Renegotiate-Client-Packed",
8526 config: Config{
8527 MaxVersion: VersionTLS12,
8528 Bugs: ProtocolBugs{
8529 PackHandshakeFlight: true,
8530 PackHelloRequestWithFinished: true,
8531 },
8532 },
8533 renegotiate: 1,
8534 flags: []string{
8535 "-renegotiate-freely",
8536 "-expect-total-renegotiations", "1",
8537 },
8538 })
8539
8540 // Renegotiation is forbidden in TLS 1.3.
8541 testCases = append(testCases, testCase{
8542 name: "Renegotiate-Client-TLS13",
8543 config: Config{
8544 MaxVersion: VersionTLS13,
8545 Bugs: ProtocolBugs{
8546 SendHelloRequestBeforeEveryAppDataRecord: true,
8547 },
8548 },
8549 flags: []string{
8550 "-renegotiate-freely",
8551 },
8552 shouldFail: true,
8553 expectedError: ":UNEXPECTED_MESSAGE:",
8554 })
8555
8556 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
8557 testCases = append(testCases, testCase{
8558 name: "StrayHelloRequest-TLS13",
8559 config: Config{
8560 MaxVersion: VersionTLS13,
8561 Bugs: ProtocolBugs{
8562 SendHelloRequestBeforeEveryHandshakeMessage: true,
8563 },
8564 },
8565 shouldFail: true,
8566 expectedError: ":UNEXPECTED_MESSAGE:",
8567 })
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]8568
8569 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
8570 // always reads as supporting it, regardless of whether it was
8571 // negotiated.
8572 testCases = append(testCases, testCase{
8573 name: "AlwaysReportRenegotiationInfo-TLS13",
8574 config: Config{
8575 MaxVersion: VersionTLS13,
8576 Bugs: ProtocolBugs{
8577 NoRenegotiationInfo: true,
8578 },
8579 },
8580 flags: []string{
8581 "-expect-secure-renegotiation",
8582 },
8583 })
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]8584
8585 // Certificates may not change on renegotiation.
8586 testCases = append(testCases, testCase{
8587 name: "Renegotiation-CertificateChange",
8588 config: Config{
8589 MaxVersion: VersionTLS12,
8590 Certificates: []Certificate{rsaCertificate},
8591 Bugs: ProtocolBugs{
8592 RenegotiationCertificate: &rsaChainCertificate,
8593 },
8594 },
8595 renegotiate: 1,
8596 flags: []string{"-renegotiate-freely"},
8597 shouldFail: true,
8598 expectedError: ":SERVER_CERT_CHANGED:",
8599 })
8600 testCases = append(testCases, testCase{
8601 name: "Renegotiation-CertificateChange-2",
8602 config: Config{
8603 MaxVersion: VersionTLS12,
8604 Certificates: []Certificate{rsaCertificate},
8605 Bugs: ProtocolBugs{
8606 RenegotiationCertificate: &rsa1024Certificate,
8607 },
8608 },
8609 renegotiate: 1,
8610 flags: []string{"-renegotiate-freely"},
8611 shouldFail: true,
8612 expectedError: ":SERVER_CERT_CHANGED:",
8613 })
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8614
8615 // We do not negotiate ALPN after the initial handshake. This is
8616 // error-prone and only risks bugs in consumers.
8617 testCases = append(testCases, testCase{
8618 testType: clientTest,
8619 name: "Renegotiation-ForbidALPN",
8620 config: Config{
8621 MaxVersion: VersionTLS12,
8622 Bugs: ProtocolBugs{
8623 // Forcibly negotiate ALPN on both initial and
8624 // renegotiation handshakes. The test stack will
8625 // internally check the client does not offer
8626 // it.
8627 SendALPN: "foo",
8628 },
8629 },
8630 flags: []string{
8631 "-advertise-alpn", "\x03foo\x03bar\x03baz",
8632 "-expect-alpn", "foo",
8633 "-renegotiate-freely",
8634 },
8635 renegotiate: 1,
8636 shouldFail: true,
8637 expectedError: ":UNEXPECTED_EXTENSION:",
8638 })
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]8639
8640 // The server may send different stapled OCSP responses or SCT lists on
8641 // renegotiation, but BoringSSL ignores this and reports the old values.
8642 // Also test that non-fatal verify results are preserved.
8643 testCases = append(testCases, testCase{
8644 testType: clientTest,
8645 name: "Renegotiation-ChangeAuthProperties",
8646 config: Config{
8647 MaxVersion: VersionTLS12,
8648 Bugs: ProtocolBugs{
8649 SendOCSPResponseOnRenegotiation: testOCSPResponse2,
8650 SendSCTListOnRenegotiation: testSCTList2,
8651 },
8652 },
8653 renegotiate: 1,
8654 flags: []string{
8655 "-renegotiate-freely",
8656 "-expect-total-renegotiations", "1",
8657 "-enable-ocsp-stapling",
8658 "-expect-ocsp-response",
8659 base64.StdEncoding.EncodeToString(testOCSPResponse),
8660 "-enable-signed-cert-timestamps",
8661 "-expect-signed-cert-timestamps",
8662 base64.StdEncoding.EncodeToString(testSCTList),
8663 "-verify-fail",
8664 "-expect-verify-result",
8665 },
8666 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8667}
8668
8669func addDTLSReplayTests() {
8670 // Test that sequence number replays are detected.
8671 testCases = append(testCases, testCase{
8672 protocol: dtls,
8673 name: "DTLS-Replay",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8674 messageCount: 200,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8675 replayWrites: true,
8676 })
8677
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8678 // Test the incoming sequence number skipping by values larger
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8679 // than the retransmit window.
8680 testCases = append(testCases, testCase{
8681 protocol: dtls,
8682 name: "DTLS-Replay-LargeGaps",
8683 config: Config{
8684 Bugs: ProtocolBugs{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8685 SequenceNumberMapping: func(in uint64) uint64 {
8686 return in * 127
8687 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8688 },
8689 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8690 messageCount: 200,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8691 replayWrites: true,
8692 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8693
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8694 // Test the incoming sequence number changing non-monotonically.
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]8695 testCases = append(testCases, testCase{
8696 protocol: dtls,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8697 name: "DTLS-Replay-NonMonotonic",
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]8698 config: Config{
8699 Bugs: ProtocolBugs{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8700 SequenceNumberMapping: func(in uint64) uint64 {
8701 return in ^ 31
8702 },
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]8703 },
8704 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8705 messageCount: 200,
8706 replayWrites: true,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8707 })
8708}
8709
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8710var testSignatureAlgorithms = []struct {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8711 name string
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8712 id signatureAlgorithm
8713 cert testCert
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8714}{
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]8715 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
8716 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
8717 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
8718 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
8719 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]8720 // The “P256” in the following line is not a mistake. In TLS 1.2 the
8721 // hash function doesn't have to match the curve and so the same
8722 // signature algorithm works with P-224.
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]8723 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
8724 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
8725 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
8726 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
8727 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
8728 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
8729 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8730 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8731 // Tests for key types prior to TLS 1.2.
8732 {"RSA", 0, testCertRSA},
8733 {"ECDSA", 0, testCertECDSAP256},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8734}
8735
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8736const fakeSigAlg1 signatureAlgorithm = 0x2a01
8737const fakeSigAlg2 signatureAlgorithm = 0xff01
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8738
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8739func addSignatureAlgorithmTests() {
8740 // Not all ciphers involve a signature. Advertise a list which gives all
8741 // versions a signing cipher.
8742 signingCiphers := []uint16{
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]8743 TLS_AES_256_GCM_SHA384,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8744 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
8745 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
8746 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
8747 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8748 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8749
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8750 var allAlgorithms []signatureAlgorithm
8751 for _, alg := range testSignatureAlgorithms {
8752 if alg.id != 0 {
8753 allAlgorithms = append(allAlgorithms, alg.id)
8754 }
8755 }
8756
8757 // Make sure each signature algorithm works. Include some fake values in
8758 // the list and ensure they're ignored.
8759 for _, alg := range testSignatureAlgorithms {
8760 for _, ver := range tlsVersions {
8761 if (ver.version < VersionTLS12) != (alg.id == 0) {
8762 continue
8763 }
8764
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8765 var shouldSignFail, shouldVerifyFail bool
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8766 // ecdsa_sha1 does not exist in TLS 1.3.
8767 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8768 shouldSignFail = true
8769 shouldVerifyFail = true
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8770 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8771 // RSA-PKCS1 does not exist in TLS 1.3.
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]8772 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
8773 shouldSignFail = true
8774 shouldVerifyFail = true
8775 }
8776 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
8777 // the curve has to match the hash size.
8778 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8779 shouldSignFail = true
8780 shouldVerifyFail = true
8781 }
8782
8783 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
8784 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
8785 shouldVerifyFail = true
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8786 }
8787
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8788 var signError, signLocalError, verifyError, verifyLocalError string
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8789 if shouldSignFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8790 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8791 signLocalError = "remote error: handshake failure"
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8792 }
8793 if shouldVerifyFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8794 verifyError = ":WRONG_SIGNATURE_TYPE:"
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8795 verifyLocalError = "remote error"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8796 }
8797
8798 suffix := "-" + alg.name + "-" + ver.name
8799
8800 testCases = append(testCases, testCase{
8801 name: "ClientAuth-Sign" + suffix,
8802 config: Config{
8803 MaxVersion: ver.version,
8804 ClientAuth: RequireAnyClientCert,
8805 VerifySignatureAlgorithms: []signatureAlgorithm{
8806 fakeSigAlg1,
8807 alg.id,
8808 fakeSigAlg2,
8809 },
8810 },
8811 flags: []string{
8812 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8813 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8814 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8815 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8816 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8817 shouldFail: shouldSignFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8818 expectedError: signError,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8819 expectedLocalError: signLocalError,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8820 expectedPeerSignatureAlgorithm: alg.id,
8821 })
8822
8823 testCases = append(testCases, testCase{
8824 testType: serverTest,
8825 name: "ClientAuth-Verify" + suffix,
8826 config: Config{
8827 MaxVersion: ver.version,
8828 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8829 SignSignatureAlgorithms: []signatureAlgorithm{
8830 alg.id,
8831 },
8832 Bugs: ProtocolBugs{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8833 SkipECDSACurveCheck: shouldVerifyFail,
8834 IgnoreSignatureVersionChecks: shouldVerifyFail,
8835 // Some signature algorithms may not be advertised.
8836 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8837 },
8838 },
8839 flags: []string{
8840 "-require-any-client-certificate",
8841 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
8842 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8843 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8844 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8845 // Resume the session to assert the peer signature
8846 // algorithm is reported on both handshakes.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8847 resumeSession: !shouldVerifyFail,
8848 shouldFail: shouldVerifyFail,
8849 expectedError: verifyError,
8850 expectedLocalError: verifyLocalError,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8851 })
8852
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8853 testCases = append(testCases, testCase{
8854 testType: serverTest,
8855 name: "ServerAuth-Sign" + suffix,
8856 config: Config{
8857 MaxVersion: ver.version,
8858 CipherSuites: signingCiphers,
8859 VerifySignatureAlgorithms: []signatureAlgorithm{
8860 fakeSigAlg1,
8861 alg.id,
8862 fakeSigAlg2,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8863 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8864 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8865 flags: []string{
8866 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8867 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8868 "-enable-all-curves",
8869 "-enable-ed25519",
8870 },
8871 shouldFail: shouldSignFail,
8872 expectedError: signError,
8873 expectedLocalError: signLocalError,
8874 expectedPeerSignatureAlgorithm: alg.id,
8875 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8876
8877 testCases = append(testCases, testCase{
8878 name: "ServerAuth-Verify" + suffix,
8879 config: Config{
8880 MaxVersion: ver.version,
8881 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8882 CipherSuites: signingCiphers,
8883 SignSignatureAlgorithms: []signatureAlgorithm{
8884 alg.id,
8885 },
8886 Bugs: ProtocolBugs{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8887 SkipECDSACurveCheck: shouldVerifyFail,
8888 IgnoreSignatureVersionChecks: shouldVerifyFail,
8889 // Some signature algorithms may not be advertised.
8890 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8891 },
8892 },
8893 flags: []string{
8894 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
8895 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8896 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8897 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8898 // Resume the session to assert the peer signature
8899 // algorithm is reported on both handshakes.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8900 resumeSession: !shouldVerifyFail,
8901 shouldFail: shouldVerifyFail,
8902 expectedError: verifyError,
8903 expectedLocalError: verifyLocalError,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8904 })
8905
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8906 if !shouldVerifyFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8907 testCases = append(testCases, testCase{
8908 testType: serverTest,
8909 name: "ClientAuth-InvalidSignature" + suffix,
8910 config: Config{
8911 MaxVersion: ver.version,
8912 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8913 SignSignatureAlgorithms: []signatureAlgorithm{
8914 alg.id,
8915 },
8916 Bugs: ProtocolBugs{
8917 InvalidSignature: true,
8918 },
8919 },
8920 flags: []string{
8921 "-require-any-client-certificate",
8922 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8923 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8924 },
8925 shouldFail: true,
8926 expectedError: ":BAD_SIGNATURE:",
8927 })
8928
8929 testCases = append(testCases, testCase{
8930 name: "ServerAuth-InvalidSignature" + suffix,
8931 config: Config{
8932 MaxVersion: ver.version,
8933 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8934 CipherSuites: signingCiphers,
8935 SignSignatureAlgorithms: []signatureAlgorithm{
8936 alg.id,
8937 },
8938 Bugs: ProtocolBugs{
8939 InvalidSignature: true,
8940 },
8941 },
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8942 flags: []string{
8943 "-enable-all-curves",
8944 "-enable-ed25519",
8945 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8946 shouldFail: true,
8947 expectedError: ":BAD_SIGNATURE:",
8948 })
8949 }
8950
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8951 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8952 testCases = append(testCases, testCase{
8953 name: "ClientAuth-Sign-Negotiate" + suffix,
8954 config: Config{
8955 MaxVersion: ver.version,
8956 ClientAuth: RequireAnyClientCert,
8957 VerifySignatureAlgorithms: allAlgorithms,
8958 },
8959 flags: []string{
8960 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8961 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8962 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8963 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8964 "-signing-prefs", strconv.Itoa(int(alg.id)),
8965 },
8966 expectedPeerSignatureAlgorithm: alg.id,
8967 })
8968
8969 testCases = append(testCases, testCase{
8970 testType: serverTest,
8971 name: "ServerAuth-Sign-Negotiate" + suffix,
8972 config: Config{
8973 MaxVersion: ver.version,
8974 CipherSuites: signingCiphers,
8975 VerifySignatureAlgorithms: allAlgorithms,
8976 },
8977 flags: []string{
8978 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8979 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8980 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]8981 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8982 "-signing-prefs", strconv.Itoa(int(alg.id)),
8983 },
8984 expectedPeerSignatureAlgorithm: alg.id,
8985 })
8986 }
8987 }
8988 }
8989
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]8990 // Test the peer's verify preferences are available.
8991 for _, ver := range tlsVersions {
8992 if ver.version < VersionTLS12 {
8993 continue
8994 }
8995 testCases = append(testCases, testCase{
8996 name: "ClientAuth-PeerVerifyPrefs-" + ver.name,
8997 config: Config{
8998 MaxVersion: ver.version,
8999 ClientAuth: RequireAnyClientCert,
9000 VerifySignatureAlgorithms: []signatureAlgorithm{
9001 signatureRSAPSSWithSHA256,
9002 signatureEd25519,
9003 signatureECDSAWithP256AndSHA256,
9004 },
9005 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]9006 flags: []string{
9007 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9008 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9009 "-expect-peer-verify-pref", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
9010 "-expect-peer-verify-pref", strconv.Itoa(int(signatureEd25519)),
9011 "-expect-peer-verify-pref", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
9012 },
9013 })
9014
9015 testCases = append(testCases, testCase{
9016 testType: serverTest,
9017 name: "ServerAuth-PeerVerifyPrefs-" + ver.name,
9018 config: Config{
9019 MaxVersion: ver.version,
9020 VerifySignatureAlgorithms: []signatureAlgorithm{
9021 signatureRSAPSSWithSHA256,
9022 signatureEd25519,
9023 signatureECDSAWithP256AndSHA256,
9024 },
9025 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]9026 flags: []string{
9027 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9028 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9029 "-expect-peer-verify-pref", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
9030 "-expect-peer-verify-pref", strconv.Itoa(int(signatureEd25519)),
9031 "-expect-peer-verify-pref", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
9032 },
9033 })
9034
9035 }
9036
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9037 // Test that algorithm selection takes the key type into account.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9038 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9039 name: "ClientAuth-SignatureType",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9040 config: Config{
9041 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9042 MaxVersion: VersionTLS12,
9043 VerifySignatureAlgorithms: []signatureAlgorithm{
9044 signatureECDSAWithP521AndSHA512,
9045 signatureRSAPKCS1WithSHA384,
9046 signatureECDSAWithSHA1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9047 },
9048 },
9049 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9050 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9051 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9052 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9053 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9054 })
9055
9056 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9057 name: "ClientAuth-SignatureType-TLS13",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9058 config: Config{
9059 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9060 MaxVersion: VersionTLS13,
9061 VerifySignatureAlgorithms: []signatureAlgorithm{
9062 signatureECDSAWithP521AndSHA512,
9063 signatureRSAPKCS1WithSHA384,
9064 signatureRSAPSSWithSHA384,
9065 signatureECDSAWithSHA1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9066 },
9067 },
9068 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9069 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9070 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9071 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9072 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9073 })
9074
9075 testCases = append(testCases, testCase{
9076 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9077 name: "ServerAuth-SignatureType",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9078 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9079 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9080 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9081 VerifySignatureAlgorithms: []signatureAlgorithm{
9082 signatureECDSAWithP521AndSHA512,
9083 signatureRSAPKCS1WithSHA384,
9084 signatureECDSAWithSHA1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9085 },
9086 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9087 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]9088 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9089
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9090 testCases = append(testCases, testCase{
9091 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9092 name: "ServerAuth-SignatureType-TLS13",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9093 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9094 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9095 VerifySignatureAlgorithms: []signatureAlgorithm{
9096 signatureECDSAWithP521AndSHA512,
9097 signatureRSAPKCS1WithSHA384,
9098 signatureRSAPSSWithSHA384,
9099 signatureECDSAWithSHA1,
9100 },
9101 },
9102 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
9103 })
9104
9105 // Test that signature verification takes the key type into account.
9106 testCases = append(testCases, testCase{
9107 testType: serverTest,
9108 name: "Verify-ClientAuth-SignatureType",
9109 config: Config{
9110 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9111 Certificates: []Certificate{rsaCertificate},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9112 SignSignatureAlgorithms: []signatureAlgorithm{
9113 signatureRSAPKCS1WithSHA256,
9114 },
9115 Bugs: ProtocolBugs{
9116 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9117 },
9118 },
9119 flags: []string{
9120 "-require-any-client-certificate",
9121 },
9122 shouldFail: true,
9123 expectedError: ":WRONG_SIGNATURE_TYPE:",
9124 })
9125
9126 testCases = append(testCases, testCase{
9127 testType: serverTest,
9128 name: "Verify-ClientAuth-SignatureType-TLS13",
9129 config: Config{
9130 MaxVersion: VersionTLS13,
9131 Certificates: []Certificate{rsaCertificate},
9132 SignSignatureAlgorithms: []signatureAlgorithm{
9133 signatureRSAPSSWithSHA256,
9134 },
9135 Bugs: ProtocolBugs{
9136 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9137 },
9138 },
9139 flags: []string{
9140 "-require-any-client-certificate",
9141 },
9142 shouldFail: true,
9143 expectedError: ":WRONG_SIGNATURE_TYPE:",
9144 })
9145
9146 testCases = append(testCases, testCase{
9147 name: "Verify-ServerAuth-SignatureType",
9148 config: Config{
9149 MaxVersion: VersionTLS12,
9150 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9151 SignSignatureAlgorithms: []signatureAlgorithm{
9152 signatureRSAPKCS1WithSHA256,
9153 },
9154 Bugs: ProtocolBugs{
9155 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9156 },
9157 },
9158 shouldFail: true,
9159 expectedError: ":WRONG_SIGNATURE_TYPE:",
9160 })
9161
9162 testCases = append(testCases, testCase{
9163 name: "Verify-ServerAuth-SignatureType-TLS13",
9164 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9165 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9166 SignSignatureAlgorithms: []signatureAlgorithm{
9167 signatureRSAPSSWithSHA256,
9168 },
9169 Bugs: ProtocolBugs{
9170 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9171 },
9172 },
9173 shouldFail: true,
9174 expectedError: ":WRONG_SIGNATURE_TYPE:",
9175 })
9176
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]9177 // Test that, if the ClientHello list is missing, the server falls back
9178 // to SHA-1 in TLS 1.2, but not TLS 1.3.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9179 testCases = append(testCases, testCase{
9180 testType: serverTest,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]9181 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9182 config: Config{
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]9183 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9184 VerifySignatureAlgorithms: []signatureAlgorithm{
9185 signatureRSAPKCS1WithSHA1,
9186 },
9187 Bugs: ProtocolBugs{
9188 NoSignatureAlgorithms: true,
9189 },
9190 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]9191 flags: []string{
9192 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9193 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9194 },
9195 })
9196
9197 testCases = append(testCases, testCase{
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]9198 testType: serverTest,
9199 name: "ServerAuth-SHA1-Fallback-ECDSA",
9200 config: Config{
9201 MaxVersion: VersionTLS12,
9202 VerifySignatureAlgorithms: []signatureAlgorithm{
9203 signatureECDSAWithSHA1,
9204 },
9205 Bugs: ProtocolBugs{
9206 NoSignatureAlgorithms: true,
9207 },
9208 },
9209 flags: []string{
9210 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
9211 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
9212 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9213 })
9214
9215 testCases = append(testCases, testCase{
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]9216 testType: serverTest,
9217 name: "ServerAuth-NoFallback-TLS13",
9218 config: Config{
9219 MaxVersion: VersionTLS13,
9220 VerifySignatureAlgorithms: []signatureAlgorithm{
9221 signatureRSAPKCS1WithSHA1,
9222 },
9223 Bugs: ProtocolBugs{
9224 NoSignatureAlgorithms: true,
9225 },
9226 },
9227 shouldFail: true,
9228 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9229 })
9230
9231 // The CertificateRequest list, however, may never be omitted. It is a
9232 // syntax error for it to be empty.
9233 testCases = append(testCases, testCase{
9234 name: "ClientAuth-NoFallback-RSA",
9235 config: Config{
9236 MaxVersion: VersionTLS12,
9237 ClientAuth: RequireAnyClientCert,
9238 VerifySignatureAlgorithms: []signatureAlgorithm{
9239 signatureRSAPKCS1WithSHA1,
9240 },
9241 Bugs: ProtocolBugs{
9242 NoSignatureAlgorithms: true,
9243 },
9244 },
9245 flags: []string{
9246 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9247 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9248 },
9249 shouldFail: true,
9250 expectedError: ":DECODE_ERROR:",
9251 expectedLocalError: "remote error: error decoding message",
9252 })
9253
9254 testCases = append(testCases, testCase{
9255 name: "ClientAuth-NoFallback-ECDSA",
9256 config: Config{
9257 MaxVersion: VersionTLS12,
9258 ClientAuth: RequireAnyClientCert,
9259 VerifySignatureAlgorithms: []signatureAlgorithm{
9260 signatureECDSAWithSHA1,
9261 },
9262 Bugs: ProtocolBugs{
9263 NoSignatureAlgorithms: true,
9264 },
9265 },
9266 flags: []string{
9267 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
9268 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
9269 },
9270 shouldFail: true,
9271 expectedError: ":DECODE_ERROR:",
9272 expectedLocalError: "remote error: error decoding message",
9273 })
9274
9275 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9276 name: "ClientAuth-NoFallback-TLS13",
9277 config: Config{
9278 MaxVersion: VersionTLS13,
9279 ClientAuth: RequireAnyClientCert,
9280 VerifySignatureAlgorithms: []signatureAlgorithm{
9281 signatureRSAPKCS1WithSHA1,
9282 },
9283 Bugs: ProtocolBugs{
9284 NoSignatureAlgorithms: true,
9285 },
9286 },
9287 flags: []string{
9288 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9289 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9290 },
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]9291 shouldFail: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9292 expectedError: ":DECODE_ERROR:",
9293 expectedLocalError: "remote error: error decoding message",
9294 })
9295
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]9296 // Test that signature preferences are enforced. BoringSSL does not
9297 // implement MD5 signatures.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9298 testCases = append(testCases, testCase{
9299 testType: serverTest,
9300 name: "ClientAuth-Enforced",
9301 config: Config{
9302 MaxVersion: VersionTLS12,
9303 Certificates: []Certificate{rsaCertificate},
9304 SignSignatureAlgorithms: []signatureAlgorithm{
9305 signatureRSAPKCS1WithMD5,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9306 },
9307 Bugs: ProtocolBugs{
9308 IgnorePeerSignatureAlgorithmPreferences: true,
9309 },
9310 },
9311 flags: []string{"-require-any-client-certificate"},
9312 shouldFail: true,
9313 expectedError: ":WRONG_SIGNATURE_TYPE:",
9314 })
9315
9316 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9317 name: "ServerAuth-Enforced",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9318 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9319 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9320 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9321 SignSignatureAlgorithms: []signatureAlgorithm{
9322 signatureRSAPKCS1WithMD5,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9323 },
9324 Bugs: ProtocolBugs{
9325 IgnorePeerSignatureAlgorithmPreferences: true,
9326 },
9327 },
9328 shouldFail: true,
9329 expectedError: ":WRONG_SIGNATURE_TYPE:",
9330 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9331 testCases = append(testCases, testCase{
9332 testType: serverTest,
9333 name: "ClientAuth-Enforced-TLS13",
9334 config: Config{
9335 MaxVersion: VersionTLS13,
9336 Certificates: []Certificate{rsaCertificate},
9337 SignSignatureAlgorithms: []signatureAlgorithm{
9338 signatureRSAPKCS1WithMD5,
9339 },
9340 Bugs: ProtocolBugs{
9341 IgnorePeerSignatureAlgorithmPreferences: true,
9342 IgnoreSignatureVersionChecks: true,
9343 },
9344 },
9345 flags: []string{"-require-any-client-certificate"},
9346 shouldFail: true,
9347 expectedError: ":WRONG_SIGNATURE_TYPE:",
9348 })
9349
9350 testCases = append(testCases, testCase{
9351 name: "ServerAuth-Enforced-TLS13",
9352 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9353 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9354 SignSignatureAlgorithms: []signatureAlgorithm{
9355 signatureRSAPKCS1WithMD5,
9356 },
9357 Bugs: ProtocolBugs{
9358 IgnorePeerSignatureAlgorithmPreferences: true,
9359 IgnoreSignatureVersionChecks: true,
9360 },
9361 },
9362 shouldFail: true,
9363 expectedError: ":WRONG_SIGNATURE_TYPE:",
9364 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9365
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]9366 // Test that the negotiated signature algorithm respects the client and
9367 // server preferences.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9368 testCases = append(testCases, testCase{
9369 name: "NoCommonAlgorithms",
9370 config: Config{
9371 MaxVersion: VersionTLS12,
9372 ClientAuth: RequireAnyClientCert,
9373 VerifySignatureAlgorithms: []signatureAlgorithm{
9374 signatureRSAPKCS1WithSHA512,
9375 signatureRSAPKCS1WithSHA1,
9376 },
9377 },
9378 flags: []string{
9379 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9380 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9381 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9382 },
9383 shouldFail: true,
9384 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9385 })
9386 testCases = append(testCases, testCase{
9387 name: "NoCommonAlgorithms-TLS13",
9388 config: Config{
9389 MaxVersion: VersionTLS13,
9390 ClientAuth: RequireAnyClientCert,
9391 VerifySignatureAlgorithms: []signatureAlgorithm{
9392 signatureRSAPSSWithSHA512,
9393 signatureRSAPSSWithSHA384,
9394 },
9395 },
9396 flags: []string{
9397 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9398 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9399 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
9400 },
9401 shouldFail: true,
9402 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9403 })
9404 testCases = append(testCases, testCase{
9405 name: "Agree-Digest-SHA256",
9406 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9407 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9408 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9409 VerifySignatureAlgorithms: []signatureAlgorithm{
9410 signatureRSAPKCS1WithSHA1,
9411 signatureRSAPKCS1WithSHA256,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9412 },
9413 },
9414 flags: []string{
9415 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9416 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]9417 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9418 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA1)),
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9419 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9420 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9421 })
9422 testCases = append(testCases, testCase{
9423 name: "Agree-Digest-SHA1",
9424 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9425 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9426 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9427 VerifySignatureAlgorithms: []signatureAlgorithm{
9428 signatureRSAPKCS1WithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9429 },
9430 },
9431 flags: []string{
9432 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9433 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]9434 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA512)),
9435 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9436 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA1)),
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9437 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9438 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9439 })
9440 testCases = append(testCases, testCase{
9441 name: "Agree-Digest-Default",
9442 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9443 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9444 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9445 VerifySignatureAlgorithms: []signatureAlgorithm{
9446 signatureRSAPKCS1WithSHA256,
9447 signatureECDSAWithP256AndSHA256,
9448 signatureRSAPKCS1WithSHA1,
9449 signatureECDSAWithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9450 },
9451 },
9452 flags: []string{
9453 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9454 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9455 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9456 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
9457 })
9458
9459 // Test that the signing preference list may include extra algorithms
9460 // without negotiation problems.
9461 testCases = append(testCases, testCase{
9462 testType: serverTest,
9463 name: "FilterExtraAlgorithms",
9464 config: Config{
9465 MaxVersion: VersionTLS12,
9466 VerifySignatureAlgorithms: []signatureAlgorithm{
9467 signatureRSAPKCS1WithSHA256,
9468 },
9469 },
9470 flags: []string{
9471 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9472 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9473 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
9474 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
9475 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9476 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
9477 },
9478 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
9479 })
9480
9481 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
9482 // signature algorithms.
9483 testCases = append(testCases, testCase{
9484 name: "CheckLeafCurve",
9485 config: Config{
9486 MaxVersion: VersionTLS12,
9487 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
9488 Certificates: []Certificate{ecdsaP256Certificate},
9489 },
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]9490 flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9491 shouldFail: true,
9492 expectedError: ":BAD_ECC_CERT:",
9493 })
9494
9495 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
9496 testCases = append(testCases, testCase{
9497 name: "CheckLeafCurve-TLS13",
9498 config: Config{
9499 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9500 Certificates: []Certificate{ecdsaP256Certificate},
9501 },
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]9502 flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9503 })
9504
9505 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
9506 testCases = append(testCases, testCase{
9507 name: "ECDSACurveMismatch-Verify-TLS12",
9508 config: Config{
9509 MaxVersion: VersionTLS12,
9510 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
9511 Certificates: []Certificate{ecdsaP256Certificate},
9512 SignSignatureAlgorithms: []signatureAlgorithm{
9513 signatureECDSAWithP384AndSHA384,
9514 },
9515 },
9516 })
9517
9518 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
9519 testCases = append(testCases, testCase{
9520 name: "ECDSACurveMismatch-Verify-TLS13",
9521 config: Config{
9522 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9523 Certificates: []Certificate{ecdsaP256Certificate},
9524 SignSignatureAlgorithms: []signatureAlgorithm{
9525 signatureECDSAWithP384AndSHA384,
9526 },
9527 Bugs: ProtocolBugs{
9528 SkipECDSACurveCheck: true,
9529 },
9530 },
9531 shouldFail: true,
9532 expectedError: ":WRONG_SIGNATURE_TYPE:",
9533 })
9534
9535 // Signature algorithm selection in TLS 1.3 should take the curve into
9536 // account.
9537 testCases = append(testCases, testCase{
9538 testType: serverTest,
9539 name: "ECDSACurveMismatch-Sign-TLS13",
9540 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9541 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9542 VerifySignatureAlgorithms: []signatureAlgorithm{
9543 signatureECDSAWithP384AndSHA384,
9544 signatureECDSAWithP256AndSHA256,
9545 },
9546 },
9547 flags: []string{
9548 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
9549 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
9550 },
9551 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9552 })
9553
9554 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
9555 // server does not attempt to sign in that case.
9556 testCases = append(testCases, testCase{
9557 testType: serverTest,
9558 name: "RSA-PSS-Large",
9559 config: Config{
9560 MaxVersion: VersionTLS13,
9561 VerifySignatureAlgorithms: []signatureAlgorithm{
9562 signatureRSAPSSWithSHA512,
9563 },
9564 },
9565 flags: []string{
9566 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
9567 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
9568 },
9569 shouldFail: true,
9570 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]9571 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]9572
9573 // Test that RSA-PSS is enabled by default for TLS 1.2.
9574 testCases = append(testCases, testCase{
9575 testType: clientTest,
9576 name: "RSA-PSS-Default-Verify",
9577 config: Config{
9578 MaxVersion: VersionTLS12,
9579 SignSignatureAlgorithms: []signatureAlgorithm{
9580 signatureRSAPSSWithSHA256,
9581 },
9582 },
9583 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9584 })
9585
9586 testCases = append(testCases, testCase{
9587 testType: serverTest,
9588 name: "RSA-PSS-Default-Sign",
9589 config: Config{
9590 MaxVersion: VersionTLS12,
9591 VerifySignatureAlgorithms: []signatureAlgorithm{
9592 signatureRSAPSSWithSHA256,
9593 },
9594 },
9595 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9596 })
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]9597
9598 // TLS 1.1 and below has no way to advertise support for or negotiate
9599 // Ed25519's signature algorithm.
9600 testCases = append(testCases, testCase{
9601 testType: clientTest,
9602 name: "NoEd25519-TLS11-ServerAuth-Verify",
9603 config: Config{
9604 MaxVersion: VersionTLS11,
9605 Certificates: []Certificate{ed25519Certificate},
9606 Bugs: ProtocolBugs{
9607 // Sign with Ed25519 even though it is TLS 1.1.
9608 UseLegacySigningAlgorithm: signatureEd25519,
9609 },
9610 },
9611 flags: []string{"-enable-ed25519"},
9612 shouldFail: true,
9613 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
9614 })
9615 testCases = append(testCases, testCase{
9616 testType: serverTest,
9617 name: "NoEd25519-TLS11-ServerAuth-Sign",
9618 config: Config{
9619 MaxVersion: VersionTLS11,
9620 },
9621 flags: []string{
9622 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
9623 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
9624 },
9625 shouldFail: true,
9626 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9627 })
9628 testCases = append(testCases, testCase{
9629 testType: serverTest,
9630 name: "NoEd25519-TLS11-ClientAuth-Verify",
9631 config: Config{
9632 MaxVersion: VersionTLS11,
9633 Certificates: []Certificate{ed25519Certificate},
9634 Bugs: ProtocolBugs{
9635 // Sign with Ed25519 even though it is TLS 1.1.
9636 UseLegacySigningAlgorithm: signatureEd25519,
9637 },
9638 },
9639 flags: []string{
9640 "-enable-ed25519",
9641 "-require-any-client-certificate",
9642 },
9643 shouldFail: true,
9644 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
9645 })
9646 testCases = append(testCases, testCase{
9647 testType: clientTest,
9648 name: "NoEd25519-TLS11-ClientAuth-Sign",
9649 config: Config{
9650 MaxVersion: VersionTLS11,
9651 ClientAuth: RequireAnyClientCert,
9652 },
9653 flags: []string{
9654 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
9655 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
9656 },
9657 shouldFail: true,
9658 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9659 })
9660
9661 // Test Ed25519 is not advertised by default.
9662 testCases = append(testCases, testCase{
9663 testType: clientTest,
9664 name: "Ed25519DefaultDisable-NoAdvertise",
9665 config: Config{
9666 Certificates: []Certificate{ed25519Certificate},
9667 },
9668 shouldFail: true,
9669 expectedLocalError: "tls: no common signature algorithms",
9670 })
9671
9672 // Test Ed25519, when disabled, is not accepted if the peer ignores our
9673 // preferences.
9674 testCases = append(testCases, testCase{
9675 testType: clientTest,
9676 name: "Ed25519DefaultDisable-NoAccept",
9677 config: Config{
9678 Certificates: []Certificate{ed25519Certificate},
9679 Bugs: ProtocolBugs{
9680 IgnorePeerSignatureAlgorithmPreferences: true,
9681 },
9682 },
9683 shouldFail: true,
9684 expectedLocalError: "remote error: illegal parameter",
9685 expectedError: ":WRONG_SIGNATURE_TYPE:",
9686 })
9687
9688 // Test that configuring verify preferences changes what the client
9689 // advertises.
9690 testCases = append(testCases, testCase{
9691 name: "VerifyPreferences-Advertised",
9692 config: Config{
9693 Certificates: []Certificate{rsaCertificate},
9694 SignSignatureAlgorithms: []signatureAlgorithm{
9695 signatureRSAPSSWithSHA256,
9696 signatureRSAPSSWithSHA384,
9697 signatureRSAPSSWithSHA512,
9698 },
9699 },
9700 flags: []string{
9701 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9702 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9703 },
9704 })
9705
9706 // Test that the client advertises a set which the runner can find
9707 // nothing in common with.
9708 testCases = append(testCases, testCase{
9709 name: "VerifyPreferences-NoCommonAlgorithms",
9710 config: Config{
9711 Certificates: []Certificate{rsaCertificate},
9712 SignSignatureAlgorithms: []signatureAlgorithm{
9713 signatureRSAPSSWithSHA256,
9714 signatureRSAPSSWithSHA512,
9715 },
9716 },
9717 flags: []string{
9718 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9719 },
9720 shouldFail: true,
9721 expectedLocalError: "tls: no common signature algorithms",
9722 })
9723
9724 // Test that the client enforces its preferences when configured.
9725 testCases = append(testCases, testCase{
9726 name: "VerifyPreferences-Enforced",
9727 config: Config{
9728 Certificates: []Certificate{rsaCertificate},
9729 SignSignatureAlgorithms: []signatureAlgorithm{
9730 signatureRSAPSSWithSHA256,
9731 signatureRSAPSSWithSHA512,
9732 },
9733 Bugs: ProtocolBugs{
9734 IgnorePeerSignatureAlgorithmPreferences: true,
9735 },
9736 },
9737 flags: []string{
9738 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9739 },
9740 shouldFail: true,
9741 expectedLocalError: "remote error: illegal parameter",
9742 expectedError: ":WRONG_SIGNATURE_TYPE:",
9743 })
9744
9745 // Test that explicitly configuring Ed25519 is as good as changing the
9746 // boolean toggle.
9747 testCases = append(testCases, testCase{
9748 name: "VerifyPreferences-Ed25519",
9749 config: Config{
9750 Certificates: []Certificate{ed25519Certificate},
9751 },
9752 flags: []string{
9753 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
9754 },
9755 })
Robert Sloan5cbb5c82018-04-24 11:35:46 -0700[diff] [blame]9756
9757 rsaPSSSupportTests := []struct {
9758 name string
9759 expectRSAPSSSupport RSAPSSSupport
9760 verifyPrefs []signatureAlgorithm
9761 noCerts bool
9762 }{
9763 // By default, RSA-PSS is fully advertised.
9764 {
9765 name: "Default",
9766 expectRSAPSSSupport: RSAPSSSupportBoth,
9767 },
9768 // Disabling RSA-PSS certificates makes it online-signature-only.
9769 {
9770 name: "Default-NoCerts",
9771 expectRSAPSSSupport: RSAPSSSupportOnlineSignatureOnly,
9772 noCerts: true,
9773 },
9774 // The above also apply if verify preferences were explicitly configured.
9775 {
9776 name: "ConfigPSS",
9777 expectRSAPSSSupport: RSAPSSSupportBoth,
9778 verifyPrefs: []signatureAlgorithm{signatureRSAPSSWithSHA256, signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9779 },
9780 {
9781 name: "ConfigPSS-NoCerts",
9782 expectRSAPSSSupport: RSAPSSSupportOnlineSignatureOnly,
9783 verifyPrefs: []signatureAlgorithm{signatureRSAPSSWithSHA256, signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9784 noCerts: true,
9785 },
9786 // If verify preferences were explicitly configured without RSA-PSS support,
9787 // NoCerts is a no-op and the shim correctly only sends one extension.
9788 // (This is checked internally in the runner.)
9789 {
9790 name: "ConfigNoPSS",
9791 expectRSAPSSSupport: RSAPSSSupportNone,
9792 verifyPrefs: []signatureAlgorithm{signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9793 },
9794 {
9795 name: "ConfigNoPSS-NoCerts",
9796 expectRSAPSSSupport: RSAPSSSupportNone,
9797 verifyPrefs: []signatureAlgorithm{signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9798 noCerts: true,
9799 },
9800 }
9801
9802 for _, test := range rsaPSSSupportTests {
9803 var pssFlags []string
9804 for _, pref := range test.verifyPrefs {
9805 pssFlags = append(pssFlags, "-verify-prefs", strconv.Itoa(int(pref)))
9806 }
9807 if test.noCerts {
9808 pssFlags = append(pssFlags, "-no-rsa-pss-rsae-certs")
9809 }
9810 for _, ver := range tlsVersions {
9811 if ver.version < VersionTLS12 {
9812 continue
9813 }
9814
9815 // TLS 1.2 cannot express different RSAPSSSupportOnlineSignatureOnly,
9816 // so it decays to RSAPSSSupportNone.
9817 expect := test.expectRSAPSSSupport
9818 if ver.version < VersionTLS13 && expect == RSAPSSSupportOnlineSignatureOnly {
9819 expect = RSAPSSSupportNone
9820 }
9821
9822 // If the configuration results in no RSA-PSS support, the handshake won't complete.
9823 // (The test, however, still covers the RSA-PSS assertion.)
9824 var localError string
9825 var shouldFail bool
9826 if ver.version >= VersionTLS13 && expect == RSAPSSSupportNone {
9827 shouldFail = true
9828 localError = "tls: no common signature algorithms"
9829 }
9830
9831 flags := []string{"-max-version", ver.shimFlag(tls)}
9832 flags = append(flags, pssFlags...)
9833 testCases = append(testCases, testCase{
9834 name: fmt.Sprintf("RSAPSSSupport-%s-%s-Client", test.name, ver.name),
9835 config: Config{
9836 MinVersion: ver.version,
9837 MaxVersion: ver.version,
9838 Certificates: []Certificate{rsaCertificate},
9839 Bugs: ProtocolBugs{
9840 ExpectRSAPSSSupport: expect,
9841 },
9842 },
Robert Sloan5cbb5c82018-04-24 11:35:46 -0700[diff] [blame]9843 flags: flags,
9844 shouldFail: shouldFail,
9845 expectedLocalError: localError,
9846 })
9847
9848 serverFlags := []string{"-require-any-client-certificate"}
9849 serverFlags = append(flags, serverFlags...)
9850 testCases = append(testCases, testCase{
9851 testType: serverTest,
9852 name: fmt.Sprintf("RSAPSSSupport-%s-%s-Server", test.name, ver.name),
9853 config: Config{
9854 MinVersion: ver.version,
9855 MaxVersion: ver.version,
9856 Certificates: []Certificate{rsaCertificate},
9857 Bugs: ProtocolBugs{
9858 ExpectRSAPSSSupport: expect,
9859 },
9860 },
Robert Sloan5cbb5c82018-04-24 11:35:46 -0700[diff] [blame]9861 flags: serverFlags,
9862 shouldFail: shouldFail,
9863 expectedLocalError: localError,
9864 })
9865 }
9866 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9867}
9868
9869// timeouts is the retransmit schedule for BoringSSL. It doubles and
9870// caps at 60 seconds. On the 13th timeout, it gives up.
9871var timeouts = []time.Duration{
9872 1 * time.Second,
9873 2 * time.Second,
9874 4 * time.Second,
9875 8 * time.Second,
9876 16 * time.Second,
9877 32 * time.Second,
9878 60 * time.Second,
9879 60 * time.Second,
9880 60 * time.Second,
9881 60 * time.Second,
9882 60 * time.Second,
9883 60 * time.Second,
9884 60 * time.Second,
9885}
9886
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]9887// shortTimeouts is an alternate set of timeouts which would occur if the
9888// initial timeout duration was set to 250ms.
9889var shortTimeouts = []time.Duration{
9890 250 * time.Millisecond,
9891 500 * time.Millisecond,
9892 1 * time.Second,
9893 2 * time.Second,
9894 4 * time.Second,
9895 8 * time.Second,
9896 16 * time.Second,
9897 32 * time.Second,
9898 60 * time.Second,
9899 60 * time.Second,
9900 60 * time.Second,
9901 60 * time.Second,
9902 60 * time.Second,
9903}
9904
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9905func addDTLSRetransmitTests() {
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]9906 // These tests work by coordinating some behavior on both the shim and
9907 // the runner.
9908 //
9909 // TimeoutSchedule configures the runner to send a series of timeout
9910 // opcodes to the shim (see packetAdaptor) immediately before reading
9911 // each peer handshake flight N. The timeout opcode both simulates a
9912 // timeout in the shim and acts as a synchronization point to help the
9913 // runner bracket each handshake flight.
9914 //
9915 // We assume the shim does not read from the channel eagerly. It must
9916 // first wait until it has sent flight N and is ready to receive
9917 // handshake flight N+1. At this point, it will process the timeout
9918 // opcode. It must then immediately respond with a timeout ACK and act
9919 // as if the shim was idle for the specified amount of time.
9920 //
9921 // The runner then drops all packets received before the ACK and
9922 // continues waiting for flight N. This ordering results in one attempt
9923 // at sending flight N to be dropped. For the test to complete, the
9924 // shim must send flight N again, testing that the shim implements DTLS
9925 // retransmit on a timeout.
9926
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9927 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
9928 // likely be more epochs to cross and the final message's retransmit may
9929 // be more complex.
9930
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9931 // Test that this is indeed the timeout schedule. Stress all
9932 // four patterns of handshake.
9933 for i := 1; i < len(timeouts); i++ {
9934 number := strconv.Itoa(i)
9935 testCases = append(testCases, testCase{
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9936 protocol: dtls,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9937 name: "DTLS-Retransmit-Client-" + number,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9938 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9939 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9940 Bugs: ProtocolBugs{
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9941 TimeoutSchedule: timeouts[:i],
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9942 },
9943 },
9944 resumeSession: true,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9945 flags: []string{"-async"},
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9946 })
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9947 testCases = append(testCases, testCase{
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9948 protocol: dtls,
9949 testType: serverTest,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9950 name: "DTLS-Retransmit-Server-" + number,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9951 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9952 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9953 Bugs: ProtocolBugs{
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9954 TimeoutSchedule: timeouts[:i],
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9955 },
9956 },
9957 resumeSession: true,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9958 flags: []string{"-async"},
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]9959 })
9960 }
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]9961
9962 // Test that exceeding the timeout schedule hits a read
9963 // timeout.
9964 testCases = append(testCases, testCase{
9965 protocol: dtls,
9966 name: "DTLS-Retransmit-Timeout",
9967 config: Config{
9968 MaxVersion: VersionTLS12,
9969 Bugs: ProtocolBugs{
9970 TimeoutSchedule: timeouts,
9971 },
9972 },
9973 resumeSession: true,
9974 flags: []string{"-async"},
9975 shouldFail: true,
9976 expectedError: ":READ_TIMEOUT_EXPIRED:",
9977 })
9978
9979 // Test that timeout handling has a fudge factor, due to API
9980 // problems.
9981 testCases = append(testCases, testCase{
9982 protocol: dtls,
9983 name: "DTLS-Retransmit-Fudge",
9984 config: Config{
9985 MaxVersion: VersionTLS12,
9986 Bugs: ProtocolBugs{
9987 TimeoutSchedule: []time.Duration{
9988 timeouts[0] - 10*time.Millisecond,
9989 },
9990 },
9991 },
9992 resumeSession: true,
9993 flags: []string{"-async"},
9994 })
9995
9996 // Test that the final Finished retransmitting isn't
9997 // duplicated if the peer badly fragments everything.
9998 testCases = append(testCases, testCase{
9999 testType: serverTest,
10000 protocol: dtls,
10001 name: "DTLS-Retransmit-Fragmented",
10002 config: Config{
10003 MaxVersion: VersionTLS12,
10004 Bugs: ProtocolBugs{
10005 TimeoutSchedule: []time.Duration{timeouts[0]},
10006 MaxHandshakeRecordLength: 2,
10007 },
10008 },
10009 flags: []string{"-async"},
10010 })
10011
10012 // Test the timeout schedule when a shorter initial timeout duration is set.
10013 testCases = append(testCases, testCase{
10014 protocol: dtls,
10015 name: "DTLS-Retransmit-Short-Client",
10016 config: Config{
10017 MaxVersion: VersionTLS12,
10018 Bugs: ProtocolBugs{
10019 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
10020 },
10021 },
10022 resumeSession: true,
10023 flags: []string{
10024 "-async",
10025 "-initial-timeout-duration-ms", "250",
10026 },
10027 })
10028 testCases = append(testCases, testCase{
10029 protocol: dtls,
10030 testType: serverTest,
10031 name: "DTLS-Retransmit-Short-Server",
10032 config: Config{
10033 MaxVersion: VersionTLS12,
10034 Bugs: ProtocolBugs{
10035 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
10036 },
10037 },
10038 resumeSession: true,
10039 flags: []string{
10040 "-async",
10041 "-initial-timeout-duration-ms", "250",
10042 },
10043 })
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]10044
10045 // If the shim sends the last Finished (server full or client resume
10046 // handshakes), it must retransmit that Finished when it sees a
10047 // post-handshake penultimate Finished from the runner. The above tests
10048 // cover this. Conversely, if the shim sends the penultimate Finished
10049 // (client full or server resume), test that it does not retransmit.
10050 testCases = append(testCases, testCase{
10051 protocol: dtls,
10052 testType: clientTest,
10053 name: "DTLS-StrayRetransmitFinished-ClientFull",
10054 config: Config{
10055 MaxVersion: VersionTLS12,
10056 Bugs: ProtocolBugs{
10057 RetransmitFinished: true,
10058 },
10059 },
10060 })
10061 testCases = append(testCases, testCase{
10062 protocol: dtls,
10063 testType: serverTest,
10064 name: "DTLS-StrayRetransmitFinished-ServerResume",
10065 config: Config{
10066 MaxVersion: VersionTLS12,
10067 },
10068 resumeConfig: &Config{
10069 MaxVersion: VersionTLS12,
10070 Bugs: ProtocolBugs{
10071 RetransmitFinished: true,
10072 },
10073 },
10074 resumeSession: true,
10075 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]10076}
10077
10078func addExportKeyingMaterialTests() {
10079 for _, vers := range tlsVersions {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]10080 testCases = append(testCases, testCase{
10081 name: "ExportKeyingMaterial-" + vers.name,
10082 config: Config{
10083 MaxVersion: vers.version,
10084 },
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10085 // Test the exporter in both initial and resumption
10086 // handshakes.
10087 resumeSession: true,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]10088 exportKeyingMaterial: 1024,
10089 exportLabel: "label",
10090 exportContext: "context",
10091 useExportContext: true,
10092 })
10093 testCases = append(testCases, testCase{
10094 name: "ExportKeyingMaterial-NoContext-" + vers.name,
10095 config: Config{
10096 MaxVersion: vers.version,
10097 },
10098 exportKeyingMaterial: 1024,
10099 })
10100 testCases = append(testCases, testCase{
10101 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
10102 config: Config{
10103 MaxVersion: vers.version,
10104 },
10105 exportKeyingMaterial: 1024,
10106 useExportContext: true,
10107 })
10108 testCases = append(testCases, testCase{
10109 name: "ExportKeyingMaterial-Small-" + vers.name,
10110 config: Config{
10111 MaxVersion: vers.version,
10112 },
10113 exportKeyingMaterial: 1,
10114 exportLabel: "label",
10115 exportContext: "context",
10116 useExportContext: true,
10117 })
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10118
10119 if vers.version >= VersionTLS13 {
10120 // Test the exporters do not work while the client is
10121 // sending 0-RTT data.
10122 testCases = append(testCases, testCase{
10123 name: "NoEarlyKeyingMaterial-Client-InEarlyData-" + vers.name,
10124 config: Config{
10125 MaxVersion: vers.version,
10126 MaxEarlyDataSize: 16384,
10127 },
10128 resumeSession: true,
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10129 flags: []string{
10130 "-enable-early-data",
10131 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]10132 "-expect-accept-early-data",
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10133 "-on-resume-export-keying-material", "1024",
10134 "-on-resume-export-label", "label",
10135 "-on-resume-export-context", "context",
10136 },
10137 shouldFail: true,
10138 expectedError: ":HANDSHAKE_NOT_COMPLETE:",
10139 })
10140
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]10141 // Test the early exporter works while the client is
10142 // sending 0-RTT data. This data arrives during the
10143 // server handshake, so we test it with ProtocolBugs.
10144 testCases = append(testCases, testCase{
10145 name: "ExportEarlyKeyingMaterial-Client-InEarlyData-" + vers.name,
10146 config: Config{
10147 MaxVersion: vers.version,
10148 MaxEarlyDataSize: 16384,
10149 },
10150 resumeConfig: &Config{
10151 MaxVersion: vers.version,
10152 MaxEarlyDataSize: 16384,
10153 Bugs: ProtocolBugs{
10154 ExpectEarlyKeyingMaterial: 1024,
10155 ExpectEarlyKeyingLabel: "label",
10156 ExpectEarlyKeyingContext: "context",
10157 },
10158 },
10159 resumeSession: true,
10160 flags: []string{
10161 "-enable-early-data",
10162 "-expect-ticket-supports-early-data",
10163 "-expect-accept-early-data",
10164 "-on-resume-export-early-keying-material", "1024",
10165 "-on-resume-export-label", "label",
10166 "-on-resume-export-context", "context",
10167 },
10168 })
10169
10170 // Test the early exporter still works on the client
10171 // after the handshake is confirmed. This arrives after
10172 // the server handshake, so the normal hooks work.
10173 testCases = append(testCases, testCase{
10174 name: "ExportEarlyKeyingMaterial-Client-EarlyDataAccept-" + vers.name,
10175 config: Config{
10176 MaxVersion: vers.version,
10177 MaxEarlyDataSize: 16384,
10178 },
10179 resumeConfig: &Config{
10180 MaxVersion: vers.version,
10181 MaxEarlyDataSize: 16384,
10182 },
10183 resumeSession: true,
10184 exportEarlyKeyingMaterial: 1024,
10185 exportLabel: "label",
10186 exportContext: "context",
10187 flags: []string{
10188 "-enable-early-data",
10189 "-expect-ticket-supports-early-data",
10190 "-expect-accept-early-data",
10191 // Handshake twice on the client to force
10192 // handshake confirmation.
10193 "-handshake-twice",
10194 },
10195 })
10196
10197 // Test the early exporter does not work on the client
10198 // if 0-RTT was not offered.
10199 testCases = append(testCases, testCase{
10200 name: "NoExportEarlyKeyingMaterial-Client-Initial-" + vers.name,
10201 config: Config{
10202 MaxVersion: vers.version,
10203 },
10204 flags: []string{"-export-early-keying-material", "1024"},
10205 shouldFail: true,
10206 expectedError: ":EARLY_DATA_NOT_IN_USE:",
10207 })
10208 testCases = append(testCases, testCase{
10209 name: "NoExportEarlyKeyingMaterial-Client-Resume-" + vers.name,
10210 config: Config{
10211 MaxVersion: vers.version,
10212 },
10213 resumeSession: true,
10214 flags: []string{"-on-resume-export-early-keying-material", "1024"},
10215 shouldFail: true,
10216 expectedError: ":EARLY_DATA_NOT_IN_USE:",
10217 })
10218
10219 // Test the early exporter does not work on the client
10220 // after a 0-RTT reject.
10221 testCases = append(testCases, testCase{
10222 name: "NoExportEarlyKeyingMaterial-Client-EarlyDataReject-" + vers.name,
10223 config: Config{
10224 MaxVersion: vers.version,
10225 MaxEarlyDataSize: 16384,
10226 Bugs: ProtocolBugs{
10227 AlwaysRejectEarlyData: true,
10228 },
10229 },
10230 resumeSession: true,
10231 flags: []string{
10232 "-enable-early-data",
10233 "-expect-ticket-supports-early-data",
10234 "-expect-reject-early-data",
10235 "-on-retry-export-early-keying-material", "1024",
10236 },
10237 shouldFail: true,
10238 expectedError: ":EARLY_DATA_NOT_IN_USE:",
10239 })
10240
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10241 // Test the normal exporter on the server in half-RTT.
10242 testCases = append(testCases, testCase{
10243 testType: serverTest,
10244 name: "ExportKeyingMaterial-Server-HalfRTT-" + vers.name,
10245 config: Config{
10246 MaxVersion: vers.version,
10247 Bugs: ProtocolBugs{
10248 SendEarlyData: [][]byte{},
10249 ExpectEarlyDataAccepted: true,
10250 },
10251 },
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10252 resumeSession: true,
10253 exportKeyingMaterial: 1024,
10254 exportLabel: "label",
10255 exportContext: "context",
10256 useExportContext: true,
10257 flags: []string{"-enable-early-data"},
10258 })
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]10259
10260 // Test the early exporter works on the server in half-RTT.
10261 testCases = append(testCases, testCase{
10262 testType: serverTest,
10263 name: "ExportEarlyKeyingMaterial-Server-HalfRTT-" + vers.name,
10264 config: Config{
10265 MaxVersion: vers.version,
10266 Bugs: ProtocolBugs{
10267 SendEarlyData: [][]byte{},
10268 ExpectEarlyDataAccepted: true,
10269 },
10270 },
10271 resumeSession: true,
10272 exportEarlyKeyingMaterial: 1024,
10273 exportLabel: "label",
10274 exportContext: "context",
10275 flags: []string{"-enable-early-data"},
10276 })
10277
10278 // Test the early exporter does not work on the server
10279 // if 0-RTT was not offered.
10280 testCases = append(testCases, testCase{
10281 testType: serverTest,
10282 name: "NoExportEarlyKeyingMaterial-Server-Initial-" + vers.name,
10283 config: Config{
10284 MaxVersion: vers.version,
10285 },
10286 flags: []string{"-export-early-keying-material", "1024"},
10287 shouldFail: true,
10288 expectedError: ":EARLY_DATA_NOT_IN_USE:",
10289 })
10290 testCases = append(testCases, testCase{
10291 testType: serverTest,
10292 name: "NoExportEarlyKeyingMaterial-Server-Resume-" + vers.name,
10293 config: Config{
10294 MaxVersion: vers.version,
10295 },
10296 resumeSession: true,
10297 flags: []string{"-on-resume-export-early-keying-material", "1024"},
10298 shouldFail: true,
10299 expectedError: ":EARLY_DATA_NOT_IN_USE:",
10300 })
10301 } else {
10302 // Test the early exporter fails before TLS 1.3.
10303 testCases = append(testCases, testCase{
10304 name: "NoExportEarlyKeyingMaterial-Client-" + vers.name,
10305 config: Config{
10306 MaxVersion: vers.version,
10307 },
10308 resumeSession: true,
10309 exportEarlyKeyingMaterial: 1024,
10310 exportLabel: "label",
10311 exportContext: "context",
10312 shouldFail: true,
10313 expectedError: ":WRONG_SSL_VERSION:",
10314 })
10315 testCases = append(testCases, testCase{
10316 testType: serverTest,
10317 name: "NoExportEarlyKeyingMaterial-Server-" + vers.name,
10318 config: Config{
10319 MaxVersion: vers.version,
10320 },
10321 resumeSession: true,
10322 exportEarlyKeyingMaterial: 1024,
10323 exportLabel: "label",
10324 exportContext: "context",
10325 shouldFail: true,
10326 expectedError: ":WRONG_SSL_VERSION:",
10327 })
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]10328 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]10329 }
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10330
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10331 // Exporters work during a False Start.
10332 testCases = append(testCases, testCase{
10333 name: "ExportKeyingMaterial-FalseStart",
10334 config: Config{
10335 MaxVersion: VersionTLS12,
10336 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10337 NextProtos: []string{"foo"},
10338 Bugs: ProtocolBugs{
10339 ExpectFalseStart: true,
10340 },
10341 },
10342 flags: []string{
10343 "-false-start",
10344 "-advertise-alpn", "\x03foo",
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]10345 "-expect-alpn", "foo",
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10346 },
10347 shimWritesFirst: true,
10348 exportKeyingMaterial: 1024,
10349 exportLabel: "label",
10350 exportContext: "context",
10351 useExportContext: true,
10352 })
10353
10354 // Exporters do not work in the middle of a renegotiation. Test this by
10355 // triggering the exporter after every SSL_read call and configuring the
10356 // shim to run asynchronously.
10357 testCases = append(testCases, testCase{
10358 name: "ExportKeyingMaterial-Renegotiate",
10359 config: Config{
10360 MaxVersion: VersionTLS12,
10361 },
10362 renegotiate: 1,
10363 flags: []string{
10364 "-async",
10365 "-use-exporter-between-reads",
10366 "-renegotiate-freely",
10367 "-expect-total-renegotiations", "1",
10368 },
10369 shouldFail: true,
10370 expectedError: "failed to export keying material",
10371 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]10372}
10373
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10374func addExportTrafficSecretsTests() {
10375 for _, cipherSuite := range []testCipherSuite{
10376 // Test a SHA-256 and SHA-384 based cipher suite.
10377 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
10378 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
10379 } {
10380
10381 testCases = append(testCases, testCase{
10382 name: "ExportTrafficSecrets-" + cipherSuite.name,
10383 config: Config{
10384 MinVersion: VersionTLS13,
10385 CipherSuites: []uint16{cipherSuite.id},
10386 },
10387 exportTrafficSecrets: true,
10388 })
10389 }
10390}
10391
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]10392func addTLSUniqueTests() {
10393 for _, isClient := range []bool{false, true} {
10394 for _, isResumption := range []bool{false, true} {
10395 for _, hasEMS := range []bool{false, true} {
10396 var suffix string
10397 if isResumption {
10398 suffix = "Resume-"
10399 } else {
10400 suffix = "Full-"
10401 }
10402
10403 if hasEMS {
10404 suffix += "EMS-"
10405 } else {
10406 suffix += "NoEMS-"
10407 }
10408
10409 if isClient {
10410 suffix += "Client"
10411 } else {
10412 suffix += "Server"
10413 }
10414
10415 test := testCase{
10416 name: "TLSUnique-" + suffix,
10417 testTLSUnique: true,
10418 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10419 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]10420 Bugs: ProtocolBugs{
10421 NoExtendedMasterSecret: !hasEMS,
10422 },
10423 },
10424 }
10425
10426 if isResumption {
10427 test.resumeSession = true
10428 test.resumeConfig = &Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10429 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]10430 Bugs: ProtocolBugs{
10431 NoExtendedMasterSecret: !hasEMS,
10432 },
10433 }
10434 }
10435
10436 if isResumption && !hasEMS {
10437 test.shouldFail = true
10438 test.expectedError = "failed to get tls-unique"
10439 }
10440
10441 testCases = append(testCases, test)
10442 }
10443 }
10444 }
10445}
10446
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]10447func addCustomExtensionTests() {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]10448 // Test an unknown extension from the server.
10449 testCases = append(testCases, testCase{
10450 testType: clientTest,
10451 name: "UnknownExtension-Client",
10452 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10453 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]10454 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]10455 CustomExtension: "custom extension",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]10456 },
10457 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10458 shouldFail: true,
10459 expectedError: ":UNEXPECTED_EXTENSION:",
10460 expectedLocalError: "remote error: unsupported extension",
10461 })
10462 testCases = append(testCases, testCase{
10463 testType: clientTest,
10464 name: "UnknownExtension-Client-TLS13",
10465 config: Config{
10466 MaxVersion: VersionTLS13,
10467 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]10468 CustomExtension: "custom extension",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10469 },
10470 },
10471 shouldFail: true,
10472 expectedError: ":UNEXPECTED_EXTENSION:",
10473 expectedLocalError: "remote error: unsupported extension",
10474 })
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]10475 testCases = append(testCases, testCase{
10476 testType: clientTest,
10477 name: "UnknownUnencryptedExtension-Client-TLS13",
10478 config: Config{
10479 MaxVersion: VersionTLS13,
10480 Bugs: ProtocolBugs{
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]10481 CustomUnencryptedExtension: "custom extension",
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]10482 },
10483 },
10484 shouldFail: true,
10485 expectedError: ":UNEXPECTED_EXTENSION:",
10486 // The shim must send an alert, but alerts at this point do not
10487 // get successfully decrypted by the runner.
10488 expectedLocalError: "local error: bad record MAC",
10489 })
10490 testCases = append(testCases, testCase{
10491 testType: clientTest,
10492 name: "UnexpectedUnencryptedExtension-Client-TLS13",
10493 config: Config{
10494 MaxVersion: VersionTLS13,
10495 Bugs: ProtocolBugs{
10496 SendUnencryptedALPN: "foo",
10497 },
10498 },
10499 flags: []string{
10500 "-advertise-alpn", "\x03foo\x03bar",
10501 },
10502 shouldFail: true,
10503 expectedError: ":UNEXPECTED_EXTENSION:",
10504 // The shim must send an alert, but alerts at this point do not
10505 // get successfully decrypted by the runner.
10506 expectedLocalError: "local error: bad record MAC",
10507 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10508
10509 // Test a known but unoffered extension from the server.
10510 testCases = append(testCases, testCase{
10511 testType: clientTest,
10512 name: "UnofferedExtension-Client",
10513 config: Config{
10514 MaxVersion: VersionTLS12,
10515 Bugs: ProtocolBugs{
10516 SendALPN: "alpn",
10517 },
10518 },
10519 shouldFail: true,
10520 expectedError: ":UNEXPECTED_EXTENSION:",
10521 expectedLocalError: "remote error: unsupported extension",
10522 })
10523 testCases = append(testCases, testCase{
10524 testType: clientTest,
10525 name: "UnofferedExtension-Client-TLS13",
10526 config: Config{
10527 MaxVersion: VersionTLS13,
10528 Bugs: ProtocolBugs{
10529 SendALPN: "alpn",
10530 },
10531 },
10532 shouldFail: true,
10533 expectedError: ":UNEXPECTED_EXTENSION:",
10534 expectedLocalError: "remote error: unsupported extension",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]10535 })
10536}
10537
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10538func addRSAClientKeyExchangeTests() {
10539 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
10540 testCases = append(testCases, testCase{
10541 testType: serverTest,
10542 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
10543 config: Config{
10544 // Ensure the ClientHello version and final
10545 // version are different, to detect if the
10546 // server uses the wrong one.
10547 MaxVersion: VersionTLS11,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]10548 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10549 Bugs: ProtocolBugs{
10550 BadRSAClientKeyExchange: bad,
10551 },
10552 },
10553 shouldFail: true,
10554 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
10555 })
10556 }
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]10557
10558 // The server must compare whatever was in ClientHello.version for the
10559 // RSA premaster.
10560 testCases = append(testCases, testCase{
10561 testType: serverTest,
10562 name: "SendClientVersion-RSA",
10563 config: Config{
10564 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
10565 Bugs: ProtocolBugs{
10566 SendClientVersion: 0x1234,
10567 },
10568 },
10569 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
10570 })
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10571}
10572
10573var testCurves = []struct {
10574 name string
10575 id CurveID
10576}{
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10577 {"P-224", CurveP224},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10578 {"P-256", CurveP256},
10579 {"P-384", CurveP384},
10580 {"P-521", CurveP521},
10581 {"X25519", CurveX25519},
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10582 {"CECPQ2", CurveCECPQ2},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10583}
10584
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10585const bogusCurve = 0x1234
10586
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10587func addCurveTests() {
10588 for _, curve := range testCurves {
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10589 for _, ver := range tlsVersions {
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]10590 if curve.id == CurveCECPQ2 && ver.version < VersionTLS13 {
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10591 continue
10592 }
10593
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10594 suffix := curve.name + "-" + ver.name
10595
10596 testCases = append(testCases, testCase{
10597 name: "CurveTest-Client-" + suffix,
10598 config: Config{
10599 MaxVersion: ver.version,
10600 CipherSuites: []uint16{
10601 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10602 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10603 TLS_AES_256_GCM_SHA384,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10604 },
10605 CurvePreferences: []CurveID{curve.id},
10606 },
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10607 flags: []string{
10608 "-enable-all-curves",
10609 "-expect-curve-id", strconv.Itoa(int(curve.id)),
10610 },
10611 expectedCurveID: curve.id,
10612 })
10613 testCases = append(testCases, testCase{
10614 testType: serverTest,
10615 name: "CurveTest-Server-" + suffix,
10616 config: Config{
10617 MaxVersion: ver.version,
10618 CipherSuites: []uint16{
10619 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10620 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10621 TLS_AES_256_GCM_SHA384,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10622 },
10623 CurvePreferences: []CurveID{curve.id},
10624 },
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10625 flags: []string{
10626 "-enable-all-curves",
10627 "-expect-curve-id", strconv.Itoa(int(curve.id)),
10628 },
10629 expectedCurveID: curve.id,
10630 })
10631
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]10632 if curve.id != CurveX25519 && curve.id != CurveCECPQ2 {
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10633 testCases = append(testCases, testCase{
10634 name: "CurveTest-Client-Compressed-" + suffix,
10635 config: Config{
10636 MaxVersion: ver.version,
10637 CipherSuites: []uint16{
10638 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10639 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10640 TLS_AES_256_GCM_SHA384,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10641 },
10642 CurvePreferences: []CurveID{curve.id},
10643 Bugs: ProtocolBugs{
10644 SendCompressedCoordinates: true,
10645 },
10646 },
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10647 flags: []string{"-enable-all-curves"},
10648 shouldFail: true,
10649 expectedError: ":BAD_ECPOINT:",
10650 })
10651 testCases = append(testCases, testCase{
10652 testType: serverTest,
10653 name: "CurveTest-Server-Compressed-" + suffix,
10654 config: Config{
10655 MaxVersion: ver.version,
10656 CipherSuites: []uint16{
10657 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10658 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10659 TLS_AES_256_GCM_SHA384,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10660 },
10661 CurvePreferences: []CurveID{curve.id},
10662 Bugs: ProtocolBugs{
10663 SendCompressedCoordinates: true,
10664 },
10665 },
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10666 flags: []string{"-enable-all-curves"},
10667 shouldFail: true,
10668 expectedError: ":BAD_ECPOINT:",
10669 })
10670 }
10671 }
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10672 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]10673
10674 // The server must be tolerant to bogus curves.
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]10675 testCases = append(testCases, testCase{
10676 testType: serverTest,
10677 name: "UnknownCurve",
10678 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10679 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]10680 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10681 CurvePreferences: []CurveID{bogusCurve, CurveP256},
10682 },
10683 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10684
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10685 // The server must be tolerant to bogus curves.
10686 testCases = append(testCases, testCase{
10687 testType: serverTest,
10688 name: "UnknownCurve-TLS13",
10689 config: Config{
10690 MaxVersion: VersionTLS13,
10691 CurvePreferences: []CurveID{bogusCurve, CurveP256},
10692 },
10693 })
10694
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10695 // The server must not consider ECDHE ciphers when there are no
10696 // supported curves.
10697 testCases = append(testCases, testCase{
10698 testType: serverTest,
10699 name: "NoSupportedCurves",
10700 config: Config{
10701 MaxVersion: VersionTLS12,
10702 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10703 Bugs: ProtocolBugs{
10704 NoSupportedCurves: true,
10705 },
10706 },
10707 shouldFail: true,
10708 expectedError: ":NO_SHARED_CIPHER:",
10709 })
10710 testCases = append(testCases, testCase{
10711 testType: serverTest,
10712 name: "NoSupportedCurves-TLS13",
10713 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10714 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10715 Bugs: ProtocolBugs{
10716 NoSupportedCurves: true,
10717 },
10718 },
10719 shouldFail: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10720 expectedError: ":NO_SHARED_GROUP:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10721 })
10722
10723 // The server must fall back to another cipher when there are no
10724 // supported curves.
10725 testCases = append(testCases, testCase{
10726 testType: serverTest,
10727 name: "NoCommonCurves",
10728 config: Config{
10729 MaxVersion: VersionTLS12,
10730 CipherSuites: []uint16{
10731 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10732 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10733 },
10734 CurvePreferences: []CurveID{CurveP224},
10735 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10736 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10737 })
10738
10739 // The client must reject bogus curves and disabled curves.
10740 testCases = append(testCases, testCase{
10741 name: "BadECDHECurve",
10742 config: Config{
10743 MaxVersion: VersionTLS12,
10744 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10745 Bugs: ProtocolBugs{
10746 SendCurve: bogusCurve,
10747 },
10748 },
10749 shouldFail: true,
10750 expectedError: ":WRONG_CURVE:",
10751 })
10752 testCases = append(testCases, testCase{
10753 name: "BadECDHECurve-TLS13",
10754 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10755 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10756 Bugs: ProtocolBugs{
10757 SendCurve: bogusCurve,
10758 },
10759 },
10760 shouldFail: true,
10761 expectedError: ":WRONG_CURVE:",
10762 })
10763
10764 testCases = append(testCases, testCase{
10765 name: "UnsupportedCurve",
10766 config: Config{
10767 MaxVersion: VersionTLS12,
10768 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10769 CurvePreferences: []CurveID{CurveP256},
10770 Bugs: ProtocolBugs{
10771 IgnorePeerCurvePreferences: true,
10772 },
10773 },
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10774 flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10775 shouldFail: true,
10776 expectedError: ":WRONG_CURVE:",
10777 })
10778
10779 testCases = append(testCases, testCase{
10780 // TODO(davidben): Add a TLS 1.3 version where
10781 // HelloRetryRequest requests an unsupported curve.
10782 name: "UnsupportedCurve-ServerHello-TLS13",
10783 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10784 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10785 CurvePreferences: []CurveID{CurveP384},
10786 Bugs: ProtocolBugs{
10787 SendCurve: CurveP256,
10788 },
10789 },
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]10790 flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10791 shouldFail: true,
10792 expectedError: ":WRONG_CURVE:",
10793 })
10794
10795 // Test invalid curve points.
10796 testCases = append(testCases, testCase{
10797 name: "InvalidECDHPoint-Client",
10798 config: Config{
10799 MaxVersion: VersionTLS12,
10800 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10801 CurvePreferences: []CurveID{CurveP256},
10802 Bugs: ProtocolBugs{
10803 InvalidECDHPoint: true,
10804 },
10805 },
10806 shouldFail: true,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10807 expectedError: ":BAD_ECPOINT:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10808 })
10809 testCases = append(testCases, testCase{
10810 name: "InvalidECDHPoint-Client-TLS13",
10811 config: Config{
10812 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10813 CurvePreferences: []CurveID{CurveP256},
10814 Bugs: ProtocolBugs{
10815 InvalidECDHPoint: true,
10816 },
10817 },
10818 shouldFail: true,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10819 expectedError: ":BAD_ECPOINT:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10820 })
10821 testCases = append(testCases, testCase{
10822 testType: serverTest,
10823 name: "InvalidECDHPoint-Server",
10824 config: Config{
10825 MaxVersion: VersionTLS12,
10826 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10827 CurvePreferences: []CurveID{CurveP256},
10828 Bugs: ProtocolBugs{
10829 InvalidECDHPoint: true,
10830 },
10831 },
10832 shouldFail: true,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10833 expectedError: ":BAD_ECPOINT:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10834 })
10835 testCases = append(testCases, testCase{
10836 testType: serverTest,
10837 name: "InvalidECDHPoint-Server-TLS13",
10838 config: Config{
10839 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10840 CurvePreferences: []CurveID{CurveP256},
10841 Bugs: ProtocolBugs{
10842 InvalidECDHPoint: true,
10843 },
10844 },
10845 shouldFail: true,
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]10846 expectedError: ":BAD_ECPOINT:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10847 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10848
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10849 // The previous curve ID should be reported on TLS 1.2 resumption.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10850 testCases = append(testCases, testCase{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10851 name: "CurveID-Resume-Client",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10852 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10853 MaxVersion: VersionTLS12,
10854 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10855 CurvePreferences: []CurveID{CurveX25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10856 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10857 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
10858 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10859 })
10860 testCases = append(testCases, testCase{
10861 testType: serverTest,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10862 name: "CurveID-Resume-Server",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10863 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10864 MaxVersion: VersionTLS12,
10865 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10866 CurvePreferences: []CurveID{CurveX25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10867 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10868 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
10869 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10870 })
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10871
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10872 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
10873 // one should be reported.
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10874 testCases = append(testCases, testCase{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10875 name: "CurveID-Resume-Client-TLS13",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10876 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10877 MaxVersion: VersionTLS13,
10878 CurvePreferences: []CurveID{CurveX25519},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10879 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10880 resumeConfig: &Config{
10881 MaxVersion: VersionTLS13,
10882 CurvePreferences: []CurveID{CurveP256},
10883 },
10884 flags: []string{
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]10885 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
10886 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10887 },
10888 resumeSession: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10889 })
10890 testCases = append(testCases, testCase{
10891 testType: serverTest,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10892 name: "CurveID-Resume-Server-TLS13",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10893 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10894 MaxVersion: VersionTLS13,
10895 CurvePreferences: []CurveID{CurveX25519},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10896 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10897 resumeConfig: &Config{
10898 MaxVersion: VersionTLS13,
10899 CurvePreferences: []CurveID{CurveP256},
10900 },
10901 flags: []string{
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]10902 "-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
10903 "-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]10904 },
10905 resumeSession: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10906 })
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]10907
10908 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
10909 testCases = append(testCases, testCase{
10910 name: "PointFormat-ServerHello-TLS12",
10911 config: Config{
10912 MaxVersion: VersionTLS12,
10913 Bugs: ProtocolBugs{
10914 SendSupportedPointFormats: []byte{pointFormatUncompressed},
10915 },
10916 },
10917 })
10918 testCases = append(testCases, testCase{
10919 name: "PointFormat-EncryptedExtensions-TLS13",
10920 config: Config{
10921 MaxVersion: VersionTLS13,
10922 Bugs: ProtocolBugs{
10923 SendSupportedPointFormats: []byte{pointFormatUncompressed},
10924 },
10925 },
10926 shouldFail: true,
10927 expectedError: ":ERROR_PARSING_EXTENSION:",
10928 })
10929
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]10930 // Server-sent supported groups/curves are legal in TLS 1.3. They are
10931 // illegal in TLS 1.2, but some servers send them anyway, so we must
10932 // tolerate them.
10933 testCases = append(testCases, testCase{
10934 name: "SupportedCurves-ServerHello-TLS12",
10935 config: Config{
10936 MaxVersion: VersionTLS12,
10937 Bugs: ProtocolBugs{
10938 SendServerSupportedCurves: true,
10939 },
10940 },
10941 })
10942 testCases = append(testCases, testCase{
10943 name: "SupportedCurves-EncryptedExtensions-TLS13",
10944 config: Config{
10945 MaxVersion: VersionTLS13,
10946 Bugs: ProtocolBugs{
10947 SendServerSupportedCurves: true,
10948 },
10949 },
10950 })
10951
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]10952 // Test that we tolerate unknown point formats, as long as
10953 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
10954 // check they are still functional.
10955 testCases = append(testCases, testCase{
10956 name: "PointFormat-Client-Tolerance",
10957 config: Config{
10958 MaxVersion: VersionTLS12,
10959 Bugs: ProtocolBugs{
10960 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
10961 },
10962 },
10963 })
10964 testCases = append(testCases, testCase{
10965 testType: serverTest,
10966 name: "PointFormat-Server-Tolerance",
10967 config: Config{
10968 MaxVersion: VersionTLS12,
10969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
10970 Bugs: ProtocolBugs{
10971 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
10972 },
10973 },
10974 })
10975
10976 // Test TLS 1.2 does not require the point format extension to be
10977 // present.
10978 testCases = append(testCases, testCase{
10979 name: "PointFormat-Client-Missing",
10980 config: Config{
10981 MaxVersion: VersionTLS12,
10982 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
10983 Bugs: ProtocolBugs{
10984 SendSupportedPointFormats: []byte{},
10985 },
10986 },
10987 })
10988 testCases = append(testCases, testCase{
10989 testType: serverTest,
10990 name: "PointFormat-Server-Missing",
10991 config: Config{
10992 MaxVersion: VersionTLS12,
10993 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
10994 Bugs: ProtocolBugs{
10995 SendSupportedPointFormats: []byte{},
10996 },
10997 },
10998 })
10999
11000 // If the point format extension is present, uncompressed points must be
11001 // offered. BoringSSL requires this whether or not ECDHE is used.
11002 testCases = append(testCases, testCase{
11003 name: "PointFormat-Client-MissingUncompressed",
11004 config: Config{
11005 MaxVersion: VersionTLS12,
11006 Bugs: ProtocolBugs{
11007 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
11008 },
11009 },
11010 shouldFail: true,
11011 expectedError: ":ERROR_PARSING_EXTENSION:",
11012 })
11013 testCases = append(testCases, testCase{
11014 testType: serverTest,
11015 name: "PointFormat-Server-MissingUncompressed",
11016 config: Config{
11017 MaxVersion: VersionTLS12,
11018 Bugs: ProtocolBugs{
11019 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
11020 },
11021 },
11022 shouldFail: true,
11023 expectedError: ":ERROR_PARSING_EXTENSION:",
11024 })
Robert Sloan5cbb5c82018-04-24 11:35:46 -0700[diff] [blame]11025
11026 // Implementations should mask off the high order bit in X25519.
11027 testCases = append(testCases, testCase{
11028 name: "SetX25519HighBit",
11029 config: Config{
11030 CipherSuites: []uint16{
11031 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
11032 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
11033 TLS_AES_128_GCM_SHA256,
11034 },
11035 CurvePreferences: []CurveID{CurveX25519},
11036 Bugs: ProtocolBugs{
11037 SetX25519HighBit: true,
11038 },
11039 },
11040 })
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]11041
11042 // CECPQ2 should not be offered by a TLS < 1.3 client.
11043 testCases = append(testCases, testCase{
11044 name: "CECPQ2NotInTLS12",
11045 config: Config{
11046 Bugs: ProtocolBugs{
11047 FailIfCECPQ2Offered: true,
11048 },
11049 },
11050 flags: []string{
11051 "-max-version", strconv.Itoa(VersionTLS12),
11052 "-curves", strconv.Itoa(int(CurveCECPQ2)),
11053 "-curves", strconv.Itoa(int(CurveX25519)),
11054 },
11055 })
11056
11057 // CECPQ2 should not crash a TLS < 1.3 client if the server mistakenly
11058 // selects it.
11059 testCases = append(testCases, testCase{
11060 name: "CECPQ2NotAcceptedByTLS12Client",
11061 config: Config{
11062 Bugs: ProtocolBugs{
11063 SendCurve: CurveCECPQ2,
11064 },
11065 },
11066 flags: []string{
11067 "-max-version", strconv.Itoa(VersionTLS12),
11068 "-curves", strconv.Itoa(int(CurveCECPQ2)),
11069 "-curves", strconv.Itoa(int(CurveX25519)),
11070 },
11071 shouldFail: true,
11072 expectedError: ":WRONG_CURVE:",
11073 })
11074
11075 // CECPQ2 should not be offered by default as a client.
11076 testCases = append(testCases, testCase{
11077 name: "CECPQ2NotEnabledByDefaultInClients",
11078 config: Config{
11079 MinVersion: VersionTLS13,
11080 Bugs: ProtocolBugs{
11081 FailIfCECPQ2Offered: true,
11082 },
11083 },
11084 })
11085
11086 // If CECPQ2 is offered, both X25519 and CECPQ2 should have a key-share.
11087 testCases = append(testCases, testCase{
11088 name: "NotJustCECPQ2KeyShare",
11089 config: Config{
11090 MinVersion: VersionTLS13,
11091 Bugs: ProtocolBugs{
11092 ExpectedKeyShares: []CurveID{CurveCECPQ2, CurveX25519},
11093 },
11094 },
11095 flags: []string{
11096 "-curves", strconv.Itoa(int(CurveCECPQ2)),
11097 "-curves", strconv.Itoa(int(CurveX25519)),
11098 "-expect-curve-id", strconv.Itoa(int(CurveCECPQ2)),
11099 },
11100 })
11101
11102 // ... but only if CECPQ2 is listed first.
11103 testCases = append(testCases, testCase{
11104 name: "CECPQ2KeyShareNotIncludedSecond",
11105 config: Config{
11106 MinVersion: VersionTLS13,
11107 Bugs: ProtocolBugs{
11108 ExpectedKeyShares: []CurveID{CurveX25519},
11109 },
11110 },
11111 flags: []string{
11112 "-curves", strconv.Itoa(int(CurveX25519)),
11113 "-curves", strconv.Itoa(int(CurveCECPQ2)),
11114 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
11115 },
11116 })
11117
11118 // If CECPQ2 is the only configured curve, the key share is sent.
11119 testCases = append(testCases, testCase{
11120 name: "JustConfiguringCECPQ2Works",
11121 config: Config{
11122 MinVersion: VersionTLS13,
11123 Bugs: ProtocolBugs{
11124 ExpectedKeyShares: []CurveID{CurveCECPQ2},
11125 },
11126 },
11127 flags: []string{
11128 "-curves", strconv.Itoa(int(CurveCECPQ2)),
11129 "-expect-curve-id", strconv.Itoa(int(CurveCECPQ2)),
11130 },
11131 })
11132
11133 // As a server, CECPQ2 is not yet supported by default.
11134 testCases = append(testCases, testCase{
11135 testType: serverTest,
11136 name: "CECPQ2NotEnabledByDefaultForAServer",
11137 config: Config{
11138 MinVersion: VersionTLS13,
11139 CurvePreferences: []CurveID{CurveCECPQ2, CurveX25519},
11140 DefaultCurves: []CurveID{CurveCECPQ2},
11141 },
11142 flags: []string{
11143 "-server-preference",
11144 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
11145 },
11146 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11147}
11148
11149func addTLS13RecordTests() {
11150 testCases = append(testCases, testCase{
11151 name: "TLS13-RecordPadding",
11152 config: Config{
11153 MaxVersion: VersionTLS13,
11154 MinVersion: VersionTLS13,
11155 Bugs: ProtocolBugs{
11156 RecordPadding: 10,
11157 },
11158 },
11159 })
11160
11161 testCases = append(testCases, testCase{
11162 name: "TLS13-EmptyRecords",
11163 config: Config{
11164 MaxVersion: VersionTLS13,
11165 MinVersion: VersionTLS13,
11166 Bugs: ProtocolBugs{
11167 OmitRecordContents: true,
11168 },
11169 },
11170 shouldFail: true,
11171 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
11172 })
11173
11174 testCases = append(testCases, testCase{
11175 name: "TLS13-OnlyPadding",
11176 config: Config{
11177 MaxVersion: VersionTLS13,
11178 MinVersion: VersionTLS13,
11179 Bugs: ProtocolBugs{
11180 OmitRecordContents: true,
11181 RecordPadding: 10,
11182 },
11183 },
11184 shouldFail: true,
11185 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
11186 })
11187
11188 testCases = append(testCases, testCase{
11189 name: "TLS13-WrongOuterRecord",
11190 config: Config{
11191 MaxVersion: VersionTLS13,
11192 MinVersion: VersionTLS13,
11193 Bugs: ProtocolBugs{
11194 OuterRecordType: recordTypeHandshake,
11195 },
11196 },
11197 shouldFail: true,
11198 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
11199 })
11200}
11201
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11202func addSessionTicketTests() {
11203 testCases = append(testCases, testCase{
11204 // In TLS 1.2 and below, empty NewSessionTicket messages
11205 // mean the server changed its mind on sending a ticket.
11206 name: "SendEmptySessionTicket",
11207 config: Config{
11208 MaxVersion: VersionTLS12,
11209 Bugs: ProtocolBugs{
11210 SendEmptySessionTicket: true,
11211 },
11212 },
11213 flags: []string{"-expect-no-session"},
11214 })
11215
11216 // Test that the server ignores unknown PSK modes.
11217 testCases = append(testCases, testCase{
11218 testType: serverTest,
11219 name: "TLS13-SendUnknownModeSessionTicket-Server",
11220 config: Config{
11221 MaxVersion: VersionTLS13,
11222 Bugs: ProtocolBugs{
11223 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11224 },
11225 },
11226 resumeSession: true,
11227 expectedResumeVersion: VersionTLS13,
11228 })
11229
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11230 // Test that the server does not send session tickets with no matching key exchange mode.
11231 testCases = append(testCases, testCase{
11232 testType: serverTest,
11233 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
11234 config: Config{
11235 MaxVersion: VersionTLS13,
11236 Bugs: ProtocolBugs{
11237 SendPSKKeyExchangeModes: []byte{0x1a},
11238 ExpectNoNewSessionTicket: true,
11239 },
11240 },
11241 })
11242
11243 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11244 testCases = append(testCases, testCase{
11245 testType: serverTest,
11246 name: "TLS13-SendBadKEModeSessionTicket-Server",
11247 config: Config{
11248 MaxVersion: VersionTLS13,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11249 },
11250 resumeConfig: &Config{
11251 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11252 Bugs: ProtocolBugs{
11253 SendPSKKeyExchangeModes: []byte{0x1a},
11254 },
11255 },
11256 resumeSession: true,
11257 expectResumeRejected: true,
11258 })
11259
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11260 // Test that the client ticket age is sent correctly.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11261 testCases = append(testCases, testCase{
11262 testType: clientTest,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11263 name: "TLS13-TestValidTicketAge-Client",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11264 config: Config{
11265 MaxVersion: VersionTLS13,
11266 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11267 ExpectTicketAge: 10 * time.Second,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11268 },
11269 },
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11270 resumeSession: true,
11271 flags: []string{
11272 "-resumption-delay", "10",
11273 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11274 })
11275
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11276 // Test that the client ticket age is enforced.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11277 testCases = append(testCases, testCase{
11278 testType: clientTest,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11279 name: "TLS13-TestBadTicketAge-Client",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11280 config: Config{
11281 MaxVersion: VersionTLS13,
11282 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11283 ExpectTicketAge: 1000 * time.Second,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11284 },
11285 },
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11286 resumeSession: true,
11287 shouldFail: true,
11288 expectedLocalError: "tls: invalid ticket age",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11289 })
11290
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]11291 // Test that the server's ticket age skew reporting works.
11292 testCases = append(testCases, testCase{
11293 testType: serverTest,
11294 name: "TLS13-TicketAgeSkew-Forward",
11295 config: Config{
11296 MaxVersion: VersionTLS13,
11297 Bugs: ProtocolBugs{
11298 SendTicketAge: 15 * time.Second,
11299 },
11300 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]11301 resumeSession: true,
11302 resumeRenewedSession: true,
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]11303 flags: []string{
11304 "-resumption-delay", "10",
11305 "-expect-ticket-age-skew", "5",
11306 },
11307 })
11308 testCases = append(testCases, testCase{
11309 testType: serverTest,
11310 name: "TLS13-TicketAgeSkew-Backward",
11311 config: Config{
11312 MaxVersion: VersionTLS13,
11313 Bugs: ProtocolBugs{
11314 SendTicketAge: 5 * time.Second,
11315 },
11316 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]11317 resumeSession: true,
11318 resumeRenewedSession: true,
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]11319 flags: []string{
11320 "-resumption-delay", "10",
11321 "-expect-ticket-age-skew", "-5",
11322 },
11323 })
11324
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11325 testCases = append(testCases, testCase{
11326 testType: clientTest,
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]11327 name: "TLS13-SendTicketEarlyDataInfo",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11328 config: Config{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]11329 MaxVersion: VersionTLS13,
11330 MaxEarlyDataSize: 16384,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11331 },
11332 flags: []string{
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]11333 "-enable-early-data",
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]11334 "-expect-ticket-supports-early-data",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11335 },
11336 })
11337
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]11338 // Test that 0-RTT tickets are ignored in clients unless opted in.
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]11339 testCases = append(testCases, testCase{
11340 testType: clientTest,
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]11341 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]11342 config: Config{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]11343 MaxVersion: VersionTLS13,
11344 MaxEarlyDataSize: 16384,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]11345 },
11346 })
11347
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11348 testCases = append(testCases, testCase{
11349 testType: clientTest,
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]11350 name: "TLS13-DuplicateTicketEarlyDataInfo",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11351 config: Config{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]11352 MaxVersion: VersionTLS13,
11353 MaxEarlyDataSize: 16384,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11354 Bugs: ProtocolBugs{
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]11355 DuplicateTicketEarlyData: true,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11356 },
11357 },
11358 shouldFail: true,
11359 expectedError: ":DUPLICATE_EXTENSION:",
11360 expectedLocalError: "remote error: illegal parameter",
11361 })
11362
11363 testCases = append(testCases, testCase{
11364 testType: serverTest,
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]11365 name: "TLS13-ExpectTicketEarlyDataInfo",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11366 config: Config{
11367 MaxVersion: VersionTLS13,
11368 Bugs: ProtocolBugs{
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]11369 ExpectTicketEarlyData: true,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]11370 },
11371 },
11372 flags: []string{
11373 "-enable-early-data",
11374 },
11375 })
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]11376
11377 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
11378 // is honored.
11379 testCases = append(testCases, testCase{
11380 testType: clientTest,
11381 name: "TLS13-HonorServerSessionTicketLifetime",
11382 config: Config{
11383 MaxVersion: VersionTLS13,
11384 Bugs: ProtocolBugs{
11385 SendTicketLifetime: 20 * time.Second,
11386 },
11387 },
11388 flags: []string{
11389 "-resumption-delay", "19",
11390 },
11391 resumeSession: true,
11392 })
11393 testCases = append(testCases, testCase{
11394 testType: clientTest,
11395 name: "TLS13-HonorServerSessionTicketLifetime-2",
11396 config: Config{
11397 MaxVersion: VersionTLS13,
11398 Bugs: ProtocolBugs{
11399 SendTicketLifetime: 20 * time.Second,
11400 // The client should not offer the expired session.
11401 ExpectNoTLS13PSK: true,
11402 },
11403 },
11404 flags: []string{
11405 "-resumption-delay", "21",
11406 },
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]11407 resumeSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]11408 expectResumeRejected: true,
11409 })
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]11410
11411 for _, ver := range tlsVersions {
11412 // Prior to TLS 1.3, disabling session tickets enables session IDs.
11413 useStatefulResumption := ver.version < VersionTLS13
11414
11415 // SSL_OP_NO_TICKET implies the server must not mint any tickets.
11416 testCases = append(testCases, testCase{
11417 testType: serverTest,
11418 name: ver.name + "-NoTicket-NoMint",
11419 config: Config{
11420 MinVersion: ver.version,
11421 MaxVersion: ver.version,
11422 Bugs: ProtocolBugs{
11423 ExpectNoNewSessionTicket: true,
11424 RequireSessionIDs: useStatefulResumption,
11425 },
11426 },
11427 resumeSession: useStatefulResumption,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]11428 flags: []string{"-no-ticket"},
11429 })
11430
11431 // SSL_OP_NO_TICKET implies the server must not accept any tickets.
11432 testCases = append(testCases, testCase{
11433 testType: serverTest,
11434 name: ver.name + "-NoTicket-NoAccept",
11435 config: Config{
11436 MinVersion: ver.version,
11437 MaxVersion: ver.version,
11438 },
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]11439 resumeSession: true,
11440 expectResumeRejected: true,
11441 // Set SSL_OP_NO_TICKET on the second connection, after the first
11442 // has established tickets.
11443 flags: []string{"-on-resume-no-ticket"},
11444 })
11445 }
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11446}
11447
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11448func addChangeCipherSpecTests() {
11449 // Test missing ChangeCipherSpecs.
11450 testCases = append(testCases, testCase{
11451 name: "SkipChangeCipherSpec-Client",
11452 config: Config{
11453 MaxVersion: VersionTLS12,
11454 Bugs: ProtocolBugs{
11455 SkipChangeCipherSpec: true,
11456 },
11457 },
11458 shouldFail: true,
11459 expectedError: ":UNEXPECTED_RECORD:",
11460 })
11461 testCases = append(testCases, testCase{
11462 testType: serverTest,
11463 name: "SkipChangeCipherSpec-Server",
11464 config: Config{
11465 MaxVersion: VersionTLS12,
11466 Bugs: ProtocolBugs{
11467 SkipChangeCipherSpec: true,
11468 },
11469 },
11470 shouldFail: true,
11471 expectedError: ":UNEXPECTED_RECORD:",
11472 })
11473 testCases = append(testCases, testCase{
11474 testType: serverTest,
11475 name: "SkipChangeCipherSpec-Server-NPN",
11476 config: Config{
11477 MaxVersion: VersionTLS12,
11478 NextProtos: []string{"bar"},
11479 Bugs: ProtocolBugs{
11480 SkipChangeCipherSpec: true,
11481 },
11482 },
11483 flags: []string{
11484 "-advertise-npn", "\x03foo\x03bar\x03baz",
11485 },
11486 shouldFail: true,
11487 expectedError: ":UNEXPECTED_RECORD:",
11488 })
11489
11490 // Test synchronization between the handshake and ChangeCipherSpec.
11491 // Partial post-CCS handshake messages before ChangeCipherSpec should be
11492 // rejected. Test both with and without handshake packing to handle both
11493 // when the partial post-CCS message is in its own record and when it is
11494 // attached to the pre-CCS message.
11495 for _, packed := range []bool{false, true} {
11496 var suffix string
11497 if packed {
11498 suffix = "-Packed"
11499 }
11500
11501 testCases = append(testCases, testCase{
11502 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
11503 config: Config{
11504 MaxVersion: VersionTLS12,
11505 Bugs: ProtocolBugs{
11506 FragmentAcrossChangeCipherSpec: true,
11507 PackHandshakeFlight: packed,
11508 },
11509 },
11510 shouldFail: true,
11511 expectedError: ":UNEXPECTED_RECORD:",
11512 })
11513 testCases = append(testCases, testCase{
11514 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
11515 config: Config{
11516 MaxVersion: VersionTLS12,
11517 },
11518 resumeSession: true,
11519 resumeConfig: &Config{
11520 MaxVersion: VersionTLS12,
11521 Bugs: ProtocolBugs{
11522 FragmentAcrossChangeCipherSpec: true,
11523 PackHandshakeFlight: packed,
11524 },
11525 },
11526 shouldFail: true,
11527 expectedError: ":UNEXPECTED_RECORD:",
11528 })
11529 testCases = append(testCases, testCase{
11530 testType: serverTest,
11531 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
11532 config: Config{
11533 MaxVersion: VersionTLS12,
11534 Bugs: ProtocolBugs{
11535 FragmentAcrossChangeCipherSpec: true,
11536 PackHandshakeFlight: packed,
11537 },
11538 },
11539 shouldFail: true,
11540 expectedError: ":UNEXPECTED_RECORD:",
11541 })
11542 testCases = append(testCases, testCase{
11543 testType: serverTest,
11544 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
11545 config: Config{
11546 MaxVersion: VersionTLS12,
11547 },
11548 resumeSession: true,
11549 resumeConfig: &Config{
11550 MaxVersion: VersionTLS12,
11551 Bugs: ProtocolBugs{
11552 FragmentAcrossChangeCipherSpec: true,
11553 PackHandshakeFlight: packed,
11554 },
11555 },
11556 shouldFail: true,
11557 expectedError: ":UNEXPECTED_RECORD:",
11558 })
11559 testCases = append(testCases, testCase{
11560 testType: serverTest,
11561 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
11562 config: Config{
11563 MaxVersion: VersionTLS12,
11564 NextProtos: []string{"bar"},
11565 Bugs: ProtocolBugs{
11566 FragmentAcrossChangeCipherSpec: true,
11567 PackHandshakeFlight: packed,
11568 },
11569 },
11570 flags: []string{
11571 "-advertise-npn", "\x03foo\x03bar\x03baz",
11572 },
11573 shouldFail: true,
11574 expectedError: ":UNEXPECTED_RECORD:",
11575 })
11576 }
11577
11578 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
11579 // messages in the handshake queue. Do this by testing the server
11580 // reading the client Finished, reversing the flight so Finished comes
11581 // first.
11582 testCases = append(testCases, testCase{
11583 protocol: dtls,
11584 testType: serverTest,
11585 name: "SendUnencryptedFinished-DTLS",
11586 config: Config{
11587 MaxVersion: VersionTLS12,
11588 Bugs: ProtocolBugs{
11589 SendUnencryptedFinished: true,
11590 ReverseHandshakeFragments: true,
11591 },
11592 },
11593 shouldFail: true,
11594 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
11595 })
11596
11597 // Test synchronization between encryption changes and the handshake in
11598 // TLS 1.3, where ChangeCipherSpec is implicit.
11599 testCases = append(testCases, testCase{
11600 name: "PartialEncryptedExtensionsWithServerHello",
11601 config: Config{
11602 MaxVersion: VersionTLS13,
11603 Bugs: ProtocolBugs{
11604 PartialEncryptedExtensionsWithServerHello: true,
11605 },
11606 },
11607 shouldFail: true,
11608 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
11609 })
11610 testCases = append(testCases, testCase{
11611 testType: serverTest,
11612 name: "PartialClientFinishedWithClientHello",
11613 config: Config{
11614 MaxVersion: VersionTLS13,
11615 Bugs: ProtocolBugs{
11616 PartialClientFinishedWithClientHello: true,
11617 },
11618 },
11619 shouldFail: true,
11620 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
11621 })
11622
11623 // Test that early ChangeCipherSpecs are handled correctly.
11624 testCases = append(testCases, testCase{
11625 testType: serverTest,
11626 name: "EarlyChangeCipherSpec-server-1",
11627 config: Config{
11628 MaxVersion: VersionTLS12,
11629 Bugs: ProtocolBugs{
11630 EarlyChangeCipherSpec: 1,
11631 },
11632 },
11633 shouldFail: true,
11634 expectedError: ":UNEXPECTED_RECORD:",
11635 })
11636 testCases = append(testCases, testCase{
11637 testType: serverTest,
11638 name: "EarlyChangeCipherSpec-server-2",
11639 config: Config{
11640 MaxVersion: VersionTLS12,
11641 Bugs: ProtocolBugs{
11642 EarlyChangeCipherSpec: 2,
11643 },
11644 },
11645 shouldFail: true,
11646 expectedError: ":UNEXPECTED_RECORD:",
11647 })
11648 testCases = append(testCases, testCase{
11649 protocol: dtls,
11650 name: "StrayChangeCipherSpec",
11651 config: Config{
11652 // TODO(davidben): Once DTLS 1.3 exists, test
11653 // that stray ChangeCipherSpec messages are
11654 // rejected.
11655 MaxVersion: VersionTLS12,
11656 Bugs: ProtocolBugs{
11657 StrayChangeCipherSpec: true,
11658 },
11659 },
11660 })
11661
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]11662 // Test that reordered ChangeCipherSpecs are tolerated.
11663 testCases = append(testCases, testCase{
11664 protocol: dtls,
11665 name: "ReorderChangeCipherSpec-DTLS-Client",
11666 config: Config{
11667 MaxVersion: VersionTLS12,
11668 Bugs: ProtocolBugs{
11669 ReorderChangeCipherSpec: true,
11670 },
11671 },
11672 resumeSession: true,
11673 })
11674 testCases = append(testCases, testCase{
11675 testType: serverTest,
11676 protocol: dtls,
11677 name: "ReorderChangeCipherSpec-DTLS-Server",
11678 config: Config{
11679 MaxVersion: VersionTLS12,
11680 Bugs: ProtocolBugs{
11681 ReorderChangeCipherSpec: true,
11682 },
11683 },
11684 resumeSession: true,
11685 })
11686
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11687 // Test that the contents of ChangeCipherSpec are checked.
11688 testCases = append(testCases, testCase{
11689 name: "BadChangeCipherSpec-1",
11690 config: Config{
11691 MaxVersion: VersionTLS12,
11692 Bugs: ProtocolBugs{
11693 BadChangeCipherSpec: []byte{2},
11694 },
11695 },
11696 shouldFail: true,
11697 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11698 })
11699 testCases = append(testCases, testCase{
11700 name: "BadChangeCipherSpec-2",
11701 config: Config{
11702 MaxVersion: VersionTLS12,
11703 Bugs: ProtocolBugs{
11704 BadChangeCipherSpec: []byte{1, 1},
11705 },
11706 },
11707 shouldFail: true,
11708 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11709 })
11710 testCases = append(testCases, testCase{
11711 protocol: dtls,
11712 name: "BadChangeCipherSpec-DTLS-1",
11713 config: Config{
11714 MaxVersion: VersionTLS12,
11715 Bugs: ProtocolBugs{
11716 BadChangeCipherSpec: []byte{2},
11717 },
11718 },
11719 shouldFail: true,
11720 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11721 })
11722 testCases = append(testCases, testCase{
11723 protocol: dtls,
11724 name: "BadChangeCipherSpec-DTLS-2",
11725 config: Config{
11726 MaxVersion: VersionTLS12,
11727 Bugs: ProtocolBugs{
11728 BadChangeCipherSpec: []byte{1, 1},
11729 },
11730 },
11731 shouldFail: true,
11732 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11733 })
11734}
11735
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11736type perMessageTest struct {
11737 messageType uint8
11738 test testCase
11739}
11740
11741// makePerMessageTests returns a series of test templates which cover each
11742// message in the TLS handshake. These may be used with bugs like
11743// WrongMessageType to fully test a per-message bug.
11744func makePerMessageTests() []perMessageTest {
11745 var ret []perMessageTest
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11746 for _, protocol := range []protocol{tls, dtls} {
11747 var suffix string
11748 if protocol == dtls {
11749 suffix = "-DTLS"
11750 }
11751
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11752 ret = append(ret, perMessageTest{
11753 messageType: typeClientHello,
11754 test: testCase{
11755 protocol: protocol,
11756 testType: serverTest,
11757 name: "ClientHello" + suffix,
11758 config: Config{
11759 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11760 },
11761 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11762 })
11763
11764 if protocol == dtls {
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11765 ret = append(ret, perMessageTest{
11766 messageType: typeHelloVerifyRequest,
11767 test: testCase{
11768 protocol: protocol,
11769 name: "HelloVerifyRequest" + suffix,
11770 config: Config{
11771 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11772 },
11773 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11774 })
11775 }
11776
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11777 ret = append(ret, perMessageTest{
11778 messageType: typeServerHello,
11779 test: testCase{
11780 protocol: protocol,
11781 name: "ServerHello" + suffix,
11782 config: Config{
11783 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11784 },
11785 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11786 })
11787
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11788 ret = append(ret, perMessageTest{
11789 messageType: typeCertificate,
11790 test: testCase{
11791 protocol: protocol,
11792 name: "ServerCertificate" + suffix,
11793 config: Config{
11794 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11795 },
11796 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11797 })
11798
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11799 ret = append(ret, perMessageTest{
11800 messageType: typeCertificateStatus,
11801 test: testCase{
11802 protocol: protocol,
11803 name: "CertificateStatus" + suffix,
11804 config: Config{
11805 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11806 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11807 flags: []string{"-enable-ocsp-stapling"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11808 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11809 })
11810
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11811 ret = append(ret, perMessageTest{
11812 messageType: typeServerKeyExchange,
11813 test: testCase{
11814 protocol: protocol,
11815 name: "ServerKeyExchange" + suffix,
11816 config: Config{
11817 MaxVersion: VersionTLS12,
11818 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11819 },
11820 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11821 })
11822
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11823 ret = append(ret, perMessageTest{
11824 messageType: typeCertificateRequest,
11825 test: testCase{
11826 protocol: protocol,
11827 name: "CertificateRequest" + suffix,
11828 config: Config{
11829 MaxVersion: VersionTLS12,
11830 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11831 },
11832 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11833 })
11834
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11835 ret = append(ret, perMessageTest{
11836 messageType: typeServerHelloDone,
11837 test: testCase{
11838 protocol: protocol,
11839 name: "ServerHelloDone" + suffix,
11840 config: Config{
11841 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11842 },
11843 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11844 })
11845
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11846 ret = append(ret, perMessageTest{
11847 messageType: typeCertificate,
11848 test: testCase{
11849 testType: serverTest,
11850 protocol: protocol,
11851 name: "ClientCertificate" + suffix,
11852 config: Config{
11853 Certificates: []Certificate{rsaCertificate},
11854 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11855 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11856 flags: []string{"-require-any-client-certificate"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11857 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11858 })
11859
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11860 ret = append(ret, perMessageTest{
11861 messageType: typeCertificateVerify,
11862 test: testCase{
11863 testType: serverTest,
11864 protocol: protocol,
11865 name: "CertificateVerify" + suffix,
11866 config: Config{
11867 Certificates: []Certificate{rsaCertificate},
11868 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11869 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11870 flags: []string{"-require-any-client-certificate"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11871 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11872 })
11873
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11874 ret = append(ret, perMessageTest{
11875 messageType: typeClientKeyExchange,
11876 test: testCase{
11877 testType: serverTest,
11878 protocol: protocol,
11879 name: "ClientKeyExchange" + suffix,
11880 config: Config{
11881 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11882 },
11883 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11884 })
11885
11886 if protocol != dtls {
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11887 ret = append(ret, perMessageTest{
11888 messageType: typeNextProtocol,
11889 test: testCase{
11890 testType: serverTest,
11891 protocol: protocol,
11892 name: "NextProtocol" + suffix,
11893 config: Config{
11894 MaxVersion: VersionTLS12,
11895 NextProtos: []string{"bar"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11896 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11897 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11898 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11899 })
11900
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11901 ret = append(ret, perMessageTest{
11902 messageType: typeChannelID,
11903 test: testCase{
11904 testType: serverTest,
11905 protocol: protocol,
11906 name: "ChannelID" + suffix,
11907 config: Config{
11908 MaxVersion: VersionTLS12,
11909 ChannelID: channelIDKey,
11910 },
11911 flags: []string{
11912 "-expect-channel-id",
11913 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11914 },
11915 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11916 })
11917 }
11918
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11919 ret = append(ret, perMessageTest{
11920 messageType: typeFinished,
11921 test: testCase{
11922 testType: serverTest,
11923 protocol: protocol,
11924 name: "ClientFinished" + suffix,
11925 config: Config{
11926 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11927 },
11928 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11929 })
11930
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11931 ret = append(ret, perMessageTest{
11932 messageType: typeNewSessionTicket,
11933 test: testCase{
11934 protocol: protocol,
11935 name: "NewSessionTicket" + suffix,
11936 config: Config{
11937 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11938 },
11939 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11940 })
11941
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11942 ret = append(ret, perMessageTest{
11943 messageType: typeFinished,
11944 test: testCase{
11945 protocol: protocol,
11946 name: "ServerFinished" + suffix,
11947 config: Config{
11948 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11949 },
11950 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11951 })
11952
11953 }
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11954
11955 ret = append(ret, perMessageTest{
11956 messageType: typeClientHello,
11957 test: testCase{
11958 testType: serverTest,
11959 name: "TLS13-ClientHello",
11960 config: Config{
11961 MaxVersion: VersionTLS13,
11962 },
11963 },
11964 })
11965
11966 ret = append(ret, perMessageTest{
11967 messageType: typeServerHello,
11968 test: testCase{
11969 name: "TLS13-ServerHello",
11970 config: Config{
11971 MaxVersion: VersionTLS13,
11972 },
11973 },
11974 })
11975
11976 ret = append(ret, perMessageTest{
11977 messageType: typeEncryptedExtensions,
11978 test: testCase{
11979 name: "TLS13-EncryptedExtensions",
11980 config: Config{
11981 MaxVersion: VersionTLS13,
11982 },
11983 },
11984 })
11985
11986 ret = append(ret, perMessageTest{
11987 messageType: typeCertificateRequest,
11988 test: testCase{
11989 name: "TLS13-CertificateRequest",
11990 config: Config{
11991 MaxVersion: VersionTLS13,
11992 ClientAuth: RequireAnyClientCert,
11993 },
11994 },
11995 })
11996
11997 ret = append(ret, perMessageTest{
11998 messageType: typeCertificate,
11999 test: testCase{
12000 name: "TLS13-ServerCertificate",
12001 config: Config{
12002 MaxVersion: VersionTLS13,
12003 },
12004 },
12005 })
12006
12007 ret = append(ret, perMessageTest{
12008 messageType: typeCertificateVerify,
12009 test: testCase{
12010 name: "TLS13-ServerCertificateVerify",
12011 config: Config{
12012 MaxVersion: VersionTLS13,
12013 },
12014 },
12015 })
12016
12017 ret = append(ret, perMessageTest{
12018 messageType: typeFinished,
12019 test: testCase{
12020 name: "TLS13-ServerFinished",
12021 config: Config{
12022 MaxVersion: VersionTLS13,
12023 },
12024 },
12025 })
12026
12027 ret = append(ret, perMessageTest{
12028 messageType: typeCertificate,
12029 test: testCase{
12030 testType: serverTest,
12031 name: "TLS13-ClientCertificate",
12032 config: Config{
12033 Certificates: []Certificate{rsaCertificate},
12034 MaxVersion: VersionTLS13,
12035 },
12036 flags: []string{"-require-any-client-certificate"},
12037 },
12038 })
12039
12040 ret = append(ret, perMessageTest{
12041 messageType: typeCertificateVerify,
12042 test: testCase{
12043 testType: serverTest,
12044 name: "TLS13-ClientCertificateVerify",
12045 config: Config{
12046 Certificates: []Certificate{rsaCertificate},
12047 MaxVersion: VersionTLS13,
12048 },
12049 flags: []string{"-require-any-client-certificate"},
12050 },
12051 })
12052
12053 ret = append(ret, perMessageTest{
12054 messageType: typeFinished,
12055 test: testCase{
12056 testType: serverTest,
12057 name: "TLS13-ClientFinished",
12058 config: Config{
12059 MaxVersion: VersionTLS13,
12060 },
12061 },
12062 })
12063
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12064 ret = append(ret, perMessageTest{
12065 messageType: typeEndOfEarlyData,
12066 test: testCase{
12067 testType: serverTest,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12068 name: "TLS13-EndOfEarlyData",
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12069 config: Config{
12070 MaxVersion: VersionTLS13,
12071 },
12072 resumeConfig: &Config{
12073 MaxVersion: VersionTLS13,
12074 Bugs: ProtocolBugs{
12075 SendEarlyData: [][]byte{{1, 2, 3, 4}},
12076 ExpectEarlyDataAccepted: true,
12077 },
12078 },
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12079 resumeSession: true,
12080 flags: []string{"-enable-early-data"},
12081 },
12082 })
12083
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12084 return ret
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12085}
12086
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12087func addWrongMessageTypeTests() {
12088 for _, t := range makePerMessageTests() {
12089 t.test.name = "WrongMessageType-" + t.test.name
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12090 if t.test.resumeConfig != nil {
12091 t.test.resumeConfig.Bugs.SendWrongMessageType = t.messageType
12092 } else {
12093 t.test.config.Bugs.SendWrongMessageType = t.messageType
12094 }
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12095 t.test.shouldFail = true
12096 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
12097 t.test.expectedLocalError = "remote error: unexpected message"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12098
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12099 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
12100 // In TLS 1.3, a bad ServerHello means the client sends
12101 // an unencrypted alert while the server expects
12102 // encryption, so the alert is not readable by runner.
12103 t.test.expectedLocalError = "local error: bad record MAC"
12104 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12105
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12106 testCases = append(testCases, t.test)
12107 }
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]12108
12109 // The processing order for TLS 1.3 version negotiation is such that one
12110 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
12111 // TLS 1.2. Test that we do not do this.
12112 testCases = append(testCases, testCase{
12113 name: "SendServerHelloAsHelloRetryRequest",
12114 config: Config{
12115 MaxVersion: VersionTLS12,
12116 Bugs: ProtocolBugs{
12117 SendServerHelloAsHelloRetryRequest: true,
12118 },
12119 },
12120 shouldFail: true,
12121 expectedError: ":UNEXPECTED_MESSAGE:",
12122 expectedLocalError: "remote error: unexpected message",
12123 })
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12124}
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12125
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12126func addTrailingMessageDataTests() {
12127 for _, t := range makePerMessageTests() {
12128 t.test.name = "TrailingMessageData-" + t.test.name
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12129 if t.test.resumeConfig != nil {
12130 t.test.resumeConfig.Bugs.SendTrailingMessageData = t.messageType
12131 } else {
12132 t.test.config.Bugs.SendTrailingMessageData = t.messageType
12133 }
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12134 t.test.shouldFail = true
12135 t.test.expectedError = ":DECODE_ERROR:"
12136 t.test.expectedLocalError = "remote error: error decoding message"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12137
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12138 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
12139 // In TLS 1.3, a bad ServerHello means the client sends
12140 // an unencrypted alert while the server expects
12141 // encryption, so the alert is not readable by runner.
12142 t.test.expectedLocalError = "local error: bad record MAC"
12143 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12144
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12145 if t.messageType == typeFinished {
12146 // Bad Finished messages read as the verify data having
12147 // the wrong length.
12148 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
12149 t.test.expectedLocalError = "remote error: error decrypting message"
12150 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12151
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]12152 testCases = append(testCases, t.test)
12153 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]12154}
12155
12156func addTLS13HandshakeTests() {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12157 testCases = append(testCases, testCase{
12158 testType: clientTest,
12159 name: "NegotiatePSKResumption-TLS13",
12160 config: Config{
12161 MaxVersion: VersionTLS13,
12162 Bugs: ProtocolBugs{
12163 NegotiatePSKResumption: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12164 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12165 },
12166 resumeSession: true,
12167 shouldFail: true,
12168 expectedError: ":MISSING_KEY_SHARE:",
12169 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12170
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12171 testCases = append(testCases, testCase{
12172 testType: clientTest,
12173 name: "MissingKeyShare-Client-TLS13",
12174 config: Config{
12175 MaxVersion: VersionTLS13,
12176 Bugs: ProtocolBugs{
12177 MissingKeyShare: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12178 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12179 },
12180 shouldFail: true,
12181 expectedError: ":MISSING_KEY_SHARE:",
12182 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12183
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12184 testCases = append(testCases, testCase{
12185 testType: serverTest,
12186 name: "MissingKeyShare-Server-TLS13",
12187 config: Config{
12188 MaxVersion: VersionTLS13,
12189 Bugs: ProtocolBugs{
12190 MissingKeyShare: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12191 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12192 },
12193 shouldFail: true,
12194 expectedError: ":MISSING_KEY_SHARE:",
12195 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12196
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12197 testCases = append(testCases, testCase{
12198 testType: serverTest,
12199 name: "DuplicateKeyShares-TLS13",
12200 config: Config{
12201 MaxVersion: VersionTLS13,
12202 Bugs: ProtocolBugs{
12203 DuplicateKeyShares: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12204 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12205 },
12206 shouldFail: true,
12207 expectedError: ":DUPLICATE_KEY_SHARE:",
12208 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12209
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12210 testCases = append(testCases, testCase{
12211 testType: serverTest,
12212 name: "SkipEarlyData-TLS13",
12213 config: Config{
12214 MaxVersion: VersionTLS13,
12215 Bugs: ProtocolBugs{
12216 SendFakeEarlyDataLength: 4,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]12217 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12218 },
12219 })
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]12220
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12221 // Test that enabling TLS 1.3 does not interfere with TLS 1.2 session ID
12222 // resumption.
12223 testCases = append(testCases, testCase{
12224 testType: clientTest,
12225 name: "ResumeTLS12SessionID-TLS13",
12226 config: Config{
12227 MaxVersion: VersionTLS12,
12228 SessionTicketsDisabled: true,
12229 },
12230 resumeSession: true,
12231 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12232
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12233 // Test that the client correctly handles a TLS 1.3 ServerHello which echoes
12234 // a TLS 1.2 session ID.
12235 testCases = append(testCases, testCase{
12236 testType: clientTest,
12237 name: "TLS12SessionID-TLS13",
12238 config: Config{
12239 MaxVersion: VersionTLS12,
12240 SessionTicketsDisabled: true,
12241 },
12242 resumeConfig: &Config{
12243 MaxVersion: VersionTLS13,
12244 },
12245 resumeSession: true,
12246 expectResumeRejected: true,
12247 })
12248
12249 // Test that the server correctly echoes back session IDs of
12250 // various lengths. The first test additionally asserts that
12251 // BoringSSL always sends the ChangeCipherSpec messages for
12252 // compatibility mode, rather than negotiating it based on the
12253 // ClientHello.
12254 testCases = append(testCases, testCase{
12255 testType: serverTest,
12256 name: "EmptySessionID-TLS13",
12257 config: Config{
12258 MaxVersion: VersionTLS13,
12259 Bugs: ProtocolBugs{
12260 SendClientHelloSessionID: []byte{},
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]12261 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12262 },
12263 })
Robert Sloana815d5a2017-12-04 11:49:16 -0800[diff] [blame]12264
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12265 testCases = append(testCases, testCase{
12266 testType: serverTest,
12267 name: "ShortSessionID-TLS13",
12268 config: Config{
12269 MaxVersion: VersionTLS13,
12270 Bugs: ProtocolBugs{
12271 SendClientHelloSessionID: make([]byte, 16),
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12272 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12273 },
12274 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12275
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12276 testCases = append(testCases, testCase{
12277 testType: serverTest,
12278 name: "FullSessionID-TLS13",
12279 config: Config{
12280 MaxVersion: VersionTLS13,
12281 Bugs: ProtocolBugs{
12282 SendClientHelloSessionID: make([]byte, 32),
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12283 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12284 },
12285 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12286
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12287 // Test that the client sends a fake session ID in TLS 1.3.
12288 testCases = append(testCases, testCase{
12289 testType: clientTest,
12290 name: "TLS13SessionID-TLS13",
12291 config: Config{
12292 MaxVersion: VersionTLS13,
12293 Bugs: ProtocolBugs{
12294 ExpectClientHelloSessionID: true,
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12295 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12296 },
12297 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12298
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12299 // Test that the client omits the fake session ID when the max version is TLS 1.2 and below.
12300 testCases = append(testCases, testCase{
12301 testType: clientTest,
12302 name: "TLS12NoSessionID-TLS13",
12303 config: Config{
12304 MaxVersion: VersionTLS13,
12305 Bugs: ProtocolBugs{
12306 ExpectNoTLS12Session: true,
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12307 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12308 },
12309 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
12310 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12311
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12312 testCases = append(testCases, testCase{
12313 testType: clientTest,
12314 name: "EarlyData-Client-TLS13",
12315 config: Config{
12316 MaxVersion: VersionTLS13,
12317 MinVersion: VersionTLS13,
12318 MaxEarlyDataSize: 16384,
12319 },
12320 resumeConfig: &Config{
12321 MaxVersion: VersionTLS13,
12322 MinVersion: VersionTLS13,
12323 MaxEarlyDataSize: 16384,
12324 Bugs: ProtocolBugs{
12325 ExpectEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]12326 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12327 },
12328 resumeSession: true,
12329 flags: []string{
12330 "-enable-early-data",
12331 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]12332 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12333 "-on-resume-shim-writes-first",
12334 },
12335 })
Robert Sloan55818102017-12-18 11:26:17 -0800[diff] [blame]12336
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12337 testCases = append(testCases, testCase{
12338 testType: clientTest,
12339 name: "EarlyData-Reject-Client-TLS13",
12340 config: Config{
12341 MaxVersion: VersionTLS13,
12342 MaxEarlyDataSize: 16384,
12343 },
12344 resumeConfig: &Config{
12345 MaxVersion: VersionTLS13,
12346 MaxEarlyDataSize: 16384,
12347 Bugs: ProtocolBugs{
12348 AlwaysRejectEarlyData: true,
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12349 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12350 },
12351 resumeSession: true,
12352 flags: []string{
12353 "-enable-early-data",
12354 "-expect-ticket-supports-early-data",
12355 "-expect-reject-early-data",
12356 "-on-resume-shim-writes-first",
12357 },
12358 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12359
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12360 testCases = append(testCases, testCase{
12361 testType: serverTest,
12362 name: "EarlyData-Server-TLS13",
12363 config: Config{
12364 MaxVersion: VersionTLS13,
12365 MinVersion: VersionTLS13,
12366 Bugs: ProtocolBugs{
12367 SendEarlyData: [][]byte{{1, 2, 3, 4}},
12368 ExpectEarlyDataAccepted: true,
12369 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12370 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12371 },
12372 messageCount: 2,
12373 resumeSession: true,
12374 flags: []string{
12375 "-enable-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]12376 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12377 },
12378 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12379
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12380 testCases = append(testCases, testCase{
12381 testType: serverTest,
12382 name: "EarlyData-FirstTicket-Server-TLS13",
12383 config: Config{
12384 MaxVersion: VersionTLS13,
12385 MinVersion: VersionTLS13,
12386 Bugs: ProtocolBugs{
12387 UseFirstSessionTicket: true,
12388 SendEarlyData: [][]byte{{1, 2, 3, 4}},
12389 ExpectEarlyDataAccepted: true,
12390 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12391 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12392 },
12393 messageCount: 2,
12394 resumeSession: true,
12395 flags: []string{
12396 "-enable-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]12397 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12398 },
12399 })
Robert Sloandb4251a2017-09-18 09:38:15 -0700[diff] [blame]12400
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12401 testCases = append(testCases, testCase{
12402 testType: serverTest,
12403 name: "SkipEarlyData-OmitEarlyDataExtension-TLS13",
12404 config: Config{
12405 MaxVersion: VersionTLS13,
12406 Bugs: ProtocolBugs{
12407 SendFakeEarlyDataLength: 4,
12408 OmitEarlyDataExtension: true,
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]12409 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12410 },
12411 shouldFail: true,
12412 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
12413 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12414
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12415 testCases = append(testCases, testCase{
12416 testType: serverTest,
12417 name: "SkipEarlyData-TooMuchData-TLS13",
12418 config: Config{
12419 MaxVersion: VersionTLS13,
12420 Bugs: ProtocolBugs{
12421 SendFakeEarlyDataLength: 16384 + 1,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12422 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12423 },
12424 shouldFail: true,
12425 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
12426 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12427
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12428 testCases = append(testCases, testCase{
12429 testType: serverTest,
12430 name: "SkipEarlyData-Interleaved-TLS13",
12431 config: Config{
12432 MaxVersion: VersionTLS13,
12433 Bugs: ProtocolBugs{
12434 SendFakeEarlyDataLength: 4,
12435 InterleaveEarlyData: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12436 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12437 },
12438 shouldFail: true,
12439 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
12440 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12441
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12442 testCases = append(testCases, testCase{
12443 testType: serverTest,
12444 name: "SkipEarlyData-EarlyDataInTLS12-TLS13",
12445 config: Config{
12446 MaxVersion: VersionTLS13,
12447 Bugs: ProtocolBugs{
12448 SendFakeEarlyDataLength: 4,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12449 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12450 },
12451 shouldFail: true,
12452 expectedError: ":UNEXPECTED_RECORD:",
12453 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
12454 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12455
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12456 testCases = append(testCases, testCase{
12457 testType: serverTest,
12458 name: "SkipEarlyData-HRR-TLS13",
12459 config: Config{
12460 MaxVersion: VersionTLS13,
12461 Bugs: ProtocolBugs{
12462 SendFakeEarlyDataLength: 4,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12463 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12464 DefaultCurves: []CurveID{},
12465 },
12466 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12467
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12468 testCases = append(testCases, testCase{
12469 testType: serverTest,
12470 name: "SkipEarlyData-HRR-Interleaved-TLS13",
12471 config: Config{
12472 MaxVersion: VersionTLS13,
12473 Bugs: ProtocolBugs{
12474 SendFakeEarlyDataLength: 4,
12475 InterleaveEarlyData: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12476 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12477 DefaultCurves: []CurveID{},
12478 },
12479 shouldFail: true,
12480 expectedError: ":UNEXPECTED_RECORD:",
12481 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12482
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12483 testCases = append(testCases, testCase{
12484 testType: serverTest,
12485 name: "SkipEarlyData-HRR-TooMuchData-TLS13",
12486 config: Config{
12487 MaxVersion: VersionTLS13,
12488 Bugs: ProtocolBugs{
12489 SendFakeEarlyDataLength: 16384 + 1,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12490 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12491 DefaultCurves: []CurveID{},
12492 },
12493 shouldFail: true,
12494 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
12495 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12496
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12497 // Test that skipping early data looking for cleartext correctly
12498 // processes an alert record.
12499 testCases = append(testCases, testCase{
12500 testType: serverTest,
12501 name: "SkipEarlyData-HRR-FatalAlert-TLS13",
12502 config: Config{
12503 MaxVersion: VersionTLS13,
12504 Bugs: ProtocolBugs{
12505 SendEarlyAlert: true,
12506 SendFakeEarlyDataLength: 4,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12507 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12508 DefaultCurves: []CurveID{},
12509 },
12510 shouldFail: true,
12511 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
12512 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12513
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12514 testCases = append(testCases, testCase{
12515 testType: serverTest,
12516 name: "SkipEarlyData-SecondClientHelloEarlyData-TLS13",
12517 config: Config{
12518 MaxVersion: VersionTLS13,
12519 Bugs: ProtocolBugs{
12520 SendEarlyDataOnSecondClientHello: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12521 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12522 DefaultCurves: []CurveID{},
12523 },
12524 shouldFail: true,
12525 expectedLocalError: "remote error: bad record MAC",
12526 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12527
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12528 testCases = append(testCases, testCase{
12529 testType: clientTest,
12530 name: "EmptyEncryptedExtensions-TLS13",
12531 config: Config{
12532 MaxVersion: VersionTLS13,
12533 Bugs: ProtocolBugs{
12534 EmptyEncryptedExtensions: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12535 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12536 },
12537 shouldFail: true,
12538 expectedLocalError: "remote error: error decoding message",
12539 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12540
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12541 testCases = append(testCases, testCase{
12542 testType: clientTest,
12543 name: "EncryptedExtensionsWithKeyShare-TLS13",
12544 config: Config{
12545 MaxVersion: VersionTLS13,
12546 Bugs: ProtocolBugs{
12547 EncryptedExtensionsWithKeyShare: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12548 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12549 },
12550 shouldFail: true,
12551 expectedLocalError: "remote error: unsupported extension",
12552 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12553
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12554 testCases = append(testCases, testCase{
12555 testType: serverTest,
12556 name: "SendHelloRetryRequest-TLS13",
12557 config: Config{
12558 MaxVersion: VersionTLS13,
12559 // Require a HelloRetryRequest for every curve.
12560 DefaultCurves: []CurveID{},
12561 CurvePreferences: []CurveID{CurveX25519},
12562 },
12563 expectedCurveID: CurveX25519,
12564 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12565
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12566 testCases = append(testCases, testCase{
12567 testType: serverTest,
12568 name: "SendHelloRetryRequest-2-TLS13",
12569 config: Config{
12570 MaxVersion: VersionTLS13,
12571 DefaultCurves: []CurveID{CurveP384},
12572 CurvePreferences: []CurveID{CurveX25519, CurveP384},
12573 },
12574 // Although the ClientHello did not predict our preferred curve,
12575 // we always select it whether it is predicted or not.
12576 expectedCurveID: CurveX25519,
12577 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12578
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12579 testCases = append(testCases, testCase{
12580 name: "UnknownCurve-HelloRetryRequest-TLS13",
12581 config: Config{
12582 MaxVersion: VersionTLS13,
12583 // P-384 requires HelloRetryRequest in BoringSSL.
12584 CurvePreferences: []CurveID{CurveP384},
12585 Bugs: ProtocolBugs{
12586 SendHelloRetryRequestCurve: bogusCurve,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12587 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12588 },
12589 shouldFail: true,
12590 expectedError: ":WRONG_CURVE:",
12591 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12592
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12593 testCases = append(testCases, testCase{
12594 name: "HelloRetryRequest-CipherChange-TLS13",
12595 config: Config{
12596 MaxVersion: VersionTLS13,
12597 // P-384 requires HelloRetryRequest in BoringSSL.
12598 CurvePreferences: []CurveID{CurveP384},
12599 Bugs: ProtocolBugs{
12600 SendCipherSuite: TLS_AES_128_GCM_SHA256,
12601 SendHelloRetryRequestCipherSuite: TLS_CHACHA20_POLY1305_SHA256,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12602 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12603 },
12604 shouldFail: true,
12605 expectedError: ":WRONG_CIPHER_RETURNED:",
12606 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12607
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12608 // Test that the client does not offer a PSK in the second ClientHello if the
12609 // HelloRetryRequest is incompatible with it.
12610 testCases = append(testCases, testCase{
12611 testType: clientTest,
12612 name: "HelloRetryRequest-NonResumableCipher-TLS13",
12613 config: Config{
12614 MaxVersion: VersionTLS13,
12615 CipherSuites: []uint16{
12616 TLS_AES_128_GCM_SHA256,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]12617 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12618 },
12619 resumeConfig: &Config{
12620 MaxVersion: VersionTLS13,
12621 // P-384 requires HelloRetryRequest in BoringSSL.
12622 CurvePreferences: []CurveID{CurveP384},
12623 Bugs: ProtocolBugs{
12624 ExpectNoTLS13PSKAfterHRR: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]12625 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12626 CipherSuites: []uint16{
12627 TLS_AES_256_GCM_SHA384,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]12628 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12629 },
12630 resumeSession: true,
12631 expectResumeRejected: true,
12632 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12633
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12634 testCases = append(testCases, testCase{
12635 name: "DisabledCurve-HelloRetryRequest-TLS13",
12636 config: Config{
12637 MaxVersion: VersionTLS13,
12638 CurvePreferences: []CurveID{CurveP256},
12639 Bugs: ProtocolBugs{
12640 IgnorePeerCurvePreferences: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12641 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12642 },
12643 flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
12644 shouldFail: true,
12645 expectedError: ":WRONG_CURVE:",
12646 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12647
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12648 testCases = append(testCases, testCase{
12649 name: "UnnecessaryHelloRetryRequest-TLS13",
12650 config: Config{
12651 MaxVersion: VersionTLS13,
12652 CurvePreferences: []CurveID{CurveX25519},
12653 Bugs: ProtocolBugs{
12654 SendHelloRetryRequestCurve: CurveX25519,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12655 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12656 },
12657 shouldFail: true,
12658 expectedError: ":WRONG_CURVE:",
12659 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12660
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12661 testCases = append(testCases, testCase{
12662 name: "SecondHelloRetryRequest-TLS13",
12663 config: Config{
12664 MaxVersion: VersionTLS13,
12665 // P-384 requires HelloRetryRequest in BoringSSL.
12666 CurvePreferences: []CurveID{CurveP384},
12667 Bugs: ProtocolBugs{
12668 SecondHelloRetryRequest: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12669 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12670 },
12671 shouldFail: true,
12672 expectedError: ":UNEXPECTED_MESSAGE:",
12673 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12674
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12675 testCases = append(testCases, testCase{
12676 name: "HelloRetryRequest-Empty-TLS13",
12677 config: Config{
12678 MaxVersion: VersionTLS13,
12679 Bugs: ProtocolBugs{
12680 AlwaysSendHelloRetryRequest: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12681 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12682 },
12683 shouldFail: true,
12684 expectedError: ":EMPTY_HELLO_RETRY_REQUEST:",
12685 expectedLocalError: "remote error: illegal parameter",
12686 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12687
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12688 testCases = append(testCases, testCase{
12689 name: "HelloRetryRequest-DuplicateCurve-TLS13",
12690 config: Config{
12691 MaxVersion: VersionTLS13,
12692 // P-384 requires a HelloRetryRequest against BoringSSL's default
12693 // configuration. Assert this ExpectMissingKeyShare.
12694 CurvePreferences: []CurveID{CurveP384},
12695 Bugs: ProtocolBugs{
12696 ExpectMissingKeyShare: true,
12697 DuplicateHelloRetryRequestExtensions: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12698 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12699 },
12700 shouldFail: true,
12701 expectedError: ":DUPLICATE_EXTENSION:",
12702 expectedLocalError: "remote error: illegal parameter",
12703 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12704
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12705 testCases = append(testCases, testCase{
12706 name: "HelloRetryRequest-Cookie-TLS13",
12707 config: Config{
12708 MaxVersion: VersionTLS13,
12709 Bugs: ProtocolBugs{
12710 SendHelloRetryRequestCookie: []byte("cookie"),
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12711 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12712 },
12713 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12714
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12715 testCases = append(testCases, testCase{
12716 name: "HelloRetryRequest-DuplicateCookie-TLS13",
12717 config: Config{
12718 MaxVersion: VersionTLS13,
12719 Bugs: ProtocolBugs{
12720 SendHelloRetryRequestCookie: []byte("cookie"),
12721 DuplicateHelloRetryRequestExtensions: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12722 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12723 },
12724 shouldFail: true,
12725 expectedError: ":DUPLICATE_EXTENSION:",
12726 expectedLocalError: "remote error: illegal parameter",
12727 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12728
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12729 testCases = append(testCases, testCase{
12730 name: "HelloRetryRequest-EmptyCookie-TLS13",
12731 config: Config{
12732 MaxVersion: VersionTLS13,
12733 Bugs: ProtocolBugs{
12734 SendHelloRetryRequestCookie: []byte{},
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12735 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12736 },
12737 shouldFail: true,
12738 expectedError: ":DECODE_ERROR:",
12739 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12740
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12741 testCases = append(testCases, testCase{
12742 name: "HelloRetryRequest-Cookie-Curve-TLS13",
12743 config: Config{
12744 MaxVersion: VersionTLS13,
12745 // P-384 requires HelloRetryRequest in BoringSSL.
12746 CurvePreferences: []CurveID{CurveP384},
12747 Bugs: ProtocolBugs{
12748 SendHelloRetryRequestCookie: []byte("cookie"),
12749 ExpectMissingKeyShare: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12750 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12751 },
12752 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12753
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12754 testCases = append(testCases, testCase{
12755 name: "HelloRetryRequest-Unknown-TLS13",
12756 config: Config{
12757 MaxVersion: VersionTLS13,
12758 Bugs: ProtocolBugs{
12759 CustomHelloRetryRequestExtension: "extension",
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12760 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12761 },
12762 shouldFail: true,
12763 expectedError: ":UNEXPECTED_EXTENSION:",
12764 expectedLocalError: "remote error: unsupported extension",
12765 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12766
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12767 testCases = append(testCases, testCase{
12768 testType: serverTest,
12769 name: "SecondClientHelloMissingKeyShare-TLS13",
12770 config: Config{
12771 MaxVersion: VersionTLS13,
12772 DefaultCurves: []CurveID{},
12773 Bugs: ProtocolBugs{
12774 SecondClientHelloMissingKeyShare: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12775 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12776 },
12777 shouldFail: true,
12778 expectedError: ":MISSING_KEY_SHARE:",
12779 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12780
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12781 testCases = append(testCases, testCase{
12782 testType: serverTest,
12783 name: "SecondClientHelloWrongCurve-TLS13",
12784 config: Config{
12785 MaxVersion: VersionTLS13,
12786 DefaultCurves: []CurveID{},
12787 Bugs: ProtocolBugs{
12788 MisinterpretHelloRetryRequestCurve: CurveP521,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12789 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12790 },
12791 shouldFail: true,
12792 expectedError: ":WRONG_CURVE:",
12793 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12794
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12795 testCases = append(testCases, testCase{
12796 name: "HelloRetryRequestVersionMismatch-TLS13",
12797 config: Config{
12798 MaxVersion: VersionTLS13,
12799 // P-384 requires HelloRetryRequest in BoringSSL.
12800 CurvePreferences: []CurveID{CurveP384},
12801 Bugs: ProtocolBugs{
12802 SendServerHelloVersion: 0x0305,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12803 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12804 },
12805 shouldFail: true,
12806 expectedError: ":WRONG_VERSION_NUMBER:",
12807 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12808
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12809 testCases = append(testCases, testCase{
12810 name: "HelloRetryRequestCurveMismatch-TLS13",
12811 config: Config{
12812 MaxVersion: VersionTLS13,
12813 // P-384 requires HelloRetryRequest in BoringSSL.
12814 CurvePreferences: []CurveID{CurveP384},
12815 Bugs: ProtocolBugs{
12816 // Send P-384 (correct) in the HelloRetryRequest.
12817 SendHelloRetryRequestCurve: CurveP384,
12818 // But send P-256 in the ServerHello.
12819 SendCurve: CurveP256,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12820 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12821 },
12822 shouldFail: true,
12823 expectedError: ":WRONG_CURVE:",
12824 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12825
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12826 // Test the server selecting a curve that requires a HelloRetryRequest
12827 // without sending it.
12828 testCases = append(testCases, testCase{
12829 name: "SkipHelloRetryRequest-TLS13",
12830 config: Config{
12831 MaxVersion: VersionTLS13,
12832 // P-384 requires HelloRetryRequest in BoringSSL.
12833 CurvePreferences: []CurveID{CurveP384},
12834 Bugs: ProtocolBugs{
12835 SkipHelloRetryRequest: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12836 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12837 },
12838 shouldFail: true,
12839 expectedError: ":WRONG_CURVE:",
12840 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12841
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12842 testCases = append(testCases, testCase{
12843 name: "SecondServerHelloNoVersion-TLS13",
12844 config: Config{
12845 MaxVersion: VersionTLS13,
12846 // P-384 requires HelloRetryRequest in BoringSSL.
12847 CurvePreferences: []CurveID{CurveP384},
12848 Bugs: ProtocolBugs{
12849 OmitServerSupportedVersionExtension: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12850 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12851 },
12852 shouldFail: true,
12853 expectedError: ":SECOND_SERVERHELLO_VERSION_MISMATCH:",
12854 })
12855 testCases = append(testCases, testCase{
12856 name: "SecondServerHelloWrongVersion-TLS13",
12857 config: Config{
12858 MaxVersion: VersionTLS13,
12859 // P-384 requires HelloRetryRequest in BoringSSL.
12860 CurvePreferences: []CurveID{CurveP384},
12861 Bugs: ProtocolBugs{
12862 SendServerSupportedVersionExtension: 0x1234,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12863 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12864 },
12865 shouldFail: true,
12866 expectedError: ":SECOND_SERVERHELLO_VERSION_MISMATCH:",
12867 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12868
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12869 testCases = append(testCases, testCase{
12870 name: "RequestContextInHandshake-TLS13",
12871 config: Config{
12872 MaxVersion: VersionTLS13,
12873 MinVersion: VersionTLS13,
12874 ClientAuth: RequireAnyClientCert,
12875 Bugs: ProtocolBugs{
12876 SendRequestContext: []byte("request context"),
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]12877 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12878 },
12879 flags: []string{
12880 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
12881 "-key-file", path.Join(*resourceDir, rsaKeyFile),
12882 },
12883 shouldFail: true,
12884 expectedError: ":DECODE_ERROR:",
12885 })
12886
12887 testCases = append(testCases, testCase{
12888 name: "UnknownExtensionInCertificateRequest-TLS13",
12889 config: Config{
12890 MaxVersion: VersionTLS13,
12891 MinVersion: VersionTLS13,
12892 ClientAuth: RequireAnyClientCert,
12893 Bugs: ProtocolBugs{
12894 SendCustomCertificateRequest: 0x1212,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]12895 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12896 },
12897 flags: []string{
12898 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
12899 "-key-file", path.Join(*resourceDir, rsaKeyFile),
12900 },
12901 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12902
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12903 testCases = append(testCases, testCase{
12904 name: "MissingSignatureAlgorithmsInCertificateRequest-TLS13",
12905 config: Config{
12906 MaxVersion: VersionTLS13,
12907 MinVersion: VersionTLS13,
12908 ClientAuth: RequireAnyClientCert,
12909 Bugs: ProtocolBugs{
12910 OmitCertificateRequestAlgorithms: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]12911 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12912 },
12913 flags: []string{
12914 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
12915 "-key-file", path.Join(*resourceDir, rsaKeyFile),
12916 },
12917 shouldFail: true,
12918 expectedError: ":DECODE_ERROR:",
12919 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12920
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12921 testCases = append(testCases, testCase{
12922 testType: serverTest,
12923 name: "TrailingKeyShareData-TLS13",
12924 config: Config{
12925 MaxVersion: VersionTLS13,
12926 Bugs: ProtocolBugs{
12927 TrailingKeyShareData: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12928 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12929 },
12930 shouldFail: true,
12931 expectedError: ":DECODE_ERROR:",
12932 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12933
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12934 testCases = append(testCases, testCase{
12935 name: "AlwaysSelectPSKIdentity-TLS13",
12936 config: Config{
12937 MaxVersion: VersionTLS13,
12938 Bugs: ProtocolBugs{
12939 AlwaysSelectPSKIdentity: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12940 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12941 },
12942 shouldFail: true,
12943 expectedError: ":UNEXPECTED_EXTENSION:",
12944 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12945
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12946 testCases = append(testCases, testCase{
12947 name: "InvalidPSKIdentity-TLS13",
12948 config: Config{
12949 MaxVersion: VersionTLS13,
12950 Bugs: ProtocolBugs{
12951 SelectPSKIdentityOnResume: 1,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12952 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12953 },
12954 resumeSession: true,
12955 shouldFail: true,
12956 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
12957 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12958
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12959 testCases = append(testCases, testCase{
12960 testType: serverTest,
12961 name: "ExtraPSKIdentity-TLS13",
12962 config: Config{
12963 MaxVersion: VersionTLS13,
12964 Bugs: ProtocolBugs{
12965 ExtraPSKIdentity: true,
12966 SendExtraPSKBinder: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12967 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12968 },
12969 resumeSession: true,
12970 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12971
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12972 // Test that unknown NewSessionTicket extensions are tolerated.
12973 testCases = append(testCases, testCase{
12974 name: "CustomTicketExtension-TLS13",
12975 config: Config{
12976 MaxVersion: VersionTLS13,
12977 Bugs: ProtocolBugs{
12978 CustomTicketExtension: "1234",
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]12979 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]12980 },
12981 })
12982 testCases = append(testCases, testCase{
12983 testType: clientTest,
12984 name: "EarlyData-RejectTicket-Client-TLS13",
12985 config: Config{
12986 MaxVersion: VersionTLS13,
12987 MaxEarlyDataSize: 16384,
12988 Certificates: []Certificate{rsaCertificate},
12989 },
12990 resumeConfig: &Config{
12991 MaxVersion: VersionTLS13,
12992 MaxEarlyDataSize: 16384,
12993 Certificates: []Certificate{ecdsaP256Certificate},
12994 SessionTicketsDisabled: true,
12995 },
12996 resumeSession: true,
12997 expectResumeRejected: true,
12998 flags: []string{
12999 "-enable-early-data",
13000 "-expect-ticket-supports-early-data",
13001 "-expect-reject-early-data",
13002 "-on-resume-shim-writes-first",
13003 "-on-initial-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
13004 "-on-resume-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
13005 "-on-retry-expect-peer-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
13006 // Session tickets are disabled, so the runner will not send a ticket.
13007 "-on-retry-expect-no-session",
13008 },
13009 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13010
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13011 testCases = append(testCases, testCase{
13012 testType: clientTest,
13013 name: "EarlyData-HRR-Client-TLS13",
13014 config: Config{
13015 MaxVersion: VersionTLS13,
13016 MaxEarlyDataSize: 16384,
13017 },
13018 resumeConfig: &Config{
13019 MaxVersion: VersionTLS13,
13020 MaxEarlyDataSize: 16384,
13021 Bugs: ProtocolBugs{
13022 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13023 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13024 },
13025 resumeSession: true,
13026 flags: []string{
13027 "-enable-early-data",
13028 "-expect-ticket-supports-early-data",
13029 "-expect-reject-early-data",
13030 },
13031 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13032
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13033 // The client must check the server does not send the early_data
13034 // extension while rejecting the session.
13035 testCases = append(testCases, testCase{
13036 testType: clientTest,
13037 name: "EarlyDataWithoutResume-Client-TLS13",
13038 config: Config{
13039 MaxVersion: VersionTLS13,
13040 MaxEarlyDataSize: 16384,
13041 },
13042 resumeConfig: &Config{
13043 MaxVersion: VersionTLS13,
13044 SessionTicketsDisabled: true,
13045 Bugs: ProtocolBugs{
13046 SendEarlyDataExtension: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13047 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13048 },
13049 resumeSession: true,
13050 flags: []string{
13051 "-enable-early-data",
13052 "-expect-ticket-supports-early-data",
13053 },
13054 shouldFail: true,
13055 expectedError: ":UNEXPECTED_EXTENSION:",
13056 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13057
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13058 // The client must fail with a dedicated error code if the server
13059 // responds with TLS 1.2 when offering 0-RTT.
13060 testCases = append(testCases, testCase{
13061 testType: clientTest,
13062 name: "EarlyDataVersionDowngrade-Client-TLS13",
13063 config: Config{
13064 MaxVersion: VersionTLS13,
13065 MaxEarlyDataSize: 16384,
13066 },
13067 resumeConfig: &Config{
13068 MaxVersion: VersionTLS12,
13069 },
13070 resumeSession: true,
13071 flags: []string{
13072 "-enable-early-data",
13073 "-expect-ticket-supports-early-data",
13074 },
13075 shouldFail: true,
13076 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
13077 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13078
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13079 // Test that the client rejects an (unsolicited) early_data extension if
13080 // the server sent an HRR.
13081 testCases = append(testCases, testCase{
13082 testType: clientTest,
13083 name: "ServerAcceptsEarlyDataOnHRR-Client-TLS13",
13084 config: Config{
13085 MaxVersion: VersionTLS13,
13086 MaxEarlyDataSize: 16384,
13087 },
13088 resumeConfig: &Config{
13089 MaxVersion: VersionTLS13,
13090 MaxEarlyDataSize: 16384,
13091 Bugs: ProtocolBugs{
13092 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
13093 SendEarlyDataExtension: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13094 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13095 },
13096 resumeSession: true,
13097 flags: []string{
13098 "-enable-early-data",
13099 "-expect-ticket-supports-early-data",
13100 "-expect-reject-early-data",
13101 },
13102 shouldFail: true,
13103 expectedError: ":UNEXPECTED_EXTENSION:",
13104 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13105
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13106 testCases = append(testCases, testCase{
13107 testType: clientTest,
13108 name: "SkipChangeCipherSpec-Client-TLS13",
13109 config: Config{
13110 MaxVersion: VersionTLS13,
13111 Bugs: ProtocolBugs{
13112 SkipChangeCipherSpec: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13113 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13114 },
13115 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13116
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13117 testCases = append(testCases, testCase{
13118 testType: serverTest,
13119 name: "SkipChangeCipherSpec-Server-TLS13",
13120 config: Config{
13121 MaxVersion: VersionTLS13,
13122 Bugs: ProtocolBugs{
13123 SkipChangeCipherSpec: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13124 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13125 },
13126 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13127
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13128 testCases = append(testCases, testCase{
13129 testType: clientTest,
13130 name: "TooManyChangeCipherSpec-Client-TLS13",
13131 config: Config{
13132 MaxVersion: VersionTLS13,
13133 Bugs: ProtocolBugs{
13134 SendExtraChangeCipherSpec: 33,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13135 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13136 },
13137 shouldFail: true,
13138 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
13139 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13140
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13141 testCases = append(testCases, testCase{
13142 testType: serverTest,
13143 name: "TooManyChangeCipherSpec-Server-TLS13",
13144 config: Config{
13145 MaxVersion: VersionTLS13,
13146 Bugs: ProtocolBugs{
13147 SendExtraChangeCipherSpec: 33,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13148 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13149 },
13150 shouldFail: true,
13151 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
13152 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13153
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13154 testCases = append(testCases, testCase{
13155 name: "SendPostHandshakeChangeCipherSpec-TLS13",
13156 config: Config{
13157 MaxVersion: VersionTLS13,
13158 Bugs: ProtocolBugs{
13159 SendPostHandshakeChangeCipherSpec: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13160 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13161 },
13162 shouldFail: true,
13163 expectedError: ":UNEXPECTED_RECORD:",
13164 expectedLocalError: "remote error: unexpected message",
13165 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13166
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13167 fooString := "foo"
13168 barString := "bar"
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13169
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13170 // Test that the client reports the correct ALPN after a 0-RTT reject
13171 // that changed it.
13172 testCases = append(testCases, testCase{
13173 testType: clientTest,
13174 name: "EarlyData-ALPNMismatch-Client-TLS13",
13175 config: Config{
13176 MaxVersion: VersionTLS13,
13177 MaxEarlyDataSize: 16384,
13178 Bugs: ProtocolBugs{
13179 ALPNProtocol: &fooString,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13180 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13181 },
13182 resumeConfig: &Config{
13183 MaxVersion: VersionTLS13,
13184 MaxEarlyDataSize: 16384,
13185 Bugs: ProtocolBugs{
13186 ALPNProtocol: &barString,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13187 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13188 },
13189 resumeSession: true,
13190 flags: []string{
13191 "-advertise-alpn", "\x03foo\x03bar",
13192 "-enable-early-data",
13193 "-expect-ticket-supports-early-data",
13194 "-expect-reject-early-data",
13195 "-on-initial-expect-alpn", "foo",
13196 "-on-resume-expect-alpn", "foo",
13197 "-on-retry-expect-alpn", "bar",
13198 },
13199 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13200
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13201 // Test that the client reports the correct ALPN after a 0-RTT reject if
13202 // ALPN was omitted from the first connection.
13203 testCases = append(testCases, testCase{
13204 testType: clientTest,
13205 name: "EarlyData-ALPNOmitted1-Client-TLS13",
13206 config: Config{
13207 MaxVersion: VersionTLS13,
13208 MaxEarlyDataSize: 16384,
13209 },
13210 resumeConfig: &Config{
13211 MaxVersion: VersionTLS13,
13212 MaxEarlyDataSize: 16384,
13213 NextProtos: []string{"foo"},
13214 },
13215 resumeSession: true,
13216 flags: []string{
13217 "-advertise-alpn", "\x03foo\x03bar",
13218 "-enable-early-data",
13219 "-expect-ticket-supports-early-data",
13220 "-expect-reject-early-data",
13221 "-on-initial-expect-alpn", "",
13222 "-on-resume-expect-alpn", "",
13223 "-on-retry-expect-alpn", "foo",
13224 "-on-resume-shim-writes-first",
13225 },
13226 })
13227
13228 // Test that the client reports the correct ALPN after a 0-RTT reject if
13229 // ALPN was omitted from the second connection.
13230 testCases = append(testCases, testCase{
13231 testType: clientTest,
13232 name: "EarlyData-ALPNOmitted2-Client-TLS13",
13233 config: Config{
13234 MaxVersion: VersionTLS13,
13235 MaxEarlyDataSize: 16384,
13236 NextProtos: []string{"foo"},
13237 },
13238 resumeConfig: &Config{
13239 MaxVersion: VersionTLS13,
13240 MaxEarlyDataSize: 16384,
13241 },
13242 resumeSession: true,
13243 flags: []string{
13244 "-advertise-alpn", "\x03foo\x03bar",
13245 "-enable-early-data",
13246 "-expect-ticket-supports-early-data",
13247 "-expect-reject-early-data",
13248 "-on-initial-expect-alpn", "foo",
13249 "-on-resume-expect-alpn", "foo",
13250 "-on-retry-expect-alpn", "",
13251 "-on-resume-shim-writes-first",
13252 },
13253 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13254
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13255 // Test that the client enforces ALPN match on 0-RTT accept.
13256 testCases = append(testCases, testCase{
13257 testType: clientTest,
13258 name: "EarlyData-BadALPNMismatch-Client-TLS13",
13259 config: Config{
13260 MaxVersion: VersionTLS13,
13261 MaxEarlyDataSize: 16384,
13262 Bugs: ProtocolBugs{
13263 ALPNProtocol: &fooString,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13264 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13265 },
13266 resumeConfig: &Config{
13267 MaxVersion: VersionTLS13,
13268 MaxEarlyDataSize: 16384,
13269 Bugs: ProtocolBugs{
13270 AlwaysAcceptEarlyData: true,
13271 ALPNProtocol: &barString,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13272 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13273 },
13274 resumeSession: true,
13275 flags: []string{
13276 "-advertise-alpn", "\x03foo\x03bar",
13277 "-enable-early-data",
13278 "-expect-ticket-supports-early-data",
13279 "-on-initial-expect-alpn", "foo",
13280 "-on-resume-expect-alpn", "foo",
13281 "-on-retry-expect-alpn", "bar",
13282 },
13283 shouldFail: true,
13284 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
13285 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13286
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13287 // Test that the client does not offer early data if it is incompatible
13288 // with ALPN preferences.
13289 testCases = append(testCases, testCase{
13290 testType: clientTest,
13291 name: "EarlyData-ALPNPreferenceChanged-TLS13",
13292 config: Config{
13293 MaxVersion: VersionTLS13,
13294 MaxEarlyDataSize: 16384,
13295 NextProtos: []string{"foo", "bar"},
13296 },
13297 resumeSession: true,
13298 flags: []string{
13299 "-enable-early-data",
13300 "-expect-ticket-supports-early-data",
13301 "-expect-no-offer-early-data",
13302 "-on-initial-advertise-alpn", "\x03foo",
Pete Bentleya5c947b2019-08-09 14:24:27 +0000[diff] [blame]13303 "-on-resume-advertise-alpn", "\x03bar",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13304 "-on-initial-expect-alpn", "foo",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13305 "-on-resume-expect-alpn", "bar",
13306 },
13307 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13308
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13309 // Test that the server correctly rejects 0-RTT when the previous
13310 // session did not allow early data on resumption.
13311 testCases = append(testCases, testCase{
13312 testType: serverTest,
13313 name: "EarlyData-NonZeroRTTSession-Server-TLS13",
13314 config: Config{
13315 MaxVersion: VersionTLS13,
13316 },
13317 resumeConfig: &Config{
13318 MaxVersion: VersionTLS13,
13319 Bugs: ProtocolBugs{
13320 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13321 ExpectEarlyDataAccepted: false,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13322 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13323 },
13324 resumeSession: true,
13325 flags: []string{
13326 "-on-resume-enable-early-data",
13327 "-expect-reject-early-data",
13328 },
13329 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13330
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13331 // Test that we reject early data where ALPN is omitted from the first
13332 // connection.
13333 testCases = append(testCases, testCase{
13334 testType: serverTest,
13335 name: "EarlyData-ALPNOmitted1-Server-TLS13",
13336 config: Config{
13337 MaxVersion: VersionTLS13,
13338 NextProtos: []string{},
13339 },
13340 resumeConfig: &Config{
13341 MaxVersion: VersionTLS13,
13342 NextProtos: []string{"foo"},
13343 Bugs: ProtocolBugs{
13344 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13345 ExpectEarlyDataAccepted: false,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13346 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13347 },
13348 resumeSession: true,
13349 flags: []string{
13350 "-enable-early-data",
13351 "-on-initial-select-alpn", "",
13352 "-on-resume-select-alpn", "foo",
13353 },
13354 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13355
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13356 // Test that we reject early data where ALPN is omitted from the second
13357 // connection.
13358 testCases = append(testCases, testCase{
13359 testType: serverTest,
13360 name: "EarlyData-ALPNOmitted2-Server-TLS13",
13361 config: Config{
13362 MaxVersion: VersionTLS13,
13363 NextProtos: []string{"foo"},
13364 },
13365 resumeConfig: &Config{
13366 MaxVersion: VersionTLS13,
13367 NextProtos: []string{},
13368 Bugs: ProtocolBugs{
13369 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13370 ExpectEarlyDataAccepted: false,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13371 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13372 },
13373 resumeSession: true,
13374 flags: []string{
13375 "-enable-early-data",
13376 "-on-initial-select-alpn", "foo",
13377 "-on-resume-select-alpn", "",
13378 },
13379 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13380
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13381 // Test that we reject early data with mismatched ALPN.
13382 testCases = append(testCases, testCase{
13383 testType: serverTest,
13384 name: "EarlyData-ALPNMismatch-Server-TLS13",
13385 config: Config{
13386 MaxVersion: VersionTLS13,
13387 NextProtos: []string{"foo"},
13388 },
13389 resumeConfig: &Config{
13390 MaxVersion: VersionTLS13,
13391 NextProtos: []string{"bar"},
13392 Bugs: ProtocolBugs{
13393 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13394 ExpectEarlyDataAccepted: false,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13395 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13396 },
13397 resumeSession: true,
13398 flags: []string{
13399 "-enable-early-data",
13400 "-on-initial-select-alpn", "foo",
13401 "-on-resume-select-alpn", "bar",
13402 },
13403 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13404
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13405 // Test that the client offering 0-RTT and Channel ID forbids the server
13406 // from accepting both.
13407 testCases = append(testCases, testCase{
13408 testType: clientTest,
13409 name: "EarlyDataChannelID-AcceptBoth-Client-TLS13",
13410 config: Config{
13411 MaxVersion: VersionTLS13,
13412 MaxEarlyDataSize: 16384,
13413 RequestChannelID: true,
13414 },
13415 resumeSession: true,
13416 expectChannelID: true,
13417 shouldFail: true,
13418 expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:",
13419 flags: []string{
13420 "-enable-early-data",
13421 "-expect-ticket-supports-early-data",
13422 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
13423 },
13424 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13425
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13426 // Test that the client offering Channel ID and 0-RTT allows the server
13427 // to decline 0-RTT.
13428 testCases = append(testCases, testCase{
13429 testType: clientTest,
13430 name: "EarlyDataChannelID-AcceptChannelID-Client-TLS13",
13431 config: Config{
13432 MaxVersion: VersionTLS13,
13433 MaxEarlyDataSize: 16384,
13434 RequestChannelID: true,
13435 Bugs: ProtocolBugs{
13436 AlwaysRejectEarlyData: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13437 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13438 },
13439 resumeSession: true,
13440 expectChannelID: true,
13441 flags: []string{
13442 "-enable-early-data",
13443 "-expect-ticket-supports-early-data",
13444 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
13445 "-expect-reject-early-data",
13446 },
13447 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13448
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13449 // Test that the client offering Channel ID and 0-RTT allows the server
13450 // to decline Channel ID.
13451 testCases = append(testCases, testCase{
13452 testType: clientTest,
13453 name: "EarlyDataChannelID-AcceptEarlyData-Client-TLS13",
13454 config: Config{
13455 MaxVersion: VersionTLS13,
13456 MaxEarlyDataSize: 16384,
13457 },
13458 resumeSession: true,
13459 flags: []string{
13460 "-enable-early-data",
13461 "-expect-ticket-supports-early-data",
13462 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13463 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13464 },
13465 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13466
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13467 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
13468 // if it would negotiate Channel ID.
13469 testCases = append(testCases, testCase{
13470 testType: serverTest,
13471 name: "EarlyDataChannelID-OfferBoth-Server-TLS13",
13472 config: Config{
13473 MaxVersion: VersionTLS13,
13474 ChannelID: channelIDKey,
13475 Bugs: ProtocolBugs{
13476 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13477 ExpectEarlyDataAccepted: false,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13478 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13479 },
13480 resumeSession: true,
13481 expectChannelID: true,
13482 flags: []string{
13483 "-enable-early-data",
13484 "-expect-reject-early-data",
13485 "-expect-channel-id",
13486 base64.StdEncoding.EncodeToString(channelIDBytes),
13487 },
13488 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13489
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13490 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
13491 // if not offered Channel ID.
13492 testCases = append(testCases, testCase{
13493 testType: serverTest,
13494 name: "EarlyDataChannelID-OfferEarlyData-Server-TLS13",
13495 config: Config{
13496 MaxVersion: VersionTLS13,
13497 Bugs: ProtocolBugs{
13498 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13499 ExpectEarlyDataAccepted: true,
13500 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13501 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13502 },
13503 resumeSession: true,
13504 expectChannelID: false,
13505 flags: []string{
13506 "-enable-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13507 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13508 "-enable-channel-id",
13509 },
13510 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13511
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13512 // Test that the server rejects 0-RTT streams without end_of_early_data.
13513 // The subsequent records should fail to decrypt.
13514 testCases = append(testCases, testCase{
13515 testType: serverTest,
13516 name: "EarlyData-SkipEndOfEarlyData-TLS13",
13517 config: Config{
13518 MaxVersion: VersionTLS13,
13519 Bugs: ProtocolBugs{
13520 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13521 ExpectEarlyDataAccepted: true,
13522 SkipEndOfEarlyData: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13523 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13524 },
13525 resumeSession: true,
13526 flags: []string{"-enable-early-data"},
13527 shouldFail: true,
13528 expectedLocalError: "remote error: bad record MAC",
13529 expectedError: ":BAD_DECRYPT:",
13530 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13531
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13532 testCases = append(testCases, testCase{
13533 testType: serverTest,
13534 name: "EarlyData-UnexpectedHandshake-Server-TLS13",
13535 config: Config{
13536 MaxVersion: VersionTLS13,
13537 },
13538 resumeConfig: &Config{
13539 MaxVersion: VersionTLS13,
13540 Bugs: ProtocolBugs{
13541 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13542 SendStrayEarlyHandshake: true,
13543 ExpectEarlyDataAccepted: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13544 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13545 },
13546 resumeSession: true,
13547 shouldFail: true,
13548 expectedError: ":UNEXPECTED_MESSAGE:",
13549 expectedLocalError: "remote error: unexpected message",
13550 flags: []string{
13551 "-enable-early-data",
13552 },
13553 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13554
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13555 // Test that the client reports TLS 1.3 as the version while sending
13556 // early data.
13557 testCases = append(testCases, testCase{
13558 testType: clientTest,
13559 name: "EarlyData-Client-VersionAPI-TLS13",
13560 config: Config{
13561 MaxVersion: VersionTLS13,
13562 MaxEarlyDataSize: 16384,
13563 },
13564 resumeSession: true,
13565 flags: []string{
13566 "-enable-early-data",
13567 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13568 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13569 "-expect-version", strconv.Itoa(VersionTLS13),
13570 },
13571 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13572
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13573 // Test that client and server both notice handshake errors after data
13574 // has started flowing.
13575 testCases = append(testCases, testCase{
13576 testType: clientTest,
13577 name: "EarlyData-Client-BadFinished-TLS13",
13578 config: Config{
13579 MaxVersion: VersionTLS13,
13580 MaxEarlyDataSize: 16384,
13581 },
13582 resumeConfig: &Config{
13583 MaxVersion: VersionTLS13,
13584 MaxEarlyDataSize: 16384,
13585 Bugs: ProtocolBugs{
13586 BadFinished: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13587 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13588 },
13589 resumeSession: true,
13590 flags: []string{
13591 "-enable-early-data",
13592 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13593 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13594 },
13595 shouldFail: true,
13596 expectedError: ":DIGEST_CHECK_FAILED:",
13597 expectedLocalError: "remote error: error decrypting message",
13598 })
13599 testCases = append(testCases, testCase{
13600 testType: serverTest,
13601 name: "EarlyData-Server-BadFinished-TLS13",
13602 config: Config{
13603 MaxVersion: VersionTLS13,
13604 },
13605 resumeConfig: &Config{
13606 MaxVersion: VersionTLS13,
13607 Bugs: ProtocolBugs{
13608 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13609 ExpectEarlyDataAccepted: true,
13610 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
13611 BadFinished: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13612 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13613 },
13614 resumeSession: true,
13615 flags: []string{
13616 "-enable-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13617 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13618 },
13619 shouldFail: true,
13620 expectedError: ":DIGEST_CHECK_FAILED:",
13621 expectedLocalError: "remote error: error decrypting message",
13622 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13623
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13624 testCases = append(testCases, testCase{
13625 testType: serverTest,
13626 name: "Server-NonEmptyEndOfEarlyData-TLS13",
13627 config: Config{
13628 MaxVersion: VersionTLS13,
13629 },
13630 resumeConfig: &Config{
13631 MaxVersion: VersionTLS13,
13632 Bugs: ProtocolBugs{
13633 SendEarlyData: [][]byte{{1, 2, 3, 4}},
13634 ExpectEarlyDataAccepted: true,
13635 NonEmptyEndOfEarlyData: true,
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13636 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13637 },
13638 resumeSession: true,
13639 flags: []string{
13640 "-enable-early-data",
13641 "-expect-ticket-supports-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]13642 "-expect-accept-early-data",
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13643 },
13644 shouldFail: true,
13645 expectedError: ":DECODE_ERROR:",
13646 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13647
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13648 testCases = append(testCases, testCase{
13649 testType: serverTest,
13650 name: "ServerSkipCertificateVerify-TLS13",
13651 config: Config{
13652 MinVersion: VersionTLS13,
13653 MaxVersion: VersionTLS13,
13654 Certificates: []Certificate{rsaChainCertificate},
13655 Bugs: ProtocolBugs{
13656 SkipCertificateVerify: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13657 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13658 },
13659 expectPeerCertificate: &rsaChainCertificate,
13660 flags: []string{
13661 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13662 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13663 "-require-any-client-certificate",
13664 },
13665 shouldFail: true,
13666 expectedError: ":UNEXPECTED_MESSAGE:",
13667 expectedLocalError: "remote error: unexpected message",
13668 })
13669 testCases = append(testCases, testCase{
13670 testType: clientTest,
13671 name: "ClientSkipCertificateVerify-TLS13",
13672 config: Config{
13673 MinVersion: VersionTLS13,
13674 MaxVersion: VersionTLS13,
13675 Certificates: []Certificate{rsaChainCertificate},
13676 Bugs: ProtocolBugs{
13677 SkipCertificateVerify: true,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]13678 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13679 },
13680 expectPeerCertificate: &rsaChainCertificate,
13681 flags: []string{
13682 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13683 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13684 },
13685 shouldFail: true,
13686 expectedError: ":UNEXPECTED_MESSAGE:",
13687 expectedLocalError: "remote error: unexpected message",
13688 })
Robert Sloan99319a12017-11-27 10:32:46 -0800[diff] [blame]13689
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]13690}
13691
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13692func addTLS13CipherPreferenceTests() {
13693 // Test that client preference is honored if the shim has AES hardware
13694 // and ChaCha20-Poly1305 is preferred otherwise.
13695 testCases = append(testCases, testCase{
13696 testType: serverTest,
13697 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
13698 config: Config{
13699 MaxVersion: VersionTLS13,
13700 CipherSuites: []uint16{
13701 TLS_CHACHA20_POLY1305_SHA256,
13702 TLS_AES_128_GCM_SHA256,
13703 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13704 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13705 },
13706 flags: []string{
13707 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13708 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13709 },
13710 })
13711
13712 testCases = append(testCases, testCase{
13713 testType: serverTest,
13714 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
13715 config: Config{
13716 MaxVersion: VersionTLS13,
13717 CipherSuites: []uint16{
13718 TLS_AES_128_GCM_SHA256,
13719 TLS_CHACHA20_POLY1305_SHA256,
13720 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13721 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13722 },
13723 flags: []string{
13724 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
13725 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13726 },
13727 })
13728
13729 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
13730 // whether it has AES hardware.
13731 testCases = append(testCases, testCase{
13732 name: "TLS13-CipherPreference-Client",
13733 config: Config{
13734 MaxVersion: VersionTLS13,
13735 // Use the client cipher order. (This is the default but
13736 // is listed to be explicit.)
13737 PreferServerCipherSuites: false,
13738 },
13739 flags: []string{
13740 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
13741 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13742 },
13743 })
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]13744
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13745 // CECPQ2 prefers 256-bit ciphers but will use AES-128 if there's nothing else.
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]13746 testCases = append(testCases, testCase{
13747 testType: serverTest,
13748 name: "TLS13-CipherPreference-CECPQ2-AES128Only",
13749 config: Config{
13750 MaxVersion: VersionTLS13,
13751 CipherSuites: []uint16{
13752 TLS_AES_128_GCM_SHA256,
13753 },
13754 },
13755 flags: []string{
13756 "-curves", strconv.Itoa(int(CurveCECPQ2)),
13757 },
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]13758 })
13759 // When a 256-bit cipher is offered, even if not in first place, it should be
13760 // picked.
13761 testCases = append(testCases, testCase{
13762 testType: serverTest,
13763 name: "TLS13-CipherPreference-CECPQ2-AES256Preferred",
13764 config: Config{
13765 MaxVersion: VersionTLS13,
13766 CipherSuites: []uint16{
13767 TLS_AES_128_GCM_SHA256,
13768 TLS_AES_256_GCM_SHA384,
13769 },
13770 },
13771 flags: []string{
13772 "-curves", strconv.Itoa(int(CurveCECPQ2)),
13773 },
13774 expectedCipher: TLS_AES_256_GCM_SHA384,
13775 })
13776 // ... but when CECPQ2 isn't being used, the client's preference controls.
13777 testCases = append(testCases, testCase{
13778 testType: serverTest,
13779 name: "TLS13-CipherPreference-CECPQ2-AES128PreferredOtherwise",
13780 config: Config{
13781 MaxVersion: VersionTLS13,
13782 CipherSuites: []uint16{
13783 TLS_AES_128_GCM_SHA256,
13784 TLS_AES_256_GCM_SHA384,
13785 },
13786 },
13787 flags: []string{
13788 "-curves", strconv.Itoa(int(CurveX25519)),
13789 },
13790 expectedCipher: TLS_AES_128_GCM_SHA256,
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]13791 })
13792
13793 // Test that CECPQ2 continues to honor AES vs ChaCha20 logic.
13794 testCases = append(testCases, testCase{
13795 testType: serverTest,
13796 name: "TLS13-CipherPreference-CECPQ2-AES128-ChaCha20-AES256",
13797 config: Config{
13798 MaxVersion: VersionTLS13,
13799 CipherSuites: []uint16{
13800 TLS_AES_128_GCM_SHA256,
13801 TLS_CHACHA20_POLY1305_SHA256,
13802 TLS_AES_256_GCM_SHA384,
13803 },
13804 },
13805 flags: []string{
13806 "-curves", strconv.Itoa(int(CurveCECPQ2)),
13807 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13808 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13809 },
13810 })
13811 testCases = append(testCases, testCase{
13812 testType: serverTest,
13813 name: "TLS13-CipherPreference-CECPQ2-AES128-AES256-ChaCha20",
13814 config: Config{
13815 MaxVersion: VersionTLS13,
13816 CipherSuites: []uint16{
13817 TLS_AES_128_GCM_SHA256,
13818 TLS_AES_256_GCM_SHA384,
13819 TLS_CHACHA20_POLY1305_SHA256,
13820 },
13821 },
13822 flags: []string{
13823 "-curves", strconv.Itoa(int(CurveCECPQ2)),
13824 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_256_GCM_SHA384)),
13825 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13826 },
13827 })
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13828}
13829
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]13830func addPeekTests() {
13831 // Test SSL_peek works, including on empty records.
13832 testCases = append(testCases, testCase{
13833 name: "Peek-Basic",
13834 sendEmptyRecords: 1,
13835 flags: []string{"-peek-then-read"},
13836 })
13837
13838 // Test SSL_peek can drive the initial handshake.
13839 testCases = append(testCases, testCase{
13840 name: "Peek-ImplicitHandshake",
13841 flags: []string{
13842 "-peek-then-read",
13843 "-implicit-handshake",
13844 },
13845 })
13846
13847 // Test SSL_peek can discover and drive a renegotiation.
13848 testCases = append(testCases, testCase{
13849 name: "Peek-Renegotiate",
13850 config: Config{
13851 MaxVersion: VersionTLS12,
13852 },
13853 renegotiate: 1,
13854 flags: []string{
13855 "-peek-then-read",
13856 "-renegotiate-freely",
13857 "-expect-total-renegotiations", "1",
13858 },
13859 })
13860
13861 // Test SSL_peek can discover a close_notify.
13862 testCases = append(testCases, testCase{
13863 name: "Peek-Shutdown",
13864 config: Config{
13865 Bugs: ProtocolBugs{
13866 ExpectCloseNotify: true,
13867 },
13868 },
13869 flags: []string{
13870 "-peek-then-read",
13871 "-check-close-notify",
13872 },
13873 })
13874
13875 // Test SSL_peek can discover an alert.
13876 testCases = append(testCases, testCase{
13877 name: "Peek-Alert",
13878 config: Config{
13879 Bugs: ProtocolBugs{
13880 SendSpuriousAlert: alertRecordOverflow,
13881 },
13882 },
13883 flags: []string{"-peek-then-read"},
13884 shouldFail: true,
13885 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
13886 })
13887
13888 // Test SSL_peek can handle KeyUpdate.
13889 testCases = append(testCases, testCase{
13890 name: "Peek-KeyUpdate",
13891 config: Config{
13892 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]13893 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]13894 sendKeyUpdates: 1,
13895 keyUpdateRequest: keyUpdateNotRequested,
13896 flags: []string{"-peek-then-read"},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]13897 })
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]13898}
13899
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13900func addRecordVersionTests() {
13901 for _, ver := range tlsVersions {
13902 // Test that the record version is enforced.
13903 testCases = append(testCases, testCase{
13904 name: "CheckRecordVersion-" + ver.name,
13905 config: Config{
13906 MinVersion: ver.version,
13907 MaxVersion: ver.version,
13908 Bugs: ProtocolBugs{
13909 SendRecordVersion: 0x03ff,
13910 },
13911 },
13912 shouldFail: true,
13913 expectedError: ":WRONG_VERSION_NUMBER:",
13914 })
13915
13916 // Test that the ClientHello may use any record version, for
13917 // compatibility reasons.
13918 testCases = append(testCases, testCase{
13919 testType: serverTest,
13920 name: "LooseInitialRecordVersion-" + ver.name,
13921 config: Config{
13922 MinVersion: ver.version,
13923 MaxVersion: ver.version,
13924 Bugs: ProtocolBugs{
13925 SendInitialRecordVersion: 0x03ff,
13926 },
13927 },
13928 })
13929
13930 // Test that garbage ClientHello record versions are rejected.
13931 testCases = append(testCases, testCase{
13932 testType: serverTest,
13933 name: "GarbageInitialRecordVersion-" + ver.name,
13934 config: Config{
13935 MinVersion: ver.version,
13936 MaxVersion: ver.version,
13937 Bugs: ProtocolBugs{
13938 SendInitialRecordVersion: 0xffff,
13939 },
13940 },
13941 shouldFail: true,
13942 expectedError: ":WRONG_VERSION_NUMBER:",
13943 })
13944 }
13945}
13946
13947func addCertificateTests() {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13948 for _, ver := range tlsVersions {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]13949 // Test that a certificate chain with intermediate may be sent
13950 // and received as both client and server.
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13951 testCases = append(testCases, testCase{
13952 testType: clientTest,
13953 name: "SendReceiveIntermediate-Client-" + ver.name,
13954 config: Config{
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]13955 MinVersion: ver.version,
13956 MaxVersion: ver.version,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13957 Certificates: []Certificate{rsaChainCertificate},
13958 ClientAuth: RequireAnyClientCert,
13959 },
13960 expectPeerCertificate: &rsaChainCertificate,
13961 flags: []string{
13962 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13963 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13964 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13965 },
13966 })
13967
13968 testCases = append(testCases, testCase{
13969 testType: serverTest,
13970 name: "SendReceiveIntermediate-Server-" + ver.name,
13971 config: Config{
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]13972 MinVersion: ver.version,
13973 MaxVersion: ver.version,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]13974 Certificates: []Certificate{rsaChainCertificate},
13975 },
13976 expectPeerCertificate: &rsaChainCertificate,
13977 flags: []string{
13978 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13979 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13980 "-require-any-client-certificate",
13981 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13982 },
13983 })
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]13984
13985 // Test that garbage leaf certificates are properly rejected.
13986 testCases = append(testCases, testCase{
13987 testType: clientTest,
13988 name: "GarbageCertificate-Client-" + ver.name,
13989 config: Config{
13990 MinVersion: ver.version,
13991 MaxVersion: ver.version,
13992 Certificates: []Certificate{garbageCertificate},
13993 },
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]13994 shouldFail: true,
13995 expectedError: ":CANNOT_PARSE_LEAF_CERT:",
13996 expectedLocalError: "remote error: error decoding message",
13997 })
13998
13999 testCases = append(testCases, testCase{
14000 testType: serverTest,
14001 name: "GarbageCertificate-Server-" + ver.name,
14002 config: Config{
14003 MinVersion: ver.version,
14004 MaxVersion: ver.version,
14005 Certificates: []Certificate{garbageCertificate},
14006 },
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]14007 flags: []string{"-require-any-client-certificate"},
14008 shouldFail: true,
14009 expectedError: ":CANNOT_PARSE_LEAF_CERT:",
14010 expectedLocalError: "remote error: error decoding message",
14011 })
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]14012 }
14013}
14014
14015func addRetainOnlySHA256ClientCertTests() {
14016 for _, ver := range tlsVersions {
14017 // Test that enabling
14018 // SSL_CTX_set_retain_only_sha256_of_client_certs without
14019 // actually requesting a client certificate is a no-op.
14020 testCases = append(testCases, testCase{
14021 testType: serverTest,
14022 name: "RetainOnlySHA256-NoCert-" + ver.name,
14023 config: Config{
14024 MinVersion: ver.version,
14025 MaxVersion: ver.version,
14026 },
14027 flags: []string{
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]14028 "-on-initial-retain-only-sha256-client-cert",
14029 "-on-resume-retain-only-sha256-client-cert",
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]14030 },
14031 resumeSession: true,
14032 })
14033
14034 // Test that when retaining only a SHA-256 certificate is
14035 // enabled, the hash appears as expected.
14036 testCases = append(testCases, testCase{
14037 testType: serverTest,
14038 name: "RetainOnlySHA256-Cert-" + ver.name,
14039 config: Config{
14040 MinVersion: ver.version,
14041 MaxVersion: ver.version,
14042 Certificates: []Certificate{rsaCertificate},
14043 },
14044 flags: []string{
14045 "-verify-peer",
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]14046 "-on-initial-retain-only-sha256-client-cert",
14047 "-on-resume-retain-only-sha256-client-cert",
14048 "-on-initial-expect-sha256-client-cert",
14049 "-on-resume-expect-sha256-client-cert",
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]14050 },
14051 resumeSession: true,
14052 })
14053
14054 // Test that when the config changes from on to off, a
14055 // resumption is rejected because the server now wants the full
14056 // certificate chain.
14057 testCases = append(testCases, testCase{
14058 testType: serverTest,
14059 name: "RetainOnlySHA256-OnOff-" + ver.name,
14060 config: Config{
14061 MinVersion: ver.version,
14062 MaxVersion: ver.version,
14063 Certificates: []Certificate{rsaCertificate},
14064 },
14065 flags: []string{
14066 "-verify-peer",
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]14067 "-on-initial-retain-only-sha256-client-cert",
14068 "-on-initial-expect-sha256-client-cert",
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]14069 },
14070 resumeSession: true,
14071 expectResumeRejected: true,
14072 })
14073
14074 // Test that when the config changes from off to on, a
14075 // resumption is rejected because the server now wants just the
14076 // hash.
14077 testCases = append(testCases, testCase{
14078 testType: serverTest,
14079 name: "RetainOnlySHA256-OffOn-" + ver.name,
14080 config: Config{
14081 MinVersion: ver.version,
14082 MaxVersion: ver.version,
14083 Certificates: []Certificate{rsaCertificate},
14084 },
14085 flags: []string{
14086 "-verify-peer",
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]14087 "-on-resume-retain-only-sha256-client-cert",
14088 "-on-resume-expect-sha256-client-cert",
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]14089 },
14090 resumeSession: true,
14091 expectResumeRejected: true,
14092 })
14093 }
14094}
14095
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]14096func addECDSAKeyUsageTests() {
14097 p256 := elliptic.P256()
14098 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
14099 if err != nil {
14100 panic(err)
14101 }
14102
14103 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
14104 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
14105 if err != nil {
14106 panic(err)
14107 }
14108
14109 template := x509.Certificate{
14110 SerialNumber: serialNumber,
14111 Subject: pkix.Name{
14112 Organization: []string{"Acme Co"},
14113 },
14114 NotBefore: time.Now(),
14115 NotAfter: time.Now(),
14116
14117 // An ECC certificate with only the keyAgreement key usgae may
14118 // be used with ECDH, but not ECDSA.
14119 KeyUsage: x509.KeyUsageKeyAgreement,
14120 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
14121 BasicConstraintsValid: true,
14122 }
14123
14124 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
14125 if err != nil {
14126 panic(err)
14127 }
14128
14129 cert := Certificate{
14130 Certificate: [][]byte{derBytes},
14131 PrivateKey: priv,
14132 }
14133
14134 for _, ver := range tlsVersions {
14135 if ver.version < VersionTLS12 {
14136 continue
14137 }
14138
14139 testCases = append(testCases, testCase{
14140 testType: clientTest,
14141 name: "ECDSAKeyUsage-" + ver.name,
14142 config: Config{
14143 MinVersion: ver.version,
14144 MaxVersion: ver.version,
14145 Certificates: []Certificate{cert},
14146 },
14147 shouldFail: true,
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14148 expectedError: ":KEY_USAGE_BIT_INCORRECT:",
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]14149 })
14150 }
14151}
14152
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14153func addRSAKeyUsageTests() {
14154 priv := rsaCertificate.PrivateKey.(*rsa.PrivateKey)
14155
14156 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
14157 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
14158 if err != nil {
14159 panic(err)
14160 }
14161
14162 dsTemplate := x509.Certificate{
14163 SerialNumber: serialNumber,
14164 Subject: pkix.Name{
14165 Organization: []string{"Acme Co"},
14166 },
14167 NotBefore: time.Now(),
14168 NotAfter: time.Now(),
14169
14170 KeyUsage: x509.KeyUsageDigitalSignature,
14171 BasicConstraintsValid: true,
14172 }
14173
14174 encTemplate := x509.Certificate{
14175 SerialNumber: serialNumber,
14176 Subject: pkix.Name{
14177 Organization: []string{"Acme Co"},
14178 },
14179 NotBefore: time.Now(),
14180 NotAfter: time.Now(),
14181
14182 KeyUsage: x509.KeyUsageKeyEncipherment,
14183 BasicConstraintsValid: true,
14184 }
14185
14186 dsDerBytes, err := x509.CreateCertificate(rand.Reader, &dsTemplate, &dsTemplate, &priv.PublicKey, priv)
14187 if err != nil {
14188 panic(err)
14189 }
14190
14191 encDerBytes, err := x509.CreateCertificate(rand.Reader, &encTemplate, &encTemplate, &priv.PublicKey, priv)
14192 if err != nil {
14193 panic(err)
14194 }
14195
14196 dsCert := Certificate{
14197 Certificate: [][]byte{dsDerBytes},
14198 PrivateKey: priv,
14199 }
14200
14201 encCert := Certificate{
14202 Certificate: [][]byte{encDerBytes},
14203 PrivateKey: priv,
14204 }
14205
14206 dsSuites := []uint16{
14207 TLS_AES_128_GCM_SHA256,
14208 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
14209 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
14210 }
14211 encSuites := []uint16{
14212 TLS_RSA_WITH_AES_128_GCM_SHA256,
14213 TLS_RSA_WITH_AES_128_CBC_SHA,
14214 }
14215
14216 for _, ver := range tlsVersions {
14217 testCases = append(testCases, testCase{
14218 testType: clientTest,
14219 name: "RSAKeyUsage-WantSignature-GotEncipherment-" + ver.name,
14220 config: Config{
14221 MinVersion: ver.version,
14222 MaxVersion: ver.version,
14223 Certificates: []Certificate{encCert},
14224 CipherSuites: dsSuites,
14225 },
14226 shouldFail: true,
14227 expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14228 flags: []string{
14229 "-enforce-rsa-key-usage",
14230 },
14231 })
14232
14233 testCases = append(testCases, testCase{
14234 testType: clientTest,
14235 name: "RSAKeyUsage-WantSignature-GotSignature-" + ver.name,
14236 config: Config{
14237 MinVersion: ver.version,
14238 MaxVersion: ver.version,
14239 Certificates: []Certificate{dsCert},
14240 CipherSuites: dsSuites,
14241 },
14242 flags: []string{
14243 "-enforce-rsa-key-usage",
14244 },
14245 })
14246
14247 // TLS 1.3 removes the encipherment suites.
14248 if ver.version < VersionTLS13 {
14249 testCases = append(testCases, testCase{
14250 testType: clientTest,
14251 name: "RSAKeyUsage-WantEncipherment-GotEncipherment" + ver.name,
14252 config: Config{
14253 MinVersion: ver.version,
14254 MaxVersion: ver.version,
14255 Certificates: []Certificate{encCert},
14256 CipherSuites: encSuites,
14257 },
14258 flags: []string{
14259 "-enforce-rsa-key-usage",
14260 },
14261 })
14262
14263 testCases = append(testCases, testCase{
14264 testType: clientTest,
14265 name: "RSAKeyUsage-WantEncipherment-GotSignature-" + ver.name,
14266 config: Config{
14267 MinVersion: ver.version,
14268 MaxVersion: ver.version,
14269 Certificates: []Certificate{dsCert},
14270 CipherSuites: encSuites,
14271 },
14272 shouldFail: true,
14273 expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14274 flags: []string{
14275 "-enforce-rsa-key-usage",
14276 },
14277 })
14278
14279 // In 1.2 and below, we should not enforce without the enforce-rsa-key-usage flag.
14280 testCases = append(testCases, testCase{
14281 testType: clientTest,
14282 name: "RSAKeyUsage-WantSignature-GotEncipherment-Unenforced" + ver.name,
14283 config: Config{
14284 MinVersion: ver.version,
14285 MaxVersion: ver.version,
14286 Certificates: []Certificate{dsCert},
14287 CipherSuites: encSuites,
14288 },
14289 })
14290
14291 testCases = append(testCases, testCase{
14292 testType: clientTest,
14293 name: "RSAKeyUsage-WantEncipherment-GotSignature-Unenforced" + ver.name,
14294 config: Config{
14295 MinVersion: ver.version,
14296 MaxVersion: ver.version,
14297 Certificates: []Certificate{encCert},
14298 CipherSuites: dsSuites,
14299 },
14300 })
14301
14302 }
14303
14304 if ver.version >= VersionTLS13 {
14305 // In 1.3 and above, we enforce keyUsage even without the flag.
14306 testCases = append(testCases, testCase{
14307 testType: clientTest,
14308 name: "RSAKeyUsage-WantSignature-GotEncipherment-Enforced" + ver.name,
14309 config: Config{
14310 MinVersion: ver.version,
14311 MaxVersion: ver.version,
14312 Certificates: []Certificate{encCert},
14313 CipherSuites: dsSuites,
14314 },
14315 shouldFail: true,
14316 expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14317 })
14318
14319 }
14320 }
14321}
14322
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]14323func addExtraHandshakeTests() {
14324 // An extra SSL_do_handshake is normally a no-op. These tests use -async
14325 // to ensure there is no transport I/O.
14326 testCases = append(testCases, testCase{
14327 testType: clientTest,
14328 name: "ExtraHandshake-Client-TLS12",
14329 config: Config{
14330 MinVersion: VersionTLS12,
14331 MaxVersion: VersionTLS12,
14332 },
14333 flags: []string{
14334 "-async",
14335 "-no-op-extra-handshake",
14336 },
14337 })
14338 testCases = append(testCases, testCase{
14339 testType: serverTest,
14340 name: "ExtraHandshake-Server-TLS12",
14341 config: Config{
14342 MinVersion: VersionTLS12,
14343 MaxVersion: VersionTLS12,
14344 },
14345 flags: []string{
14346 "-async",
14347 "-no-op-extra-handshake",
14348 },
14349 })
14350 testCases = append(testCases, testCase{
14351 testType: clientTest,
14352 name: "ExtraHandshake-Client-TLS13",
14353 config: Config{
14354 MinVersion: VersionTLS13,
14355 MaxVersion: VersionTLS13,
14356 },
14357 flags: []string{
14358 "-async",
14359 "-no-op-extra-handshake",
14360 },
14361 })
14362 testCases = append(testCases, testCase{
14363 testType: serverTest,
14364 name: "ExtraHandshake-Server-TLS13",
14365 config: Config{
14366 MinVersion: VersionTLS13,
14367 MaxVersion: VersionTLS13,
14368 },
14369 flags: []string{
14370 "-async",
14371 "-no-op-extra-handshake",
14372 },
14373 })
14374
14375 // An extra SSL_do_handshake is a no-op in server 0-RTT.
14376 testCases = append(testCases, testCase{
14377 testType: serverTest,
14378 name: "ExtraHandshake-Server-EarlyData-TLS13",
14379 config: Config{
14380 MaxVersion: VersionTLS13,
14381 MinVersion: VersionTLS13,
14382 Bugs: ProtocolBugs{
14383 SendEarlyData: [][]byte{{1, 2, 3, 4}},
14384 ExpectEarlyDataAccepted: true,
14385 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
14386 },
14387 },
14388 messageCount: 2,
14389 resumeSession: true,
14390 flags: []string{
14391 "-async",
14392 "-enable-early-data",
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]14393 "-expect-accept-early-data",
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]14394 "-no-op-extra-handshake",
14395 },
14396 })
14397
14398 // An extra SSL_do_handshake drives the handshake to completion in False
14399 // Start. We test this by handshaking twice and asserting the False
14400 // Start does not appear to happen. See AlertBeforeFalseStartTest for
14401 // how the test works.
14402 testCases = append(testCases, testCase{
14403 testType: clientTest,
14404 name: "ExtraHandshake-FalseStart",
14405 config: Config{
14406 MaxVersion: VersionTLS12,
14407 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
14408 NextProtos: []string{"foo"},
14409 Bugs: ProtocolBugs{
14410 ExpectFalseStart: true,
14411 AlertBeforeFalseStartTest: alertAccessDenied,
14412 },
14413 },
14414 flags: []string{
14415 "-handshake-twice",
14416 "-false-start",
14417 "-advertise-alpn", "\x03foo",
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]14418 "-expect-alpn", "foo",
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]14419 },
14420 shimWritesFirst: true,
14421 shouldFail: true,
14422 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
14423 expectedLocalError: "tls: peer did not false start: EOF",
14424 })
14425}
14426
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]14427// Test that omitted and empty extensions blocks are tolerated.
14428func addOmitExtensionsTests() {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]14429 // Check the ExpectOmitExtensions setting works.
14430 testCases = append(testCases, testCase{
14431 testType: serverTest,
14432 name: "ExpectOmitExtensions",
14433 config: Config{
14434 MinVersion: VersionTLS12,
14435 MaxVersion: VersionTLS12,
14436 Bugs: ProtocolBugs{
14437 ExpectOmitExtensions: true,
14438 },
14439 },
14440 shouldFail: true,
14441 expectedLocalError: "tls: ServerHello did not omit extensions",
14442 })
14443
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]14444 for _, ver := range tlsVersions {
14445 if ver.version > VersionTLS12 {
14446 continue
14447 }
14448
14449 testCases = append(testCases, testCase{
14450 testType: serverTest,
14451 name: "OmitExtensions-ClientHello-" + ver.name,
14452 config: Config{
14453 MinVersion: ver.version,
14454 MaxVersion: ver.version,
14455 SessionTicketsDisabled: true,
14456 Bugs: ProtocolBugs{
14457 OmitExtensions: true,
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]14458 // With no client extensions, the ServerHello must not have
14459 // extensions. It should then omit the extensions field.
14460 ExpectOmitExtensions: true,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]14461 },
14462 },
14463 })
14464
14465 testCases = append(testCases, testCase{
14466 testType: serverTest,
14467 name: "EmptyExtensions-ClientHello-" + ver.name,
14468 config: Config{
14469 MinVersion: ver.version,
14470 MaxVersion: ver.version,
14471 SessionTicketsDisabled: true,
14472 Bugs: ProtocolBugs{
14473 EmptyExtensions: true,
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]14474 // With no client extensions, the ServerHello must not have
14475 // extensions. It should then omit the extensions field.
14476 ExpectOmitExtensions: true,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]14477 },
14478 },
14479 })
14480
14481 testCases = append(testCases, testCase{
14482 testType: clientTest,
14483 name: "OmitExtensions-ServerHello-" + ver.name,
14484 config: Config{
14485 MinVersion: ver.version,
14486 MaxVersion: ver.version,
14487 SessionTicketsDisabled: true,
14488 Bugs: ProtocolBugs{
14489 OmitExtensions: true,
14490 // Disable all ServerHello extensions so
14491 // OmitExtensions works.
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14492 NoExtendedMasterSecret: true,
14493 NoRenegotiationInfo: true,
14494 NoOCSPStapling: true,
14495 NoSignedCertificateTimestamps: true,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]14496 },
14497 },
14498 })
14499
14500 testCases = append(testCases, testCase{
14501 testType: clientTest,
14502 name: "EmptyExtensions-ServerHello-" + ver.name,
14503 config: Config{
14504 MinVersion: ver.version,
14505 MaxVersion: ver.version,
14506 SessionTicketsDisabled: true,
14507 Bugs: ProtocolBugs{
14508 EmptyExtensions: true,
14509 // Disable all ServerHello extensions so
14510 // EmptyExtensions works.
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14511 NoExtendedMasterSecret: true,
14512 NoRenegotiationInfo: true,
14513 NoOCSPStapling: true,
14514 NoSignedCertificateTimestamps: true,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]14515 },
14516 },
14517 })
14518 }
14519}
14520
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14521func addCertCompressionTests() {
14522 // shrinkingPrefix is the first two bytes of a Certificate message.
14523 shrinkingPrefix := []byte{0, 0}
14524 // expandingPrefix is just some arbitrary byte string. This has to match the
14525 // value in the shim.
14526 expandingPrefix := []byte{1, 2, 3, 4}
14527
14528 shrinking := CertCompressionAlg{
14529 Compress: func(uncompressed []byte) []byte {
14530 if !bytes.HasPrefix(uncompressed, shrinkingPrefix) {
14531 panic(fmt.Sprintf("cannot compress certificate message %x", uncompressed))
14532 }
14533 return uncompressed[len(shrinkingPrefix):]
14534 },
14535 Decompress: func(out []byte, compressed []byte) bool {
14536 if len(out) != len(shrinkingPrefix)+len(compressed) {
14537 return false
14538 }
14539
14540 copy(out, shrinkingPrefix)
14541 copy(out[len(shrinkingPrefix):], compressed)
14542 return true
14543 },
14544 }
14545
14546 expanding := CertCompressionAlg{
14547 Compress: func(uncompressed []byte) []byte {
14548 ret := make([]byte, 0, len(expandingPrefix)+len(uncompressed))
14549 ret = append(ret, expandingPrefix...)
14550 return append(ret, uncompressed...)
14551 },
14552 Decompress: func(out []byte, compressed []byte) bool {
14553 if !bytes.HasPrefix(compressed, expandingPrefix) {
14554 return false
14555 }
14556 copy(out, compressed[len(expandingPrefix):])
14557 return true
14558 },
14559 }
14560
14561 const (
14562 shrinkingAlgId = 0xff01
14563 expandingAlgId = 0xff02
14564 )
14565
14566 for _, ver := range tlsVersions {
14567 if ver.version < VersionTLS12 {
14568 continue
14569 }
14570
14571 // Duplicate compression algorithms is an error, even if nothing is
14572 // configured.
14573 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14574 testType: serverTest,
14575 name: "DuplicateCertCompressionExt-" + ver.name,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14576 config: Config{
14577 MinVersion: ver.version,
14578 MaxVersion: ver.version,
14579 Bugs: ProtocolBugs{
14580 DuplicateCompressedCertAlgs: true,
14581 },
14582 },
14583 shouldFail: true,
14584 expectedError: ":ERROR_PARSING_EXTENSION:",
14585 })
14586
14587 // With compression algorithms configured, an duplicate values should still
14588 // be an error.
14589 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14590 testType: serverTest,
14591 name: "DuplicateCertCompressionExt2-" + ver.name,
14592 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14593 config: Config{
14594 MinVersion: ver.version,
14595 MaxVersion: ver.version,
14596 Bugs: ProtocolBugs{
14597 DuplicateCompressedCertAlgs: true,
14598 },
14599 },
14600 shouldFail: true,
14601 expectedError: ":ERROR_PARSING_EXTENSION:",
14602 })
14603
14604 if ver.version < VersionTLS13 {
14605 testCases = append(testCases, testCase{
14606 testType: serverTest,
14607 name: "CertCompressionIgnoredBefore13-" + ver.name,
14608 flags: []string{"-install-cert-compression-algs"},
14609 config: Config{
14610 MinVersion: ver.version,
14611 MaxVersion: ver.version,
14612 CertCompressionAlgs: map[uint16]CertCompressionAlg{expandingAlgId: expanding},
14613 },
14614 })
14615
14616 continue
14617 }
14618
14619 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14620 testType: serverTest,
14621 name: "CertCompressionExpands-" + ver.name,
14622 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14623 config: Config{
14624 MinVersion: ver.version,
14625 MaxVersion: ver.version,
14626 CertCompressionAlgs: map[uint16]CertCompressionAlg{expandingAlgId: expanding},
14627 Bugs: ProtocolBugs{
14628 ExpectedCompressedCert: expandingAlgId,
14629 },
14630 },
14631 })
14632
14633 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14634 testType: serverTest,
14635 name: "CertCompressionShrinks-" + ver.name,
14636 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14637 config: Config{
14638 MinVersion: ver.version,
14639 MaxVersion: ver.version,
14640 CertCompressionAlgs: map[uint16]CertCompressionAlg{shrinkingAlgId: shrinking},
14641 Bugs: ProtocolBugs{
14642 ExpectedCompressedCert: shrinkingAlgId,
14643 },
14644 },
14645 })
14646
14647 // With both algorithms configured, the server should pick its most
14648 // preferable. (Which is expandingAlgId.)
14649 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14650 testType: serverTest,
14651 name: "CertCompressionPriority-" + ver.name,
14652 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14653 config: Config{
14654 MinVersion: ver.version,
14655 MaxVersion: ver.version,
14656 CertCompressionAlgs: map[uint16]CertCompressionAlg{
14657 shrinkingAlgId: shrinking,
14658 expandingAlgId: expanding,
14659 },
14660 Bugs: ProtocolBugs{
14661 ExpectedCompressedCert: expandingAlgId,
14662 },
14663 },
14664 })
14665
14666 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14667 testType: clientTest,
14668 name: "CertCompressionExpandsClient-" + ver.name,
14669 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14670 config: Config{
14671 MinVersion: ver.version,
14672 MaxVersion: ver.version,
14673 CertCompressionAlgs: map[uint16]CertCompressionAlg{
14674 expandingAlgId: expanding,
14675 },
14676 Bugs: ProtocolBugs{
14677 ExpectedCompressedCert: expandingAlgId,
14678 },
14679 },
14680 })
14681
14682 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14683 testType: clientTest,
14684 name: "CertCompressionShrinksClient-" + ver.name,
14685 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14686 config: Config{
14687 MinVersion: ver.version,
14688 MaxVersion: ver.version,
14689 CertCompressionAlgs: map[uint16]CertCompressionAlg{
14690 shrinkingAlgId: shrinking,
14691 },
14692 Bugs: ProtocolBugs{
14693 ExpectedCompressedCert: shrinkingAlgId,
14694 },
14695 },
14696 })
14697
14698 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14699 testType: clientTest,
14700 name: "CertCompressionBadAlgIdClient-" + ver.name,
14701 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14702 config: Config{
14703 MinVersion: ver.version,
14704 MaxVersion: ver.version,
14705 CertCompressionAlgs: map[uint16]CertCompressionAlg{
14706 shrinkingAlgId: shrinking,
14707 },
14708 Bugs: ProtocolBugs{
14709 ExpectedCompressedCert: shrinkingAlgId,
14710 SendCertCompressionAlgId: 1234,
14711 },
14712 },
14713 shouldFail: true,
14714 expectedError: ":UNKNOWN_CERT_COMPRESSION_ALG:",
14715 })
14716
14717 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14718 testType: clientTest,
14719 name: "CertCompressionTooSmallClient-" + ver.name,
14720 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14721 config: Config{
14722 MinVersion: ver.version,
14723 MaxVersion: ver.version,
14724 CertCompressionAlgs: map[uint16]CertCompressionAlg{
14725 shrinkingAlgId: shrinking,
14726 },
14727 Bugs: ProtocolBugs{
14728 ExpectedCompressedCert: shrinkingAlgId,
14729 SendCertUncompressedLength: 12,
14730 },
14731 },
14732 shouldFail: true,
14733 expectedError: ":CERT_DECOMPRESSION_FAILED:",
14734 })
14735
14736 testCases = append(testCases, testCase{
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14737 testType: clientTest,
14738 name: "CertCompressionTooLargeClient-" + ver.name,
14739 flags: []string{"-install-cert-compression-algs"},
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]14740 config: Config{
14741 MinVersion: ver.version,
14742 MaxVersion: ver.version,
14743 CertCompressionAlgs: map[uint16]CertCompressionAlg{
14744 shrinkingAlgId: shrinking,
14745 },
14746 Bugs: ProtocolBugs{
14747 ExpectedCompressedCert: shrinkingAlgId,
14748 SendCertUncompressedLength: 1 << 20,
14749 },
14750 },
14751 shouldFail: true,
14752 expectedError: ":UNCOMPRESSED_CERT_TOO_LARGE:",
14753 })
14754 }
14755}
14756
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]14757func addJDK11WorkaroundTests() {
14758 // Test the client treats the JDK 11 downgrade random like the usual one.
14759 testCases = append(testCases, testCase{
14760 testType: clientTest,
14761 name: "Client-RejectJDK11DowngradeRandom",
14762 config: Config{
14763 MaxVersion: VersionTLS12,
14764 Bugs: ProtocolBugs{
14765 SendJDK11DowngradeRandom: true,
14766 },
14767 },
14768 shouldFail: true,
14769 expectedError: ":TLS13_DOWNGRADE:",
14770 expectedLocalError: "remote error: illegal parameter",
14771 })
14772 testCases = append(testCases, testCase{
14773 testType: clientTest,
14774 name: "Client-AcceptJDK11DowngradeRandom",
14775 config: Config{
14776 MaxVersion: VersionTLS12,
14777 Bugs: ProtocolBugs{
14778 SendJDK11DowngradeRandom: true,
14779 },
14780 },
14781 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
14782 })
14783
14784 var clientHelloTests = []struct {
14785 clientHello []byte
14786 isJDK11 bool
14787 }{
14788 {
14789 // A default JDK 11 ClientHello.
14790 decodeHexOrPanic("010001a9030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b5"),
14791 true,
14792 },
14793 {
14794 // The above with supported_versions and
14795 // psk_key_exchange_modes in the wrong order.
14796 decodeHexOrPanic("010001a9030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002d00020101002b00090803040303030203010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b5"),
14797 false,
14798 },
14799 {
14800 // The above with a padding extension added at the end.
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]14801 decodeHexOrPanic("010001b4030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000111000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b50015000700000000000000"),
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]14802 false,
14803 },
14804 {
14805 // A JDK 11 ClientHello offering a TLS 1.3 PSK.
14806 decodeHexOrPanic("0100024c0303a8d71b20f060545a398226e807d21371a7a02b7ca2f96f476c2dea7e5860c5a400005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff010001c9000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104aaec585ea9e121b24710a23560571322b2cf8ab8cd14e5762ef0486d8a6d0ecd721d8f2abda2eb8ed5ab7195505660450f49bba94bbf0c3f0070a531d9a1be4f002900cb00a600a0e6f7586d9a2bf64a54c1adf55a2f76657047e8e88e26629e2e7b9d630941e06fd87792770f6834e159a70b252157a9b4b082183f24629c8ff5049088b07ce37c49de8cf752a2ed7a545aff63bdc7a1b18e1bc201f23f159ee75d4987a04e00f840824f764691ab83a20e3032646e793065874cdb46138a52f50ed71406f399f96f9309eba4e5b1966148c22a63dc4aa1364269dd41dd5cc0e848d07af0095622c52cfcfc00212009cc315259e2328d65ad17a3de7c182c7874140a9356fecdd4614657806cd659"),
14807 true,
14808 },
14809 {
14810 // A JDK 11 ClientHello offering a TLS 1.2 session.
14811 decodeHexOrPanic("010001a903038cdec49f4836d064a75046c93f22d0b9c2cf4900917332e6f0e1f41d692d3146201a3e99047492285ec65ab4e0eeee59f8f9d1eb7687398887bcd7b81353e93923005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d0002010100330047004500170041041c83c42fcd8fc06265b9f6e4f076f7e7ee17ace915c587845c0e1bc8cd177f904befeb611b682cae4702509a5f5d0c7162a282b8152d843169b91136e7c6f3e7"),
14812 true,
14813 },
14814 {
14815 // A JDK 11 ClientHello with EMS disabled.
14816 decodeHexOrPanic("010001a50303323a857c324a9ef57d6e2544d129073830385cb1dc75ea79f6a2ec8ae09d2e7320f85fdd081678874c67ebab235e6d6a81d947f690bc0af9be4d39854ed67d9ef9005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000102000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b040105010601040203030301030202030201020200110009000702000400000000002b0009080304030303020301002d0002010100330047004500170041049c904c4850b495d75522f955d79e9cabea065c90279d6037a101a4c4ee712afc93ad0df5d12d287d53e458c7075d9a3ce3969c939bb62222bda779cecf54a603"),
14817 true,
14818 },
14819 {
14820 // A JDK 11 ClientHello with OCSP stapling disabled.
14821 decodeHexOrPanic("0100019303038a50481dc85ee4f6581670821c50f2b3d34ac3251dc6e9b751bfd2521ab47ab02069a963c5486034c37ae0577ddb4c2db28cab592380ef8e4599d1305148712112005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff010000f0000000080006000003736e69000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b040105010601040203030301030202030201020200170000002b0009080304030303020301002d00020101003300470045001700410438a97824f842c549e3c339322d8b2dbaa85d10bd7bca9c969376cb0c60b1e929eb4d13db38dcb0082ad8c637b24f55466a9acbb0b63634c1f431ec8342cf720d"),
14822 true,
14823 },
14824 {
14825 // A JDK 11 ClientHello configured with a smaller set of
14826 // ciphers.
14827 decodeHexOrPanic("0100015603036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f4811800061301c02bc02f01000107000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
14828 true,
14829 },
14830 {
14831 // The above with TLS_CHACHA20_POLY1305_SHA256 added,
14832 // which JDK 11 does not support.
14833 decodeHexOrPanic("0100015803036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f48118000813011303c02bc02f01000107000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
14834 false,
14835 },
14836 {
14837 // The above with X25519 added, which JDK 11 does not
14838 // support.
14839 decodeHexOrPanic("0100015803036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f4811800061301c02bc02f01000109000000080006000003736e69000500050100000000000a00220020001d0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
14840 false,
14841 },
14842 {
14843 // A JDK 11 ClientHello with ALPN protocols configured.
14844 decodeHexOrPanic("010001bb0303c0e0ea707b00c5311eb09cabd58626692cebfaefaef7265637e4550811dae16220da86d6eea04e214e873675223f08a6926bcf79f16d866280bdbab85e9e09c3ff005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000118000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020010000e000c02683208687474702f312e310011000900070200040000000000170000002b0009080304030303020301002d00020101003300470045001700410416def07c1d66ddde5fc9dcc328c8e77022d321c590c0d30cb41d515b38dca34540819a216c6c053bd47b9068f4f6b960f03647de4e36e8b7ffeea78f7252e3d9"),
14845 true,
14846 },
14847 }
14848 for i, t := range clientHelloTests {
14849 expectedVersion := uint16(VersionTLS13)
14850 if t.isJDK11 {
14851 expectedVersion = VersionTLS12
14852 }
14853
14854 // In each of these tests, we set DefaultCurves to P-256 to
14855 // match the test inputs. SendClientHelloWithFixes requires the
14856 // key_shares extension to match in type.
14857
14858 // With the workaround enabled, we should negotiate TLS 1.2 on
14859 // JDK 11 ClientHellos.
14860 testCases = append(testCases, testCase{
14861 testType: serverTest,
14862 name: fmt.Sprintf("Server-JDK11-%d", i),
14863 config: Config{
14864 MaxVersion: VersionTLS13,
14865 DefaultCurves: []CurveID{CurveP256},
14866 Bugs: ProtocolBugs{
14867 SendClientHelloWithFixes: t.clientHello,
14868 ExpectJDK11DowngradeRandom: t.isJDK11,
14869 },
14870 },
14871 expectedVersion: expectedVersion,
14872 flags: []string{"-jdk11-workaround"},
14873 })
14874
14875 // With the workaround disabled, we always negotiate TLS 1.3.
14876 testCases = append(testCases, testCase{
14877 testType: serverTest,
14878 name: fmt.Sprintf("Server-JDK11-NoWorkaround-%d", i),
14879 config: Config{
14880 MaxVersion: VersionTLS13,
14881 DefaultCurves: []CurveID{CurveP256},
14882 Bugs: ProtocolBugs{
14883 SendClientHelloWithFixes: t.clientHello,
14884 ExpectJDK11DowngradeRandom: false,
14885 },
14886 },
14887 expectedVersion: VersionTLS13,
14888 })
14889
14890 // If the server does not support TLS 1.3, the workaround should
14891 // be a no-op. In particular, it should not send the downgrade
14892 // signal.
14893 testCases = append(testCases, testCase{
14894 testType: serverTest,
14895 name: fmt.Sprintf("Server-JDK11-TLS12-%d", i),
14896 config: Config{
14897 MaxVersion: VersionTLS13,
14898 DefaultCurves: []CurveID{CurveP256},
14899 Bugs: ProtocolBugs{
14900 SendClientHelloWithFixes: t.clientHello,
14901 ExpectJDK11DowngradeRandom: false,
14902 },
14903 },
14904 expectedVersion: VersionTLS12,
14905 flags: []string{
14906 "-jdk11-workaround",
14907 "-max-version", strconv.Itoa(VersionTLS12),
14908 },
14909 })
14910 }
14911}
14912
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]14913func addDelegatedCredentialTests() {
14914 certPath := path.Join(*resourceDir, rsaCertificateFile)
14915 pemBytes, err := ioutil.ReadFile(certPath)
14916 if err != nil {
14917 panic(err)
14918 }
14919
14920 block, _ := pem.Decode(pemBytes)
14921 if block == nil {
14922 panic(fmt.Sprintf("no PEM block found in %q", certPath))
14923 }
14924 parentDER := block.Bytes
14925
14926 rsaPriv, _, err := loadRSAPrivateKey(rsaKeyFile)
14927 if err != nil {
14928 panic(err)
14929 }
14930
14931 ecdsaDC, ecdsaPKCS8, err := createDelegatedCredential(delegatedCredentialConfig{
14932 algo: signatureRSAPSSWithSHA256,
14933 }, parentDER, rsaPriv)
14934 if err != nil {
14935 panic(err)
14936 }
14937 ecdsaFlagValue := fmt.Sprintf("%x,%x", ecdsaDC, ecdsaPKCS8)
14938
14939 testCases = append(testCases, testCase{
14940 testType: serverTest,
14941 name: "DelegatedCredentials-NoClientSupport",
14942 config: Config{
14943 MinVersion: VersionTLS13,
14944 MaxVersion: VersionTLS13,
14945 Bugs: ProtocolBugs{
14946 DisableDelegatedCredentials: true,
14947 },
14948 },
14949 flags: []string{
14950 "-delegated-credential", ecdsaFlagValue,
14951 },
14952 })
14953
14954 testCases = append(testCases, testCase{
14955 testType: serverTest,
14956 name: "DelegatedCredentials-Basic",
14957 config: Config{
14958 MinVersion: VersionTLS13,
14959 MaxVersion: VersionTLS13,
14960 Bugs: ProtocolBugs{
14961 ExpectDelegatedCredentials: true,
14962 },
14963 },
14964 flags: []string{
14965 "-delegated-credential", ecdsaFlagValue,
14966 },
14967 })
14968
14969 testCases = append(testCases, testCase{
14970 testType: serverTest,
14971 name: "DelegatedCredentials-SigAlgoMissing",
14972 config: Config{
14973 MinVersion: VersionTLS13,
14974 MaxVersion: VersionTLS13,
14975 Bugs: ProtocolBugs{
14976 FailIfDelegatedCredentials: true,
14977 },
14978 // If the client doesn't support the delegated credential signature
14979 // algorithm then the handshake should complete without using delegated
14980 // credentials.
14981 VerifySignatureAlgorithms: []signatureAlgorithm{signatureRSAPSSWithSHA256},
14982 },
14983 flags: []string{
14984 "-delegated-credential", ecdsaFlagValue,
14985 },
14986 })
14987
14988 // This flag value has mismatched public and private keys which should cause a
14989 // configuration error in the shim.
14990 _, badTLSVersionPKCS8, err := createDelegatedCredential(delegatedCredentialConfig{
14991 algo: signatureRSAPSSWithSHA256,
14992 tlsVersion: 0x1234,
14993 }, parentDER, rsaPriv)
14994 if err != nil {
14995 panic(err)
14996 }
14997 mismatchFlagValue := fmt.Sprintf("%x,%x", ecdsaDC, badTLSVersionPKCS8)
14998 testCases = append(testCases, testCase{
14999 testType: serverTest,
15000 name: "DelegatedCredentials-KeyMismatch",
15001 config: Config{
15002 MinVersion: VersionTLS13,
15003 MaxVersion: VersionTLS13,
15004 Bugs: ProtocolBugs{
15005 FailIfDelegatedCredentials: true,
15006 },
15007 },
15008 flags: []string{
15009 "-delegated-credential", mismatchFlagValue,
15010 },
15011 shouldFail: true,
15012 expectedError: ":KEY_VALUES_MISMATCH:",
15013 })
15014}
15015
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15016func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15017 defer wg.Done()
15018
15019 for test := range c {
15020 var err error
15021
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]15022 if *mallocTest >= 0 {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15023 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
15024 statusChan <- statusMsg{test: test, started: true}
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15025 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15026 if err != nil {
15027 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
15028 }
15029 break
15030 }
15031 }
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]15032 } else if *repeatUntilFailure {
15033 for err == nil {
15034 statusChan <- statusMsg{test: test, started: true}
15035 err = runTest(test, shimPath, -1)
15036 }
15037 } else {
15038 statusChan <- statusMsg{test: test, started: true}
15039 err = runTest(test, shimPath, -1)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15040 }
15041 statusChan <- statusMsg{test: test, err: err}
15042 }
15043}
15044
15045type statusMsg struct {
15046 test *testCase
15047 started bool
15048 err error
15049}
15050
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15051func statusPrinter(doneChan chan *testresult.Results, statusChan chan statusMsg, total int) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15052 var started, done, failed, unimplemented, lineLen int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15053
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15054 testOutput := testresult.NewResults()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15055 for msg := range statusChan {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15056 if !*pipe {
15057 // Erase the previous status line.
15058 var erase string
15059 for i := 0; i < lineLen; i++ {
15060 erase += "\b \b"
15061 }
15062 fmt.Print(erase)
15063 }
15064
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15065 if msg.started {
15066 started++
15067 } else {
15068 done++
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15069
15070 if msg.err != nil {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15071 if msg.err == errUnimplemented {
15072 if *pipe {
15073 // Print each test instead of a status line.
15074 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
15075 }
15076 unimplemented++
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15077 if *allowUnimplemented {
15078 testOutput.AddSkip(msg.test.name)
15079 } else {
15080 testOutput.AddResult(msg.test.name, "SKIP")
15081 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15082 } else {
15083 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
15084 failed++
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15085 testOutput.AddResult(msg.test.name, "FAIL")
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15086 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15087 } else {
15088 if *pipe {
15089 // Print each test instead of a status line.
15090 fmt.Printf("PASSED (%s)\n", msg.test.name)
15091 }
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15092 testOutput.AddResult(msg.test.name, "PASS")
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15093 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15094 }
15095
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15096 if !*pipe {
15097 // Print a new status line.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15098 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15099 lineLen = len(line)
15100 os.Stdout.WriteString(line)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15101 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15102 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15103
15104 doneChan <- testOutput
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15105}
15106
15107func main() {
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]15108 flag.Parse()
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15109 *resourceDir = path.Clean(*resourceDir)
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15110 initCertificates()
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]15111
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15112 addBasicTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15113 addCipherSuiteTests()
15114 addBadECDSASignatureTests()
15115 addCBCPaddingTests()
15116 addCBCSplittingTests()
15117 addClientAuthTests()
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15118 addDDoSCallbackTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15119 addVersionNegotiationTests()
15120 addMinimumVersionTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15121 addExtensionTests()
15122 addResumptionVersionTests()
15123 addExtendedMasterSecretTests()
15124 addRenegotiationTests()
15125 addDTLSReplayTests()
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15126 addSignatureAlgorithmTests()
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15127 addDTLSRetransmitTests()
15128 addExportKeyingMaterialTests()
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]15129 addExportTrafficSecretsTests()
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]15130 addTLSUniqueTests()
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15131 addCustomExtensionTests()
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]15132 addRSAClientKeyExchangeTests()
15133 addCurveTests()
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]15134 addSessionTicketTests()
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15135 addTLS13RecordTests()
15136 addAllStateMachineCoverageTests()
15137 addChangeCipherSpecTests()
15138 addWrongMessageTypeTests()
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]15139 addTrailingMessageDataTests()
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15140 addTLS13HandshakeTests()
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]15141 addTLS13CipherPreferenceTests()
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]15142 addPeekTests()
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]15143 addRecordVersionTests()
15144 addCertificateTests()
15145 addRetainOnlySHA256ClientCertTests()
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]15146 addECDSAKeyUsageTests()
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]15147 addRSAKeyUsageTests()
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]15148 addExtraHandshakeTests()
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]15149 addOmitExtensionsTests()
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]15150 addCertCompressionTests()
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15151 addJDK11WorkaroundTests()
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]15152 addDelegatedCredentialTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15153
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]15154 testCases = append(testCases, convertToSplitHandshakeTests(testCases)...)
15155
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15156 var wg sync.WaitGroup
15157
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15158 statusChan := make(chan statusMsg, *numWorkers)
15159 testChan := make(chan *testCase, *numWorkers)
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15160 doneChan := make(chan *testresult.Results)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15161
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15162 if len(*shimConfigFile) != 0 {
15163 encoded, err := ioutil.ReadFile(*shimConfigFile)
15164 if err != nil {
15165 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
15166 os.Exit(1)
15167 }
15168
15169 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
15170 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
15171 os.Exit(1)
15172 }
15173 }
15174
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15175 go statusPrinter(doneChan, statusChan, len(testCases))
15176
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15177 for i := 0; i < *numWorkers; i++ {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15178 wg.Add(1)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]15179 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15180 }
15181
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]15182 var foundTest bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15183 for i := range testCases {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15184 matched := true
15185 if len(*testToRun) != 0 {
15186 var err error
15187 matched, err = filepath.Match(*testToRun, testCases[i].name)
15188 if err != nil {
15189 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
15190 os.Exit(1)
15191 }
15192 }
15193
15194 if !*includeDisabled {
15195 for pattern := range shimConfig.DisabledTests {
15196 isDisabled, err := filepath.Match(pattern, testCases[i].name)
15197 if err != nil {
15198 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
15199 os.Exit(1)
15200 }
15201
15202 if isDisabled {
15203 matched = false
15204 break
15205 }
15206 }
15207 }
15208
15209 if matched {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]15210 foundTest = true
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15211 testChan <- &testCases[i]
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]15212
15213 // Only run one test if repeating until failure.
15214 if *repeatUntilFailure {
15215 break
15216 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15217 }
15218 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15219
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]15220 if !foundTest {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]15221 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]15222 os.Exit(1)
15223 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15224
15225 close(testChan)
15226 wg.Wait()
15227 close(statusChan)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15228 testOutput := <-doneChan
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15229
15230 fmt.Printf("\n")
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15231
15232 if *jsonOutput != "" {
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15233 if err := testOutput.WriteToFile(*jsonOutput); err != nil {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15234 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
15235 }
15236 }
15237
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]15238 if !testOutput.HasUnexpectedResults() {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]15239 os.Exit(1)
15240 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]15241}