Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / fb44824b91c8219bc2dd49195d16c1f07d511a26 / . / src / ssl / test / runner / runner.go
blob: 55e22b621219bd8ed732be47b4a6aaa22f3751e1 [file] [log] [blame]
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]14
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]15package runner
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]16
17import (
18 "bytes"
19 "crypto/ecdsa"
20 "crypto/elliptic"
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]21 "crypto/rand"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]22 "crypto/x509"
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]23 "crypto/x509/pkix"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]24 "encoding/base64"
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]25 "encoding/hex"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]26 "encoding/json"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]27 "encoding/pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]28 "errors"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]29 "flag"
30 "fmt"
31 "io"
32 "io/ioutil"
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]33 "math/big"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]34 "net"
35 "os"
36 "os/exec"
37 "path"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]38 "path/filepath"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]39 "runtime"
40 "strconv"
41 "strings"
42 "sync"
43 "syscall"
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]44 "time"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]45)
46
47var (
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]68 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]69)
70
71// ShimConfigurations is used with the “json” package and represents a shim
72// config file.
73type ShimConfiguration struct {
74 // DisabledTests maps from a glob-based pattern to a freeform string.
75 // The glob pattern is used to exclude tests from being run and the
76 // freeform string is unparsed but expected to explain why the test is
77 // disabled.
78 DisabledTests map[string]string
79
80 // ErrorMap maps from expected error strings to the correct error
81 // string for the shim in question. For example, it might map
82 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
83 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
84 ErrorMap map[string]string
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]85
86 // HalfRTTTickets is the number of half-RTT tickets the client should
87 // expect before half-RTT data when testing 0-RTT.
88 HalfRTTTickets int
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]89}
90
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]91// Setup shimConfig defaults aligning with BoringSSL.
92var shimConfig ShimConfiguration = ShimConfiguration{
93 HalfRTTTickets: 2,
94}
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]95
96type testCert int
97
98const (
99 testCertRSA testCert = iota
100 testCertRSA1024
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]101 testCertRSAChain
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]102 testCertECDSAP224
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]103 testCertECDSAP256
104 testCertECDSAP384
105 testCertECDSAP521
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]106 testCertEd25519
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]107)
108
109const (
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]110 rsaCertificateFile = "cert.pem"
111 rsa1024CertificateFile = "rsa_1024_cert.pem"
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]112 rsaChainCertificateFile = "rsa_chain_cert.pem"
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]117 ed25519CertificateFile = "ed25519_cert.pem"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]118)
119
120const (
121 rsaKeyFile = "key.pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]122 rsa1024KeyFile = "rsa_1024_key.pem"
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]123 rsaChainKeyFile = "rsa_chain_key.pem"
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]124 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]125 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
126 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
127 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]128 ed25519KeyFile = "ed25519_key.pem"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]129 channelIDKeyFile = "channel_id_key.pem"
130)
131
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]132var (
133 rsaCertificate Certificate
134 rsa1024Certificate Certificate
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]135 rsaChainCertificate Certificate
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]136 ecdsaP224Certificate Certificate
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]137 ecdsaP256Certificate Certificate
138 ecdsaP384Certificate Certificate
139 ecdsaP521Certificate Certificate
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]140 ed25519Certificate Certificate
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]141)
142
143var testCerts = []struct {
144 id testCert
145 certFile, keyFile string
146 cert *Certificate
147}{
148 {
149 id: testCertRSA,
150 certFile: rsaCertificateFile,
151 keyFile: rsaKeyFile,
152 cert: &rsaCertificate,
153 },
154 {
155 id: testCertRSA1024,
156 certFile: rsa1024CertificateFile,
157 keyFile: rsa1024KeyFile,
158 cert: &rsa1024Certificate,
159 },
160 {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]161 id: testCertRSAChain,
162 certFile: rsaChainCertificateFile,
163 keyFile: rsaChainKeyFile,
164 cert: &rsaChainCertificate,
165 },
166 {
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]167 id: testCertECDSAP224,
168 certFile: ecdsaP224CertificateFile,
169 keyFile: ecdsaP224KeyFile,
170 cert: &ecdsaP224Certificate,
171 },
172 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]173 id: testCertECDSAP256,
174 certFile: ecdsaP256CertificateFile,
175 keyFile: ecdsaP256KeyFile,
176 cert: &ecdsaP256Certificate,
177 },
178 {
179 id: testCertECDSAP384,
180 certFile: ecdsaP384CertificateFile,
181 keyFile: ecdsaP384KeyFile,
182 cert: &ecdsaP384Certificate,
183 },
184 {
185 id: testCertECDSAP521,
186 certFile: ecdsaP521CertificateFile,
187 keyFile: ecdsaP521KeyFile,
188 cert: &ecdsaP521Certificate,
189 },
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]190 {
191 id: testCertEd25519,
192 certFile: ed25519CertificateFile,
193 keyFile: ed25519KeyFile,
194 cert: &ed25519Certificate,
195 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]196}
197
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]198var channelIDKey *ecdsa.PrivateKey
199var channelIDBytes []byte
200
201var testOCSPResponse = []byte{1, 2, 3, 4}
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]202var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
203
204var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
205var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]206
207func initCertificates() {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]208 for i := range testCerts {
209 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
210 if err != nil {
211 panic(err)
212 }
213 cert.OCSPStaple = testOCSPResponse
214 cert.SignedCertificateTimestampList = testSCTList
215 *testCerts[i].cert = cert
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]216 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]217
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]218 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]219 if err != nil {
220 panic(err)
221 }
222 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
223 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
224 panic("bad key type")
225 }
226 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
227 if err != nil {
228 panic(err)
229 }
230 if channelIDKey.Curve != elliptic.P256() {
231 panic("bad curve")
232 }
233
234 channelIDBytes = make([]byte, 64)
235 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
236 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
237}
238
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]239func getRunnerCertificate(t testCert) Certificate {
240 for _, cert := range testCerts {
241 if cert.id == t {
242 return *cert.cert
243 }
244 }
245 panic("Unknown test certificate")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]246}
247
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]248func getShimCertificate(t testCert) string {
249 for _, cert := range testCerts {
250 if cert.id == t {
251 return cert.certFile
252 }
253 }
254 panic("Unknown test certificate")
255}
256
257func getShimKey(t testCert) string {
258 for _, cert := range testCerts {
259 if cert.id == t {
260 return cert.keyFile
261 }
262 }
263 panic("Unknown test certificate")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]264}
265
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]266// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
267func encodeDERValues(values [][]byte) string {
268 var ret string
269 for i, v := range values {
270 if i > 0 {
271 ret += ","
272 }
273 ret += hex.EncodeToString(v)
274 }
275
276 return ret
277}
278
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]279type testType int
280
281const (
282 clientTest testType = iota
283 serverTest
284)
285
286type protocol int
287
288const (
289 tls protocol = iota
290 dtls
291)
292
293const (
294 alpn = 1
295 npn = 2
296)
297
298type testCase struct {
299 testType testType
300 protocol protocol
301 name string
302 config Config
303 shouldFail bool
304 expectedError string
305 // expectedLocalError, if not empty, contains a substring that must be
306 // found in the local error.
307 expectedLocalError string
308 // expectedVersion, if non-zero, specifies the TLS version that must be
309 // negotiated.
310 expectedVersion uint16
311 // expectedResumeVersion, if non-zero, specifies the TLS version that
312 // must be negotiated on resumption. If zero, expectedVersion is used.
313 expectedResumeVersion uint16
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]314 // expectedCipher, if non-zero, specifies the TLS cipher suite that
315 // should be negotiated.
316 expectedCipher uint16
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]317 // expectChannelID controls whether the connection should have
318 // negotiated a Channel ID with channelIDKey.
319 expectChannelID bool
320 // expectedNextProto controls whether the connection should
321 // negotiate a next protocol via NPN or ALPN.
322 expectedNextProto string
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]323 // expectNoNextProto, if true, means that no next protocol should be
324 // negotiated.
325 expectNoNextProto bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]326 // expectedNextProtoType, if non-zero, is the expected next
327 // protocol negotiation mechanism.
328 expectedNextProtoType int
329 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
330 // should be negotiated. If zero, none should be negotiated.
331 expectedSRTPProtectionProfile uint16
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]332 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
333 expectedOCSPResponse []uint8
334 // expectedSCTList, if not nil, is the expected SCT list to be received.
335 expectedSCTList []uint8
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]336 // expectedPeerSignatureAlgorithm, if not zero, is the signature
337 // algorithm that the peer should have used in the handshake.
338 expectedPeerSignatureAlgorithm signatureAlgorithm
339 // expectedCurveID, if not zero, is the curve that the handshake should
340 // have used.
341 expectedCurveID CurveID
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]342 // messageLen is the length, in bytes, of the test message that will be
343 // sent.
344 messageLen int
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]345 // messageCount is the number of test messages that will be sent.
346 messageCount int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]347 // certFile is the path to the certificate to use for the server.
348 certFile string
349 // keyFile is the path to the private key to use for the server.
350 keyFile string
351 // resumeSession controls whether a second connection should be tested
352 // which attempts to resume the first session.
353 resumeSession bool
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]354 // resumeRenewedSession controls whether a third connection should be
355 // tested which attempts to resume the second connection's session.
356 resumeRenewedSession bool
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]357 // expectResumeRejected, if true, specifies that the attempted
358 // resumption must be rejected by the client. This is only valid for a
359 // serverTest.
360 expectResumeRejected bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]361 // resumeConfig, if not nil, points to a Config to be used on
362 // resumption. Unless newSessionsOnResume is set,
363 // SessionTicketKey, ServerSessionCache, and
364 // ClientSessionCache are copied from the initial connection's
365 // config. If nil, the initial connection's config is used.
366 resumeConfig *Config
367 // newSessionsOnResume, if true, will cause resumeConfig to
368 // use a different session resumption context.
369 newSessionsOnResume bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]370 // noSessionCache, if true, will cause the server to run without a
371 // session cache.
372 noSessionCache bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]373 // sendPrefix sends a prefix on the socket before actually performing a
374 // handshake.
375 sendPrefix string
376 // shimWritesFirst controls whether the shim sends an initial "hello"
377 // message before doing a roundtrip with the runner.
378 shimWritesFirst bool
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]379 // readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
380 // does not complete the write until responding to the first runner
381 // message.
382 readWithUnfinishedWrite bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]383 // shimShutsDown, if true, runs a test where the shim shuts down the
384 // connection immediately after the handshake rather than echoing
385 // messages from the runner.
386 shimShutsDown bool
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]387 // renegotiate indicates the number of times the connection should be
388 // renegotiated during the exchange.
389 renegotiate int
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]390 // sendHalfHelloRequest, if true, causes the server to send half a
391 // HelloRequest when the handshake completes.
392 sendHalfHelloRequest bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]393 // renegotiateCiphers is a list of ciphersuite ids that will be
394 // switched in just before renegotiation.
395 renegotiateCiphers []uint16
396 // replayWrites, if true, configures the underlying transport
397 // to replay every write it makes in DTLS tests.
398 replayWrites bool
399 // damageFirstWrite, if true, configures the underlying transport to
400 // damage the final byte of the first application data write.
401 damageFirstWrite bool
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]402 // exportKeyingMaterial, if non-zero, configures the test to exchange
403 // keying material and verify they match.
404 exportKeyingMaterial int
405 exportLabel string
406 exportContext string
407 useExportContext bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]408 // flags, if not empty, contains a list of command-line flags that will
409 // be passed to the shim program.
410 flags []string
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]411 // testTLSUnique, if true, causes the shim to send the tls-unique value
412 // which will be compared against the expected value.
413 testTLSUnique bool
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]414 // sendEmptyRecords is the number of consecutive empty records to send
415 // before and after the test message.
416 sendEmptyRecords int
417 // sendWarningAlerts is the number of consecutive warning alerts to send
418 // before and after the test message.
419 sendWarningAlerts int
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]420 // sendKeyUpdates is the number of consecutive key updates to send
421 // before and after the test message.
422 sendKeyUpdates int
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]423 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
424 keyUpdateRequest byte
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]425 // expectMessageDropped, if true, means the test message is expected to
426 // be dropped by the client rather than echoed back.
427 expectMessageDropped bool
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]428 // expectPeerCertificate, if not nil, is the certificate chain the peer
429 // is expected to send.
430 expectPeerCertificate *Certificate
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]431}
432
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]433var testCases []testCase
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]434
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]435func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]436 if len(data) == 0 {
437 return
438 }
439
440 protocol := "tls"
441 if test.protocol == dtls {
442 protocol = "dtls"
443 }
444
445 side := "client"
446 if test.testType == serverTest {
447 side = "server"
448 }
449
450 dir := path.Join(*transcriptDir, protocol, side)
451 if err := os.MkdirAll(dir, 0755); err != nil {
452 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
453 return
454 }
455
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]456 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]457 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
458 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
459 }
460}
461
462// A timeoutConn implements an idle timeout on each Read and Write operation.
463type timeoutConn struct {
464 net.Conn
465 timeout time.Duration
466}
467
468func (t *timeoutConn) Read(b []byte) (int, error) {
469 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
470 return 0, err
471 }
472 return t.Conn.Read(b)
473}
474
475func (t *timeoutConn) Write(b []byte) (int, error) {
476 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
477 return 0, err
478 }
479 return t.Conn.Write(b)
480}
481
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]482func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]483 if !test.noSessionCache {
484 if config.ClientSessionCache == nil {
485 config.ClientSessionCache = NewLRUClientSessionCache(1)
486 }
487 if config.ServerSessionCache == nil {
488 config.ServerSessionCache = NewLRUServerSessionCache(1)
489 }
490 }
491 if test.testType == clientTest {
492 if len(config.Certificates) == 0 {
493 config.Certificates = []Certificate{rsaCertificate}
494 }
495 } else {
496 // Supply a ServerName to ensure a constant session cache key,
497 // rather than falling back to net.Conn.RemoteAddr.
498 if len(config.ServerName) == 0 {
499 config.ServerName = "test"
500 }
501 }
502 if *fuzzer {
503 config.Bugs.NullAllCiphers = true
504 }
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]505 if *deterministic {
506 config.Time = func() time.Time { return time.Unix(1234, 1234) }
507 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]508
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]509 conn = &timeoutConn{conn, *idleTimeout}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]510
511 if test.protocol == dtls {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]512 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
513 conn = config.Bugs.PacketAdaptor
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]514 }
515
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]516 if *flagDebug || len(*transcriptDir) != 0 {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]517 local, peer := "client", "server"
518 if test.testType == clientTest {
519 local, peer = peer, local
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]520 }
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]521 connDebug := &recordingConn{
522 Conn: conn,
523 isDatagram: test.protocol == dtls,
524 local: local,
525 peer: peer,
526 }
527 conn = connDebug
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]528 if *flagDebug {
529 defer connDebug.WriteTo(os.Stdout)
530 }
531 if len(*transcriptDir) != 0 {
532 defer func() {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]533 writeTranscript(test, num, connDebug.Transcript())
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]534 }()
535 }
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]536
537 if config.Bugs.PacketAdaptor != nil {
538 config.Bugs.PacketAdaptor.debug = connDebug
539 }
540 }
541
542 if test.replayWrites {
543 conn = newReplayAdaptor(conn)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]544 }
545
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]546 var connDamage *damageAdaptor
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]547 if test.damageFirstWrite {
548 connDamage = newDamageAdaptor(conn)
549 conn = connDamage
550 }
551
552 if test.sendPrefix != "" {
553 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
554 return err
555 }
556 }
557
558 var tlsConn *Conn
559 if test.testType == clientTest {
560 if test.protocol == dtls {
561 tlsConn = DTLSServer(conn, config)
562 } else {
563 tlsConn = Server(conn, config)
564 }
565 } else {
566 config.InsecureSkipVerify = true
567 if test.protocol == dtls {
568 tlsConn = DTLSClient(conn, config)
569 } else {
570 tlsConn = Client(conn, config)
571 }
572 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]573 defer tlsConn.Close()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]574
575 if err := tlsConn.Handshake(); err != nil {
576 return err
577 }
578
579 // TODO(davidben): move all per-connection expectations into a dedicated
580 // expectations struct that can be specified separately for the two
581 // legs.
582 expectedVersion := test.expectedVersion
583 if isResume && test.expectedResumeVersion != 0 {
584 expectedVersion = test.expectedResumeVersion
585 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]586 connState := tlsConn.ConnectionState()
587 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]588 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
589 }
590
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]591 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]592 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
593 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]594 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
595 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
596 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]597
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]598 if test.expectChannelID {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]599 channelID := connState.ChannelID
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]600 if channelID == nil {
601 return fmt.Errorf("no channel ID negotiated")
602 }
603 if channelID.Curve != channelIDKey.Curve ||
604 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
605 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
606 return fmt.Errorf("incorrect channel ID")
607 }
608 }
609
610 if expected := test.expectedNextProto; expected != "" {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]611 if actual := connState.NegotiatedProtocol; actual != expected {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]612 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
613 }
614 }
615
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]616 if test.expectNoNextProto {
617 if actual := connState.NegotiatedProtocol; actual != "" {
618 return fmt.Errorf("got unexpected next proto %s", actual)
619 }
620 }
621
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]622 if test.expectedNextProtoType != 0 {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]623 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]624 return fmt.Errorf("next proto type mismatch")
625 }
626 }
627
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]628 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]629 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
630 }
631
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]632 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]633 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]634 }
635
636 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
637 return fmt.Errorf("SCT list mismatch")
638 }
639
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]640 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
641 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
642 }
643
644 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
645 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]646 }
647
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]648 if test.expectPeerCertificate != nil {
649 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
650 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
651 }
652 for i, cert := range connState.PeerCertificates {
653 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
654 return fmt.Errorf("peer certificate %d did not match", i+1)
655 }
656 }
657 }
658
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]659 if test.exportKeyingMaterial > 0 {
660 actual := make([]byte, test.exportKeyingMaterial)
661 if _, err := io.ReadFull(tlsConn, actual); err != nil {
662 return err
663 }
664 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
665 if err != nil {
666 return err
667 }
668 if !bytes.Equal(actual, expected) {
669 return fmt.Errorf("keying material mismatch")
670 }
671 }
672
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]673 if test.testTLSUnique {
674 var peersValue [12]byte
675 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
676 return err
677 }
678 expected := tlsConn.ConnectionState().TLSUnique
679 if !bytes.Equal(peersValue[:], expected) {
680 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
681 }
682 }
683
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]684 if test.sendHalfHelloRequest {
685 tlsConn.SendHalfHelloRequest()
686 }
687
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]688 shimPrefixPending := test.shimWritesFirst || test.readWithUnfinishedWrite
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]689 if test.renegotiate > 0 {
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]690 // If readWithUnfinishedWrite is set, the shim prefix will be
691 // available later.
692 if shimPrefixPending && !test.readWithUnfinishedWrite {
693 var buf [5]byte
694 _, err := io.ReadFull(tlsConn, buf[:])
695 if err != nil {
696 return err
697 }
698 if string(buf[:]) != "hello" {
699 return fmt.Errorf("bad initial message")
700 }
701 shimPrefixPending = false
702 }
703
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]704 if test.renegotiateCiphers != nil {
705 config.CipherSuites = test.renegotiateCiphers
706 }
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]707 for i := 0; i < test.renegotiate; i++ {
708 if err := tlsConn.Renegotiate(); err != nil {
709 return err
710 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]711 }
712 } else if test.renegotiateCiphers != nil {
713 panic("renegotiateCiphers without renegotiate")
714 }
715
716 if test.damageFirstWrite {
717 connDamage.setDamage(true)
718 tlsConn.Write([]byte("DAMAGED WRITE"))
719 connDamage.setDamage(false)
720 }
721
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]722 messageLen := test.messageLen
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]723 if messageLen < 0 {
724 if test.protocol == dtls {
725 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
726 }
727 // Read until EOF.
728 _, err := io.Copy(ioutil.Discard, tlsConn)
729 return err
730 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]731 if messageLen == 0 {
732 messageLen = 32
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]733 }
734
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]735 messageCount := test.messageCount
736 if messageCount == 0 {
737 messageCount = 1
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]738 }
739
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]740 for j := 0; j < messageCount; j++ {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]741 for i := 0; i < test.sendKeyUpdates; i++ {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]742 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]743 }
744
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]745 for i := 0; i < test.sendEmptyRecords; i++ {
746 tlsConn.Write(nil)
747 }
748
749 for i := 0; i < test.sendWarningAlerts; i++ {
750 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
751 }
752
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]753 testMessage := make([]byte, messageLen)
754 for i := range testMessage {
755 testMessage[i] = 0x42 ^ byte(j)
756 }
757 tlsConn.Write(testMessage)
758
759 // Consume the shim prefix if needed.
760 if shimPrefixPending {
761 var buf [5]byte
762 _, err := io.ReadFull(tlsConn, buf[:])
763 if err != nil {
764 return err
765 }
766 if string(buf[:]) != "hello" {
767 return fmt.Errorf("bad initial message")
768 }
769 shimPrefixPending = false
770 }
771
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]772 if test.shimShutsDown || test.expectMessageDropped {
773 // The shim will not respond.
774 continue
775 }
776
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]777 // Process the KeyUpdate ACK. However many KeyUpdates the runner
778 // sends, the shim should respond only once.
779 if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
780 if err := tlsConn.ReadKeyUpdateACK(); err != nil {
781 return err
782 }
783 }
784
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]785 buf := make([]byte, len(testMessage))
786 if test.protocol == dtls {
787 bufTmp := make([]byte, len(buf)+1)
788 n, err := tlsConn.Read(bufTmp)
789 if err != nil {
790 return err
791 }
792 if n != len(buf) {
793 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
794 }
795 copy(buf, bufTmp)
796 } else {
797 _, err := io.ReadFull(tlsConn, buf)
798 if err != nil {
799 return err
800 }
801 }
802
803 for i, v := range buf {
804 if v != testMessage[i]^0xff {
805 return fmt.Errorf("bad reply contents at byte %d", i)
806 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]807 }
808 }
809
810 return nil
811}
812
813func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]814 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]815 if dbAttach {
816 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
817 }
818 valgrindArgs = append(valgrindArgs, path)
819 valgrindArgs = append(valgrindArgs, args...)
820
821 return exec.Command("valgrind", valgrindArgs...)
822}
823
824func gdbOf(path string, args ...string) *exec.Cmd {
825 xtermArgs := []string{"-e", "gdb", "--args"}
826 xtermArgs = append(xtermArgs, path)
827 xtermArgs = append(xtermArgs, args...)
828
829 return exec.Command("xterm", xtermArgs...)
830}
831
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]832func lldbOf(path string, args ...string) *exec.Cmd {
833 xtermArgs := []string{"-e", "lldb", "--"}
834 xtermArgs = append(xtermArgs, path)
835 xtermArgs = append(xtermArgs, args...)
836
837 return exec.Command("xterm", xtermArgs...)
838}
839
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]840var (
841 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
842 errUnimplemented = errors.New("child process does not implement needed flags")
843)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]844
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]845// accept accepts a connection from listener, unless waitChan signals a process
846// exit first.
847func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
848 type connOrError struct {
849 conn net.Conn
850 err error
851 }
852 connChan := make(chan connOrError, 1)
853 go func() {
854 conn, err := listener.Accept()
855 connChan <- connOrError{conn, err}
856 close(connChan)
857 }()
858 select {
859 case result := <-connChan:
860 return result.conn, result.err
861 case childErr := <-waitChan:
862 waitChan <- childErr
863 return nil, fmt.Errorf("child exited early: %s", childErr)
864 }
865}
866
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]867func translateExpectedError(errorStr string) string {
868 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
869 return translated
870 }
871
872 if *looseErrors {
873 return ""
874 }
875
876 return errorStr
877}
878
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]879func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]880 // Help debugging panics on the Go side.
881 defer func() {
882 if r := recover(); r != nil {
883 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
884 panic(r)
885 }
886 }()
887
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]888 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
889 panic("Error expected without shouldFail in " + test.name)
890 }
891
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]892 if test.expectResumeRejected && !test.resumeSession {
893 panic("expectResumeRejected without resumeSession in " + test.name)
894 }
895
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]896 for _, ver := range tlsVersions {
897 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
898 continue
899 }
900
901 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
902 continue
903 }
904
905 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
906 }
907
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]908 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
909 if err != nil {
910 panic(err)
911 }
912 defer func() {
913 if listener != nil {
914 listener.Close()
915 }
916 }()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]917
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]918 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]919 if test.testType == serverTest {
920 flags = append(flags, "-server")
921
922 flags = append(flags, "-key-file")
923 if test.keyFile == "" {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]924 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]925 } else {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]926 flags = append(flags, path.Join(*resourceDir, test.keyFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]927 }
928
929 flags = append(flags, "-cert-file")
930 if test.certFile == "" {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]931 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]932 } else {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]933 flags = append(flags, path.Join(*resourceDir, test.certFile))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]934 }
935 }
936
937 if test.protocol == dtls {
938 flags = append(flags, "-dtls")
939 }
940
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]941 var resumeCount int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]942 if test.resumeSession {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]943 resumeCount++
944 if test.resumeRenewedSession {
945 resumeCount++
946 }
947 }
948
949 if resumeCount > 0 {
950 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]951 }
952
953 if test.shimWritesFirst {
954 flags = append(flags, "-shim-writes-first")
955 }
956
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]957 if test.readWithUnfinishedWrite {
958 flags = append(flags, "-read-with-unfinished-write")
959 }
960
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]961 if test.shimShutsDown {
962 flags = append(flags, "-shim-shuts-down")
963 }
964
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]965 if test.exportKeyingMaterial > 0 {
966 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
967 flags = append(flags, "-export-label", test.exportLabel)
968 flags = append(flags, "-export-context", test.exportContext)
969 if test.useExportContext {
970 flags = append(flags, "-use-export-context")
971 }
972 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]973 if test.expectResumeRejected {
974 flags = append(flags, "-expect-session-miss")
975 }
976
977 if test.testTLSUnique {
978 flags = append(flags, "-tls-unique")
979 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]980
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]981 flags = append(flags, test.flags...)
982
983 var shim *exec.Cmd
984 if *useValgrind {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]985 shim = valgrindOf(false, shimPath, flags...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]986 } else if *useGDB {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]987 shim = gdbOf(shimPath, flags...)
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]988 } else if *useLLDB {
989 shim = lldbOf(shimPath, flags...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]990 } else {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]991 shim = exec.Command(shimPath, flags...)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]992 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]993 shim.Stdin = os.Stdin
994 var stdoutBuf, stderrBuf bytes.Buffer
995 shim.Stdout = &stdoutBuf
996 shim.Stderr = &stderrBuf
997 if mallocNumToFail >= 0 {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]998 shim.Env = os.Environ()
999 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1000 if *mallocTestDebug {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1001 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1002 }
1003 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1004 }
1005
1006 if err := shim.Start(); err != nil {
1007 panic(err)
1008 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1009 waitChan := make(chan error, 1)
1010 go func() { waitChan <- shim.Wait() }()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1011
1012 config := test.config
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1013
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1014 if *deterministic {
1015 config.Rand = &deterministicRand{}
1016 }
1017
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1018 conn, err := acceptOrWait(listener, waitChan)
1019 if err == nil {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1020 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1021 conn.Close()
1022 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1023
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1024 for i := 0; err == nil && i < resumeCount; i++ {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1025 var resumeConfig Config
1026 if test.resumeConfig != nil {
1027 resumeConfig = *test.resumeConfig
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]1028 if !test.newSessionsOnResume {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1029 resumeConfig.SessionTicketKey = config.SessionTicketKey
1030 resumeConfig.ClientSessionCache = config.ClientSessionCache
1031 resumeConfig.ServerSessionCache = config.ServerSessionCache
1032 }
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]1033 resumeConfig.Rand = config.Rand
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1034 } else {
1035 resumeConfig = config
1036 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1037 var connResume net.Conn
1038 connResume, err = acceptOrWait(listener, waitChan)
1039 if err == nil {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1040 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1041 connResume.Close()
1042 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1043 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1044
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1045 // Close the listener now. This is to avoid hangs should the shim try to
1046 // open more connections than expected.
1047 listener.Close()
1048 listener = nil
1049
1050 childErr := <-waitChan
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1051 var isValgrindError bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1052 if exitError, ok := childErr.(*exec.ExitError); ok {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1053 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1054 case 88:
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1055 return errMoreMallocs
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1056 case 89:
1057 return errUnimplemented
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1058 case 99:
1059 isValgrindError = true
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1060 }
1061 }
1062
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1063 // Account for Windows line endings.
1064 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1065 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
1066
1067 // Separate the errors from the shim and those from tools like
1068 // AddressSanitizer.
1069 var extraStderr string
1070 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1071 stderr = stderrParts[0]
1072 extraStderr = stderrParts[1]
1073 }
1074
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1075 failed := err != nil || childErr != nil
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1076 expectedError := translateExpectedError(test.expectedError)
1077 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
1078
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1079 localError := "none"
1080 if err != nil {
1081 localError = err.Error()
1082 }
1083 if len(test.expectedLocalError) != 0 {
1084 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1085 }
1086
1087 if failed != test.shouldFail || failed && !correctFailure {
1088 childError := "none"
1089 if childErr != nil {
1090 childError = childErr.Error()
1091 }
1092
1093 var msg string
1094 switch {
1095 case failed && !test.shouldFail:
1096 msg = "unexpected failure"
1097 case !failed && test.shouldFail:
1098 msg = "unexpected success"
1099 case failed && !correctFailure:
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1100 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1101 default:
1102 panic("internal error")
1103 }
1104
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1105 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1106 }
1107
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1108 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
Robert Sloan2424d842017-05-01 07:46:28 -0700[diff] [blame]1109 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1110 }
1111
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1112 if *useValgrind && isValgrindError {
1113 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1114 }
1115
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1116 return nil
1117}
1118
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1119type tlsVersion struct {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1120 name string
1121 version uint16
1122 flag string
1123 hasDTLS bool
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1124}
1125
1126var tlsVersions = []tlsVersion{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1127 {"SSL3", VersionSSL30, "-no-ssl3", false},
1128 {"TLS1", VersionTLS10, "-no-tls1", true},
1129 {"TLS11", VersionTLS11, "-no-tls11", false},
1130 {"TLS12", VersionTLS12, "-no-tls12", true},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1131 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1132}
1133
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1134type testCipherSuite struct {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1135 name string
1136 id uint16
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]1137}
1138
1139var testCipherSuites = []testCipherSuite{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1140 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
1141 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
1142 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
1143 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
1144 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
1145 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
1146 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1147 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1148 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
1149 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1150 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
1151 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
1152 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1153 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1154 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1155 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1156 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
1157 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
1158 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
1159 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1160 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1161 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1162 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley0e6bb1c2015-06-15 13:52:15 -0700[diff] [blame]1163 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1164 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1165 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1166 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1167 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1168 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1169 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1170}
1171
1172func hasComponent(suiteName, component string) bool {
1173 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1174}
1175
1176func isTLS12Only(suiteName string) bool {
1177 return hasComponent(suiteName, "GCM") ||
1178 hasComponent(suiteName, "SHA256") ||
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]1179 hasComponent(suiteName, "SHA384") ||
1180 hasComponent(suiteName, "POLY1305")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1181}
1182
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1183func isTLS13Suite(suiteName string) bool {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1184 return strings.HasPrefix(suiteName, "AEAD-")
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1185}
1186
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1187func isDTLSCipher(suiteName string) bool {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1188 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1189}
1190
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]1191func bigFromHex(hex string) *big.Int {
1192 ret, ok := new(big.Int).SetString(hex, 16)
1193 if !ok {
1194 panic("failed to parse hex number 0x" + hex)
1195 }
1196 return ret
1197}
1198
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1199func addBasicTests() {
1200 basicTests := []testCase{
1201 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1202 name: "NoFallbackSCSV",
1203 config: Config{
1204 Bugs: ProtocolBugs{
1205 FailIfNotFallbackSCSV: true,
1206 },
1207 },
1208 shouldFail: true,
1209 expectedLocalError: "no fallback SCSV found",
1210 },
1211 {
1212 name: "SendFallbackSCSV",
1213 config: Config{
1214 Bugs: ProtocolBugs{
1215 FailIfNotFallbackSCSV: true,
1216 },
1217 },
1218 flags: []string{"-fallback-scsv"},
1219 },
1220 {
1221 name: "ClientCertificateTypes",
1222 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1223 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1224 ClientAuth: RequestClientCert,
1225 ClientCertificateTypes: []byte{
1226 CertTypeDSSSign,
1227 CertTypeRSASign,
1228 CertTypeECDSASign,
1229 },
1230 },
1231 flags: []string{
1232 "-expect-certificate-types",
1233 base64.StdEncoding.EncodeToString([]byte{
1234 CertTypeDSSSign,
1235 CertTypeRSASign,
1236 CertTypeECDSASign,
1237 }),
1238 },
1239 },
1240 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1241 name: "UnauthenticatedECDH",
1242 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1243 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1244 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1245 Bugs: ProtocolBugs{
1246 UnauthenticatedECDH: true,
1247 },
1248 },
1249 shouldFail: true,
1250 expectedError: ":UNEXPECTED_MESSAGE:",
1251 },
1252 {
1253 name: "SkipCertificateStatus",
1254 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1255 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1256 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1257 Bugs: ProtocolBugs{
1258 SkipCertificateStatus: true,
1259 },
1260 },
1261 flags: []string{
1262 "-enable-ocsp-stapling",
1263 },
1264 },
1265 {
1266 name: "SkipServerKeyExchange",
1267 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1268 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1269 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1270 Bugs: ProtocolBugs{
1271 SkipServerKeyExchange: true,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":UNEXPECTED_MESSAGE:",
1276 },
1277 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1278 testType: serverTest,
1279 name: "Alert",
1280 config: Config{
1281 Bugs: ProtocolBugs{
1282 SendSpuriousAlert: alertRecordOverflow,
1283 },
1284 },
1285 shouldFail: true,
1286 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1287 },
1288 {
1289 protocol: dtls,
1290 testType: serverTest,
1291 name: "Alert-DTLS",
1292 config: Config{
1293 Bugs: ProtocolBugs{
1294 SendSpuriousAlert: alertRecordOverflow,
1295 },
1296 },
1297 shouldFail: true,
1298 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1299 },
1300 {
1301 testType: serverTest,
1302 name: "FragmentAlert",
1303 config: Config{
1304 Bugs: ProtocolBugs{
1305 FragmentAlert: true,
1306 SendSpuriousAlert: alertRecordOverflow,
1307 },
1308 },
1309 shouldFail: true,
1310 expectedError: ":BAD_ALERT:",
1311 },
1312 {
1313 protocol: dtls,
1314 testType: serverTest,
1315 name: "FragmentAlert-DTLS",
1316 config: Config{
1317 Bugs: ProtocolBugs{
1318 FragmentAlert: true,
1319 SendSpuriousAlert: alertRecordOverflow,
1320 },
1321 },
1322 shouldFail: true,
1323 expectedError: ":BAD_ALERT:",
1324 },
1325 {
1326 testType: serverTest,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1327 name: "DoubleAlert",
1328 config: Config{
1329 Bugs: ProtocolBugs{
1330 DoubleAlert: true,
1331 SendSpuriousAlert: alertRecordOverflow,
1332 },
1333 },
1334 shouldFail: true,
1335 expectedError: ":BAD_ALERT:",
1336 },
1337 {
1338 protocol: dtls,
1339 testType: serverTest,
1340 name: "DoubleAlert-DTLS",
1341 config: Config{
1342 Bugs: ProtocolBugs{
1343 DoubleAlert: true,
1344 SendSpuriousAlert: alertRecordOverflow,
1345 },
1346 },
1347 shouldFail: true,
1348 expectedError: ":BAD_ALERT:",
1349 },
1350 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1351 name: "SkipNewSessionTicket",
1352 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1353 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1354 Bugs: ProtocolBugs{
1355 SkipNewSessionTicket: true,
1356 },
1357 },
1358 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1359 expectedError: ":UNEXPECTED_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1360 },
1361 {
1362 testType: serverTest,
1363 name: "FallbackSCSV",
1364 config: Config{
1365 MaxVersion: VersionTLS11,
1366 Bugs: ProtocolBugs{
1367 SendFallbackSCSV: true,
1368 },
1369 },
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]1370 shouldFail: true,
1371 expectedError: ":INAPPROPRIATE_FALLBACK:",
1372 expectedLocalError: "remote error: inappropriate fallback",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1373 },
1374 {
1375 testType: serverTest,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]1376 name: "FallbackSCSV-VersionMatch-TLS13",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1377 config: Config{
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]1378 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1379 Bugs: ProtocolBugs{
1380 SendFallbackSCSV: true,
1381 },
1382 },
1383 },
1384 {
1385 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1386 name: "FallbackSCSV-VersionMatch-TLS12",
1387 config: Config{
1388 MaxVersion: VersionTLS12,
1389 Bugs: ProtocolBugs{
1390 SendFallbackSCSV: true,
1391 },
1392 },
1393 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1394 },
1395 {
1396 testType: serverTest,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1397 name: "FragmentedClientVersion",
1398 config: Config{
1399 Bugs: ProtocolBugs{
1400 MaxHandshakeRecordLength: 1,
1401 FragmentClientVersion: true,
1402 },
1403 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1404 expectedVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1405 },
1406 {
1407 testType: serverTest,
1408 name: "HttpGET",
1409 sendPrefix: "GET / HTTP/1.0\n",
1410 shouldFail: true,
1411 expectedError: ":HTTP_REQUEST:",
1412 },
1413 {
1414 testType: serverTest,
1415 name: "HttpPOST",
1416 sendPrefix: "POST / HTTP/1.0\n",
1417 shouldFail: true,
1418 expectedError: ":HTTP_REQUEST:",
1419 },
1420 {
1421 testType: serverTest,
1422 name: "HttpHEAD",
1423 sendPrefix: "HEAD / HTTP/1.0\n",
1424 shouldFail: true,
1425 expectedError: ":HTTP_REQUEST:",
1426 },
1427 {
1428 testType: serverTest,
1429 name: "HttpPUT",
1430 sendPrefix: "PUT / HTTP/1.0\n",
1431 shouldFail: true,
1432 expectedError: ":HTTP_REQUEST:",
1433 },
1434 {
1435 testType: serverTest,
1436 name: "HttpCONNECT",
1437 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1438 shouldFail: true,
1439 expectedError: ":HTTPS_PROXY_REQUEST:",
1440 },
1441 {
1442 testType: serverTest,
1443 name: "Garbage",
1444 sendPrefix: "blah",
1445 shouldFail: true,
1446 expectedError: ":WRONG_VERSION_NUMBER:",
1447 },
1448 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1449 name: "RSAEphemeralKey",
1450 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1451 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1452 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1453 Bugs: ProtocolBugs{
1454 RSAEphemeralKey: true,
1455 },
1456 },
1457 shouldFail: true,
1458 expectedError: ":UNEXPECTED_MESSAGE:",
1459 },
1460 {
1461 name: "DisableEverything",
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]1462 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1463 shouldFail: true,
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1464 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1465 },
1466 {
1467 protocol: dtls,
1468 name: "DisableEverything-DTLS",
1469 flags: []string{"-no-tls12", "-no-tls1"},
1470 shouldFail: true,
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]1471 expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1472 },
1473 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1474 protocol: dtls,
1475 testType: serverTest,
1476 name: "MTU",
1477 config: Config{
1478 Bugs: ProtocolBugs{
1479 MaxPacketLength: 256,
1480 },
1481 },
1482 flags: []string{"-mtu", "256"},
1483 },
1484 {
1485 protocol: dtls,
1486 testType: serverTest,
1487 name: "MTUExceeded",
1488 config: Config{
1489 Bugs: ProtocolBugs{
1490 MaxPacketLength: 255,
1491 },
1492 },
1493 flags: []string{"-mtu", "256"},
1494 shouldFail: true,
1495 expectedLocalError: "dtls: exceeded maximum packet length",
1496 },
1497 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1498 name: "EmptyCertificateList",
1499 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1500 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1501 Bugs: ProtocolBugs{
1502 EmptyCertificateList: true,
1503 },
1504 },
1505 shouldFail: true,
1506 expectedError: ":DECODE_ERROR:",
1507 },
1508 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1509 name: "EmptyCertificateList-TLS13",
1510 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]1511 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1512 Bugs: ProtocolBugs{
1513 EmptyCertificateList: true,
1514 },
1515 },
1516 shouldFail: true,
1517 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
1518 },
1519 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1520 name: "TLSFatalBadPackets",
1521 damageFirstWrite: true,
1522 shouldFail: true,
1523 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1524 },
1525 {
1526 protocol: dtls,
1527 name: "DTLSIgnoreBadPackets",
1528 damageFirstWrite: true,
1529 },
1530 {
1531 protocol: dtls,
1532 name: "DTLSIgnoreBadPackets-Async",
1533 damageFirstWrite: true,
1534 flags: []string{"-async"},
1535 },
1536 {
1537 name: "AppDataBeforeHandshake",
1538 config: Config{
1539 Bugs: ProtocolBugs{
1540 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1541 },
1542 },
1543 shouldFail: true,
1544 expectedError: ":UNEXPECTED_RECORD:",
1545 },
1546 {
1547 name: "AppDataBeforeHandshake-Empty",
1548 config: Config{
1549 Bugs: ProtocolBugs{
1550 AppDataBeforeHandshake: []byte{},
1551 },
1552 },
1553 shouldFail: true,
1554 expectedError: ":UNEXPECTED_RECORD:",
1555 },
1556 {
1557 protocol: dtls,
1558 name: "AppDataBeforeHandshake-DTLS",
1559 config: Config{
1560 Bugs: ProtocolBugs{
1561 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1562 },
1563 },
1564 shouldFail: true,
1565 expectedError: ":UNEXPECTED_RECORD:",
1566 },
1567 {
1568 protocol: dtls,
1569 name: "AppDataBeforeHandshake-DTLS-Empty",
1570 config: Config{
1571 Bugs: ProtocolBugs{
1572 AppDataBeforeHandshake: []byte{},
1573 },
1574 },
1575 shouldFail: true,
1576 expectedError: ":UNEXPECTED_RECORD:",
1577 },
1578 {
1579 name: "AppDataAfterChangeCipherSpec",
1580 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1581 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1582 Bugs: ProtocolBugs{
1583 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1584 },
1585 },
1586 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1587 expectedError: ":UNEXPECTED_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1588 },
1589 {
1590 name: "AppDataAfterChangeCipherSpec-Empty",
1591 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1592 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1593 Bugs: ProtocolBugs{
1594 AppDataAfterChangeCipherSpec: []byte{},
1595 },
1596 },
1597 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]1598 expectedError: ":UNEXPECTED_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1599 },
1600 {
1601 protocol: dtls,
1602 name: "AppDataAfterChangeCipherSpec-DTLS",
1603 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1604 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1605 Bugs: ProtocolBugs{
1606 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1607 },
1608 },
1609 // BoringSSL's DTLS implementation will drop the out-of-order
1610 // application data.
1611 },
1612 {
1613 protocol: dtls,
1614 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1615 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1616 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1617 Bugs: ProtocolBugs{
1618 AppDataAfterChangeCipherSpec: []byte{},
1619 },
1620 },
1621 // BoringSSL's DTLS implementation will drop the out-of-order
1622 // application data.
1623 },
1624 {
1625 name: "AlertAfterChangeCipherSpec",
1626 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1627 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1628 Bugs: ProtocolBugs{
1629 AlertAfterChangeCipherSpec: alertRecordOverflow,
1630 },
1631 },
1632 shouldFail: true,
1633 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1634 },
1635 {
1636 protocol: dtls,
1637 name: "AlertAfterChangeCipherSpec-DTLS",
1638 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1639 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1640 Bugs: ProtocolBugs{
1641 AlertAfterChangeCipherSpec: alertRecordOverflow,
1642 },
1643 },
1644 shouldFail: true,
1645 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1646 },
1647 {
1648 protocol: dtls,
1649 name: "ReorderHandshakeFragments-Small-DTLS",
1650 config: Config{
1651 Bugs: ProtocolBugs{
1652 ReorderHandshakeFragments: true,
1653 // Small enough that every handshake message is
1654 // fragmented.
1655 MaxHandshakeRecordLength: 2,
1656 },
1657 },
1658 },
1659 {
1660 protocol: dtls,
1661 name: "ReorderHandshakeFragments-Large-DTLS",
1662 config: Config{
1663 Bugs: ProtocolBugs{
1664 ReorderHandshakeFragments: true,
1665 // Large enough that no handshake message is
1666 // fragmented.
1667 MaxHandshakeRecordLength: 2048,
1668 },
1669 },
1670 },
1671 {
1672 protocol: dtls,
1673 name: "MixCompleteMessageWithFragments-DTLS",
1674 config: Config{
1675 Bugs: ProtocolBugs{
1676 ReorderHandshakeFragments: true,
1677 MixCompleteMessageWithFragments: true,
1678 MaxHandshakeRecordLength: 2,
1679 },
1680 },
1681 },
1682 {
1683 name: "SendInvalidRecordType",
1684 config: Config{
1685 Bugs: ProtocolBugs{
1686 SendInvalidRecordType: true,
1687 },
1688 },
1689 shouldFail: true,
1690 expectedError: ":UNEXPECTED_RECORD:",
1691 },
1692 {
1693 protocol: dtls,
1694 name: "SendInvalidRecordType-DTLS",
1695 config: Config{
1696 Bugs: ProtocolBugs{
1697 SendInvalidRecordType: true,
1698 },
1699 },
1700 shouldFail: true,
1701 expectedError: ":UNEXPECTED_RECORD:",
1702 },
1703 {
1704 name: "FalseStart-SkipServerSecondLeg",
1705 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1706 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1707 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1708 NextProtos: []string{"foo"},
1709 Bugs: ProtocolBugs{
1710 SkipNewSessionTicket: true,
1711 SkipChangeCipherSpec: true,
1712 SkipFinished: true,
1713 ExpectFalseStart: true,
1714 },
1715 },
1716 flags: []string{
1717 "-false-start",
1718 "-handshake-never-done",
1719 "-advertise-alpn", "\x03foo",
1720 },
1721 shimWritesFirst: true,
1722 shouldFail: true,
1723 expectedError: ":UNEXPECTED_RECORD:",
1724 },
1725 {
1726 name: "FalseStart-SkipServerSecondLeg-Implicit",
1727 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1728 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1729 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1730 NextProtos: []string{"foo"},
1731 Bugs: ProtocolBugs{
1732 SkipNewSessionTicket: true,
1733 SkipChangeCipherSpec: true,
1734 SkipFinished: true,
1735 },
1736 },
1737 flags: []string{
1738 "-implicit-handshake",
1739 "-false-start",
1740 "-handshake-never-done",
1741 "-advertise-alpn", "\x03foo",
1742 },
1743 shouldFail: true,
1744 expectedError: ":UNEXPECTED_RECORD:",
1745 },
1746 {
1747 testType: serverTest,
1748 name: "FailEarlyCallback",
1749 flags: []string{"-fail-early-callback"},
1750 shouldFail: true,
1751 expectedError: ":CONNECTION_REJECTED:",
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]1752 expectedLocalError: "remote error: handshake failure",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1753 },
1754 {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]1755 name: "FailCertCallback-Client-TLS12",
1756 config: Config{
1757 MaxVersion: VersionTLS12,
1758 ClientAuth: RequestClientCert,
1759 },
1760 flags: []string{"-fail-cert-callback"},
1761 shouldFail: true,
1762 expectedError: ":CERT_CB_ERROR:",
1763 expectedLocalError: "remote error: internal error",
1764 },
1765 {
1766 testType: serverTest,
1767 name: "FailCertCallback-Server-TLS12",
1768 config: Config{
1769 MaxVersion: VersionTLS12,
1770 },
1771 flags: []string{"-fail-cert-callback"},
1772 shouldFail: true,
1773 expectedError: ":CERT_CB_ERROR:",
1774 expectedLocalError: "remote error: internal error",
1775 },
1776 {
1777 name: "FailCertCallback-Client-TLS13",
1778 config: Config{
1779 MaxVersion: VersionTLS13,
1780 ClientAuth: RequestClientCert,
1781 },
1782 flags: []string{"-fail-cert-callback"},
1783 shouldFail: true,
1784 expectedError: ":CERT_CB_ERROR:",
1785 expectedLocalError: "remote error: internal error",
1786 },
1787 {
1788 testType: serverTest,
1789 name: "FailCertCallback-Server-TLS13",
1790 config: Config{
1791 MaxVersion: VersionTLS13,
1792 },
1793 flags: []string{"-fail-cert-callback"},
1794 shouldFail: true,
1795 expectedError: ":CERT_CB_ERROR:",
1796 expectedLocalError: "remote error: internal error",
1797 },
1798 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1799 protocol: dtls,
1800 name: "FragmentMessageTypeMismatch-DTLS",
1801 config: Config{
1802 Bugs: ProtocolBugs{
1803 MaxHandshakeRecordLength: 2,
1804 FragmentMessageTypeMismatch: true,
1805 },
1806 },
1807 shouldFail: true,
1808 expectedError: ":FRAGMENT_MISMATCH:",
1809 },
1810 {
1811 protocol: dtls,
1812 name: "FragmentMessageLengthMismatch-DTLS",
1813 config: Config{
1814 Bugs: ProtocolBugs{
1815 MaxHandshakeRecordLength: 2,
1816 FragmentMessageLengthMismatch: true,
1817 },
1818 },
1819 shouldFail: true,
1820 expectedError: ":FRAGMENT_MISMATCH:",
1821 },
1822 {
1823 protocol: dtls,
1824 name: "SplitFragments-Header-DTLS",
1825 config: Config{
1826 Bugs: ProtocolBugs{
1827 SplitFragments: 2,
1828 },
1829 },
1830 shouldFail: true,
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]1831 expectedError: ":BAD_HANDSHAKE_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1832 },
1833 {
1834 protocol: dtls,
1835 name: "SplitFragments-Boundary-DTLS",
1836 config: Config{
1837 Bugs: ProtocolBugs{
1838 SplitFragments: dtlsRecordHeaderLen,
1839 },
1840 },
1841 shouldFail: true,
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]1842 expectedError: ":BAD_HANDSHAKE_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1843 },
1844 {
1845 protocol: dtls,
1846 name: "SplitFragments-Body-DTLS",
1847 config: Config{
1848 Bugs: ProtocolBugs{
1849 SplitFragments: dtlsRecordHeaderLen + 1,
1850 },
1851 },
1852 shouldFail: true,
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]1853 expectedError: ":BAD_HANDSHAKE_RECORD:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1854 },
1855 {
1856 protocol: dtls,
1857 name: "SendEmptyFragments-DTLS",
1858 config: Config{
1859 Bugs: ProtocolBugs{
1860 SendEmptyFragments: true,
1861 },
1862 },
1863 },
1864 {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1865 name: "BadFinished-Client",
1866 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1867 MaxVersion: VersionTLS12,
1868 Bugs: ProtocolBugs{
1869 BadFinished: true,
1870 },
1871 },
1872 shouldFail: true,
1873 expectedError: ":DIGEST_CHECK_FAILED:",
1874 },
1875 {
1876 name: "BadFinished-Client-TLS13",
1877 config: Config{
1878 MaxVersion: VersionTLS13,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]1879 Bugs: ProtocolBugs{
1880 BadFinished: true,
1881 },
1882 },
1883 shouldFail: true,
1884 expectedError: ":DIGEST_CHECK_FAILED:",
1885 },
1886 {
1887 testType: serverTest,
1888 name: "BadFinished-Server",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1889 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1890 MaxVersion: VersionTLS12,
1891 Bugs: ProtocolBugs{
1892 BadFinished: true,
1893 },
1894 },
1895 shouldFail: true,
1896 expectedError: ":DIGEST_CHECK_FAILED:",
1897 },
1898 {
1899 testType: serverTest,
1900 name: "BadFinished-Server-TLS13",
1901 config: Config{
1902 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1903 Bugs: ProtocolBugs{
1904 BadFinished: true,
1905 },
1906 },
1907 shouldFail: true,
1908 expectedError: ":DIGEST_CHECK_FAILED:",
1909 },
1910 {
1911 name: "FalseStart-BadFinished",
1912 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1913 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1914 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1915 NextProtos: []string{"foo"},
1916 Bugs: ProtocolBugs{
1917 BadFinished: true,
1918 ExpectFalseStart: true,
1919 },
1920 },
1921 flags: []string{
1922 "-false-start",
1923 "-handshake-never-done",
1924 "-advertise-alpn", "\x03foo",
1925 },
1926 shimWritesFirst: true,
1927 shouldFail: true,
1928 expectedError: ":DIGEST_CHECK_FAILED:",
1929 },
1930 {
1931 name: "NoFalseStart-NoALPN",
1932 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1933 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1934 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1935 Bugs: ProtocolBugs{
1936 ExpectFalseStart: true,
1937 AlertBeforeFalseStartTest: alertAccessDenied,
1938 },
1939 },
1940 flags: []string{
1941 "-false-start",
1942 },
1943 shimWritesFirst: true,
1944 shouldFail: true,
1945 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1946 expectedLocalError: "tls: peer did not false start: EOF",
1947 },
1948 {
1949 name: "NoFalseStart-NoAEAD",
1950 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1951 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1952 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1953 NextProtos: []string{"foo"},
1954 Bugs: ProtocolBugs{
1955 ExpectFalseStart: true,
1956 AlertBeforeFalseStartTest: alertAccessDenied,
1957 },
1958 },
1959 flags: []string{
1960 "-false-start",
1961 "-advertise-alpn", "\x03foo",
1962 },
1963 shimWritesFirst: true,
1964 shouldFail: true,
1965 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1966 expectedLocalError: "tls: peer did not false start: EOF",
1967 },
1968 {
1969 name: "NoFalseStart-RSA",
1970 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1971 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1972 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1973 NextProtos: []string{"foo"},
1974 Bugs: ProtocolBugs{
1975 ExpectFalseStart: true,
1976 AlertBeforeFalseStartTest: alertAccessDenied,
1977 },
1978 },
1979 flags: []string{
1980 "-false-start",
1981 "-advertise-alpn", "\x03foo",
1982 },
1983 shimWritesFirst: true,
1984 shouldFail: true,
1985 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1986 expectedLocalError: "tls: peer did not false start: EOF",
1987 },
1988 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]1989 protocol: dtls,
1990 name: "SendSplitAlert-Sync",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 },
1997 {
1998 protocol: dtls,
1999 name: "SendSplitAlert-Async",
2000 config: Config{
2001 Bugs: ProtocolBugs{
2002 SendSplitAlert: true,
2003 },
2004 },
2005 flags: []string{"-async"},
2006 },
2007 {
2008 protocol: dtls,
2009 name: "PackDTLSHandshake",
2010 config: Config{
2011 Bugs: ProtocolBugs{
2012 MaxHandshakeRecordLength: 2,
2013 PackHandshakeFragments: 20,
2014 PackHandshakeRecords: 200,
2015 },
2016 },
2017 },
2018 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2019 name: "SendEmptyRecords-Pass",
2020 sendEmptyRecords: 32,
2021 },
2022 {
2023 name: "SendEmptyRecords",
2024 sendEmptyRecords: 33,
2025 shouldFail: true,
2026 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2027 },
2028 {
2029 name: "SendEmptyRecords-Async",
2030 sendEmptyRecords: 33,
2031 flags: []string{"-async"},
2032 shouldFail: true,
2033 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2034 },
2035 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2036 name: "SendWarningAlerts-Pass",
2037 config: Config{
2038 MaxVersion: VersionTLS12,
2039 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2040 sendWarningAlerts: 4,
2041 },
2042 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2043 protocol: dtls,
2044 name: "SendWarningAlerts-DTLS-Pass",
2045 config: Config{
2046 MaxVersion: VersionTLS12,
2047 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2048 sendWarningAlerts: 4,
2049 },
2050 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2051 name: "SendWarningAlerts-TLS13",
2052 config: Config{
2053 MaxVersion: VersionTLS13,
2054 },
2055 sendWarningAlerts: 4,
2056 shouldFail: true,
2057 expectedError: ":BAD_ALERT:",
2058 expectedLocalError: "remote error: error decoding message",
2059 },
2060 {
2061 name: "SendWarningAlerts",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2065 sendWarningAlerts: 5,
2066 shouldFail: true,
2067 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2068 },
2069 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2070 name: "SendWarningAlerts-Async",
2071 config: Config{
2072 MaxVersion: VersionTLS12,
2073 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2074 sendWarningAlerts: 5,
2075 flags: []string{"-async"},
2076 shouldFail: true,
2077 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2078 },
2079 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2080 name: "TooManyKeyUpdates",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2081 config: Config{
2082 MaxVersion: VersionTLS13,
2083 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2084 sendKeyUpdates: 33,
2085 keyUpdateRequest: keyUpdateNotRequested,
2086 shouldFail: true,
2087 expectedError: ":TOO_MANY_KEY_UPDATES:",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2088 },
2089 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2090 name: "EmptySessionID",
2091 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2092 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2093 SessionTicketsDisabled: true,
2094 },
2095 noSessionCache: true,
2096 flags: []string{"-expect-no-session"},
2097 },
2098 {
2099 name: "Unclean-Shutdown",
2100 config: Config{
2101 Bugs: ProtocolBugs{
2102 NoCloseNotify: true,
2103 ExpectCloseNotify: true,
2104 },
2105 },
2106 shimShutsDown: true,
2107 flags: []string{"-check-close-notify"},
2108 shouldFail: true,
2109 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2110 },
2111 {
2112 name: "Unclean-Shutdown-Ignored",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 NoCloseNotify: true,
2116 },
2117 },
2118 shimShutsDown: true,
2119 },
2120 {
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]2121 name: "Unclean-Shutdown-Alert",
2122 config: Config{
2123 Bugs: ProtocolBugs{
2124 SendAlertOnShutdown: alertDecompressionFailure,
2125 ExpectCloseNotify: true,
2126 },
2127 },
2128 shimShutsDown: true,
2129 flags: []string{"-check-close-notify"},
2130 shouldFail: true,
2131 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2132 },
2133 {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2134 name: "LargePlaintext",
2135 config: Config{
2136 Bugs: ProtocolBugs{
2137 SendLargeRecords: true,
2138 },
2139 },
2140 messageLen: maxPlaintext + 1,
2141 shouldFail: true,
2142 expectedError: ":DATA_LENGTH_TOO_LONG:",
2143 },
2144 {
2145 protocol: dtls,
2146 name: "LargePlaintext-DTLS",
2147 config: Config{
2148 Bugs: ProtocolBugs{
2149 SendLargeRecords: true,
2150 },
2151 },
2152 messageLen: maxPlaintext + 1,
2153 shouldFail: true,
2154 expectedError: ":DATA_LENGTH_TOO_LONG:",
2155 },
2156 {
2157 name: "LargeCiphertext",
2158 config: Config{
2159 Bugs: ProtocolBugs{
2160 SendLargeRecords: true,
2161 },
2162 },
2163 messageLen: maxPlaintext * 2,
2164 shouldFail: true,
2165 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2166 },
2167 {
2168 protocol: dtls,
2169 name: "LargeCiphertext-DTLS",
2170 config: Config{
2171 Bugs: ProtocolBugs{
2172 SendLargeRecords: true,
2173 },
2174 },
2175 messageLen: maxPlaintext * 2,
2176 // Unlike the other four cases, DTLS drops records which
2177 // are invalid before authentication, so the connection
2178 // does not fail.
2179 expectMessageDropped: true,
2180 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]2181 {
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2182 name: "BadHelloRequest-1",
2183 renegotiate: 1,
2184 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2185 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2186 Bugs: ProtocolBugs{
2187 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2188 },
2189 },
2190 flags: []string{
2191 "-renegotiate-freely",
2192 "-expect-total-renegotiations", "1",
2193 },
2194 shouldFail: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2195 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2196 },
2197 {
2198 name: "BadHelloRequest-2",
2199 renegotiate: 1,
2200 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2201 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]2202 Bugs: ProtocolBugs{
2203 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2204 },
2205 },
2206 flags: []string{
2207 "-renegotiate-freely",
2208 "-expect-total-renegotiations", "1",
2209 },
2210 shouldFail: true,
2211 expectedError: ":BAD_HELLO_REQUEST:",
2212 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2213 {
2214 testType: serverTest,
2215 name: "SupportTicketsWithSessionID",
2216 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2217 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2218 SessionTicketsDisabled: true,
2219 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2220 resumeConfig: &Config{
2221 MaxVersion: VersionTLS12,
2222 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2223 resumeSession: true,
2224 },
2225 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2226 protocol: dtls,
2227 name: "DTLS-SendExtraFinished",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2228 config: Config{
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2229 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2230 SendExtraFinished: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2231 },
2232 },
2233 shouldFail: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2234 expectedError: ":UNEXPECTED_RECORD:",
2235 },
2236 {
2237 protocol: dtls,
2238 name: "DTLS-SendExtraFinished-Reordered",
2239 config: Config{
2240 Bugs: ProtocolBugs{
2241 MaxHandshakeRecordLength: 2,
2242 ReorderHandshakeFragments: true,
2243 SendExtraFinished: true,
2244 },
2245 },
2246 shouldFail: true,
2247 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2248 },
2249 {
2250 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2251 name: "V2ClientHello-EmptyRecordPrefix",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2252 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2253 // Choose a cipher suite that does not involve
2254 // elliptic curves, so no extensions are
2255 // involved.
2256 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2257 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2258 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2259 SendV2ClientHello: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2260 },
2261 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2262 sendPrefix: string([]byte{
2263 byte(recordTypeHandshake),
2264 3, 1, // version
2265 0, 0, // length
2266 }),
2267 // A no-op empty record may not be sent before V2ClientHello.
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2268 shouldFail: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2269 expectedError: ":WRONG_VERSION_NUMBER:",
2270 },
2271 {
2272 testType: serverTest,
2273 name: "V2ClientHello-WarningAlertPrefix",
2274 config: Config{
2275 // Choose a cipher suite that does not involve
2276 // elliptic curves, so no extensions are
2277 // involved.
2278 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2279 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2280 Bugs: ProtocolBugs{
2281 SendV2ClientHello: true,
2282 },
2283 },
2284 sendPrefix: string([]byte{
2285 byte(recordTypeAlert),
2286 3, 1, // version
2287 0, 2, // length
2288 alertLevelWarning, byte(alertDecompressionFailure),
2289 }),
2290 // A no-op warning alert may not be sent before V2ClientHello.
2291 shouldFail: true,
2292 expectedError: ":WRONG_VERSION_NUMBER:",
2293 },
2294 {
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]2295 name: "KeyUpdate-Client",
2296 config: Config{
2297 MaxVersion: VersionTLS13,
2298 },
2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 testType: serverTest,
2304 name: "KeyUpdate-Server",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2305 config: Config{
2306 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2307 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2308 sendKeyUpdates: 1,
2309 keyUpdateRequest: keyUpdateNotRequested,
2310 },
2311 {
2312 name: "KeyUpdate-InvalidRequestMode",
2313 config: Config{
2314 MaxVersion: VersionTLS13,
2315 },
2316 sendKeyUpdates: 1,
2317 keyUpdateRequest: 42,
2318 shouldFail: true,
2319 expectedError: ":DECODE_ERROR:",
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2320 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2321 {
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]2322 // Test that KeyUpdates are acknowledged properly.
2323 name: "KeyUpdate-RequestACK",
2324 config: Config{
2325 MaxVersion: VersionTLS13,
2326 Bugs: ProtocolBugs{
2327 RejectUnsolicitedKeyUpdate: true,
2328 },
2329 },
2330 // Test the shim receiving many KeyUpdates in a row.
2331 sendKeyUpdates: 5,
2332 messageCount: 5,
2333 keyUpdateRequest: keyUpdateRequested,
2334 },
2335 {
2336 // Test that KeyUpdates are acknowledged properly if the
2337 // peer's KeyUpdate is discovered while a write is
2338 // pending.
2339 name: "KeyUpdate-RequestACK-UnfinishedWrite",
2340 config: Config{
2341 MaxVersion: VersionTLS13,
2342 Bugs: ProtocolBugs{
2343 RejectUnsolicitedKeyUpdate: true,
2344 },
2345 },
2346 // Test the shim receiving many KeyUpdates in a row.
2347 sendKeyUpdates: 5,
2348 messageCount: 5,
2349 keyUpdateRequest: keyUpdateRequested,
2350 readWithUnfinishedWrite: true,
2351 flags: []string{"-async"},
2352 },
2353 {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2354 name: "SendSNIWarningAlert",
2355 config: Config{
2356 MaxVersion: VersionTLS12,
2357 Bugs: ProtocolBugs{
2358 SendSNIWarningAlert: true,
2359 },
2360 },
2361 },
2362 {
2363 testType: serverTest,
2364 name: "ExtraCompressionMethods-TLS12",
2365 config: Config{
2366 MaxVersion: VersionTLS12,
2367 Bugs: ProtocolBugs{
2368 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2369 },
2370 },
2371 },
2372 {
2373 testType: serverTest,
2374 name: "ExtraCompressionMethods-TLS13",
2375 config: Config{
2376 MaxVersion: VersionTLS13,
2377 Bugs: ProtocolBugs{
2378 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2379 },
2380 },
2381 shouldFail: true,
2382 expectedError: ":INVALID_COMPRESSION_LIST:",
2383 expectedLocalError: "remote error: illegal parameter",
2384 },
2385 {
2386 testType: serverTest,
2387 name: "NoNullCompression-TLS12",
2388 config: Config{
2389 MaxVersion: VersionTLS12,
2390 Bugs: ProtocolBugs{
2391 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2392 },
2393 },
2394 shouldFail: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]2395 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2396 expectedLocalError: "remote error: illegal parameter",
2397 },
2398 {
2399 testType: serverTest,
2400 name: "NoNullCompression-TLS13",
2401 config: Config{
2402 MaxVersion: VersionTLS13,
2403 Bugs: ProtocolBugs{
2404 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2405 },
2406 },
2407 shouldFail: true,
2408 expectedError: ":INVALID_COMPRESSION_LIST:",
2409 expectedLocalError: "remote error: illegal parameter",
2410 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2411 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2412 name: "GREASE-Client-TLS12",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2413 config: Config{
2414 MaxVersion: VersionTLS12,
2415 Bugs: ProtocolBugs{
2416 ExpectGREASE: true,
2417 },
2418 },
2419 flags: []string{"-enable-grease"},
2420 },
2421 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]2422 name: "GREASE-Client-TLS13",
2423 config: Config{
2424 MaxVersion: VersionTLS13,
2425 Bugs: ProtocolBugs{
2426 ExpectGREASE: true,
2427 },
2428 },
2429 flags: []string{"-enable-grease"},
2430 },
2431 {
2432 testType: serverTest,
2433 name: "GREASE-Server-TLS13",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2434 config: Config{
2435 MaxVersion: VersionTLS13,
2436 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]2437 // TLS 1.3 servers are expected to
2438 // always enable GREASE. TLS 1.3 is new,
2439 // so there is no existing ecosystem to
2440 // worry about.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2441 ExpectGREASE: true,
2442 },
2443 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2444 },
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]2445 {
2446 // Test the server so there is a large certificate as
2447 // well as application data.
2448 testType: serverTest,
2449 name: "MaxSendFragment",
2450 config: Config{
2451 Bugs: ProtocolBugs{
2452 MaxReceivePlaintext: 512,
2453 },
2454 },
2455 messageLen: 1024,
2456 flags: []string{
2457 "-max-send-fragment", "512",
2458 "-read-size", "1024",
2459 },
2460 },
2461 {
2462 // Test the server so there is a large certificate as
2463 // well as application data.
2464 testType: serverTest,
2465 name: "MaxSendFragment-TooLarge",
2466 config: Config{
2467 Bugs: ProtocolBugs{
2468 // Ensure that some of the records are
2469 // 512.
2470 MaxReceivePlaintext: 511,
2471 },
2472 },
2473 messageLen: 1024,
2474 flags: []string{
2475 "-max-send-fragment", "512",
2476 "-read-size", "1024",
2477 },
2478 shouldFail: true,
2479 expectedLocalError: "local error: record overflow",
2480 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2481 }
2482 testCases = append(testCases, basicTests...)
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2483
2484 // Test that very large messages can be received.
2485 cert := rsaCertificate
2486 for i := 0; i < 50; i++ {
2487 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2488 }
2489 testCases = append(testCases, testCase{
2490 name: "LargeMessage",
2491 config: Config{
2492 Certificates: []Certificate{cert},
2493 },
2494 })
2495 testCases = append(testCases, testCase{
2496 protocol: dtls,
2497 name: "LargeMessage-DTLS",
2498 config: Config{
2499 Certificates: []Certificate{cert},
2500 },
2501 })
2502
2503 // They are rejected if the maximum certificate chain length is capped.
2504 testCases = append(testCases, testCase{
2505 name: "LargeMessage-Reject",
2506 config: Config{
2507 Certificates: []Certificate{cert},
2508 },
2509 flags: []string{"-max-cert-list", "16384"},
2510 shouldFail: true,
2511 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2512 })
2513 testCases = append(testCases, testCase{
2514 protocol: dtls,
2515 name: "LargeMessage-Reject-DTLS",
2516 config: Config{
2517 Certificates: []Certificate{cert},
2518 },
2519 flags: []string{"-max-cert-list", "16384"},
2520 shouldFail: true,
2521 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2522 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2523}
2524
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2525func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2526 const psk = "12345"
2527 const pskIdentity = "luggage combo"
2528
2529 var prefix string
2530 if protocol == dtls {
2531 if !ver.hasDTLS {
2532 return
2533 }
2534 prefix = "D"
2535 }
2536
2537 var cert Certificate
2538 var certFile string
2539 var keyFile string
2540 if hasComponent(suite.name, "ECDSA") {
2541 cert = ecdsaP256Certificate
2542 certFile = ecdsaP256CertificateFile
2543 keyFile = ecdsaP256KeyFile
2544 } else {
2545 cert = rsaCertificate
2546 certFile = rsaCertificateFile
2547 keyFile = rsaKeyFile
2548 }
2549
2550 var flags []string
2551 if hasComponent(suite.name, "PSK") {
2552 flags = append(flags,
2553 "-psk", psk,
2554 "-psk-identity", pskIdentity)
2555 }
2556 if hasComponent(suite.name, "NULL") {
2557 // NULL ciphers must be explicitly enabled.
2558 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2559 }
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2560
2561 var shouldServerFail, shouldClientFail bool
2562 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2563 // BoringSSL clients accept ECDHE on SSLv3, but
2564 // a BoringSSL server will never select it
2565 // because the extension is missing.
2566 shouldServerFail = true
2567 }
2568 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2569 shouldClientFail = true
2570 shouldServerFail = true
2571 }
2572 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2573 shouldClientFail = true
2574 shouldServerFail = true
2575 }
2576 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2577 shouldClientFail = true
2578 shouldServerFail = true
2579 }
2580 if !isDTLSCipher(suite.name) && protocol == dtls {
2581 shouldClientFail = true
2582 shouldServerFail = true
2583 }
2584
2585 var sendCipherSuite uint16
2586 var expectedServerError, expectedClientError string
2587 serverCipherSuites := []uint16{suite.id}
2588 if shouldServerFail {
2589 expectedServerError = ":NO_SHARED_CIPHER:"
2590 }
2591 if shouldClientFail {
2592 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2593 // Configure the server to select ciphers as normal but
2594 // select an incompatible cipher in ServerHello.
2595 serverCipherSuites = nil
2596 sendCipherSuite = suite.id
2597 }
2598
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]2599 // For cipher suites and versions where exporters are defined, verify
2600 // that they interoperate.
2601 var exportKeyingMaterial int
2602 if ver.version > VersionSSL30 {
2603 exportKeyingMaterial = 1024
2604 }
2605
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2606 testCases = append(testCases, testCase{
2607 testType: serverTest,
2608 protocol: protocol,
2609 name: prefix + ver.name + "-" + suite.name + "-server",
2610 config: Config{
2611 MinVersion: ver.version,
2612 MaxVersion: ver.version,
2613 CipherSuites: []uint16{suite.id},
2614 Certificates: []Certificate{cert},
2615 PreSharedKey: []byte(psk),
2616 PreSharedKeyIdentity: pskIdentity,
2617 Bugs: ProtocolBugs{
2618 AdvertiseAllConfiguredCiphers: true,
2619 },
2620 },
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]2621 certFile: certFile,
2622 keyFile: keyFile,
2623 flags: flags,
2624 resumeSession: true,
2625 shouldFail: shouldServerFail,
2626 expectedError: expectedServerError,
2627 exportKeyingMaterial: exportKeyingMaterial,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2628 })
2629
2630 testCases = append(testCases, testCase{
2631 testType: clientTest,
2632 protocol: protocol,
2633 name: prefix + ver.name + "-" + suite.name + "-client",
2634 config: Config{
2635 MinVersion: ver.version,
2636 MaxVersion: ver.version,
2637 CipherSuites: serverCipherSuites,
2638 Certificates: []Certificate{cert},
2639 PreSharedKey: []byte(psk),
2640 PreSharedKeyIdentity: pskIdentity,
2641 Bugs: ProtocolBugs{
2642 IgnorePeerCipherPreferences: shouldClientFail,
2643 SendCipherSuite: sendCipherSuite,
2644 },
2645 },
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]2646 flags: flags,
2647 resumeSession: true,
2648 shouldFail: shouldClientFail,
2649 expectedError: expectedClientError,
2650 exportKeyingMaterial: exportKeyingMaterial,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2651 })
2652
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]2653 if shouldClientFail {
2654 return
2655 }
2656
2657 // Ensure the maximum record size is accepted.
2658 testCases = append(testCases, testCase{
2659 protocol: protocol,
2660 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2661 config: Config{
2662 MinVersion: ver.version,
2663 MaxVersion: ver.version,
2664 CipherSuites: []uint16{suite.id},
2665 Certificates: []Certificate{cert},
2666 PreSharedKey: []byte(psk),
2667 PreSharedKeyIdentity: pskIdentity,
2668 },
2669 flags: flags,
2670 messageLen: maxPlaintext,
2671 })
2672
2673 // Test bad records for all ciphers. Bad records are fatal in TLS
2674 // and ignored in DTLS.
2675 var shouldFail bool
2676 var expectedError string
2677 if protocol == tls {
2678 shouldFail = true
2679 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2680 }
2681
2682 testCases = append(testCases, testCase{
2683 protocol: protocol,
2684 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2685 config: Config{
2686 MinVersion: ver.version,
2687 MaxVersion: ver.version,
2688 CipherSuites: []uint16{suite.id},
2689 Certificates: []Certificate{cert},
2690 PreSharedKey: []byte(psk),
2691 PreSharedKeyIdentity: pskIdentity,
2692 },
2693 flags: flags,
2694 damageFirstWrite: true,
2695 messageLen: maxPlaintext,
2696 shouldFail: shouldFail,
2697 expectedError: expectedError,
2698 })
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2699}
2700
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2701func addCipherSuiteTests() {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2702 const bogusCipher = 0xfe00
2703
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2704 for _, suite := range testCipherSuites {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2705 for _, ver := range tlsVersions {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2706 for _, protocol := range []protocol{tls, dtls} {
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]2707 addTestForCipherSuite(suite, ver, protocol)
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2708 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2709 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2710 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]2711
2712 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2713 name: "NoSharedCipher",
2714 config: Config{
2715 MaxVersion: VersionTLS12,
2716 CipherSuites: []uint16{},
2717 },
2718 shouldFail: true,
2719 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2720 })
2721
2722 testCases = append(testCases, testCase{
2723 name: "NoSharedCipher-TLS13",
2724 config: Config{
2725 MaxVersion: VersionTLS13,
2726 CipherSuites: []uint16{},
2727 },
2728 shouldFail: true,
2729 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2730 })
2731
2732 testCases = append(testCases, testCase{
2733 name: "UnsupportedCipherSuite",
2734 config: Config{
2735 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2736 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2737 Bugs: ProtocolBugs{
2738 IgnorePeerCipherPreferences: true,
2739 },
2740 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]2741 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2742 shouldFail: true,
2743 expectedError: ":WRONG_CIPHER_RETURNED:",
2744 })
2745
2746 testCases = append(testCases, testCase{
2747 name: "ServerHelloBogusCipher",
2748 config: Config{
2749 MaxVersion: VersionTLS12,
2750 Bugs: ProtocolBugs{
2751 SendCipherSuite: bogusCipher,
2752 },
2753 },
2754 shouldFail: true,
2755 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2756 })
2757 testCases = append(testCases, testCase{
2758 name: "ServerHelloBogusCipher-TLS13",
2759 config: Config{
2760 MaxVersion: VersionTLS13,
2761 Bugs: ProtocolBugs{
2762 SendCipherSuite: bogusCipher,
2763 },
2764 },
2765 shouldFail: true,
2766 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2767 })
2768
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2769 // The server must be tolerant to bogus ciphers.
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2770 testCases = append(testCases, testCase{
2771 testType: serverTest,
2772 name: "UnknownCipher",
2773 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2774 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2775 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2776 Bugs: ProtocolBugs{
2777 AdvertiseAllConfiguredCiphers: true,
2778 },
2779 },
2780 })
2781
2782 // The server must be tolerant to bogus ciphers.
2783 testCases = append(testCases, testCase{
2784 testType: serverTest,
2785 name: "UnknownCipher-TLS13",
2786 config: Config{
2787 MaxVersion: VersionTLS13,
2788 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
2789 Bugs: ProtocolBugs{
2790 AdvertiseAllConfiguredCiphers: true,
2791 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2792 },
2793 })
2794
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]2795 // Test empty ECDHE_PSK identity hints work as expected.
2796 testCases = append(testCases, testCase{
2797 name: "EmptyECDHEPSKHint",
2798 config: Config{
2799 MaxVersion: VersionTLS12,
2800 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2801 PreSharedKey: []byte("secret"),
2802 },
2803 flags: []string{"-psk", "secret"},
2804 })
2805
2806 // Test empty PSK identity hints work as expected, even if an explicit
2807 // ServerKeyExchange is sent.
2808 testCases = append(testCases, testCase{
2809 name: "ExplicitEmptyPSKHint",
2810 config: Config{
2811 MaxVersion: VersionTLS12,
2812 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2813 PreSharedKey: []byte("secret"),
2814 Bugs: ProtocolBugs{
2815 AlwaysSendPreSharedKeyIdentityHint: true,
2816 },
2817 },
2818 flags: []string{"-psk", "secret"},
2819 })
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]2820
2821 // Test that clients enforce that the server-sent certificate and cipher
2822 // suite match in TLS 1.2.
2823 testCases = append(testCases, testCase{
2824 name: "CertificateCipherMismatch-RSA",
2825 config: Config{
2826 MaxVersion: VersionTLS12,
2827 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2828 Certificates: []Certificate{rsaCertificate},
2829 Bugs: ProtocolBugs{
2830 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2831 },
2832 },
2833 shouldFail: true,
2834 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2835 })
2836 testCases = append(testCases, testCase{
2837 name: "CertificateCipherMismatch-ECDSA",
2838 config: Config{
2839 MaxVersion: VersionTLS12,
2840 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2841 Certificates: []Certificate{ecdsaP256Certificate},
2842 Bugs: ProtocolBugs{
2843 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2844 },
2845 },
2846 shouldFail: true,
2847 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2848 })
2849 testCases = append(testCases, testCase{
2850 name: "CertificateCipherMismatch-Ed25519",
2851 config: Config{
2852 MaxVersion: VersionTLS12,
2853 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2854 Certificates: []Certificate{ed25519Certificate},
2855 Bugs: ProtocolBugs{
2856 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2857 },
2858 },
2859 shouldFail: true,
2860 expectedError: ":WRONG_CERTIFICATE_TYPE:",
2861 })
2862
2863 // Test that servers decline to select a cipher suite which is
2864 // inconsistent with their configured certificate.
2865 testCases = append(testCases, testCase{
2866 testType: serverTest,
2867 name: "ServerCipherFilter-RSA",
2868 config: Config{
2869 MaxVersion: VersionTLS12,
2870 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
2871 },
2872 flags: []string{
2873 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2874 "-key-file", path.Join(*resourceDir, rsaKeyFile),
2875 },
2876 shouldFail: true,
2877 expectedError: ":NO_SHARED_CIPHER:",
2878 })
2879 testCases = append(testCases, testCase{
2880 testType: serverTest,
2881 name: "ServerCipherFilter-ECDSA",
2882 config: Config{
2883 MaxVersion: VersionTLS12,
2884 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2885 },
2886 flags: []string{
2887 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
2888 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
2889 },
2890 shouldFail: true,
2891 expectedError: ":NO_SHARED_CIPHER:",
2892 })
2893 testCases = append(testCases, testCase{
2894 testType: serverTest,
2895 name: "ServerCipherFilter-Ed25519",
2896 config: Config{
2897 MaxVersion: VersionTLS12,
2898 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2899 },
2900 flags: []string{
2901 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
2902 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
2903 },
2904 shouldFail: true,
2905 expectedError: ":NO_SHARED_CIPHER:",
2906 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2907}
2908
2909func addBadECDSASignatureTests() {
2910 for badR := BadValue(1); badR < NumBadValues; badR++ {
2911 for badS := BadValue(1); badS < NumBadValues; badS++ {
2912 testCases = append(testCases, testCase{
2913 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2914 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2915 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2916 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2917 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2918 Bugs: ProtocolBugs{
2919 BadECDSAR: badR,
2920 BadECDSAS: badS,
2921 },
2922 },
2923 shouldFail: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2924 expectedError: ":BAD_SIGNATURE:",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2925 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]2926 testCases = append(testCases, testCase{
2927 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2928 config: Config{
2929 MaxVersion: VersionTLS13,
2930 Certificates: []Certificate{ecdsaP256Certificate},
2931 Bugs: ProtocolBugs{
2932 BadECDSAR: badR,
2933 BadECDSAS: badS,
2934 },
2935 },
2936 shouldFail: true,
2937 expectedError: ":BAD_SIGNATURE:",
2938 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2939 }
2940 }
2941}
2942
2943func addCBCPaddingTests() {
2944 testCases = append(testCases, testCase{
2945 name: "MaxCBCPadding",
2946 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2947 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2948 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2949 Bugs: ProtocolBugs{
2950 MaxPadding: true,
2951 },
2952 },
2953 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2954 })
2955 testCases = append(testCases, testCase{
2956 name: "BadCBCPadding",
2957 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2958 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2959 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2960 Bugs: ProtocolBugs{
2961 PaddingFirstByteBad: true,
2962 },
2963 },
2964 shouldFail: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2965 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2966 })
2967 // OpenSSL previously had an issue where the first byte of padding in
2968 // 255 bytes of padding wasn't checked.
2969 testCases = append(testCases, testCase{
2970 name: "BadCBCPadding255",
2971 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]2972 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2973 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2974 Bugs: ProtocolBugs{
2975 MaxPadding: true,
2976 PaddingFirstByteBadIf255: true,
2977 },
2978 },
2979 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2980 shouldFail: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]2981 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2982 })
2983}
2984
2985func addCBCSplittingTests() {
2986 testCases = append(testCases, testCase{
2987 name: "CBCRecordSplitting",
2988 config: Config{
2989 MaxVersion: VersionTLS10,
2990 MinVersion: VersionTLS10,
2991 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2992 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]2993 messageLen: -1, // read until EOF
2994 resumeSession: true,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]2995 flags: []string{
2996 "-async",
2997 "-write-different-record-sizes",
2998 "-cbc-record-splitting",
2999 },
3000 })
3001 testCases = append(testCases, testCase{
3002 name: "CBCRecordSplittingPartialWrite",
3003 config: Config{
3004 MaxVersion: VersionTLS10,
3005 MinVersion: VersionTLS10,
3006 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3007 },
3008 messageLen: -1, // read until EOF
3009 flags: []string{
3010 "-async",
3011 "-write-different-record-sizes",
3012 "-cbc-record-splitting",
3013 "-partial-write",
3014 },
3015 })
3016}
3017
3018func addClientAuthTests() {
3019 // Add a dummy cert pool to stress certificate authority parsing.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3020 certPool := x509.NewCertPool()
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3021 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3022 cert, err := x509.ParseCertificate(cert.Certificate[0])
3023 if err != nil {
3024 panic(err)
3025 }
3026 certPool.AddCert(cert)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3027 }
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3028 caNames := certPool.Subjects()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3029
3030 for _, ver := range tlsVersions {
3031 testCases = append(testCases, testCase{
3032 testType: clientTest,
3033 name: ver.name + "-Client-ClientAuth-RSA",
3034 config: Config{
3035 MinVersion: ver.version,
3036 MaxVersion: ver.version,
3037 ClientAuth: RequireAnyClientCert,
3038 ClientCAs: certPool,
3039 },
3040 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3041 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3042 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3043 },
3044 })
3045 testCases = append(testCases, testCase{
3046 testType: serverTest,
3047 name: ver.name + "-Server-ClientAuth-RSA",
3048 config: Config{
3049 MinVersion: ver.version,
3050 MaxVersion: ver.version,
3051 Certificates: []Certificate{rsaCertificate},
3052 },
3053 flags: []string{"-require-any-client-certificate"},
3054 })
3055 if ver.version != VersionSSL30 {
3056 testCases = append(testCases, testCase{
3057 testType: serverTest,
3058 name: ver.name + "-Server-ClientAuth-ECDSA",
3059 config: Config{
3060 MinVersion: ver.version,
3061 MaxVersion: ver.version,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3062 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3063 },
3064 flags: []string{"-require-any-client-certificate"},
3065 })
3066 testCases = append(testCases, testCase{
3067 testType: clientTest,
3068 name: ver.name + "-Client-ClientAuth-ECDSA",
3069 config: Config{
3070 MinVersion: ver.version,
3071 MaxVersion: ver.version,
3072 ClientAuth: RequireAnyClientCert,
3073 ClientCAs: certPool,
3074 },
3075 flags: []string{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3076 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3077 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3078 },
3079 })
3080 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3081
3082 testCases = append(testCases, testCase{
3083 name: "NoClientCertificate-" + ver.name,
3084 config: Config{
3085 MinVersion: ver.version,
3086 MaxVersion: ver.version,
3087 ClientAuth: RequireAnyClientCert,
3088 },
3089 shouldFail: true,
3090 expectedLocalError: "client didn't provide a certificate",
3091 })
3092
3093 testCases = append(testCases, testCase{
3094 // Even if not configured to expect a certificate, OpenSSL will
3095 // return X509_V_OK as the verify_result.
3096 testType: serverTest,
3097 name: "NoClientCertificateRequested-Server-" + ver.name,
3098 config: Config{
3099 MinVersion: ver.version,
3100 MaxVersion: ver.version,
3101 },
3102 flags: []string{
3103 "-expect-verify-result",
3104 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3105 resumeSession: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3106 })
3107
3108 testCases = append(testCases, testCase{
3109 // If a client certificate is not provided, OpenSSL will still
3110 // return X509_V_OK as the verify_result.
3111 testType: serverTest,
3112 name: "NoClientCertificate-Server-" + ver.name,
3113 config: Config{
3114 MinVersion: ver.version,
3115 MaxVersion: ver.version,
3116 },
3117 flags: []string{
3118 "-expect-verify-result",
3119 "-verify-peer",
3120 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3121 resumeSession: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3122 })
3123
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3124 certificateRequired := "remote error: certificate required"
3125 if ver.version < VersionTLS13 {
3126 // Prior to TLS 1.3, the generic handshake_failure alert
3127 // was used.
3128 certificateRequired = "remote error: handshake failure"
3129 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3130 testCases = append(testCases, testCase{
3131 testType: serverTest,
3132 name: "RequireAnyClientCertificate-" + ver.name,
3133 config: Config{
3134 MinVersion: ver.version,
3135 MaxVersion: ver.version,
3136 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3137 flags: []string{"-require-any-client-certificate"},
3138 shouldFail: true,
3139 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3140 expectedLocalError: certificateRequired,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3141 })
3142
3143 if ver.version != VersionSSL30 {
3144 testCases = append(testCases, testCase{
3145 testType: serverTest,
3146 name: "SkipClientCertificate-" + ver.name,
3147 config: Config{
3148 MinVersion: ver.version,
3149 MaxVersion: ver.version,
3150 Bugs: ProtocolBugs{
3151 SkipClientCertificate: true,
3152 },
3153 },
3154 // Setting SSL_VERIFY_PEER allows anonymous clients.
3155 flags: []string{"-verify-peer"},
3156 shouldFail: true,
3157 expectedError: ":UNEXPECTED_MESSAGE:",
3158 })
3159 }
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3160
3161 testCases = append(testCases, testCase{
3162 testType: serverTest,
3163 name: ver.name + "-Server-CertReq-CA-List",
3164 config: Config{
3165 MinVersion: ver.version,
3166 MaxVersion: ver.version,
3167 Certificates: []Certificate{rsaCertificate},
3168 Bugs: ProtocolBugs{
3169 ExpectCertificateReqNames: caNames,
3170 },
3171 },
3172 flags: []string{
3173 "-require-any-client-certificate",
3174 "-use-client-ca-list", encodeDERValues(caNames),
3175 },
3176 })
3177
3178 testCases = append(testCases, testCase{
3179 testType: clientTest,
3180 name: ver.name + "-Client-CertReq-CA-List",
3181 config: Config{
3182 MinVersion: ver.version,
3183 MaxVersion: ver.version,
3184 Certificates: []Certificate{rsaCertificate},
3185 ClientAuth: RequireAnyClientCert,
3186 ClientCAs: certPool,
3187 },
3188 flags: []string{
3189 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3190 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3191 "-expect-client-ca-list", encodeDERValues(caNames),
3192 },
3193 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3194 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3195
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]3196 // Client auth is only legal in certificate-based ciphers.
3197 testCases = append(testCases, testCase{
3198 testType: clientTest,
3199 name: "ClientAuth-PSK",
3200 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3201 MaxVersion: VersionTLS12,
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]3202 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3203 PreSharedKey: []byte("secret"),
3204 ClientAuth: RequireAnyClientCert,
3205 },
3206 flags: []string{
3207 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3208 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3209 "-psk", "secret",
3210 },
3211 shouldFail: true,
3212 expectedError: ":UNEXPECTED_MESSAGE:",
3213 })
3214 testCases = append(testCases, testCase{
3215 testType: clientTest,
3216 name: "ClientAuth-ECDHE_PSK",
3217 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3218 MaxVersion: VersionTLS12,
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]3219 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3220 PreSharedKey: []byte("secret"),
3221 ClientAuth: RequireAnyClientCert,
3222 },
3223 flags: []string{
3224 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3225 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3226 "-psk", "secret",
3227 },
3228 shouldFail: true,
3229 expectedError: ":UNEXPECTED_MESSAGE:",
3230 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3231
3232 // Regression test for a bug where the client CA list, if explicitly
3233 // set to NULL, was mis-encoded.
3234 testCases = append(testCases, testCase{
3235 testType: serverTest,
3236 name: "Null-Client-CA-List",
3237 config: Config{
3238 MaxVersion: VersionTLS12,
3239 Certificates: []Certificate{rsaCertificate},
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3240 Bugs: ProtocolBugs{
3241 ExpectCertificateReqNames: [][]byte{},
3242 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3243 },
3244 flags: []string{
3245 "-require-any-client-certificate",
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]3246 "-use-client-ca-list", "<NULL>",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3247 },
3248 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3249}
3250
3251func addExtendedMasterSecretTests() {
3252 const expectEMSFlag = "-expect-extended-master-secret"
3253
3254 for _, with := range []bool{false, true} {
3255 prefix := "No"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3256 if with {
3257 prefix = ""
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3258 }
3259
3260 for _, isClient := range []bool{false, true} {
3261 suffix := "-Server"
3262 testType := serverTest
3263 if isClient {
3264 suffix = "-Client"
3265 testType = clientTest
3266 }
3267
3268 for _, ver := range tlsVersions {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3269 // In TLS 1.3, the extension is irrelevant and
3270 // always reports as enabled.
3271 var flags []string
3272 if with || ver.version >= VersionTLS13 {
3273 flags = []string{expectEMSFlag}
3274 }
3275
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3276 test := testCase{
3277 testType: testType,
3278 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3279 config: Config{
3280 MinVersion: ver.version,
3281 MaxVersion: ver.version,
3282 Bugs: ProtocolBugs{
3283 NoExtendedMasterSecret: !with,
3284 RequireExtendedMasterSecret: with,
3285 },
3286 },
3287 flags: flags,
3288 shouldFail: ver.version == VersionSSL30 && with,
3289 }
3290 if test.shouldFail {
3291 test.expectedLocalError = "extended master secret required but not supported by peer"
3292 }
3293 testCases = append(testCases, test)
3294 }
3295 }
3296 }
3297
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3298 for _, isClient := range []bool{false, true} {
3299 for _, supportedInFirstConnection := range []bool{false, true} {
3300 for _, supportedInResumeConnection := range []bool{false, true} {
3301 boolToWord := func(b bool) string {
3302 if b {
3303 return "Yes"
3304 }
3305 return "No"
3306 }
3307 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3308 if isClient {
3309 suffix += "Client"
3310 } else {
3311 suffix += "Server"
3312 }
3313
3314 supportedConfig := Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3315 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3316 Bugs: ProtocolBugs{
3317 RequireExtendedMasterSecret: true,
3318 },
3319 }
3320
3321 noSupportConfig := Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3322 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3323 Bugs: ProtocolBugs{
3324 NoExtendedMasterSecret: true,
3325 },
3326 }
3327
3328 test := testCase{
3329 name: "ExtendedMasterSecret-" + suffix,
3330 resumeSession: true,
3331 }
3332
3333 if !isClient {
3334 test.testType = serverTest
3335 }
3336
3337 if supportedInFirstConnection {
3338 test.config = supportedConfig
3339 } else {
3340 test.config = noSupportConfig
3341 }
3342
3343 if supportedInResumeConnection {
3344 test.resumeConfig = &supportedConfig
3345 } else {
3346 test.resumeConfig = &noSupportConfig
3347 }
3348
3349 switch suffix {
3350 case "YesToYes-Client", "YesToYes-Server":
3351 // When a session is resumed, it should
3352 // still be aware that its master
3353 // secret was generated via EMS and
3354 // thus it's safe to use tls-unique.
3355 test.flags = []string{expectEMSFlag}
3356 case "NoToYes-Server":
3357 // If an original connection did not
3358 // contain EMS, but a resumption
3359 // handshake does, then a server should
3360 // not resume the session.
3361 test.expectResumeRejected = true
3362 case "YesToNo-Server":
3363 // Resuming an EMS session without the
3364 // EMS extension should cause the
3365 // server to abort the connection.
3366 test.shouldFail = true
3367 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3368 case "NoToYes-Client":
3369 // A client should abort a connection
3370 // where the server resumed a non-EMS
3371 // session but echoed the EMS
3372 // extension.
3373 test.shouldFail = true
3374 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3375 case "YesToNo-Client":
3376 // A client should abort a connection
3377 // where the server didn't echo EMS
3378 // when the session used it.
3379 test.shouldFail = true
3380 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3381 }
3382
3383 testCases = append(testCases, test)
3384 }
3385 }
3386 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3387
3388 // Switching EMS on renegotiation is forbidden.
3389 testCases = append(testCases, testCase{
3390 name: "ExtendedMasterSecret-Renego-NoEMS",
3391 config: Config{
3392 MaxVersion: VersionTLS12,
3393 Bugs: ProtocolBugs{
3394 NoExtendedMasterSecret: true,
3395 NoExtendedMasterSecretOnRenegotiation: true,
3396 },
3397 },
3398 renegotiate: 1,
3399 flags: []string{
3400 "-renegotiate-freely",
3401 "-expect-total-renegotiations", "1",
3402 },
3403 })
3404
3405 testCases = append(testCases, testCase{
3406 name: "ExtendedMasterSecret-Renego-Upgrade",
3407 config: Config{
3408 MaxVersion: VersionTLS12,
3409 Bugs: ProtocolBugs{
3410 NoExtendedMasterSecret: true,
3411 },
3412 },
3413 renegotiate: 1,
3414 flags: []string{
3415 "-renegotiate-freely",
3416 "-expect-total-renegotiations", "1",
3417 },
3418 shouldFail: true,
3419 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3420 })
3421
3422 testCases = append(testCases, testCase{
3423 name: "ExtendedMasterSecret-Renego-Downgrade",
3424 config: Config{
3425 MaxVersion: VersionTLS12,
3426 Bugs: ProtocolBugs{
3427 NoExtendedMasterSecretOnRenegotiation: true,
3428 },
3429 },
3430 renegotiate: 1,
3431 flags: []string{
3432 "-renegotiate-freely",
3433 "-expect-total-renegotiations", "1",
3434 },
3435 shouldFail: true,
3436 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3437 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3438}
3439
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3440type stateMachineTestConfig struct {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]3441 protocol protocol
3442 async bool
3443 splitHandshake bool
3444 packHandshakeFlight bool
3445 implicitHandshake bool
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3446}
3447
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]3448// Adds tests that try to cover the range of the handshake state machine, under
3449// various conditions. Some of these are redundant with other tests, but they
3450// only cover the synchronous case.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3451func addAllStateMachineCoverageTests() {
3452 for _, async := range []bool{false, true} {
3453 for _, protocol := range []protocol{tls, dtls} {
3454 addStateMachineCoverageTests(stateMachineTestConfig{
3455 protocol: protocol,
3456 async: async,
3457 })
3458 addStateMachineCoverageTests(stateMachineTestConfig{
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]3459 protocol: protocol,
3460 async: async,
3461 implicitHandshake: true,
3462 })
3463 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3464 protocol: protocol,
3465 async: async,
3466 splitHandshake: true,
3467 })
3468 if protocol == tls {
3469 addStateMachineCoverageTests(stateMachineTestConfig{
3470 protocol: protocol,
3471 async: async,
3472 packHandshakeFlight: true,
3473 })
3474 }
3475 }
3476 }
3477}
3478
3479func addStateMachineCoverageTests(config stateMachineTestConfig) {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3480 var tests []testCase
3481
3482 // Basic handshake, with resumption. Client and server,
3483 // session ID and session ticket.
3484 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3485 name: "Basic-Client",
3486 config: Config{
3487 MaxVersion: VersionTLS12,
3488 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3489 resumeSession: true,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3490 // Ensure session tickets are used, not session IDs.
3491 noSessionCache: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3492 })
3493 tests = append(tests, testCase{
3494 name: "Basic-Client-RenewTicket",
3495 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3496 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3497 Bugs: ProtocolBugs{
3498 RenewTicketOnResume: true,
3499 },
3500 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3501 flags: []string{"-expect-ticket-renewal"},
3502 resumeSession: true,
3503 resumeRenewedSession: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3504 })
3505 tests = append(tests, testCase{
3506 name: "Basic-Client-NoTicket",
3507 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3508 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3509 SessionTicketsDisabled: true,
3510 },
3511 resumeSession: true,
3512 })
3513 tests = append(tests, testCase{
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3514 testType: serverTest,
3515 name: "Basic-Server",
3516 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3517 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3518 Bugs: ProtocolBugs{
3519 RequireSessionTickets: true,
3520 },
3521 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3522 resumeSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]3523 flags: []string{"-expect-no-session-id"},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3524 })
3525 tests = append(tests, testCase{
3526 testType: serverTest,
3527 name: "Basic-Server-NoTickets",
3528 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3529 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3530 SessionTicketsDisabled: true,
3531 },
3532 resumeSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]3533 flags: []string{"-expect-session-id"},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3534 })
3535 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3536 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3537 name: "Basic-Server-EarlyCallback",
3538 config: Config{
3539 MaxVersion: VersionTLS12,
3540 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3541 flags: []string{"-use-early-callback"},
3542 resumeSession: true,
3543 })
3544
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3545 // TLS 1.3 basic handshake shapes.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3546 if config.protocol == tls {
3547 tests = append(tests, testCase{
3548 name: "TLS13-1RTT-Client",
3549 config: Config{
3550 MaxVersion: VersionTLS13,
3551 MinVersion: VersionTLS13,
3552 },
3553 resumeSession: true,
3554 resumeRenewedSession: true,
3555 })
3556
3557 tests = append(tests, testCase{
3558 testType: serverTest,
3559 name: "TLS13-1RTT-Server",
3560 config: Config{
3561 MaxVersion: VersionTLS13,
3562 MinVersion: VersionTLS13,
3563 },
3564 resumeSession: true,
3565 resumeRenewedSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]3566 // TLS 1.3 uses tickets, so the session should not be
3567 // cached statefully.
3568 flags: []string{"-expect-no-session-id"},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3569 })
3570
3571 tests = append(tests, testCase{
3572 name: "TLS13-HelloRetryRequest-Client",
3573 config: Config{
3574 MaxVersion: VersionTLS13,
3575 MinVersion: VersionTLS13,
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]3576 // P-384 requires a HelloRetryRequest against BoringSSL's default
3577 // configuration. Assert this with ExpectMissingKeyShare.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3578 CurvePreferences: []CurveID{CurveP384},
3579 Bugs: ProtocolBugs{
3580 ExpectMissingKeyShare: true,
3581 },
3582 },
3583 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3584 resumeSession: true,
3585 })
3586
3587 tests = append(tests, testCase{
3588 testType: serverTest,
3589 name: "TLS13-HelloRetryRequest-Server",
3590 config: Config{
3591 MaxVersion: VersionTLS13,
3592 MinVersion: VersionTLS13,
3593 // Require a HelloRetryRequest for every curve.
3594 DefaultCurves: []CurveID{},
3595 },
3596 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3597 resumeSession: true,
3598 })
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]3599
3600 // TODO(svaldez): Send data on early data once implemented.
3601 tests = append(tests, testCase{
3602 testType: clientTest,
3603 name: "TLS13-EarlyData-Client",
3604 config: Config{
3605 MaxVersion: VersionTLS13,
3606 MinVersion: VersionTLS13,
3607 MaxEarlyDataSize: 16384,
3608 },
3609 resumeSession: true,
3610 flags: []string{
3611 "-enable-early-data",
3612 "-expect-early-data-info",
3613 "-expect-accept-early-data",
3614 },
3615 })
3616
3617 tests = append(tests, testCase{
3618 testType: serverTest,
3619 name: "TLS13-EarlyData-Server",
3620 config: Config{
3621 MaxVersion: VersionTLS13,
3622 MinVersion: VersionTLS13,
3623 Bugs: ProtocolBugs{
3624 SendEarlyData: [][]byte{{1, 2, 3, 4}},
3625 ExpectEarlyDataAccepted: true,
3626 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
3627 },
3628 },
3629 messageCount: 2,
3630 resumeSession: true,
3631 flags: []string{
3632 "-enable-early-data",
3633 "-expect-accept-early-data",
3634 },
3635 })
Robert Sloan9254e682017-04-24 09:42:06 -0700[diff] [blame]3636
3637 tests = append(tests, testCase{
3638 testType: serverTest,
3639 name: "TLS13-MaxEarlyData-Server",
3640 config: Config{
3641 MaxVersion: VersionTLS13,
3642 MinVersion: VersionTLS13,
3643 Bugs: ProtocolBugs{
Robert Sloan2424d842017-05-01 07:46:28 -0700[diff] [blame]3644 SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
Robert Sloan9254e682017-04-24 09:42:06 -0700[diff] [blame]3645 ExpectEarlyDataAccepted: true,
3646 },
3647 },
3648 messageCount: 2,
3649 resumeSession: true,
3650 flags: []string{
3651 "-enable-early-data",
3652 "-expect-accept-early-data",
3653 },
3654 shouldFail: true,
3655 expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
3656 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3657 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3658
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3659 // TLS client auth.
3660 tests = append(tests, testCase{
3661 testType: clientTest,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3662 name: "ClientAuth-NoCertificate-Client",
3663 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3664 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3665 ClientAuth: RequestClientCert,
3666 },
3667 })
3668 tests = append(tests, testCase{
3669 testType: serverTest,
3670 name: "ClientAuth-NoCertificate-Server",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3671 config: Config{
3672 MaxVersion: VersionTLS12,
3673 },
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3674 // Setting SSL_VERIFY_PEER allows anonymous clients.
3675 flags: []string{"-verify-peer"},
3676 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3677 if config.protocol == tls {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3678 tests = append(tests, testCase{
3679 testType: clientTest,
3680 name: "ClientAuth-NoCertificate-Client-SSL3",
3681 config: Config{
3682 MaxVersion: VersionSSL30,
3683 ClientAuth: RequestClientCert,
3684 },
3685 })
3686 tests = append(tests, testCase{
3687 testType: serverTest,
3688 name: "ClientAuth-NoCertificate-Server-SSL3",
3689 config: Config{
3690 MaxVersion: VersionSSL30,
3691 },
3692 // Setting SSL_VERIFY_PEER allows anonymous clients.
3693 flags: []string{"-verify-peer"},
3694 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3695 tests = append(tests, testCase{
3696 testType: clientTest,
3697 name: "ClientAuth-NoCertificate-Client-TLS13",
3698 config: Config{
3699 MaxVersion: VersionTLS13,
3700 ClientAuth: RequestClientCert,
3701 },
3702 })
3703 tests = append(tests, testCase{
3704 testType: serverTest,
3705 name: "ClientAuth-NoCertificate-Server-TLS13",
3706 config: Config{
3707 MaxVersion: VersionTLS13,
3708 },
3709 // Setting SSL_VERIFY_PEER allows anonymous clients.
3710 flags: []string{"-verify-peer"},
3711 })
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3712 }
3713 tests = append(tests, testCase{
3714 testType: clientTest,
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]3715 name: "ClientAuth-RSA-Client",
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3716 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3717 MaxVersion: VersionTLS12,
3718 ClientAuth: RequireAnyClientCert,
3719 },
3720 flags: []string{
3721 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3722 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3723 },
3724 })
3725 tests = append(tests, testCase{
3726 testType: clientTest,
3727 name: "ClientAuth-RSA-Client-TLS13",
3728 config: Config{
3729 MaxVersion: VersionTLS13,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3730 ClientAuth: RequireAnyClientCert,
3731 },
3732 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3733 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3734 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3735 },
3736 })
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]3737 tests = append(tests, testCase{
3738 testType: clientTest,
3739 name: "ClientAuth-ECDSA-Client",
3740 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3741 MaxVersion: VersionTLS12,
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]3742 ClientAuth: RequireAnyClientCert,
3743 },
3744 flags: []string{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3745 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3746 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]3747 },
3748 })
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3749 tests = append(tests, testCase{
3750 testType: clientTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3751 name: "ClientAuth-ECDSA-Client-TLS13",
3752 config: Config{
3753 MaxVersion: VersionTLS13,
3754 ClientAuth: RequireAnyClientCert,
3755 },
3756 flags: []string{
3757 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3758 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3759 },
3760 })
3761 tests = append(tests, testCase{
3762 testType: clientTest,
3763 name: "ClientAuth-NoCertificate-OldCallback",
3764 config: Config{
3765 MaxVersion: VersionTLS12,
3766 ClientAuth: RequestClientCert,
3767 },
3768 flags: []string{"-use-old-client-cert-callback"},
3769 })
3770 tests = append(tests, testCase{
3771 testType: clientTest,
3772 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3773 config: Config{
3774 MaxVersion: VersionTLS13,
3775 ClientAuth: RequestClientCert,
3776 },
3777 flags: []string{"-use-old-client-cert-callback"},
3778 })
3779 tests = append(tests, testCase{
3780 testType: clientTest,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3781 name: "ClientAuth-OldCallback",
3782 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3783 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]3784 ClientAuth: RequireAnyClientCert,
3785 },
3786 flags: []string{
3787 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3788 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3789 "-use-old-client-cert-callback",
3790 },
3791 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3792 tests = append(tests, testCase{
3793 testType: clientTest,
3794 name: "ClientAuth-OldCallback-TLS13",
3795 config: Config{
3796 MaxVersion: VersionTLS13,
3797 ClientAuth: RequireAnyClientCert,
3798 },
3799 flags: []string{
3800 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3801 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3802 "-use-old-client-cert-callback",
3803 },
3804 })
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3805 tests = append(tests, testCase{
3806 testType: serverTest,
3807 name: "ClientAuth-Server",
3808 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3809 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3810 Certificates: []Certificate{rsaCertificate},
3811 },
3812 flags: []string{"-require-any-client-certificate"},
3813 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3814 tests = append(tests, testCase{
3815 testType: serverTest,
3816 name: "ClientAuth-Server-TLS13",
3817 config: Config{
3818 MaxVersion: VersionTLS13,
3819 Certificates: []Certificate{rsaCertificate},
3820 },
3821 flags: []string{"-require-any-client-certificate"},
3822 })
3823
3824 // Test each key exchange on the server side for async keys.
3825 tests = append(tests, testCase{
3826 testType: serverTest,
3827 name: "Basic-Server-RSA",
3828 config: Config{
3829 MaxVersion: VersionTLS12,
3830 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3831 },
3832 flags: []string{
3833 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3834 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3835 },
3836 })
3837 tests = append(tests, testCase{
3838 testType: serverTest,
3839 name: "Basic-Server-ECDHE-RSA",
3840 config: Config{
3841 MaxVersion: VersionTLS12,
3842 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3843 },
3844 flags: []string{
3845 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3846 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3847 },
3848 })
3849 tests = append(tests, testCase{
3850 testType: serverTest,
3851 name: "Basic-Server-ECDHE-ECDSA",
3852 config: Config{
3853 MaxVersion: VersionTLS12,
3854 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3855 },
3856 flags: []string{
3857 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3858 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3859 },
3860 })
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]3861 tests = append(tests, testCase{
3862 testType: serverTest,
3863 name: "Basic-Server-Ed25519",
3864 config: Config{
3865 MaxVersion: VersionTLS12,
3866 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3867 },
3868 flags: []string{
3869 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3870 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
3871 "-enable-ed25519",
3872 },
3873 })
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3874
3875 // No session ticket support; server doesn't send NewSessionTicket.
3876 tests = append(tests, testCase{
3877 name: "SessionTicketsDisabled-Client",
3878 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3879 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3880 SessionTicketsDisabled: true,
3881 },
3882 })
3883 tests = append(tests, testCase{
3884 testType: serverTest,
3885 name: "SessionTicketsDisabled-Server",
3886 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3887 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3888 SessionTicketsDisabled: true,
3889 },
3890 })
3891
3892 // Skip ServerKeyExchange in PSK key exchange if there's no
3893 // identity hint.
3894 tests = append(tests, testCase{
3895 name: "EmptyPSKHint-Client",
3896 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3897 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3898 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3899 PreSharedKey: []byte("secret"),
3900 },
3901 flags: []string{"-psk", "secret"},
3902 })
3903 tests = append(tests, testCase{
3904 testType: serverTest,
3905 name: "EmptyPSKHint-Server",
3906 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3907 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]3908 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3909 PreSharedKey: []byte("secret"),
3910 },
3911 flags: []string{"-psk", "secret"},
3912 })
3913
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3914 // OCSP stapling tests.
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3915 tests = append(tests, testCase{
3916 testType: clientTest,
3917 name: "OCSPStapling-Client",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3918 config: Config{
3919 MaxVersion: VersionTLS12,
3920 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3921 flags: []string{
3922 "-enable-ocsp-stapling",
3923 "-expect-ocsp-response",
3924 base64.StdEncoding.EncodeToString(testOCSPResponse),
3925 "-verify-peer",
3926 },
3927 resumeSession: true,
3928 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3929 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3930 testType: serverTest,
3931 name: "OCSPStapling-Server",
3932 config: Config{
3933 MaxVersion: VersionTLS12,
3934 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3935 expectedOCSPResponse: testOCSPResponse,
3936 flags: []string{
3937 "-ocsp-response",
3938 base64.StdEncoding.EncodeToString(testOCSPResponse),
3939 },
3940 resumeSession: true,
3941 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3942 tests = append(tests, testCase{
3943 testType: clientTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3944 name: "OCSPStapling-Client-TLS13",
3945 config: Config{
3946 MaxVersion: VersionTLS13,
3947 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3948 flags: []string{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3949 "-enable-ocsp-stapling",
3950 "-expect-ocsp-response",
3951 base64.StdEncoding.EncodeToString(testOCSPResponse),
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3952 "-verify-peer",
3953 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3954 resumeSession: true,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3955 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3956 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3957 testType: serverTest,
3958 name: "OCSPStapling-Server-TLS13",
3959 config: Config{
3960 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3961 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3962 expectedOCSPResponse: testOCSPResponse,
3963 flags: []string{
3964 "-ocsp-response",
3965 base64.StdEncoding.EncodeToString(testOCSPResponse),
3966 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3967 resumeSession: true,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3968 })
3969
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3970 // Certificate verification tests.
3971 for _, vers := range tlsVersions {
3972 if config.protocol == dtls && !vers.hasDTLS {
3973 continue
3974 }
3975 for _, testType := range []testType{clientTest, serverTest} {
3976 suffix := "-Client"
3977 if testType == serverTest {
3978 suffix = "-Server"
3979 }
3980 suffix += "-" + vers.name
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]3981
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3982 flag := "-verify-peer"
3983 if testType == serverTest {
3984 flag = "-require-any-client-certificate"
3985 }
3986
3987 tests = append(tests, testCase{
3988 testType: testType,
3989 name: "CertificateVerificationSucceed" + suffix,
3990 config: Config{
3991 MaxVersion: vers.version,
3992 Certificates: []Certificate{rsaCertificate},
3993 },
3994 flags: []string{
3995 flag,
3996 "-expect-verify-result",
3997 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]3998 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]3999 })
4000 tests = append(tests, testCase{
4001 testType: testType,
4002 name: "CertificateVerificationFail" + suffix,
4003 config: Config{
4004 MaxVersion: vers.version,
4005 Certificates: []Certificate{rsaCertificate},
4006 },
4007 flags: []string{
4008 flag,
4009 "-verify-fail",
4010 },
4011 shouldFail: true,
4012 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
4013 })
4014 }
4015
4016 // By default, the client is in a soft fail mode where the peer
4017 // certificate is verified but failures are non-fatal.
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4018 tests = append(tests, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4019 testType: clientTest,
4020 name: "CertificateVerificationSoftFail-" + vers.name,
4021 config: Config{
4022 MaxVersion: vers.version,
4023 Certificates: []Certificate{rsaCertificate},
4024 },
4025 flags: []string{
4026 "-verify-fail",
4027 "-expect-verify-result",
4028 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4029 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4030 })
4031 }
4032
4033 tests = append(tests, testCase{
4034 name: "ShimSendAlert",
4035 flags: []string{"-send-alert"},
4036 shimWritesFirst: true,
4037 shouldFail: true,
4038 expectedLocalError: "remote error: decompression failure",
4039 })
4040
4041 if config.protocol == tls {
4042 tests = append(tests, testCase{
4043 name: "Renegotiate-Client",
4044 config: Config{
4045 MaxVersion: VersionTLS12,
4046 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]4047 renegotiate: 1,
4048 flags: []string{
4049 "-renegotiate-freely",
4050 "-expect-total-renegotiations", "1",
4051 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4052 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4053
4054 tests = append(tests, testCase{
4055 name: "SendHalfHelloRequest",
4056 config: Config{
4057 MaxVersion: VersionTLS12,
4058 Bugs: ProtocolBugs{
4059 PackHelloRequestWithFinished: config.packHandshakeFlight,
4060 },
4061 },
4062 sendHalfHelloRequest: true,
4063 flags: []string{"-renegotiate-ignore"},
4064 shouldFail: true,
4065 expectedError: ":UNEXPECTED_RECORD:",
4066 })
4067
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4068 // NPN on client and server; results in post-handshake message.
4069 tests = append(tests, testCase{
4070 name: "NPN-Client",
4071 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4072 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4073 NextProtos: []string{"foo"},
4074 },
4075 flags: []string{"-select-next-proto", "foo"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4076 resumeSession: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4077 expectedNextProto: "foo",
4078 expectedNextProtoType: npn,
4079 })
4080 tests = append(tests, testCase{
4081 testType: serverTest,
4082 name: "NPN-Server",
4083 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4084 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4085 NextProtos: []string{"bar"},
4086 },
4087 flags: []string{
4088 "-advertise-npn", "\x03foo\x03bar\x03baz",
4089 "-expect-next-proto", "bar",
4090 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4091 resumeSession: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4092 expectedNextProto: "bar",
4093 expectedNextProtoType: npn,
4094 })
4095
4096 // TODO(davidben): Add tests for when False Start doesn't trigger.
4097
4098 // Client does False Start and negotiates NPN.
4099 tests = append(tests, testCase{
4100 name: "FalseStart",
4101 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4102 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4103 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4104 NextProtos: []string{"foo"},
4105 Bugs: ProtocolBugs{
4106 ExpectFalseStart: true,
4107 },
4108 },
4109 flags: []string{
4110 "-false-start",
4111 "-select-next-proto", "foo",
4112 },
4113 shimWritesFirst: true,
4114 resumeSession: true,
4115 })
4116
4117 // Client does False Start and negotiates ALPN.
4118 tests = append(tests, testCase{
4119 name: "FalseStart-ALPN",
4120 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4121 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4122 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4123 NextProtos: []string{"foo"},
4124 Bugs: ProtocolBugs{
4125 ExpectFalseStart: true,
4126 },
4127 },
4128 flags: []string{
4129 "-false-start",
4130 "-advertise-alpn", "\x03foo",
4131 },
4132 shimWritesFirst: true,
4133 resumeSession: true,
4134 })
4135
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4136 // False Start without session tickets.
4137 tests = append(tests, testCase{
4138 name: "FalseStart-SessionTicketsDisabled",
4139 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4140 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4141 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4142 NextProtos: []string{"foo"},
4143 SessionTicketsDisabled: true,
4144 Bugs: ProtocolBugs{
4145 ExpectFalseStart: true,
4146 },
4147 },
4148 flags: []string{
4149 "-false-start",
4150 "-select-next-proto", "foo",
4151 },
4152 shimWritesFirst: true,
4153 })
4154
4155 // Server parses a V2ClientHello.
4156 tests = append(tests, testCase{
4157 testType: serverTest,
4158 name: "SendV2ClientHello",
4159 config: Config{
4160 // Choose a cipher suite that does not involve
4161 // elliptic curves, so no extensions are
4162 // involved.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4163 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4164 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4165 Bugs: ProtocolBugs{
4166 SendV2ClientHello: true,
4167 },
4168 },
4169 })
4170
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]4171 // Test Channel ID
4172 for _, ver := range tlsVersions {
4173 if ver.version < VersionTLS10 {
4174 continue
4175 }
4176 // Client sends a Channel ID.
4177 tests = append(tests, testCase{
4178 name: "ChannelID-Client-" + ver.name,
4179 config: Config{
4180 MaxVersion: ver.version,
4181 RequestChannelID: true,
4182 },
4183 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4184 resumeSession: true,
4185 expectChannelID: true,
4186 })
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4187
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]4188 // Server accepts a Channel ID.
4189 tests = append(tests, testCase{
4190 testType: serverTest,
4191 name: "ChannelID-Server-" + ver.name,
4192 config: Config{
4193 MaxVersion: ver.version,
4194 ChannelID: channelIDKey,
4195 },
4196 flags: []string{
4197 "-expect-channel-id",
4198 base64.StdEncoding.EncodeToString(channelIDBytes),
4199 },
4200 resumeSession: true,
4201 expectChannelID: true,
4202 })
4203
4204 tests = append(tests, testCase{
4205 testType: serverTest,
4206 name: "InvalidChannelIDSignature-" + ver.name,
4207 config: Config{
4208 MaxVersion: ver.version,
4209 ChannelID: channelIDKey,
4210 Bugs: ProtocolBugs{
4211 InvalidChannelIDSignature: true,
4212 },
4213 },
4214 flags: []string{"-enable-channel-id"},
4215 shouldFail: true,
4216 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4217 })
4218 }
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]4219
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4220 // Channel ID and NPN at the same time, to ensure their relative
4221 // ordering is correct.
4222 tests = append(tests, testCase{
4223 name: "ChannelID-NPN-Client",
4224 config: Config{
4225 MaxVersion: VersionTLS12,
4226 RequestChannelID: true,
4227 NextProtos: []string{"foo"},
4228 },
4229 flags: []string{
4230 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4231 "-select-next-proto", "foo",
4232 },
4233 resumeSession: true,
4234 expectChannelID: true,
4235 expectedNextProto: "foo",
4236 expectedNextProtoType: npn,
4237 })
4238 tests = append(tests, testCase{
4239 testType: serverTest,
4240 name: "ChannelID-NPN-Server",
4241 config: Config{
4242 MaxVersion: VersionTLS12,
4243 ChannelID: channelIDKey,
4244 NextProtos: []string{"bar"},
4245 },
4246 flags: []string{
4247 "-expect-channel-id",
4248 base64.StdEncoding.EncodeToString(channelIDBytes),
4249 "-advertise-npn", "\x03foo\x03bar\x03baz",
4250 "-expect-next-proto", "bar",
4251 },
4252 resumeSession: true,
4253 expectChannelID: true,
4254 expectedNextProto: "bar",
4255 expectedNextProtoType: npn,
4256 })
4257
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]4258 // Bidirectional shutdown with the runner initiating.
4259 tests = append(tests, testCase{
4260 name: "Shutdown-Runner",
4261 config: Config{
4262 Bugs: ProtocolBugs{
4263 ExpectCloseNotify: true,
4264 },
4265 },
4266 flags: []string{"-check-close-notify"},
4267 })
4268
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4269 if !config.implicitHandshake {
4270 // Bidirectional shutdown with the shim initiating. The runner,
4271 // in the meantime, sends garbage before the close_notify which
4272 // the shim must ignore. This test is disabled under implicit
4273 // handshake tests because the shim never reads or writes.
4274 tests = append(tests, testCase{
4275 name: "Shutdown-Shim",
4276 config: Config{
4277 MaxVersion: VersionTLS12,
4278 Bugs: ProtocolBugs{
4279 ExpectCloseNotify: true,
4280 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]4281 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4282 shimShutsDown: true,
4283 sendEmptyRecords: 1,
4284 sendWarningAlerts: 1,
4285 flags: []string{"-check-close-notify"},
4286 })
4287 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4288 } else {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4289 // TODO(davidben): DTLS 1.3 will want a similar thing for
4290 // HelloRetryRequest.
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4291 tests = append(tests, testCase{
4292 name: "SkipHelloVerifyRequest",
4293 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4294 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4295 Bugs: ProtocolBugs{
4296 SkipHelloVerifyRequest: true,
4297 },
4298 },
4299 })
4300 }
4301
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4302 for _, test := range tests {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4303 test.protocol = config.protocol
4304 if config.protocol == dtls {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]4305 test.name += "-DTLS"
4306 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4307 if config.async {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]4308 test.name += "-Async"
4309 test.flags = append(test.flags, "-async")
4310 } else {
4311 test.name += "-Sync"
4312 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4313 if config.splitHandshake {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]4314 test.name += "-SplitHandshakeRecords"
4315 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4316 if config.protocol == dtls {
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]4317 test.config.Bugs.MaxPacketLength = 256
4318 test.flags = append(test.flags, "-mtu", "256")
4319 }
4320 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4321 if config.packHandshakeFlight {
4322 test.name += "-PackHandshakeFlight"
4323 test.config.Bugs.PackHandshakeFlight = true
4324 }
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]4325 if config.implicitHandshake {
4326 test.name += "-ImplicitHandshake"
4327 test.flags = append(test.flags, "-implicit-handshake")
4328 }
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]4329 testCases = append(testCases, test)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]4330 }
4331}
4332
4333func addDDoSCallbackTests() {
4334 // DDoS callback.
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]4335 for _, resume := range []bool{false, true} {
4336 suffix := "Resume"
4337 if resume {
4338 suffix = "No" + suffix
4339 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4340
4341 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4342 testType: serverTest,
4343 name: "Server-DDoS-OK-" + suffix,
4344 config: Config{
4345 MaxVersion: VersionTLS12,
4346 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]4347 flags: []string{"-install-ddos-callback"},
4348 resumeSession: resume,
4349 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4350 testCases = append(testCases, testCase{
4351 testType: serverTest,
4352 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4353 config: Config{
4354 MaxVersion: VersionTLS13,
4355 },
4356 flags: []string{"-install-ddos-callback"},
4357 resumeSession: resume,
4358 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]4359
4360 failFlag := "-fail-ddos-callback"
4361 if resume {
4362 failFlag = "-fail-second-ddos-callback"
4363 }
4364 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4365 testType: serverTest,
4366 name: "Server-DDoS-Reject-" + suffix,
4367 config: Config{
4368 MaxVersion: VersionTLS12,
4369 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]4370 flags: []string{"-install-ddos-callback", failFlag},
4371 resumeSession: resume,
4372 shouldFail: true,
4373 expectedError: ":CONNECTION_REJECTED:",
4374 expectedLocalError: "remote error: internal error",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4375 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4376 testCases = append(testCases, testCase{
4377 testType: serverTest,
4378 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4379 config: Config{
4380 MaxVersion: VersionTLS13,
4381 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]4382 flags: []string{"-install-ddos-callback", failFlag},
4383 resumeSession: resume,
4384 shouldFail: true,
4385 expectedError: ":CONNECTION_REJECTED:",
4386 expectedLocalError: "remote error: internal error",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4387 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4388 }
4389}
4390
4391func addVersionNegotiationTests() {
4392 for i, shimVers := range tlsVersions {
4393 // Assemble flags to disable all newer versions on the shim.
4394 var flags []string
4395 for _, vers := range tlsVersions[i+1:] {
4396 flags = append(flags, vers.flag)
4397 }
4398
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4399 // Test configuring the runner's maximum version.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4400 for _, runnerVers := range tlsVersions {
4401 protocols := []protocol{tls}
4402 if runnerVers.hasDTLS && shimVers.hasDTLS {
4403 protocols = append(protocols, dtls)
4404 }
4405 for _, protocol := range protocols {
4406 expectedVersion := shimVers.version
4407 if runnerVers.version < shimVers.version {
4408 expectedVersion = runnerVers.version
4409 }
4410
4411 suffix := shimVers.name + "-" + runnerVers.name
4412 if protocol == dtls {
4413 suffix += "-DTLS"
4414 }
4415
4416 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4417
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4418 // Determine the expected initial record-layer versions.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4419 clientVers := shimVers.version
4420 if clientVers > VersionTLS10 {
4421 clientVers = VersionTLS10
4422 }
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4423 clientVers = versionToWire(clientVers, protocol == dtls)
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4424 serverVers := expectedVersion
4425 if expectedVersion >= VersionTLS13 {
4426 serverVers = VersionTLS10
4427 }
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4428 serverVers = versionToWire(serverVers, protocol == dtls)
4429
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4430 testCases = append(testCases, testCase{
4431 protocol: protocol,
4432 testType: clientTest,
4433 name: "VersionNegotiation-Client-" + suffix,
4434 config: Config{
4435 MaxVersion: runnerVers.version,
4436 Bugs: ProtocolBugs{
4437 ExpectInitialRecordVersion: clientVers,
4438 },
4439 },
4440 flags: flags,
4441 expectedVersion: expectedVersion,
4442 })
4443 testCases = append(testCases, testCase{
4444 protocol: protocol,
4445 testType: clientTest,
4446 name: "VersionNegotiation-Client2-" + suffix,
4447 config: Config{
4448 MaxVersion: runnerVers.version,
4449 Bugs: ProtocolBugs{
4450 ExpectInitialRecordVersion: clientVers,
4451 },
4452 },
4453 flags: []string{"-max-version", shimVersFlag},
4454 expectedVersion: expectedVersion,
4455 })
4456
4457 testCases = append(testCases, testCase{
4458 protocol: protocol,
4459 testType: serverTest,
4460 name: "VersionNegotiation-Server-" + suffix,
4461 config: Config{
4462 MaxVersion: runnerVers.version,
4463 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4464 ExpectInitialRecordVersion: serverVers,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4465 },
4466 },
4467 flags: flags,
4468 expectedVersion: expectedVersion,
4469 })
4470 testCases = append(testCases, testCase{
4471 protocol: protocol,
4472 testType: serverTest,
4473 name: "VersionNegotiation-Server2-" + suffix,
4474 config: Config{
4475 MaxVersion: runnerVers.version,
4476 Bugs: ProtocolBugs{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4477 ExpectInitialRecordVersion: serverVers,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4478 },
4479 },
4480 flags: []string{"-max-version", shimVersFlag},
4481 expectedVersion: expectedVersion,
4482 })
4483 }
4484 }
4485 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4486
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4487 // Test the version extension at all versions.
4488 for _, vers := range tlsVersions {
4489 protocols := []protocol{tls}
4490 if vers.hasDTLS {
4491 protocols = append(protocols, dtls)
4492 }
4493 for _, protocol := range protocols {
4494 suffix := vers.name
4495 if protocol == dtls {
4496 suffix += "-DTLS"
4497 }
4498
4499 wireVersion := versionToWire(vers.version, protocol == dtls)
4500 testCases = append(testCases, testCase{
4501 protocol: protocol,
4502 testType: serverTest,
4503 name: "VersionNegotiationExtension-" + suffix,
4504 config: Config{
4505 Bugs: ProtocolBugs{
4506 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4507 },
4508 },
4509 expectedVersion: vers.version,
4510 })
4511 }
4512
4513 }
4514
4515 // If all versions are unknown, negotiation fails.
4516 testCases = append(testCases, testCase{
4517 testType: serverTest,
4518 name: "NoSupportedVersions",
4519 config: Config{
4520 Bugs: ProtocolBugs{
4521 SendSupportedVersions: []uint16{0x1111},
4522 },
4523 },
4524 shouldFail: true,
4525 expectedError: ":UNSUPPORTED_PROTOCOL:",
4526 })
4527 testCases = append(testCases, testCase{
4528 protocol: dtls,
4529 testType: serverTest,
4530 name: "NoSupportedVersions-DTLS",
4531 config: Config{
4532 Bugs: ProtocolBugs{
4533 SendSupportedVersions: []uint16{0x1111},
4534 },
4535 },
4536 shouldFail: true,
4537 expectedError: ":UNSUPPORTED_PROTOCOL:",
4538 })
4539
4540 testCases = append(testCases, testCase{
4541 testType: serverTest,
4542 name: "ClientHelloVersionTooHigh",
4543 config: Config{
4544 MaxVersion: VersionTLS13,
4545 Bugs: ProtocolBugs{
4546 SendClientVersion: 0x0304,
4547 OmitSupportedVersions: true,
4548 },
4549 },
4550 expectedVersion: VersionTLS12,
4551 })
4552
4553 testCases = append(testCases, testCase{
4554 testType: serverTest,
4555 name: "ConflictingVersionNegotiation",
4556 config: Config{
4557 Bugs: ProtocolBugs{
4558 SendClientVersion: VersionTLS12,
4559 SendSupportedVersions: []uint16{VersionTLS11},
4560 },
4561 },
4562 // The extension takes precedence over the ClientHello version.
4563 expectedVersion: VersionTLS11,
4564 })
4565
4566 testCases = append(testCases, testCase{
4567 testType: serverTest,
4568 name: "ConflictingVersionNegotiation-2",
4569 config: Config{
4570 Bugs: ProtocolBugs{
4571 SendClientVersion: VersionTLS11,
4572 SendSupportedVersions: []uint16{VersionTLS12},
4573 },
4574 },
4575 // The extension takes precedence over the ClientHello version.
4576 expectedVersion: VersionTLS12,
4577 })
4578
4579 testCases = append(testCases, testCase{
4580 testType: serverTest,
4581 name: "RejectFinalTLS13",
4582 config: Config{
4583 Bugs: ProtocolBugs{
4584 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4585 },
4586 },
4587 // We currently implement a draft TLS 1.3 version. Ensure that
4588 // the true TLS 1.3 value is ignored for now.
4589 expectedVersion: VersionTLS12,
4590 })
4591
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]4592 // Test that the maximum version is selected regardless of the
4593 // client-sent order.
4594 testCases = append(testCases, testCase{
4595 testType: serverTest,
4596 name: "IgnoreClientVersionOrder",
4597 config: Config{
4598 Bugs: ProtocolBugs{
4599 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4600 },
4601 },
4602 expectedVersion: VersionTLS13,
4603 })
4604
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4605 // Test for version tolerance.
4606 testCases = append(testCases, testCase{
4607 testType: serverTest,
4608 name: "MinorVersionTolerance",
4609 config: Config{
4610 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4611 SendClientVersion: 0x03ff,
4612 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4613 },
4614 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4615 expectedVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4616 })
4617 testCases = append(testCases, testCase{
4618 testType: serverTest,
4619 name: "MajorVersionTolerance",
4620 config: Config{
4621 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4622 SendClientVersion: 0x0400,
4623 OmitSupportedVersions: true,
4624 },
4625 },
4626 // TLS 1.3 must be negotiated with the supported_versions
4627 // extension, not ClientHello.version.
4628 expectedVersion: VersionTLS12,
4629 })
4630 testCases = append(testCases, testCase{
4631 testType: serverTest,
4632 name: "VersionTolerance-TLS13",
4633 config: Config{
4634 Bugs: ProtocolBugs{
4635 // Although TLS 1.3 does not use
4636 // ClientHello.version, it still tolerates high
4637 // values there.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4638 SendClientVersion: 0x0400,
4639 },
4640 },
4641 expectedVersion: VersionTLS13,
4642 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4643
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4644 testCases = append(testCases, testCase{
4645 protocol: dtls,
4646 testType: serverTest,
4647 name: "MinorVersionTolerance-DTLS",
4648 config: Config{
4649 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4650 SendClientVersion: 0xfe00,
4651 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4652 },
4653 },
4654 expectedVersion: VersionTLS12,
4655 })
4656 testCases = append(testCases, testCase{
4657 protocol: dtls,
4658 testType: serverTest,
4659 name: "MajorVersionTolerance-DTLS",
4660 config: Config{
4661 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4662 SendClientVersion: 0xfdff,
4663 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4664 },
4665 },
4666 expectedVersion: VersionTLS12,
4667 })
4668
4669 // Test that versions below 3.0 are rejected.
4670 testCases = append(testCases, testCase{
4671 testType: serverTest,
4672 name: "VersionTooLow",
4673 config: Config{
4674 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4675 SendClientVersion: 0x0200,
4676 OmitSupportedVersions: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4677 },
4678 },
4679 shouldFail: true,
4680 expectedError: ":UNSUPPORTED_PROTOCOL:",
4681 })
4682 testCases = append(testCases, testCase{
4683 protocol: dtls,
4684 testType: serverTest,
4685 name: "VersionTooLow-DTLS",
4686 config: Config{
4687 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4688 SendClientVersion: 0xffff,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4689 },
4690 },
4691 shouldFail: true,
4692 expectedError: ":UNSUPPORTED_PROTOCOL:",
4693 })
4694
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]4695 testCases = append(testCases, testCase{
4696 name: "ServerBogusVersion",
4697 config: Config{
4698 Bugs: ProtocolBugs{
4699 SendServerHelloVersion: 0x1234,
4700 },
4701 },
4702 shouldFail: true,
4703 expectedError: ":UNSUPPORTED_PROTOCOL:",
4704 })
4705
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4706 // Test TLS 1.3's downgrade signal.
4707 testCases = append(testCases, testCase{
4708 name: "Downgrade-TLS12-Client",
4709 config: Config{
4710 Bugs: ProtocolBugs{
4711 NegotiateVersion: VersionTLS12,
4712 },
4713 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4714 expectedVersion: VersionTLS12,
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]4715 // TODO(davidben): This test should fail once TLS 1.3 is final
4716 // and the fallback signal restored.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4717 })
4718 testCases = append(testCases, testCase{
4719 testType: serverTest,
4720 name: "Downgrade-TLS12-Server",
4721 config: Config{
4722 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4723 SendSupportedVersions: []uint16{VersionTLS12},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4724 },
4725 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4726 expectedVersion: VersionTLS12,
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]4727 // TODO(davidben): This test should fail once TLS 1.3 is final
4728 // and the fallback signal restored.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4729 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4730}
4731
4732func addMinimumVersionTests() {
4733 for i, shimVers := range tlsVersions {
4734 // Assemble flags to disable all older versions on the shim.
4735 var flags []string
4736 for _, vers := range tlsVersions[:i] {
4737 flags = append(flags, vers.flag)
4738 }
4739
4740 for _, runnerVers := range tlsVersions {
4741 protocols := []protocol{tls}
4742 if runnerVers.hasDTLS && shimVers.hasDTLS {
4743 protocols = append(protocols, dtls)
4744 }
4745 for _, protocol := range protocols {
4746 suffix := shimVers.name + "-" + runnerVers.name
4747 if protocol == dtls {
4748 suffix += "-DTLS"
4749 }
4750 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4751
4752 var expectedVersion uint16
4753 var shouldFail bool
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4754 var expectedError, expectedLocalError string
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4755 if runnerVers.version >= shimVers.version {
4756 expectedVersion = runnerVers.version
4757 } else {
4758 shouldFail = true
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4759 expectedError = ":UNSUPPORTED_PROTOCOL:"
4760 expectedLocalError = "remote error: protocol version not supported"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4761 }
4762
4763 testCases = append(testCases, testCase{
4764 protocol: protocol,
4765 testType: clientTest,
4766 name: "MinimumVersion-Client-" + suffix,
4767 config: Config{
4768 MaxVersion: runnerVers.version,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4769 Bugs: ProtocolBugs{
4770 // Ensure the server does not decline to
4771 // select a version (versions extension) or
4772 // cipher (some ciphers depend on versions).
4773 NegotiateVersion: runnerVers.version,
4774 IgnorePeerCipherPreferences: shouldFail,
4775 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4776 },
4777 flags: flags,
4778 expectedVersion: expectedVersion,
4779 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4780 expectedError: expectedError,
4781 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4782 })
4783 testCases = append(testCases, testCase{
4784 protocol: protocol,
4785 testType: clientTest,
4786 name: "MinimumVersion-Client2-" + suffix,
4787 config: Config{
4788 MaxVersion: runnerVers.version,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4789 Bugs: ProtocolBugs{
4790 // Ensure the server does not decline to
4791 // select a version (versions extension) or
4792 // cipher (some ciphers depend on versions).
4793 NegotiateVersion: runnerVers.version,
4794 IgnorePeerCipherPreferences: shouldFail,
4795 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4796 },
4797 flags: []string{"-min-version", shimVersFlag},
4798 expectedVersion: expectedVersion,
4799 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4800 expectedError: expectedError,
4801 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4802 })
4803
4804 testCases = append(testCases, testCase{
4805 protocol: protocol,
4806 testType: serverTest,
4807 name: "MinimumVersion-Server-" + suffix,
4808 config: Config{
4809 MaxVersion: runnerVers.version,
4810 },
4811 flags: flags,
4812 expectedVersion: expectedVersion,
4813 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4814 expectedError: expectedError,
4815 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4816 })
4817 testCases = append(testCases, testCase{
4818 protocol: protocol,
4819 testType: serverTest,
4820 name: "MinimumVersion-Server2-" + suffix,
4821 config: Config{
4822 MaxVersion: runnerVers.version,
4823 },
4824 flags: []string{"-min-version", shimVersFlag},
4825 expectedVersion: expectedVersion,
4826 shouldFail: shouldFail,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]4827 expectedError: expectedError,
4828 expectedLocalError: expectedLocalError,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4829 })
4830 }
4831 }
4832 }
4833}
4834
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4835func addExtensionTests() {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4836 // TODO(davidben): Extensions, where applicable, all move their server
4837 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4838 // tests for both. Also test interaction with 0-RTT when implemented.
4839
4840 // Repeat extensions tests all versions except SSL 3.0.
4841 for _, ver := range tlsVersions {
4842 if ver.version == VersionSSL30 {
4843 continue
4844 }
4845
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4846 // Test that duplicate extensions are rejected.
4847 testCases = append(testCases, testCase{
4848 testType: clientTest,
4849 name: "DuplicateExtensionClient-" + ver.name,
4850 config: Config{
4851 MaxVersion: ver.version,
4852 Bugs: ProtocolBugs{
4853 DuplicateExtension: true,
4854 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4855 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4856 shouldFail: true,
4857 expectedLocalError: "remote error: error decoding message",
4858 })
4859 testCases = append(testCases, testCase{
4860 testType: serverTest,
4861 name: "DuplicateExtensionServer-" + ver.name,
4862 config: Config{
4863 MaxVersion: ver.version,
4864 Bugs: ProtocolBugs{
4865 DuplicateExtension: true,
4866 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4867 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4868 shouldFail: true,
4869 expectedLocalError: "remote error: error decoding message",
4870 })
4871
4872 // Test SNI.
4873 testCases = append(testCases, testCase{
4874 testType: clientTest,
4875 name: "ServerNameExtensionClient-" + ver.name,
4876 config: Config{
4877 MaxVersion: ver.version,
4878 Bugs: ProtocolBugs{
4879 ExpectServerName: "example.com",
4880 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4881 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4882 flags: []string{"-host-name", "example.com"},
4883 })
4884 testCases = append(testCases, testCase{
4885 testType: clientTest,
4886 name: "ServerNameExtensionClientMismatch-" + ver.name,
4887 config: Config{
4888 MaxVersion: ver.version,
4889 Bugs: ProtocolBugs{
4890 ExpectServerName: "mismatch.com",
4891 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4892 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4893 flags: []string{"-host-name", "example.com"},
4894 shouldFail: true,
4895 expectedLocalError: "tls: unexpected server name",
4896 })
4897 testCases = append(testCases, testCase{
4898 testType: clientTest,
4899 name: "ServerNameExtensionClientMissing-" + ver.name,
4900 config: Config{
4901 MaxVersion: ver.version,
4902 Bugs: ProtocolBugs{
4903 ExpectServerName: "missing.com",
4904 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4905 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4906 shouldFail: true,
4907 expectedLocalError: "tls: unexpected server name",
4908 })
4909 testCases = append(testCases, testCase{
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]4910 testType: clientTest,
4911 name: "TolerateServerNameAck-" + ver.name,
4912 config: Config{
4913 MaxVersion: ver.version,
4914 Bugs: ProtocolBugs{
4915 SendServerNameAck: true,
4916 },
4917 },
4918 flags: []string{"-host-name", "example.com"},
4919 resumeSession: true,
4920 })
4921 testCases = append(testCases, testCase{
4922 testType: clientTest,
4923 name: "UnsolicitedServerNameAck-" + ver.name,
4924 config: Config{
4925 MaxVersion: ver.version,
4926 Bugs: ProtocolBugs{
4927 SendServerNameAck: true,
4928 },
4929 },
4930 shouldFail: true,
4931 expectedError: ":UNEXPECTED_EXTENSION:",
4932 expectedLocalError: "remote error: unsupported extension",
4933 })
4934 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4935 testType: serverTest,
4936 name: "ServerNameExtensionServer-" + ver.name,
4937 config: Config{
4938 MaxVersion: ver.version,
4939 ServerName: "example.com",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]4940 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4941 flags: []string{"-expect-server-name", "example.com"},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4942 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4943 })
4944
4945 // Test ALPN.
4946 testCases = append(testCases, testCase{
4947 testType: clientTest,
4948 name: "ALPNClient-" + ver.name,
4949 config: Config{
4950 MaxVersion: ver.version,
4951 NextProtos: []string{"foo"},
4952 },
4953 flags: []string{
4954 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4955 "-expect-alpn", "foo",
4956 },
4957 expectedNextProto: "foo",
4958 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]4959 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4960 })
4961 testCases = append(testCases, testCase{
4962 testType: clientTest,
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]4963 name: "ALPNClient-RejectUnknown-" + ver.name,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4964 config: Config{
4965 MaxVersion: ver.version,
4966 Bugs: ProtocolBugs{
4967 SendALPN: "baz",
4968 },
4969 },
4970 flags: []string{
4971 "-advertise-alpn", "\x03foo\x03bar",
4972 },
4973 shouldFail: true,
4974 expectedError: ":INVALID_ALPN_PROTOCOL:",
4975 expectedLocalError: "remote error: illegal parameter",
4976 })
4977 testCases = append(testCases, testCase{
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]4978 testType: clientTest,
4979 name: "ALPNClient-AllowUnknown-" + ver.name,
4980 config: Config{
4981 MaxVersion: ver.version,
4982 Bugs: ProtocolBugs{
4983 SendALPN: "baz",
4984 },
4985 },
4986 flags: []string{
4987 "-advertise-alpn", "\x03foo\x03bar",
4988 "-allow-unknown-alpn-protos",
4989 },
4990 })
4991 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]4992 testType: serverTest,
4993 name: "ALPNServer-" + ver.name,
4994 config: Config{
4995 MaxVersion: ver.version,
4996 NextProtos: []string{"foo", "bar", "baz"},
4997 },
4998 flags: []string{
4999 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5000 "-select-alpn", "foo",
5001 },
5002 expectedNextProto: "foo",
5003 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5004 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5005 })
5006 testCases = append(testCases, testCase{
5007 testType: serverTest,
5008 name: "ALPNServer-Decline-" + ver.name,
5009 config: Config{
5010 MaxVersion: ver.version,
5011 NextProtos: []string{"foo", "bar", "baz"},
5012 },
5013 flags: []string{"-decline-alpn"},
5014 expectNoNextProto: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5015 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5016 })
5017
5018 // Test ALPN in async mode as well to ensure that extensions callbacks are only
5019 // called once.
5020 testCases = append(testCases, testCase{
5021 testType: serverTest,
5022 name: "ALPNServer-Async-" + ver.name,
5023 config: Config{
5024 MaxVersion: ver.version,
5025 NextProtos: []string{"foo", "bar", "baz"},
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5026 // Prior to TLS 1.3, exercise the asynchronous session callback.
5027 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5028 },
5029 flags: []string{
5030 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5031 "-select-alpn", "foo",
5032 "-async",
5033 },
5034 expectedNextProto: "foo",
5035 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5036 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5037 })
5038
5039 var emptyString string
5040 testCases = append(testCases, testCase{
5041 testType: clientTest,
5042 name: "ALPNClient-EmptyProtocolName-" + ver.name,
5043 config: Config{
5044 MaxVersion: ver.version,
5045 NextProtos: []string{""},
5046 Bugs: ProtocolBugs{
5047 // A server returning an empty ALPN protocol
5048 // should be rejected.
5049 ALPNProtocol: &emptyString,
5050 },
5051 },
5052 flags: []string{
5053 "-advertise-alpn", "\x03foo",
5054 },
5055 shouldFail: true,
5056 expectedError: ":PARSE_TLSEXT:",
5057 })
5058 testCases = append(testCases, testCase{
5059 testType: serverTest,
5060 name: "ALPNServer-EmptyProtocolName-" + ver.name,
5061 config: Config{
5062 MaxVersion: ver.version,
5063 // A ClientHello containing an empty ALPN protocol
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5064 // should be rejected.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5065 NextProtos: []string{"foo", "", "baz"},
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5066 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5067 flags: []string{
5068 "-select-alpn", "foo",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5069 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5070 shouldFail: true,
5071 expectedError: ":PARSE_TLSEXT:",
5072 })
5073
5074 // Test NPN and the interaction with ALPN.
5075 if ver.version < VersionTLS13 {
5076 // Test that the server prefers ALPN over NPN.
5077 testCases = append(testCases, testCase{
5078 testType: serverTest,
5079 name: "ALPNServer-Preferred-" + ver.name,
5080 config: Config{
5081 MaxVersion: ver.version,
5082 NextProtos: []string{"foo", "bar", "baz"},
5083 },
5084 flags: []string{
5085 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5086 "-select-alpn", "foo",
5087 "-advertise-npn", "\x03foo\x03bar\x03baz",
5088 },
5089 expectedNextProto: "foo",
5090 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5091 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5092 })
5093 testCases = append(testCases, testCase{
5094 testType: serverTest,
5095 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5096 config: Config{
5097 MaxVersion: ver.version,
5098 NextProtos: []string{"foo", "bar", "baz"},
5099 Bugs: ProtocolBugs{
5100 SwapNPNAndALPN: true,
5101 },
5102 },
5103 flags: []string{
5104 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5105 "-select-alpn", "foo",
5106 "-advertise-npn", "\x03foo\x03bar\x03baz",
5107 },
5108 expectedNextProto: "foo",
5109 expectedNextProtoType: alpn,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5110 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5111 })
5112
5113 // Test that negotiating both NPN and ALPN is forbidden.
5114 testCases = append(testCases, testCase{
5115 name: "NegotiateALPNAndNPN-" + ver.name,
5116 config: Config{
5117 MaxVersion: ver.version,
5118 NextProtos: []string{"foo", "bar", "baz"},
5119 Bugs: ProtocolBugs{
5120 NegotiateALPNAndNPN: true,
5121 },
5122 },
5123 flags: []string{
5124 "-advertise-alpn", "\x03foo",
5125 "-select-next-proto", "foo",
5126 },
5127 shouldFail: true,
5128 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5129 })
5130 testCases = append(testCases, testCase{
5131 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5132 config: Config{
5133 MaxVersion: ver.version,
5134 NextProtos: []string{"foo", "bar", "baz"},
5135 Bugs: ProtocolBugs{
5136 NegotiateALPNAndNPN: true,
5137 SwapNPNAndALPN: true,
5138 },
5139 },
5140 flags: []string{
5141 "-advertise-alpn", "\x03foo",
5142 "-select-next-proto", "foo",
5143 },
5144 shouldFail: true,
5145 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5146 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5147 }
5148
5149 // Test ticket behavior.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5150
5151 // Resume with a corrupt ticket.
5152 testCases = append(testCases, testCase{
5153 testType: serverTest,
5154 name: "CorruptTicket-" + ver.name,
5155 config: Config{
5156 MaxVersion: ver.version,
5157 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5158 FilterTicket: func(in []byte) ([]byte, error) {
5159 in[len(in)-1] ^= 1
5160 return in, nil
5161 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5162 },
5163 },
5164 resumeSession: true,
5165 expectResumeRejected: true,
5166 })
5167 // Test the ticket callback, with and without renewal.
5168 testCases = append(testCases, testCase{
5169 testType: serverTest,
5170 name: "TicketCallback-" + ver.name,
5171 config: Config{
5172 MaxVersion: ver.version,
5173 },
5174 resumeSession: true,
5175 flags: []string{"-use-ticket-callback"},
5176 })
5177 testCases = append(testCases, testCase{
5178 testType: serverTest,
5179 name: "TicketCallback-Renew-" + ver.name,
5180 config: Config{
5181 MaxVersion: ver.version,
5182 Bugs: ProtocolBugs{
5183 ExpectNewTicket: true,
5184 },
5185 },
5186 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5187 resumeSession: true,
5188 })
5189
5190 // Test that the ticket callback is only called once when everything before
5191 // it in the ClientHello is asynchronous. This corrupts the ticket so
5192 // certificate selection callbacks run.
5193 testCases = append(testCases, testCase{
5194 testType: serverTest,
5195 name: "TicketCallback-SingleCall-" + ver.name,
5196 config: Config{
5197 MaxVersion: ver.version,
5198 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5199 FilterTicket: func(in []byte) ([]byte, error) {
5200 in[len(in)-1] ^= 1
5201 return in, nil
5202 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5203 },
5204 },
5205 resumeSession: true,
5206 expectResumeRejected: true,
5207 flags: []string{
5208 "-use-ticket-callback",
5209 "-async",
5210 },
5211 })
5212
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]5213 // Resume with various lengths of ticket session id.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5214 if ver.version < VersionTLS13 {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5215 testCases = append(testCases, testCase{
5216 testType: serverTest,
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]5217 name: "TicketSessionIDLength-0-" + ver.name,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5218 config: Config{
5219 MaxVersion: ver.version,
5220 Bugs: ProtocolBugs{
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]5221 EmptyTicketSessionID: true,
5222 },
5223 },
5224 resumeSession: true,
5225 })
5226 testCases = append(testCases, testCase{
5227 testType: serverTest,
5228 name: "TicketSessionIDLength-16-" + ver.name,
5229 config: Config{
5230 MaxVersion: ver.version,
5231 Bugs: ProtocolBugs{
5232 TicketSessionIDLength: 16,
5233 },
5234 },
5235 resumeSession: true,
5236 })
5237 testCases = append(testCases, testCase{
5238 testType: serverTest,
5239 name: "TicketSessionIDLength-32-" + ver.name,
5240 config: Config{
5241 MaxVersion: ver.version,
5242 Bugs: ProtocolBugs{
5243 TicketSessionIDLength: 32,
5244 },
5245 },
5246 resumeSession: true,
5247 })
5248 testCases = append(testCases, testCase{
5249 testType: serverTest,
5250 name: "TicketSessionIDLength-33-" + ver.name,
5251 config: Config{
5252 MaxVersion: ver.version,
5253 Bugs: ProtocolBugs{
5254 TicketSessionIDLength: 33,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5255 },
5256 },
5257 resumeSession: true,
5258 shouldFail: true,
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]5259 // The maximum session ID length is 32.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5260 expectedError: ":DECODE_ERROR:",
5261 })
5262 }
5263
5264 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5265 // are ignored.
5266 if ver.hasDTLS {
5267 testCases = append(testCases, testCase{
5268 protocol: dtls,
5269 name: "SRTP-Client-" + ver.name,
5270 config: Config{
5271 MaxVersion: ver.version,
5272 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5273 },
5274 flags: []string{
5275 "-srtp-profiles",
5276 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5277 },
5278 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5279 })
5280 testCases = append(testCases, testCase{
5281 protocol: dtls,
5282 testType: serverTest,
5283 name: "SRTP-Server-" + ver.name,
5284 config: Config{
5285 MaxVersion: ver.version,
5286 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5287 },
5288 flags: []string{
5289 "-srtp-profiles",
5290 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5291 },
5292 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5293 })
5294 // Test that the MKI is ignored.
5295 testCases = append(testCases, testCase{
5296 protocol: dtls,
5297 testType: serverTest,
5298 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5299 config: Config{
5300 MaxVersion: ver.version,
5301 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5302 Bugs: ProtocolBugs{
5303 SRTPMasterKeyIdentifer: "bogus",
5304 },
5305 },
5306 flags: []string{
5307 "-srtp-profiles",
5308 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5309 },
5310 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5311 })
5312 // Test that SRTP isn't negotiated on the server if there were
5313 // no matching profiles.
5314 testCases = append(testCases, testCase{
5315 protocol: dtls,
5316 testType: serverTest,
5317 name: "SRTP-Server-NoMatch-" + ver.name,
5318 config: Config{
5319 MaxVersion: ver.version,
5320 SRTPProtectionProfiles: []uint16{100, 101, 102},
5321 },
5322 flags: []string{
5323 "-srtp-profiles",
5324 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5325 },
5326 expectedSRTPProtectionProfile: 0,
5327 })
5328 // Test that the server returning an invalid SRTP profile is
5329 // flagged as an error by the client.
5330 testCases = append(testCases, testCase{
5331 protocol: dtls,
5332 name: "SRTP-Client-NoMatch-" + ver.name,
5333 config: Config{
5334 MaxVersion: ver.version,
5335 Bugs: ProtocolBugs{
5336 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5337 },
5338 },
5339 flags: []string{
5340 "-srtp-profiles",
5341 "SRTP_AES128_CM_SHA1_80",
5342 },
5343 shouldFail: true,
5344 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5345 })
5346 }
5347
5348 // Test SCT list.
5349 testCases = append(testCases, testCase{
5350 name: "SignedCertificateTimestampList-Client-" + ver.name,
5351 testType: clientTest,
5352 config: Config{
5353 MaxVersion: ver.version,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5354 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5355 flags: []string{
5356 "-enable-signed-cert-timestamps",
5357 "-expect-signed-cert-timestamps",
5358 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5359 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5360 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5361 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5362
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5363 var differentSCTList []byte
5364 differentSCTList = append(differentSCTList, testSCTList...)
5365 differentSCTList[len(differentSCTList)-1] ^= 1
5366
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5367 // The SCT extension did not specify that it must only be sent on resumption as it
5368 // should have, so test that we tolerate but ignore it.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5369 testCases = append(testCases, testCase{
5370 name: "SendSCTListOnResume-" + ver.name,
5371 config: Config{
5372 MaxVersion: ver.version,
5373 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5374 SendSCTListOnResume: differentSCTList,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5375 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5376 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5377 flags: []string{
5378 "-enable-signed-cert-timestamps",
5379 "-expect-signed-cert-timestamps",
5380 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5381 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5382 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5383 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5384
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5385 testCases = append(testCases, testCase{
5386 name: "SignedCertificateTimestampList-Server-" + ver.name,
5387 testType: serverTest,
5388 config: Config{
5389 MaxVersion: ver.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5390 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5391 flags: []string{
5392 "-signed-cert-timestamps",
5393 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5394 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5395 expectedSCTList: testSCTList,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5396 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5397 })
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5398
5399 emptySCTListCert := *testCerts[0].cert
5400 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5401
5402 // Test empty SCT list.
5403 testCases = append(testCases, testCase{
5404 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5405 testType: clientTest,
5406 config: Config{
5407 MaxVersion: ver.version,
5408 Certificates: []Certificate{emptySCTListCert},
5409 },
5410 flags: []string{
5411 "-enable-signed-cert-timestamps",
5412 },
5413 shouldFail: true,
5414 expectedError: ":ERROR_PARSING_EXTENSION:",
5415 })
5416
5417 emptySCTCert := *testCerts[0].cert
5418 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5419
5420 // Test empty SCT in non-empty list.
5421 testCases = append(testCases, testCase{
5422 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5423 testType: clientTest,
5424 config: Config{
5425 MaxVersion: ver.version,
5426 Certificates: []Certificate{emptySCTCert},
5427 },
5428 flags: []string{
5429 "-enable-signed-cert-timestamps",
5430 },
5431 shouldFail: true,
5432 expectedError: ":ERROR_PARSING_EXTENSION:",
5433 })
5434
5435 // Test that certificate-related extensions are not sent unsolicited.
5436 testCases = append(testCases, testCase{
5437 testType: serverTest,
5438 name: "UnsolicitedCertificateExtensions-" + ver.name,
5439 config: Config{
5440 MaxVersion: ver.version,
5441 Bugs: ProtocolBugs{
5442 NoOCSPStapling: true,
5443 NoSignedCertificateTimestamps: true,
5444 },
5445 },
5446 flags: []string{
5447 "-ocsp-response",
5448 base64.StdEncoding.EncodeToString(testOCSPResponse),
5449 "-signed-cert-timestamps",
5450 base64.StdEncoding.EncodeToString(testSCTList),
5451 },
5452 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5453 }
5454
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]5455 testCases = append(testCases, testCase{
5456 testType: clientTest,
5457 name: "ClientHelloPadding",
5458 config: Config{
5459 Bugs: ProtocolBugs{
5460 RequireClientHelloSize: 512,
5461 },
5462 },
5463 // This hostname just needs to be long enough to push the
5464 // ClientHello into F5's danger zone between 256 and 511 bytes
5465 // long.
5466 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5467 })
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]5468
5469 // Extensions should not function in SSL 3.0.
5470 testCases = append(testCases, testCase{
5471 testType: serverTest,
5472 name: "SSLv3Extensions-NoALPN",
5473 config: Config{
5474 MaxVersion: VersionSSL30,
5475 NextProtos: []string{"foo", "bar", "baz"},
5476 },
5477 flags: []string{
5478 "-select-alpn", "foo",
5479 },
5480 expectNoNextProto: true,
5481 })
5482
5483 // Test session tickets separately as they follow a different codepath.
5484 testCases = append(testCases, testCase{
5485 testType: serverTest,
5486 name: "SSLv3Extensions-NoTickets",
5487 config: Config{
5488 MaxVersion: VersionSSL30,
5489 Bugs: ProtocolBugs{
5490 // Historically, session tickets in SSL 3.0
5491 // failed in different ways depending on whether
5492 // the client supported renegotiation_info.
5493 NoRenegotiationInfo: true,
5494 },
5495 },
5496 resumeSession: true,
5497 })
5498 testCases = append(testCases, testCase{
5499 testType: serverTest,
5500 name: "SSLv3Extensions-NoTickets2",
5501 config: Config{
5502 MaxVersion: VersionSSL30,
5503 },
5504 resumeSession: true,
5505 })
5506
5507 // But SSL 3.0 does send and process renegotiation_info.
5508 testCases = append(testCases, testCase{
5509 testType: serverTest,
5510 name: "SSLv3Extensions-RenegotiationInfo",
5511 config: Config{
5512 MaxVersion: VersionSSL30,
5513 Bugs: ProtocolBugs{
5514 RequireRenegotiationInfo: true,
5515 },
5516 },
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]5517 flags: []string{"-expect-secure-renegotiation"},
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]5518 })
5519 testCases = append(testCases, testCase{
5520 testType: serverTest,
5521 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5522 config: Config{
5523 MaxVersion: VersionSSL30,
5524 Bugs: ProtocolBugs{
5525 NoRenegotiationInfo: true,
5526 SendRenegotiationSCSV: true,
5527 RequireRenegotiationInfo: true,
5528 },
5529 },
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]5530 flags: []string{"-expect-secure-renegotiation"},
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]5531 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5532
5533 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5534 // in ServerHello.
5535 testCases = append(testCases, testCase{
5536 name: "NPN-Forbidden-TLS13",
5537 config: Config{
5538 MaxVersion: VersionTLS13,
5539 NextProtos: []string{"foo"},
5540 Bugs: ProtocolBugs{
5541 NegotiateNPNAtAllVersions: true,
5542 },
5543 },
5544 flags: []string{"-select-next-proto", "foo"},
5545 shouldFail: true,
5546 expectedError: ":ERROR_PARSING_EXTENSION:",
5547 })
5548 testCases = append(testCases, testCase{
5549 name: "EMS-Forbidden-TLS13",
5550 config: Config{
5551 MaxVersion: VersionTLS13,
5552 Bugs: ProtocolBugs{
5553 NegotiateEMSAtAllVersions: true,
5554 },
5555 },
5556 shouldFail: true,
5557 expectedError: ":ERROR_PARSING_EXTENSION:",
5558 })
5559 testCases = append(testCases, testCase{
5560 name: "RenegotiationInfo-Forbidden-TLS13",
5561 config: Config{
5562 MaxVersion: VersionTLS13,
5563 Bugs: ProtocolBugs{
5564 NegotiateRenegotiationInfoAtAllVersions: true,
5565 },
5566 },
5567 shouldFail: true,
5568 expectedError: ":ERROR_PARSING_EXTENSION:",
5569 })
5570 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5571 name: "Ticket-Forbidden-TLS13",
5572 config: Config{
5573 MaxVersion: VersionTLS12,
5574 },
5575 resumeConfig: &Config{
5576 MaxVersion: VersionTLS13,
5577 Bugs: ProtocolBugs{
5578 AdvertiseTicketExtension: true,
5579 },
5580 },
5581 resumeSession: true,
5582 shouldFail: true,
5583 expectedError: ":ERROR_PARSING_EXTENSION:",
5584 })
5585
5586 // Test that illegal extensions in TLS 1.3 are declined by the server if
5587 // offered in ClientHello. The runner's server will fail if this occurs,
5588 // so we exercise the offering path. (EMS and Renegotiation Info are
5589 // implicit in every test.)
5590 testCases = append(testCases, testCase{
5591 testType: serverTest,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5592 name: "NPN-Declined-TLS13",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5593 config: Config{
5594 MaxVersion: VersionTLS13,
5595 NextProtos: []string{"bar"},
5596 },
5597 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5598 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5599
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5600 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5601 // tolerated.
5602 testCases = append(testCases, testCase{
5603 name: "SendOCSPResponseOnResume-TLS12",
5604 config: Config{
5605 MaxVersion: VersionTLS12,
5606 Bugs: ProtocolBugs{
5607 SendOCSPResponseOnResume: []byte("bogus"),
5608 },
5609 },
5610 flags: []string{
5611 "-enable-ocsp-stapling",
5612 "-expect-ocsp-response",
5613 base64.StdEncoding.EncodeToString(testOCSPResponse),
5614 },
5615 resumeSession: true,
5616 })
5617
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5618 testCases = append(testCases, testCase{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5619 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5620 config: Config{
5621 MaxVersion: VersionTLS13,
5622 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5623 SendExtensionOnCertificate: testOCSPExtension,
5624 },
5625 },
5626 shouldFail: true,
5627 expectedError: ":UNEXPECTED_EXTENSION:",
5628 })
5629
5630 testCases = append(testCases, testCase{
5631 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5632 config: Config{
5633 MaxVersion: VersionTLS13,
5634 Bugs: ProtocolBugs{
5635 SendExtensionOnCertificate: testSCTExtension,
5636 },
5637 },
5638 shouldFail: true,
5639 expectedError: ":UNEXPECTED_EXTENSION:",
5640 })
5641
5642 // Test that extensions on client certificates are never accepted.
5643 testCases = append(testCases, testCase{
5644 name: "SendExtensionOnClientCertificate-TLS13",
5645 testType: serverTest,
5646 config: Config{
5647 MaxVersion: VersionTLS13,
5648 Certificates: []Certificate{rsaCertificate},
5649 Bugs: ProtocolBugs{
5650 SendExtensionOnCertificate: testOCSPExtension,
5651 },
5652 },
5653 flags: []string{
5654 "-enable-ocsp-stapling",
5655 "-require-any-client-certificate",
5656 },
5657 shouldFail: true,
5658 expectedError: ":UNEXPECTED_EXTENSION:",
5659 })
5660
5661 testCases = append(testCases, testCase{
5662 name: "SendUnknownExtensionOnCertificate-TLS13",
5663 config: Config{
5664 MaxVersion: VersionTLS13,
5665 Bugs: ProtocolBugs{
5666 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5667 },
5668 },
5669 shouldFail: true,
5670 expectedError: ":UNEXPECTED_EXTENSION:",
5671 })
5672
5673 var differentSCTList []byte
5674 differentSCTList = append(differentSCTList, testSCTList...)
5675 differentSCTList[len(differentSCTList)-1] ^= 1
5676
5677 // Test that extensions on intermediates are allowed but ignored.
5678 testCases = append(testCases, testCase{
5679 name: "IgnoreExtensionsOnIntermediates-TLS13",
5680 config: Config{
5681 MaxVersion: VersionTLS13,
5682 Certificates: []Certificate{rsaChainCertificate},
5683 Bugs: ProtocolBugs{
5684 // Send different values on the intermediate. This tests
5685 // the intermediate's extensions do not override the
5686 // leaf's.
5687 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
5688 SendSCTOnIntermediates: differentSCTList,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5689 },
5690 },
5691 flags: []string{
5692 "-enable-ocsp-stapling",
5693 "-expect-ocsp-response",
5694 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5695 "-enable-signed-cert-timestamps",
5696 "-expect-signed-cert-timestamps",
5697 base64.StdEncoding.EncodeToString(testSCTList),
5698 },
5699 resumeSession: true,
5700 })
5701
5702 // Test that extensions are not sent on intermediates when configured
5703 // only for a leaf.
5704 testCases = append(testCases, testCase{
5705 testType: serverTest,
5706 name: "SendNoExtensionsOnIntermediate-TLS13",
5707 config: Config{
5708 MaxVersion: VersionTLS13,
5709 Bugs: ProtocolBugs{
5710 ExpectNoExtensionsOnIntermediate: true,
5711 },
5712 },
5713 flags: []string{
5714 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5715 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5716 "-ocsp-response",
5717 base64.StdEncoding.EncodeToString(testOCSPResponse),
5718 "-signed-cert-timestamps",
5719 base64.StdEncoding.EncodeToString(testSCTList),
5720 },
5721 })
5722
5723 // Test that extensions are not sent on client certificates.
5724 testCases = append(testCases, testCase{
5725 name: "SendNoClientCertificateExtensions-TLS13",
5726 config: Config{
5727 MaxVersion: VersionTLS13,
5728 ClientAuth: RequireAnyClientCert,
5729 },
5730 flags: []string{
5731 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5732 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5733 "-ocsp-response",
5734 base64.StdEncoding.EncodeToString(testOCSPResponse),
5735 "-signed-cert-timestamps",
5736 base64.StdEncoding.EncodeToString(testSCTList),
5737 },
5738 })
5739
5740 testCases = append(testCases, testCase{
5741 name: "SendDuplicateExtensionsOnCerts-TLS13",
5742 config: Config{
5743 MaxVersion: VersionTLS13,
5744 Bugs: ProtocolBugs{
5745 SendDuplicateCertExtensions: true,
5746 },
5747 },
5748 flags: []string{
5749 "-enable-ocsp-stapling",
5750 "-enable-signed-cert-timestamps",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5751 },
5752 resumeSession: true,
5753 shouldFail: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5754 expectedError: ":DUPLICATE_EXTENSION:",
5755 })
5756
5757 testCases = append(testCases, testCase{
5758 name: "SignedCertificateTimestampListInvalid-Server",
5759 testType: serverTest,
5760 flags: []string{
5761 "-signed-cert-timestamps",
5762 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5763 },
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]5764 shouldFail: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5765 expectedError: ":INVALID_SCT_LIST:",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5766 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5767}
5768
5769func addResumptionVersionTests() {
5770 for _, sessionVers := range tlsVersions {
5771 for _, resumeVers := range tlsVersions {
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5772 // SSL 3.0 does not have tickets and TLS 1.3 does not
5773 // have session IDs, so skip their cross-resumption
5774 // tests.
5775 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5776 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5777 continue
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]5778 }
5779
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5780 protocols := []protocol{tls}
5781 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5782 protocols = append(protocols, dtls)
5783 }
5784 for _, protocol := range protocols {
5785 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5786 if protocol == dtls {
5787 suffix += "-DTLS"
5788 }
5789
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5790 if sessionVers.version == resumeVers.version {
5791 testCases = append(testCases, testCase{
5792 protocol: protocol,
5793 name: "Resume-Client" + suffix,
5794 resumeSession: true,
5795 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5796 MaxVersion: sessionVers.version,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5797 Bugs: ProtocolBugs{
5798 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5799 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5800 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5801 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5802 expectedVersion: sessionVers.version,
5803 expectedResumeVersion: resumeVers.version,
5804 })
5805 } else {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5806 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5807
5808 // Offering a TLS 1.3 session sends an empty session ID, so
5809 // there is no way to convince a non-lookahead client the
5810 // session was resumed. It will appear to the client that a
5811 // stray ChangeCipherSpec was sent.
5812 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5813 error = ":UNEXPECTED_RECORD:"
5814 }
5815
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5816 testCases = append(testCases, testCase{
5817 protocol: protocol,
5818 name: "Resume-Client-Mismatch" + suffix,
5819 resumeSession: true,
5820 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5821 MaxVersion: sessionVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5822 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5823 expectedVersion: sessionVers.version,
5824 resumeConfig: &Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5825 MaxVersion: resumeVers.version,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5826 Bugs: ProtocolBugs{
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5827 AcceptAnySession: true,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5828 },
5829 },
5830 expectedResumeVersion: resumeVers.version,
5831 shouldFail: true,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5832 expectedError: error,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5833 })
5834 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5835
5836 testCases = append(testCases, testCase{
5837 protocol: protocol,
5838 name: "Resume-Client-NoResume" + suffix,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5839 resumeSession: true,
5840 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5841 MaxVersion: sessionVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5842 },
5843 expectedVersion: sessionVers.version,
5844 resumeConfig: &Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5845 MaxVersion: resumeVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5846 },
5847 newSessionsOnResume: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5848 expectResumeRejected: true,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5849 expectedResumeVersion: resumeVers.version,
5850 })
5851
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5852 testCases = append(testCases, testCase{
5853 protocol: protocol,
5854 testType: serverTest,
5855 name: "Resume-Server" + suffix,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5856 resumeSession: true,
5857 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5858 MaxVersion: sessionVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5859 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]5860 expectedVersion: sessionVers.version,
5861 expectResumeRejected: sessionVers.version != resumeVers.version,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5862 resumeConfig: &Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]5863 MaxVersion: resumeVers.version,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]5864 Bugs: ProtocolBugs{
5865 SendBothTickets: true,
5866 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]5867 },
5868 expectedResumeVersion: resumeVers.version,
5869 })
5870 }
5871 }
5872 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]5873
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]5874 // Make sure shim ticket mutations are functional.
5875 testCases = append(testCases, testCase{
5876 testType: serverTest,
5877 name: "ShimTicketRewritable",
5878 resumeSession: true,
5879 config: Config{
5880 MaxVersion: VersionTLS12,
5881 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5882 Bugs: ProtocolBugs{
5883 FilterTicket: func(in []byte) ([]byte, error) {
5884 in, err := SetShimTicketVersion(in, VersionTLS12)
5885 if err != nil {
5886 return nil, err
5887 }
5888 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5889 },
5890 },
5891 },
5892 flags: []string{
5893 "-ticket-key",
5894 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5895 },
5896 })
5897
5898 // Resumptions are declined if the version does not match.
5899 testCases = append(testCases, testCase{
5900 testType: serverTest,
5901 name: "Resume-Server-DeclineCrossVersion",
5902 resumeSession: true,
5903 config: Config{
5904 MaxVersion: VersionTLS12,
5905 Bugs: ProtocolBugs{
5906 ExpectNewTicket: true,
5907 FilterTicket: func(in []byte) ([]byte, error) {
5908 return SetShimTicketVersion(in, VersionTLS13)
5909 },
5910 },
5911 },
5912 flags: []string{
5913 "-ticket-key",
5914 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5915 },
5916 expectResumeRejected: true,
5917 })
5918
5919 testCases = append(testCases, testCase{
5920 testType: serverTest,
5921 name: "Resume-Server-DeclineCrossVersion-TLS13",
5922 resumeSession: true,
5923 config: Config{
5924 MaxVersion: VersionTLS13,
5925 Bugs: ProtocolBugs{
5926 FilterTicket: func(in []byte) ([]byte, error) {
5927 return SetShimTicketVersion(in, VersionTLS12)
5928 },
5929 },
5930 },
5931 flags: []string{
5932 "-ticket-key",
5933 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5934 },
5935 expectResumeRejected: true,
5936 })
5937
5938 // Resumptions are declined if the cipher is invalid or disabled.
5939 testCases = append(testCases, testCase{
5940 testType: serverTest,
5941 name: "Resume-Server-DeclineBadCipher",
5942 resumeSession: true,
5943 config: Config{
5944 MaxVersion: VersionTLS12,
5945 Bugs: ProtocolBugs{
5946 ExpectNewTicket: true,
5947 FilterTicket: func(in []byte) ([]byte, error) {
5948 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5949 },
5950 },
5951 },
5952 flags: []string{
5953 "-ticket-key",
5954 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5955 },
5956 expectResumeRejected: true,
5957 })
5958
5959 testCases = append(testCases, testCase{
5960 testType: serverTest,
5961 name: "Resume-Server-DeclineBadCipher-2",
5962 resumeSession: true,
5963 config: Config{
5964 MaxVersion: VersionTLS12,
5965 Bugs: ProtocolBugs{
5966 ExpectNewTicket: true,
5967 FilterTicket: func(in []byte) ([]byte, error) {
5968 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5969 },
5970 },
5971 },
5972 flags: []string{
5973 "-cipher", "AES128",
5974 "-ticket-key",
5975 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5976 },
5977 expectResumeRejected: true,
5978 })
5979
5980 // Sessions are not resumed if they do not use the preferred cipher.
5981 testCases = append(testCases, testCase{
5982 testType: serverTest,
5983 name: "Resume-Server-CipherNotPreferred",
5984 resumeSession: true,
5985 config: Config{
5986 MaxVersion: VersionTLS12,
5987 Bugs: ProtocolBugs{
5988 ExpectNewTicket: true,
5989 FilterTicket: func(in []byte) ([]byte, error) {
5990 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5991 },
5992 },
5993 },
5994 flags: []string{
5995 "-ticket-key",
5996 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5997 },
5998 shouldFail: false,
5999 expectResumeRejected: true,
6000 })
6001
6002 // TLS 1.3 allows sessions to be resumed at a different cipher if their
6003 // PRF hashes match, but BoringSSL will always decline such resumptions.
6004 testCases = append(testCases, testCase{
6005 testType: serverTest,
6006 name: "Resume-Server-CipherNotPreferred-TLS13",
6007 resumeSession: true,
6008 config: Config{
6009 MaxVersion: VersionTLS13,
6010 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
6011 Bugs: ProtocolBugs{
6012 FilterTicket: func(in []byte) ([]byte, error) {
6013 // If the client (runner) offers ChaCha20-Poly1305 first, the
6014 // server (shim) always prefers it. Switch it to AES-GCM.
6015 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
6016 },
6017 },
6018 },
6019 flags: []string{
6020 "-ticket-key",
6021 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6022 },
6023 shouldFail: false,
6024 expectResumeRejected: true,
6025 })
6026
6027 // Sessions may not be resumed if they contain another version's cipher.
6028 testCases = append(testCases, testCase{
6029 testType: serverTest,
6030 name: "Resume-Server-DeclineBadCipher-TLS13",
6031 resumeSession: true,
6032 config: Config{
6033 MaxVersion: VersionTLS13,
6034 Bugs: ProtocolBugs{
6035 FilterTicket: func(in []byte) ([]byte, error) {
6036 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
6037 },
6038 },
6039 },
6040 flags: []string{
6041 "-ticket-key",
6042 base64.StdEncoding.EncodeToString(TestShimTicketKey),
6043 },
6044 expectResumeRejected: true,
6045 })
6046
6047 // If the client does not offer the cipher from the session, decline to
6048 // resume. Clients are forbidden from doing this, but BoringSSL selects
6049 // the cipher first, so we only decline.
6050 testCases = append(testCases, testCase{
6051 testType: serverTest,
6052 name: "Resume-Server-UnofferedCipher",
6053 resumeSession: true,
6054 config: Config{
6055 MaxVersion: VersionTLS12,
6056 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6057 },
6058 resumeConfig: &Config{
6059 MaxVersion: VersionTLS12,
6060 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
6061 Bugs: ProtocolBugs{
6062 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6063 },
6064 },
6065 expectResumeRejected: true,
6066 })
6067
6068 // In TLS 1.3, clients may advertise a cipher list which does not
6069 // include the selected cipher. Test that we tolerate this. Servers may
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6070 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
6071 // BoringSSL will always decline.
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6072 testCases = append(testCases, testCase{
6073 testType: serverTest,
6074 name: "Resume-Server-UnofferedCipher-TLS13",
6075 resumeSession: true,
6076 config: Config{
6077 MaxVersion: VersionTLS13,
6078 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6079 },
6080 resumeConfig: &Config{
6081 MaxVersion: VersionTLS13,
6082 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6083 Bugs: ProtocolBugs{
6084 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6085 },
6086 },
6087 expectResumeRejected: true,
6088 })
6089
6090 // Sessions may not be resumed at a different cipher.
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6091 testCases = append(testCases, testCase{
6092 name: "Resume-Client-CipherMismatch",
6093 resumeSession: true,
6094 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6095 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6096 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6097 },
6098 resumeConfig: &Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6099 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6100 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6101 Bugs: ProtocolBugs{
6102 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6103 },
6104 },
6105 shouldFail: true,
6106 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6107 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6108
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6109 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6110 // matches.
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6111 testCases = append(testCases, testCase{
6112 name: "Resume-Client-CipherMismatch-TLS13",
6113 resumeSession: true,
6114 config: Config{
6115 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6116 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6117 },
6118 resumeConfig: &Config{
6119 MaxVersion: VersionTLS13,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6120 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6121 },
6122 })
6123
6124 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6125 testCases = append(testCases, testCase{
6126 name: "Resume-Client-PRFMismatch-TLS13",
6127 resumeSession: true,
6128 config: Config{
6129 MaxVersion: VersionTLS13,
6130 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6131 },
6132 resumeConfig: &Config{
6133 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6134 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6135 Bugs: ProtocolBugs{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6136 SendCipherSuite: TLS_AES_256_GCM_SHA384,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6137 },
6138 },
6139 shouldFail: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6140 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
6141 })
6142
6143 testCases = append(testCases, testCase{
6144 testType: serverTest,
6145 name: "Resume-Server-BinderWrongLength",
6146 resumeSession: true,
6147 config: Config{
6148 MaxVersion: VersionTLS13,
6149 Bugs: ProtocolBugs{
6150 SendShortPSKBinder: true,
6151 },
6152 },
6153 shouldFail: true,
6154 expectedLocalError: "remote error: error decrypting message",
6155 expectedError: ":DIGEST_CHECK_FAILED:",
6156 })
6157
6158 testCases = append(testCases, testCase{
6159 testType: serverTest,
6160 name: "Resume-Server-NoPSKBinder",
6161 resumeSession: true,
6162 config: Config{
6163 MaxVersion: VersionTLS13,
6164 Bugs: ProtocolBugs{
6165 SendNoPSKBinder: true,
6166 },
6167 },
6168 shouldFail: true,
6169 expectedLocalError: "remote error: error decoding message",
6170 expectedError: ":DECODE_ERROR:",
6171 })
6172
6173 testCases = append(testCases, testCase{
6174 testType: serverTest,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]6175 name: "Resume-Server-ExtraPSKBinder",
6176 resumeSession: true,
6177 config: Config{
6178 MaxVersion: VersionTLS13,
6179 Bugs: ProtocolBugs{
6180 SendExtraPSKBinder: true,
6181 },
6182 },
6183 shouldFail: true,
6184 expectedLocalError: "remote error: illegal parameter",
6185 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6186 })
6187
6188 testCases = append(testCases, testCase{
6189 testType: serverTest,
6190 name: "Resume-Server-ExtraIdentityNoBinder",
6191 resumeSession: true,
6192 config: Config{
6193 MaxVersion: VersionTLS13,
6194 Bugs: ProtocolBugs{
6195 ExtraPSKIdentity: true,
6196 },
6197 },
6198 shouldFail: true,
6199 expectedLocalError: "remote error: illegal parameter",
6200 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6201 })
6202
6203 testCases = append(testCases, testCase{
6204 testType: serverTest,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6205 name: "Resume-Server-InvalidPSKBinder",
6206 resumeSession: true,
6207 config: Config{
6208 MaxVersion: VersionTLS13,
6209 Bugs: ProtocolBugs{
6210 SendInvalidPSKBinder: true,
6211 },
6212 },
6213 shouldFail: true,
6214 expectedLocalError: "remote error: error decrypting message",
6215 expectedError: ":DIGEST_CHECK_FAILED:",
6216 })
6217
6218 testCases = append(testCases, testCase{
6219 testType: serverTest,
6220 name: "Resume-Server-PSKBinderFirstExtension",
6221 resumeSession: true,
6222 config: Config{
6223 MaxVersion: VersionTLS13,
6224 Bugs: ProtocolBugs{
6225 PSKBinderFirst: true,
6226 },
6227 },
6228 shouldFail: true,
6229 expectedLocalError: "remote error: illegal parameter",
6230 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6231 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6232}
6233
6234func addRenegotiationTests() {
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6235 // Servers cannot renegotiate.
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6236 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6237 testType: serverTest,
6238 name: "Renegotiate-Server-Forbidden",
6239 config: Config{
6240 MaxVersion: VersionTLS12,
6241 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6242 renegotiate: 1,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6243 shouldFail: true,
6244 expectedError: ":NO_RENEGOTIATION:",
6245 expectedLocalError: "remote error: no renegotiation",
6246 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6247 // The server shouldn't echo the renegotiation extension unless
6248 // requested by the client.
6249 testCases = append(testCases, testCase{
6250 testType: serverTest,
6251 name: "Renegotiate-Server-NoExt",
6252 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6253 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6254 Bugs: ProtocolBugs{
6255 NoRenegotiationInfo: true,
6256 RequireRenegotiationInfo: true,
6257 },
6258 },
6259 shouldFail: true,
6260 expectedLocalError: "renegotiation extension missing",
6261 })
6262 // The renegotiation SCSV should be sufficient for the server to echo
6263 // the extension.
6264 testCases = append(testCases, testCase{
6265 testType: serverTest,
6266 name: "Renegotiate-Server-NoExt-SCSV",
6267 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6268 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6269 Bugs: ProtocolBugs{
6270 NoRenegotiationInfo: true,
6271 SendRenegotiationSCSV: true,
6272 RequireRenegotiationInfo: true,
6273 },
6274 },
6275 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6276 testCases = append(testCases, testCase{
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6277 name: "Renegotiate-Client",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6278 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6279 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6280 Bugs: ProtocolBugs{
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6281 FailIfResumeOnRenego: true,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6282 },
6283 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6284 renegotiate: 1,
6285 flags: []string{
6286 "-renegotiate-freely",
6287 "-expect-total-renegotiations", "1",
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]6288 "-expect-secure-renegotiation",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6289 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6290 })
6291 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6292 name: "Renegotiate-Client-EmptyExt",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6293 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6294 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6295 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6296 Bugs: ProtocolBugs{
6297 EmptyRenegotiationInfo: true,
6298 },
6299 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6300 flags: []string{"-renegotiate-freely"},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6301 shouldFail: true,
6302 expectedError: ":RENEGOTIATION_MISMATCH:",
6303 })
6304 testCases = append(testCases, testCase{
6305 name: "Renegotiate-Client-BadExt",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6306 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6307 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6308 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6309 Bugs: ProtocolBugs{
6310 BadRenegotiationInfo: true,
6311 },
6312 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6313 flags: []string{"-renegotiate-freely"},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6314 shouldFail: true,
6315 expectedError: ":RENEGOTIATION_MISMATCH:",
6316 })
6317 testCases = append(testCases, testCase{
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]6318 name: "Renegotiate-Client-Downgrade",
6319 renegotiate: 1,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6320 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6321 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6322 Bugs: ProtocolBugs{
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]6323 NoRenegotiationInfoAfterInitial: true,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6324 },
6325 },
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]6326 flags: []string{"-renegotiate-freely"},
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6327 shouldFail: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]6328 expectedError: ":RENEGOTIATION_MISMATCH:",
6329 })
6330 testCases = append(testCases, testCase{
6331 name: "Renegotiate-Client-Upgrade",
6332 renegotiate: 1,
6333 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6334 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]6335 Bugs: ProtocolBugs{
6336 NoRenegotiationInfoInInitial: true,
6337 },
6338 },
6339 flags: []string{"-renegotiate-freely"},
6340 shouldFail: true,
6341 expectedError: ":RENEGOTIATION_MISMATCH:",
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6342 })
6343 testCases = append(testCases, testCase{
6344 name: "Renegotiate-Client-NoExt-Allowed",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6345 renegotiate: 1,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6346 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6347 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6348 Bugs: ProtocolBugs{
6349 NoRenegotiationInfo: true,
6350 },
6351 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6352 flags: []string{
6353 "-renegotiate-freely",
6354 "-expect-total-renegotiations", "1",
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]6355 "-expect-no-secure-renegotiation",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6356 },
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6357 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6358
6359 // Test that the server may switch ciphers on renegotiation without
6360 // problems.
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]6361 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6362 name: "Renegotiate-Client-SwitchCiphers",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6363 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6364 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6365 MaxVersion: VersionTLS12,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6366 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6367 },
6368 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6369 flags: []string{
6370 "-renegotiate-freely",
6371 "-expect-total-renegotiations", "1",
6372 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6373 })
6374 testCases = append(testCases, testCase{
6375 name: "Renegotiate-Client-SwitchCiphers2",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6376 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6377 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6378 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6379 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6380 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6381 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6382 flags: []string{
6383 "-renegotiate-freely",
6384 "-expect-total-renegotiations", "1",
6385 },
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6386 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6387
6388 // Test that the server may not switch versions on renegotiation.
6389 testCases = append(testCases, testCase{
6390 name: "Renegotiate-Client-SwitchVersion",
6391 config: Config{
6392 MaxVersion: VersionTLS12,
6393 // Pick a cipher which exists at both versions.
6394 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6395 Bugs: ProtocolBugs{
6396 NegotiateVersionOnRenego: VersionTLS11,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]6397 // Avoid failing early at the record layer.
6398 SendRecordVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6399 },
6400 },
6401 renegotiate: 1,
6402 flags: []string{
6403 "-renegotiate-freely",
6404 "-expect-total-renegotiations", "1",
6405 },
6406 shouldFail: true,
6407 expectedError: ":WRONG_SSL_VERSION:",
6408 })
6409
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]6410 testCases = append(testCases, testCase{
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6411 name: "Renegotiate-SameClientVersion",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6412 renegotiate: 1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6413 config: Config{
6414 MaxVersion: VersionTLS10,
6415 Bugs: ProtocolBugs{
6416 RequireSameRenegoClientVersion: true,
6417 },
6418 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6419 flags: []string{
6420 "-renegotiate-freely",
6421 "-expect-total-renegotiations", "1",
6422 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6423 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6424 testCases = append(testCases, testCase{
6425 name: "Renegotiate-FalseStart",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6426 renegotiate: 1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6427 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6428 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6429 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6430 NextProtos: []string{"foo"},
6431 },
6432 flags: []string{
6433 "-false-start",
6434 "-select-next-proto", "foo",
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6435 "-renegotiate-freely",
6436 "-expect-total-renegotiations", "1",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6437 },
6438 shimWritesFirst: true,
6439 })
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6440
6441 // Client-side renegotiation controls.
6442 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6443 name: "Renegotiate-Client-Forbidden-1",
6444 config: Config{
6445 MaxVersion: VersionTLS12,
6446 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6447 renegotiate: 1,
6448 shouldFail: true,
6449 expectedError: ":NO_RENEGOTIATION:",
6450 expectedLocalError: "remote error: no renegotiation",
6451 })
6452 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6453 name: "Renegotiate-Client-Once-1",
6454 config: Config{
6455 MaxVersion: VersionTLS12,
6456 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6457 renegotiate: 1,
6458 flags: []string{
6459 "-renegotiate-once",
6460 "-expect-total-renegotiations", "1",
6461 },
6462 })
6463 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6464 name: "Renegotiate-Client-Freely-1",
6465 config: Config{
6466 MaxVersion: VersionTLS12,
6467 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6468 renegotiate: 1,
6469 flags: []string{
6470 "-renegotiate-freely",
6471 "-expect-total-renegotiations", "1",
6472 },
6473 })
6474 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6475 name: "Renegotiate-Client-Once-2",
6476 config: Config{
6477 MaxVersion: VersionTLS12,
6478 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6479 renegotiate: 2,
6480 flags: []string{"-renegotiate-once"},
6481 shouldFail: true,
6482 expectedError: ":NO_RENEGOTIATION:",
6483 expectedLocalError: "remote error: no renegotiation",
6484 })
6485 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6486 name: "Renegotiate-Client-Freely-2",
6487 config: Config{
6488 MaxVersion: VersionTLS12,
6489 },
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]6490 renegotiate: 2,
6491 flags: []string{
6492 "-renegotiate-freely",
6493 "-expect-total-renegotiations", "2",
6494 },
6495 })
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]6496 testCases = append(testCases, testCase{
6497 name: "Renegotiate-Client-NoIgnore",
6498 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6499 MaxVersion: VersionTLS12,
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]6500 Bugs: ProtocolBugs{
6501 SendHelloRequestBeforeEveryAppDataRecord: true,
6502 },
6503 },
6504 shouldFail: true,
6505 expectedError: ":NO_RENEGOTIATION:",
6506 })
6507 testCases = append(testCases, testCase{
6508 name: "Renegotiate-Client-Ignore",
6509 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6510 MaxVersion: VersionTLS12,
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]6511 Bugs: ProtocolBugs{
6512 SendHelloRequestBeforeEveryAppDataRecord: true,
6513 },
6514 },
6515 flags: []string{
6516 "-renegotiate-ignore",
6517 "-expect-total-renegotiations", "0",
6518 },
6519 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6520
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6521 // Renegotiation is not allowed at SSL 3.0.
6522 testCases = append(testCases, testCase{
6523 name: "Renegotiate-Client-SSL3",
6524 config: Config{
6525 MaxVersion: VersionSSL30,
6526 },
6527 renegotiate: 1,
6528 flags: []string{
6529 "-renegotiate-freely",
6530 "-expect-total-renegotiations", "1",
6531 },
6532 shouldFail: true,
6533 expectedError: ":NO_RENEGOTIATION:",
6534 expectedLocalError: "remote error: no renegotiation",
6535 })
6536
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]6537 // Renegotiation is not allowed when there is an unfinished write.
6538 testCases = append(testCases, testCase{
6539 name: "Renegotiate-Client-UnfinishedWrite",
6540 config: Config{
6541 MaxVersion: VersionTLS12,
6542 },
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6543 renegotiate: 1,
6544 readWithUnfinishedWrite: true,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]6545 flags: []string{
6546 "-async",
6547 "-renegotiate-freely",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]6548 },
6549 shouldFail: true,
6550 expectedError: ":NO_RENEGOTIATION:",
6551 // We do not successfully send the no_renegotiation alert in
6552 // this case. https://crbug.com/boringssl/130
6553 })
6554
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]6555 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6556 testCases = append(testCases, testCase{
6557 name: "StrayHelloRequest",
6558 config: Config{
6559 MaxVersion: VersionTLS12,
6560 Bugs: ProtocolBugs{
6561 SendHelloRequestBeforeEveryHandshakeMessage: true,
6562 },
6563 },
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]6564 shouldFail: true,
6565 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6566 })
6567 testCases = append(testCases, testCase{
6568 name: "StrayHelloRequest-Packed",
6569 config: Config{
6570 MaxVersion: VersionTLS12,
6571 Bugs: ProtocolBugs{
6572 PackHandshakeFlight: true,
6573 SendHelloRequestBeforeEveryHandshakeMessage: true,
6574 },
6575 },
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]6576 shouldFail: true,
6577 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6578 })
6579
6580 // Test renegotiation works if HelloRequest and server Finished come in
6581 // the same record.
6582 testCases = append(testCases, testCase{
6583 name: "Renegotiate-Client-Packed",
6584 config: Config{
6585 MaxVersion: VersionTLS12,
6586 Bugs: ProtocolBugs{
6587 PackHandshakeFlight: true,
6588 PackHelloRequestWithFinished: true,
6589 },
6590 },
6591 renegotiate: 1,
6592 flags: []string{
6593 "-renegotiate-freely",
6594 "-expect-total-renegotiations", "1",
6595 },
6596 })
6597
6598 // Renegotiation is forbidden in TLS 1.3.
6599 testCases = append(testCases, testCase{
6600 name: "Renegotiate-Client-TLS13",
6601 config: Config{
6602 MaxVersion: VersionTLS13,
6603 Bugs: ProtocolBugs{
6604 SendHelloRequestBeforeEveryAppDataRecord: true,
6605 },
6606 },
6607 flags: []string{
6608 "-renegotiate-freely",
6609 },
6610 shouldFail: true,
6611 expectedError: ":UNEXPECTED_MESSAGE:",
6612 })
6613
6614 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6615 testCases = append(testCases, testCase{
6616 name: "StrayHelloRequest-TLS13",
6617 config: Config{
6618 MaxVersion: VersionTLS13,
6619 Bugs: ProtocolBugs{
6620 SendHelloRequestBeforeEveryHandshakeMessage: true,
6621 },
6622 },
6623 shouldFail: true,
6624 expectedError: ":UNEXPECTED_MESSAGE:",
6625 })
Steven Valdezb0b45c62017-01-17 16:23:54 -0500[diff] [blame]6626
6627 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6628 // always reads as supporting it, regardless of whether it was
6629 // negotiated.
6630 testCases = append(testCases, testCase{
6631 name: "AlwaysReportRenegotiationInfo-TLS13",
6632 config: Config{
6633 MaxVersion: VersionTLS13,
6634 Bugs: ProtocolBugs{
6635 NoRenegotiationInfo: true,
6636 },
6637 },
6638 flags: []string{
6639 "-expect-secure-renegotiation",
6640 },
6641 })
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]6642
6643 // Certificates may not change on renegotiation.
6644 testCases = append(testCases, testCase{
6645 name: "Renegotiation-CertificateChange",
6646 config: Config{
6647 MaxVersion: VersionTLS12,
6648 Certificates: []Certificate{rsaCertificate},
6649 Bugs: ProtocolBugs{
6650 RenegotiationCertificate: &rsaChainCertificate,
6651 },
6652 },
6653 renegotiate: 1,
6654 flags: []string{"-renegotiate-freely"},
6655 shouldFail: true,
6656 expectedError: ":SERVER_CERT_CHANGED:",
6657 })
6658 testCases = append(testCases, testCase{
6659 name: "Renegotiation-CertificateChange-2",
6660 config: Config{
6661 MaxVersion: VersionTLS12,
6662 Certificates: []Certificate{rsaCertificate},
6663 Bugs: ProtocolBugs{
6664 RenegotiationCertificate: &rsa1024Certificate,
6665 },
6666 },
6667 renegotiate: 1,
6668 flags: []string{"-renegotiate-freely"},
6669 shouldFail: true,
6670 expectedError: ":SERVER_CERT_CHANGED:",
6671 })
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6672
6673 // We do not negotiate ALPN after the initial handshake. This is
6674 // error-prone and only risks bugs in consumers.
6675 testCases = append(testCases, testCase{
6676 testType: clientTest,
6677 name: "Renegotiation-ForbidALPN",
6678 config: Config{
6679 MaxVersion: VersionTLS12,
6680 Bugs: ProtocolBugs{
6681 // Forcibly negotiate ALPN on both initial and
6682 // renegotiation handshakes. The test stack will
6683 // internally check the client does not offer
6684 // it.
6685 SendALPN: "foo",
6686 },
6687 },
6688 flags: []string{
6689 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6690 "-expect-alpn", "foo",
6691 "-renegotiate-freely",
6692 },
6693 renegotiate: 1,
6694 shouldFail: true,
6695 expectedError: ":UNEXPECTED_EXTENSION:",
6696 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6697}
6698
6699func addDTLSReplayTests() {
6700 // Test that sequence number replays are detected.
6701 testCases = append(testCases, testCase{
6702 protocol: dtls,
6703 name: "DTLS-Replay",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6704 messageCount: 200,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6705 replayWrites: true,
6706 })
6707
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6708 // Test the incoming sequence number skipping by values larger
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6709 // than the retransmit window.
6710 testCases = append(testCases, testCase{
6711 protocol: dtls,
6712 name: "DTLS-Replay-LargeGaps",
6713 config: Config{
6714 Bugs: ProtocolBugs{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6715 SequenceNumberMapping: func(in uint64) uint64 {
6716 return in * 127
6717 },
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6718 },
6719 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6720 messageCount: 200,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6721 replayWrites: true,
6722 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6723
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6724 // Test the incoming sequence number changing non-monotonically.
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]6725 testCases = append(testCases, testCase{
6726 protocol: dtls,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6727 name: "DTLS-Replay-NonMonotonic",
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]6728 config: Config{
6729 Bugs: ProtocolBugs{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6730 SequenceNumberMapping: func(in uint64) uint64 {
6731 return in ^ 31
6732 },
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]6733 },
6734 },
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]6735 messageCount: 200,
6736 replayWrites: true,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6737 })
6738}
6739
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6740var testSignatureAlgorithms = []struct {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6741 name string
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6742 id signatureAlgorithm
6743 cert testCert
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6744}{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6745 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6746 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6747 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6748 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
6749 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]6750 // The “P256” in the following line is not a mistake. In TLS 1.2 the
6751 // hash function doesn't have to match the curve and so the same
6752 // signature algorithm works with P-224.
6753 {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6754 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6755 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6756 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
6757 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6758 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6759 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6760 {"Ed25519", signatureEd25519, testCertEd25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6761 // Tests for key types prior to TLS 1.2.
6762 {"RSA", 0, testCertRSA},
6763 {"ECDSA", 0, testCertECDSAP256},
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6764}
6765
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6766const fakeSigAlg1 signatureAlgorithm = 0x2a01
6767const fakeSigAlg2 signatureAlgorithm = 0xff01
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6768
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6769func addSignatureAlgorithmTests() {
6770 // Not all ciphers involve a signature. Advertise a list which gives all
6771 // versions a signing cipher.
6772 signingCiphers := []uint16{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]6773 TLS_AES_128_GCM_SHA256,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6774 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6775 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6776 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6777 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6778 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]6779
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6780 var allAlgorithms []signatureAlgorithm
6781 for _, alg := range testSignatureAlgorithms {
6782 if alg.id != 0 {
6783 allAlgorithms = append(allAlgorithms, alg.id)
6784 }
6785 }
6786
6787 // Make sure each signature algorithm works. Include some fake values in
6788 // the list and ensure they're ignored.
6789 for _, alg := range testSignatureAlgorithms {
6790 for _, ver := range tlsVersions {
6791 if (ver.version < VersionTLS12) != (alg.id == 0) {
6792 continue
6793 }
6794
6795 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6796 // or remove it in C.
6797 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
6798 continue
6799 }
6800
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6801 var shouldSignFail, shouldVerifyFail bool
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6802 // ecdsa_sha1 does not exist in TLS 1.3.
6803 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6804 shouldSignFail = true
6805 shouldVerifyFail = true
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6806 }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]6807 // RSA-PKCS1 does not exist in TLS 1.3.
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]6808 if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
6809 shouldSignFail = true
6810 shouldVerifyFail = true
6811 }
6812 // SHA-224 has been removed from TLS 1.3 and, in 1.3,
6813 // the curve has to match the hash size.
6814 if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6815 shouldSignFail = true
6816 shouldVerifyFail = true
6817 }
6818
6819 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6820 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6821 shouldVerifyFail = true
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6822 }
6823
6824 var signError, verifyError string
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6825 if shouldSignFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6826 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6827 }
6828 if shouldVerifyFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6829 verifyError = ":WRONG_SIGNATURE_TYPE:"
6830 }
6831
6832 suffix := "-" + alg.name + "-" + ver.name
6833
6834 testCases = append(testCases, testCase{
6835 name: "ClientAuth-Sign" + suffix,
6836 config: Config{
6837 MaxVersion: ver.version,
6838 ClientAuth: RequireAnyClientCert,
6839 VerifySignatureAlgorithms: []signatureAlgorithm{
6840 fakeSigAlg1,
6841 alg.id,
6842 fakeSigAlg2,
6843 },
6844 },
6845 flags: []string{
6846 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6847 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6848 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6849 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6850 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6851 shouldFail: shouldSignFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6852 expectedError: signError,
6853 expectedPeerSignatureAlgorithm: alg.id,
6854 })
6855
6856 testCases = append(testCases, testCase{
6857 testType: serverTest,
6858 name: "ClientAuth-Verify" + suffix,
6859 config: Config{
6860 MaxVersion: ver.version,
6861 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6862 SignSignatureAlgorithms: []signatureAlgorithm{
6863 alg.id,
6864 },
6865 Bugs: ProtocolBugs{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6866 SkipECDSACurveCheck: shouldVerifyFail,
6867 IgnoreSignatureVersionChecks: shouldVerifyFail,
6868 // Some signature algorithms may not be advertised.
6869 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6870 },
6871 },
6872 flags: []string{
6873 "-require-any-client-certificate",
6874 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6875 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6876 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6877 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]6878 // Resume the session to assert the peer signature
6879 // algorithm is reported on both handshakes.
6880 resumeSession: !shouldVerifyFail,
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6881 shouldFail: shouldVerifyFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6882 expectedError: verifyError,
6883 })
6884
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6885 // No signing cipher for SSL 3.0.
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6886 if ver.version > VersionSSL30 {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6887 testCases = append(testCases, testCase{
6888 testType: serverTest,
6889 name: "ServerAuth-Sign" + suffix,
6890 config: Config{
6891 MaxVersion: ver.version,
6892 CipherSuites: signingCiphers,
6893 VerifySignatureAlgorithms: []signatureAlgorithm{
6894 fakeSigAlg1,
6895 alg.id,
6896 fakeSigAlg2,
6897 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6898 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6899 flags: []string{
6900 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6901 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6902 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6903 "-enable-ed25519",
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]6904 },
6905 shouldFail: shouldSignFail,
6906 expectedError: signError,
6907 expectedPeerSignatureAlgorithm: alg.id,
6908 })
6909 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6910
6911 testCases = append(testCases, testCase{
6912 name: "ServerAuth-Verify" + suffix,
6913 config: Config{
6914 MaxVersion: ver.version,
6915 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6916 CipherSuites: signingCiphers,
6917 SignSignatureAlgorithms: []signatureAlgorithm{
6918 alg.id,
6919 },
6920 Bugs: ProtocolBugs{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6921 SkipECDSACurveCheck: shouldVerifyFail,
6922 IgnoreSignatureVersionChecks: shouldVerifyFail,
6923 // Some signature algorithms may not be advertised.
6924 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6925 },
6926 },
6927 flags: []string{
6928 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6929 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6930 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6931 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]6932 // Resume the session to assert the peer signature
6933 // algorithm is reported on both handshakes.
6934 resumeSession: !shouldVerifyFail,
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6935 shouldFail: shouldVerifyFail,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6936 expectedError: verifyError,
6937 })
6938
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6939 if !shouldVerifyFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6940 testCases = append(testCases, testCase{
6941 testType: serverTest,
6942 name: "ClientAuth-InvalidSignature" + suffix,
6943 config: Config{
6944 MaxVersion: ver.version,
6945 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6946 SignSignatureAlgorithms: []signatureAlgorithm{
6947 alg.id,
6948 },
6949 Bugs: ProtocolBugs{
6950 InvalidSignature: true,
6951 },
6952 },
6953 flags: []string{
6954 "-require-any-client-certificate",
6955 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6956 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6957 },
6958 shouldFail: true,
6959 expectedError: ":BAD_SIGNATURE:",
6960 })
6961
6962 testCases = append(testCases, testCase{
6963 name: "ServerAuth-InvalidSignature" + suffix,
6964 config: Config{
6965 MaxVersion: ver.version,
6966 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6967 CipherSuites: signingCiphers,
6968 SignSignatureAlgorithms: []signatureAlgorithm{
6969 alg.id,
6970 },
6971 Bugs: ProtocolBugs{
6972 InvalidSignature: true,
6973 },
6974 },
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6975 flags: []string{
6976 "-enable-all-curves",
6977 "-enable-ed25519",
6978 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6979 shouldFail: true,
6980 expectedError: ":BAD_SIGNATURE:",
6981 })
6982 }
6983
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]6984 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6985 testCases = append(testCases, testCase{
6986 name: "ClientAuth-Sign-Negotiate" + suffix,
6987 config: Config{
6988 MaxVersion: ver.version,
6989 ClientAuth: RequireAnyClientCert,
6990 VerifySignatureAlgorithms: allAlgorithms,
6991 },
6992 flags: []string{
6993 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6994 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6995 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]6996 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]6997 "-signing-prefs", strconv.Itoa(int(alg.id)),
6998 },
6999 expectedPeerSignatureAlgorithm: alg.id,
7000 })
7001
7002 testCases = append(testCases, testCase{
7003 testType: serverTest,
7004 name: "ServerAuth-Sign-Negotiate" + suffix,
7005 config: Config{
7006 MaxVersion: ver.version,
7007 CipherSuites: signingCiphers,
7008 VerifySignatureAlgorithms: allAlgorithms,
7009 },
7010 flags: []string{
7011 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
7012 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
7013 "-enable-all-curves",
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]7014 "-enable-ed25519",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7015 "-signing-prefs", strconv.Itoa(int(alg.id)),
7016 },
7017 expectedPeerSignatureAlgorithm: alg.id,
7018 })
7019 }
7020 }
7021 }
7022
7023 // Test that algorithm selection takes the key type into account.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7024 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7025 name: "ClientAuth-SignatureType",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7026 config: Config{
7027 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7028 MaxVersion: VersionTLS12,
7029 VerifySignatureAlgorithms: []signatureAlgorithm{
7030 signatureECDSAWithP521AndSHA512,
7031 signatureRSAPKCS1WithSHA384,
7032 signatureECDSAWithSHA1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7033 },
7034 },
7035 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7036 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7037 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7038 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7039 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7040 })
7041
7042 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7043 name: "ClientAuth-SignatureType-TLS13",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7044 config: Config{
7045 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7046 MaxVersion: VersionTLS13,
7047 VerifySignatureAlgorithms: []signatureAlgorithm{
7048 signatureECDSAWithP521AndSHA512,
7049 signatureRSAPKCS1WithSHA384,
7050 signatureRSAPSSWithSHA384,
7051 signatureECDSAWithSHA1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7052 },
7053 },
7054 flags: []string{
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7055 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7056 "-key-file", path.Join(*resourceDir, rsaKeyFile),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7057 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7058 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7059 })
7060
7061 testCases = append(testCases, testCase{
7062 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7063 name: "ServerAuth-SignatureType",
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7064 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7065 MaxVersion: VersionTLS12,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7066 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7067 VerifySignatureAlgorithms: []signatureAlgorithm{
7068 signatureECDSAWithP521AndSHA512,
7069 signatureRSAPKCS1WithSHA384,
7070 signatureECDSAWithSHA1,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7071 },
7072 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7073 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]7074 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7075
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7076 testCases = append(testCases, testCase{
7077 testType: serverTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7078 name: "ServerAuth-SignatureType-TLS13",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7079 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7080 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7081 VerifySignatureAlgorithms: []signatureAlgorithm{
7082 signatureECDSAWithP521AndSHA512,
7083 signatureRSAPKCS1WithSHA384,
7084 signatureRSAPSSWithSHA384,
7085 signatureECDSAWithSHA1,
7086 },
7087 },
7088 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
7089 })
7090
7091 // Test that signature verification takes the key type into account.
7092 testCases = append(testCases, testCase{
7093 testType: serverTest,
7094 name: "Verify-ClientAuth-SignatureType",
7095 config: Config{
7096 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7097 Certificates: []Certificate{rsaCertificate},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7098 SignSignatureAlgorithms: []signatureAlgorithm{
7099 signatureRSAPKCS1WithSHA256,
7100 },
7101 Bugs: ProtocolBugs{
7102 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7103 },
7104 },
7105 flags: []string{
7106 "-require-any-client-certificate",
7107 },
7108 shouldFail: true,
7109 expectedError: ":WRONG_SIGNATURE_TYPE:",
7110 })
7111
7112 testCases = append(testCases, testCase{
7113 testType: serverTest,
7114 name: "Verify-ClientAuth-SignatureType-TLS13",
7115 config: Config{
7116 MaxVersion: VersionTLS13,
7117 Certificates: []Certificate{rsaCertificate},
7118 SignSignatureAlgorithms: []signatureAlgorithm{
7119 signatureRSAPSSWithSHA256,
7120 },
7121 Bugs: ProtocolBugs{
7122 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7123 },
7124 },
7125 flags: []string{
7126 "-require-any-client-certificate",
7127 },
7128 shouldFail: true,
7129 expectedError: ":WRONG_SIGNATURE_TYPE:",
7130 })
7131
7132 testCases = append(testCases, testCase{
7133 name: "Verify-ServerAuth-SignatureType",
7134 config: Config{
7135 MaxVersion: VersionTLS12,
7136 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7137 SignSignatureAlgorithms: []signatureAlgorithm{
7138 signatureRSAPKCS1WithSHA256,
7139 },
7140 Bugs: ProtocolBugs{
7141 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7142 },
7143 },
7144 shouldFail: true,
7145 expectedError: ":WRONG_SIGNATURE_TYPE:",
7146 })
7147
7148 testCases = append(testCases, testCase{
7149 name: "Verify-ServerAuth-SignatureType-TLS13",
7150 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7151 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7152 SignSignatureAlgorithms: []signatureAlgorithm{
7153 signatureRSAPSSWithSHA256,
7154 },
7155 Bugs: ProtocolBugs{
7156 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7157 },
7158 },
7159 shouldFail: true,
7160 expectedError: ":WRONG_SIGNATURE_TYPE:",
7161 })
7162
7163 // Test that, if the list is missing, the peer falls back to SHA-1 in
7164 // TLS 1.2, but not TLS 1.3.
7165 testCases = append(testCases, testCase{
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7166 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7167 config: Config{
7168 MaxVersion: VersionTLS12,
7169 ClientAuth: RequireAnyClientCert,
7170 VerifySignatureAlgorithms: []signatureAlgorithm{
7171 signatureRSAPKCS1WithSHA1,
7172 },
7173 Bugs: ProtocolBugs{
7174 NoSignatureAlgorithms: true,
7175 },
7176 },
7177 flags: []string{
7178 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7179 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7180 },
7181 })
7182
7183 testCases = append(testCases, testCase{
7184 testType: serverTest,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7185 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7186 config: Config{
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7187 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7188 VerifySignatureAlgorithms: []signatureAlgorithm{
7189 signatureRSAPKCS1WithSHA1,
7190 },
7191 Bugs: ProtocolBugs{
7192 NoSignatureAlgorithms: true,
7193 },
7194 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7195 flags: []string{
7196 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7197 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7198 },
7199 })
7200
7201 testCases = append(testCases, testCase{
7202 name: "ClientAuth-SHA1-Fallback-ECDSA",
7203 config: Config{
7204 MaxVersion: VersionTLS12,
7205 ClientAuth: RequireAnyClientCert,
7206 VerifySignatureAlgorithms: []signatureAlgorithm{
7207 signatureECDSAWithSHA1,
7208 },
7209 Bugs: ProtocolBugs{
7210 NoSignatureAlgorithms: true,
7211 },
7212 },
7213 flags: []string{
7214 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7215 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7216 },
7217 })
7218
7219 testCases = append(testCases, testCase{
7220 testType: serverTest,
7221 name: "ServerAuth-SHA1-Fallback-ECDSA",
7222 config: Config{
7223 MaxVersion: VersionTLS12,
7224 VerifySignatureAlgorithms: []signatureAlgorithm{
7225 signatureECDSAWithSHA1,
7226 },
7227 Bugs: ProtocolBugs{
7228 NoSignatureAlgorithms: true,
7229 },
7230 },
7231 flags: []string{
7232 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7233 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7234 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7235 })
7236
7237 testCases = append(testCases, testCase{
7238 name: "ClientAuth-NoFallback-TLS13",
7239 config: Config{
7240 MaxVersion: VersionTLS13,
7241 ClientAuth: RequireAnyClientCert,
7242 VerifySignatureAlgorithms: []signatureAlgorithm{
7243 signatureRSAPKCS1WithSHA1,
7244 },
7245 Bugs: ProtocolBugs{
7246 NoSignatureAlgorithms: true,
7247 },
7248 },
7249 flags: []string{
7250 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7251 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7252 },
7253 shouldFail: true,
7254 // An empty CertificateRequest signature algorithm list is a
7255 // syntax error in TLS 1.3.
7256 expectedError: ":DECODE_ERROR:",
7257 expectedLocalError: "remote error: error decoding message",
7258 })
7259
7260 testCases = append(testCases, testCase{
7261 testType: serverTest,
7262 name: "ServerAuth-NoFallback-TLS13",
7263 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7264 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7265 VerifySignatureAlgorithms: []signatureAlgorithm{
7266 signatureRSAPKCS1WithSHA1,
7267 },
7268 Bugs: ProtocolBugs{
7269 NoSignatureAlgorithms: true,
7270 },
7271 },
7272 shouldFail: true,
7273 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7274 })
7275
7276 // Test that hash preferences are enforced. BoringSSL does not implement
7277 // MD5 signatures.
7278 testCases = append(testCases, testCase{
7279 testType: serverTest,
7280 name: "ClientAuth-Enforced",
7281 config: Config{
7282 MaxVersion: VersionTLS12,
7283 Certificates: []Certificate{rsaCertificate},
7284 SignSignatureAlgorithms: []signatureAlgorithm{
7285 signatureRSAPKCS1WithMD5,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7286 },
7287 Bugs: ProtocolBugs{
7288 IgnorePeerSignatureAlgorithmPreferences: true,
7289 },
7290 },
7291 flags: []string{"-require-any-client-certificate"},
7292 shouldFail: true,
7293 expectedError: ":WRONG_SIGNATURE_TYPE:",
7294 })
7295
7296 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7297 name: "ServerAuth-Enforced",
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7298 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7299 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7300 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7301 SignSignatureAlgorithms: []signatureAlgorithm{
7302 signatureRSAPKCS1WithMD5,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7303 },
7304 Bugs: ProtocolBugs{
7305 IgnorePeerSignatureAlgorithmPreferences: true,
7306 },
7307 },
7308 shouldFail: true,
7309 expectedError: ":WRONG_SIGNATURE_TYPE:",
7310 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7311 testCases = append(testCases, testCase{
7312 testType: serverTest,
7313 name: "ClientAuth-Enforced-TLS13",
7314 config: Config{
7315 MaxVersion: VersionTLS13,
7316 Certificates: []Certificate{rsaCertificate},
7317 SignSignatureAlgorithms: []signatureAlgorithm{
7318 signatureRSAPKCS1WithMD5,
7319 },
7320 Bugs: ProtocolBugs{
7321 IgnorePeerSignatureAlgorithmPreferences: true,
7322 IgnoreSignatureVersionChecks: true,
7323 },
7324 },
7325 flags: []string{"-require-any-client-certificate"},
7326 shouldFail: true,
7327 expectedError: ":WRONG_SIGNATURE_TYPE:",
7328 })
7329
7330 testCases = append(testCases, testCase{
7331 name: "ServerAuth-Enforced-TLS13",
7332 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7333 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7334 SignSignatureAlgorithms: []signatureAlgorithm{
7335 signatureRSAPKCS1WithMD5,
7336 },
7337 Bugs: ProtocolBugs{
7338 IgnorePeerSignatureAlgorithmPreferences: true,
7339 IgnoreSignatureVersionChecks: true,
7340 },
7341 },
7342 shouldFail: true,
7343 expectedError: ":WRONG_SIGNATURE_TYPE:",
7344 })
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7345
7346 // Test that the agreed upon digest respects the client preferences and
7347 // the server digests.
7348 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7349 name: "NoCommonAlgorithms-Digests",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7350 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7351 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7352 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7353 VerifySignatureAlgorithms: []signatureAlgorithm{
7354 signatureRSAPKCS1WithSHA512,
7355 signatureRSAPKCS1WithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7356 },
7357 },
7358 flags: []string{
7359 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7360 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7361 "-digest-prefs", "SHA256",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7362 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7363 shouldFail: true,
7364 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7365 })
7366 testCases = append(testCases, testCase{
7367 name: "NoCommonAlgorithms",
7368 config: Config{
7369 MaxVersion: VersionTLS12,
7370 ClientAuth: RequireAnyClientCert,
7371 VerifySignatureAlgorithms: []signatureAlgorithm{
7372 signatureRSAPKCS1WithSHA512,
7373 signatureRSAPKCS1WithSHA1,
7374 },
7375 },
7376 flags: []string{
7377 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7378 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7379 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7380 },
7381 shouldFail: true,
7382 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7383 })
7384 testCases = append(testCases, testCase{
7385 name: "NoCommonAlgorithms-TLS13",
7386 config: Config{
7387 MaxVersion: VersionTLS13,
7388 ClientAuth: RequireAnyClientCert,
7389 VerifySignatureAlgorithms: []signatureAlgorithm{
7390 signatureRSAPSSWithSHA512,
7391 signatureRSAPSSWithSHA384,
7392 },
7393 },
7394 flags: []string{
7395 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7396 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7397 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7398 },
7399 shouldFail: true,
7400 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7401 })
7402 testCases = append(testCases, testCase{
7403 name: "Agree-Digest-SHA256",
7404 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7405 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7406 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7407 VerifySignatureAlgorithms: []signatureAlgorithm{
7408 signatureRSAPKCS1WithSHA1,
7409 signatureRSAPKCS1WithSHA256,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7410 },
7411 },
7412 flags: []string{
7413 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7414 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7415 "-digest-prefs", "SHA256,SHA1",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7416 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7417 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7418 })
7419 testCases = append(testCases, testCase{
7420 name: "Agree-Digest-SHA1",
7421 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7422 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7423 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7424 VerifySignatureAlgorithms: []signatureAlgorithm{
7425 signatureRSAPKCS1WithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7426 },
7427 },
7428 flags: []string{
7429 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7430 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7431 "-digest-prefs", "SHA512,SHA256,SHA1",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7432 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7433 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7434 })
7435 testCases = append(testCases, testCase{
7436 name: "Agree-Digest-Default",
7437 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7438 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7439 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7440 VerifySignatureAlgorithms: []signatureAlgorithm{
7441 signatureRSAPKCS1WithSHA256,
7442 signatureECDSAWithP256AndSHA256,
7443 signatureRSAPKCS1WithSHA1,
7444 signatureECDSAWithSHA1,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7445 },
7446 },
7447 flags: []string{
7448 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7449 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7450 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7451 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7452 })
7453
7454 // Test that the signing preference list may include extra algorithms
7455 // without negotiation problems.
7456 testCases = append(testCases, testCase{
7457 testType: serverTest,
7458 name: "FilterExtraAlgorithms",
7459 config: Config{
7460 MaxVersion: VersionTLS12,
7461 VerifySignatureAlgorithms: []signatureAlgorithm{
7462 signatureRSAPKCS1WithSHA256,
7463 },
7464 },
7465 flags: []string{
7466 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7467 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7468 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7469 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7470 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7471 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7472 },
7473 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7474 })
7475
7476 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7477 // signature algorithms.
7478 testCases = append(testCases, testCase{
7479 name: "CheckLeafCurve",
7480 config: Config{
7481 MaxVersion: VersionTLS12,
7482 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7483 Certificates: []Certificate{ecdsaP256Certificate},
7484 },
7485 flags: []string{"-p384-only"},
7486 shouldFail: true,
7487 expectedError: ":BAD_ECC_CERT:",
7488 })
7489
7490 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7491 testCases = append(testCases, testCase{
7492 name: "CheckLeafCurve-TLS13",
7493 config: Config{
7494 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7495 Certificates: []Certificate{ecdsaP256Certificate},
7496 },
7497 flags: []string{"-p384-only"},
7498 })
7499
7500 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7501 testCases = append(testCases, testCase{
7502 name: "ECDSACurveMismatch-Verify-TLS12",
7503 config: Config{
7504 MaxVersion: VersionTLS12,
7505 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7506 Certificates: []Certificate{ecdsaP256Certificate},
7507 SignSignatureAlgorithms: []signatureAlgorithm{
7508 signatureECDSAWithP384AndSHA384,
7509 },
7510 },
7511 })
7512
7513 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7514 testCases = append(testCases, testCase{
7515 name: "ECDSACurveMismatch-Verify-TLS13",
7516 config: Config{
7517 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7518 Certificates: []Certificate{ecdsaP256Certificate},
7519 SignSignatureAlgorithms: []signatureAlgorithm{
7520 signatureECDSAWithP384AndSHA384,
7521 },
7522 Bugs: ProtocolBugs{
7523 SkipECDSACurveCheck: true,
7524 },
7525 },
7526 shouldFail: true,
7527 expectedError: ":WRONG_SIGNATURE_TYPE:",
7528 })
7529
7530 // Signature algorithm selection in TLS 1.3 should take the curve into
7531 // account.
7532 testCases = append(testCases, testCase{
7533 testType: serverTest,
7534 name: "ECDSACurveMismatch-Sign-TLS13",
7535 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]7536 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7537 VerifySignatureAlgorithms: []signatureAlgorithm{
7538 signatureECDSAWithP384AndSHA384,
7539 signatureECDSAWithP256AndSHA256,
7540 },
7541 },
7542 flags: []string{
7543 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7544 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7545 },
7546 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7547 })
7548
7549 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7550 // server does not attempt to sign in that case.
7551 testCases = append(testCases, testCase{
7552 testType: serverTest,
7553 name: "RSA-PSS-Large",
7554 config: Config{
7555 MaxVersion: VersionTLS13,
7556 VerifySignatureAlgorithms: []signatureAlgorithm{
7557 signatureRSAPSSWithSHA512,
7558 },
7559 },
7560 flags: []string{
7561 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7562 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7563 },
7564 shouldFail: true,
7565 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]7566 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]7567
7568 // Test that RSA-PSS is enabled by default for TLS 1.2.
7569 testCases = append(testCases, testCase{
7570 testType: clientTest,
7571 name: "RSA-PSS-Default-Verify",
7572 config: Config{
7573 MaxVersion: VersionTLS12,
7574 SignSignatureAlgorithms: []signatureAlgorithm{
7575 signatureRSAPSSWithSHA256,
7576 },
7577 },
7578 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7579 })
7580
7581 testCases = append(testCases, testCase{
7582 testType: serverTest,
7583 name: "RSA-PSS-Default-Sign",
7584 config: Config{
7585 MaxVersion: VersionTLS12,
7586 VerifySignatureAlgorithms: []signatureAlgorithm{
7587 signatureRSAPSSWithSHA256,
7588 },
7589 },
7590 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7591 })
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]7592
7593 // TLS 1.1 and below has no way to advertise support for or negotiate
7594 // Ed25519's signature algorithm.
7595 testCases = append(testCases, testCase{
7596 testType: clientTest,
7597 name: "NoEd25519-TLS11-ServerAuth-Verify",
7598 config: Config{
7599 MaxVersion: VersionTLS11,
7600 Certificates: []Certificate{ed25519Certificate},
7601 Bugs: ProtocolBugs{
7602 // Sign with Ed25519 even though it is TLS 1.1.
7603 UseLegacySigningAlgorithm: signatureEd25519,
7604 },
7605 },
7606 flags: []string{"-enable-ed25519"},
7607 shouldFail: true,
7608 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7609 })
7610 testCases = append(testCases, testCase{
7611 testType: serverTest,
7612 name: "NoEd25519-TLS11-ServerAuth-Sign",
7613 config: Config{
7614 MaxVersion: VersionTLS11,
7615 },
7616 flags: []string{
7617 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7618 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7619 },
7620 shouldFail: true,
7621 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7622 })
7623 testCases = append(testCases, testCase{
7624 testType: serverTest,
7625 name: "NoEd25519-TLS11-ClientAuth-Verify",
7626 config: Config{
7627 MaxVersion: VersionTLS11,
7628 Certificates: []Certificate{ed25519Certificate},
7629 Bugs: ProtocolBugs{
7630 // Sign with Ed25519 even though it is TLS 1.1.
7631 UseLegacySigningAlgorithm: signatureEd25519,
7632 },
7633 },
7634 flags: []string{
7635 "-enable-ed25519",
7636 "-require-any-client-certificate",
7637 },
7638 shouldFail: true,
7639 expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
7640 })
7641 testCases = append(testCases, testCase{
7642 testType: clientTest,
7643 name: "NoEd25519-TLS11-ClientAuth-Sign",
7644 config: Config{
7645 MaxVersion: VersionTLS11,
7646 ClientAuth: RequireAnyClientCert,
7647 },
7648 flags: []string{
7649 "-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
7650 "-key-file", path.Join(*resourceDir, ed25519KeyFile),
7651 },
7652 shouldFail: true,
7653 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7654 })
7655
7656 // Test Ed25519 is not advertised by default.
7657 testCases = append(testCases, testCase{
7658 testType: clientTest,
7659 name: "Ed25519DefaultDisable-NoAdvertise",
7660 config: Config{
7661 Certificates: []Certificate{ed25519Certificate},
7662 },
7663 shouldFail: true,
7664 expectedLocalError: "tls: no common signature algorithms",
7665 })
7666
7667 // Test Ed25519, when disabled, is not accepted if the peer ignores our
7668 // preferences.
7669 testCases = append(testCases, testCase{
7670 testType: clientTest,
7671 name: "Ed25519DefaultDisable-NoAccept",
7672 config: Config{
7673 Certificates: []Certificate{ed25519Certificate},
7674 Bugs: ProtocolBugs{
7675 IgnorePeerSignatureAlgorithmPreferences: true,
7676 },
7677 },
7678 shouldFail: true,
7679 expectedLocalError: "remote error: illegal parameter",
7680 expectedError: ":WRONG_SIGNATURE_TYPE:",
7681 })
7682
7683 // Test that configuring verify preferences changes what the client
7684 // advertises.
7685 testCases = append(testCases, testCase{
7686 name: "VerifyPreferences-Advertised",
7687 config: Config{
7688 Certificates: []Certificate{rsaCertificate},
7689 SignSignatureAlgorithms: []signatureAlgorithm{
7690 signatureRSAPSSWithSHA256,
7691 signatureRSAPSSWithSHA384,
7692 signatureRSAPSSWithSHA512,
7693 },
7694 },
7695 flags: []string{
7696 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7697 "-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7698 },
7699 })
7700
7701 // Test that the client advertises a set which the runner can find
7702 // nothing in common with.
7703 testCases = append(testCases, testCase{
7704 name: "VerifyPreferences-NoCommonAlgorithms",
7705 config: Config{
7706 Certificates: []Certificate{rsaCertificate},
7707 SignSignatureAlgorithms: []signatureAlgorithm{
7708 signatureRSAPSSWithSHA256,
7709 signatureRSAPSSWithSHA512,
7710 },
7711 },
7712 flags: []string{
7713 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7714 },
7715 shouldFail: true,
7716 expectedLocalError: "tls: no common signature algorithms",
7717 })
7718
7719 // Test that the client enforces its preferences when configured.
7720 testCases = append(testCases, testCase{
7721 name: "VerifyPreferences-Enforced",
7722 config: Config{
7723 Certificates: []Certificate{rsaCertificate},
7724 SignSignatureAlgorithms: []signatureAlgorithm{
7725 signatureRSAPSSWithSHA256,
7726 signatureRSAPSSWithSHA512,
7727 },
7728 Bugs: ProtocolBugs{
7729 IgnorePeerSignatureAlgorithmPreferences: true,
7730 },
7731 },
7732 flags: []string{
7733 "-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
7734 },
7735 shouldFail: true,
7736 expectedLocalError: "remote error: illegal parameter",
7737 expectedError: ":WRONG_SIGNATURE_TYPE:",
7738 })
7739
7740 // Test that explicitly configuring Ed25519 is as good as changing the
7741 // boolean toggle.
7742 testCases = append(testCases, testCase{
7743 name: "VerifyPreferences-Ed25519",
7744 config: Config{
7745 Certificates: []Certificate{ed25519Certificate},
7746 },
7747 flags: []string{
7748 "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
7749 },
7750 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7751}
7752
7753// timeouts is the retransmit schedule for BoringSSL. It doubles and
7754// caps at 60 seconds. On the 13th timeout, it gives up.
7755var timeouts = []time.Duration{
7756 1 * time.Second,
7757 2 * time.Second,
7758 4 * time.Second,
7759 8 * time.Second,
7760 16 * time.Second,
7761 32 * time.Second,
7762 60 * time.Second,
7763 60 * time.Second,
7764 60 * time.Second,
7765 60 * time.Second,
7766 60 * time.Second,
7767 60 * time.Second,
7768 60 * time.Second,
7769}
7770
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]7771// shortTimeouts is an alternate set of timeouts which would occur if the
7772// initial timeout duration was set to 250ms.
7773var shortTimeouts = []time.Duration{
7774 250 * time.Millisecond,
7775 500 * time.Millisecond,
7776 1 * time.Second,
7777 2 * time.Second,
7778 4 * time.Second,
7779 8 * time.Second,
7780 16 * time.Second,
7781 32 * time.Second,
7782 60 * time.Second,
7783 60 * time.Second,
7784 60 * time.Second,
7785 60 * time.Second,
7786 60 * time.Second,
7787}
7788
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7789func addDTLSRetransmitTests() {
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]7790 // These tests work by coordinating some behavior on both the shim and
7791 // the runner.
7792 //
7793 // TimeoutSchedule configures the runner to send a series of timeout
7794 // opcodes to the shim (see packetAdaptor) immediately before reading
7795 // each peer handshake flight N. The timeout opcode both simulates a
7796 // timeout in the shim and acts as a synchronization point to help the
7797 // runner bracket each handshake flight.
7798 //
7799 // We assume the shim does not read from the channel eagerly. It must
7800 // first wait until it has sent flight N and is ready to receive
7801 // handshake flight N+1. At this point, it will process the timeout
7802 // opcode. It must then immediately respond with a timeout ACK and act
7803 // as if the shim was idle for the specified amount of time.
7804 //
7805 // The runner then drops all packets received before the ACK and
7806 // continues waiting for flight N. This ordering results in one attempt
7807 // at sending flight N to be dropped. For the test to complete, the
7808 // shim must send flight N again, testing that the shim implements DTLS
7809 // retransmit on a timeout.
7810
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7811 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
7812 // likely be more epochs to cross and the final message's retransmit may
7813 // be more complex.
7814
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7815 // Test that this is indeed the timeout schedule. Stress all
7816 // four patterns of handshake.
7817 for i := 1; i < len(timeouts); i++ {
7818 number := strconv.Itoa(i)
7819 testCases = append(testCases, testCase{
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7820 protocol: dtls,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7821 name: "DTLS-Retransmit-Client-" + number,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7822 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7823 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7824 Bugs: ProtocolBugs{
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7825 TimeoutSchedule: timeouts[:i],
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7826 },
7827 },
7828 resumeSession: true,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7829 flags: []string{"-async"},
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7830 })
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7831 testCases = append(testCases, testCase{
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7832 protocol: dtls,
7833 testType: serverTest,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7834 name: "DTLS-Retransmit-Server-" + number,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7835 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]7836 MaxVersion: VersionTLS12,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7837 Bugs: ProtocolBugs{
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7838 TimeoutSchedule: timeouts[:i],
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7839 },
7840 },
7841 resumeSession: true,
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7842 flags: []string{"-async"},
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7843 })
7844 }
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]7845
7846 // Test that exceeding the timeout schedule hits a read
7847 // timeout.
7848 testCases = append(testCases, testCase{
7849 protocol: dtls,
7850 name: "DTLS-Retransmit-Timeout",
7851 config: Config{
7852 MaxVersion: VersionTLS12,
7853 Bugs: ProtocolBugs{
7854 TimeoutSchedule: timeouts,
7855 },
7856 },
7857 resumeSession: true,
7858 flags: []string{"-async"},
7859 shouldFail: true,
7860 expectedError: ":READ_TIMEOUT_EXPIRED:",
7861 })
7862
7863 // Test that timeout handling has a fudge factor, due to API
7864 // problems.
7865 testCases = append(testCases, testCase{
7866 protocol: dtls,
7867 name: "DTLS-Retransmit-Fudge",
7868 config: Config{
7869 MaxVersion: VersionTLS12,
7870 Bugs: ProtocolBugs{
7871 TimeoutSchedule: []time.Duration{
7872 timeouts[0] - 10*time.Millisecond,
7873 },
7874 },
7875 },
7876 resumeSession: true,
7877 flags: []string{"-async"},
7878 })
7879
7880 // Test that the final Finished retransmitting isn't
7881 // duplicated if the peer badly fragments everything.
7882 testCases = append(testCases, testCase{
7883 testType: serverTest,
7884 protocol: dtls,
7885 name: "DTLS-Retransmit-Fragmented",
7886 config: Config{
7887 MaxVersion: VersionTLS12,
7888 Bugs: ProtocolBugs{
7889 TimeoutSchedule: []time.Duration{timeouts[0]},
7890 MaxHandshakeRecordLength: 2,
7891 },
7892 },
7893 flags: []string{"-async"},
7894 })
7895
7896 // Test the timeout schedule when a shorter initial timeout duration is set.
7897 testCases = append(testCases, testCase{
7898 protocol: dtls,
7899 name: "DTLS-Retransmit-Short-Client",
7900 config: Config{
7901 MaxVersion: VersionTLS12,
7902 Bugs: ProtocolBugs{
7903 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7904 },
7905 },
7906 resumeSession: true,
7907 flags: []string{
7908 "-async",
7909 "-initial-timeout-duration-ms", "250",
7910 },
7911 })
7912 testCases = append(testCases, testCase{
7913 protocol: dtls,
7914 testType: serverTest,
7915 name: "DTLS-Retransmit-Short-Server",
7916 config: Config{
7917 MaxVersion: VersionTLS12,
7918 Bugs: ProtocolBugs{
7919 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7920 },
7921 },
7922 resumeSession: true,
7923 flags: []string{
7924 "-async",
7925 "-initial-timeout-duration-ms", "250",
7926 },
7927 })
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7928}
7929
7930func addExportKeyingMaterialTests() {
7931 for _, vers := range tlsVersions {
7932 if vers.version == VersionSSL30 {
7933 continue
7934 }
7935 testCases = append(testCases, testCase{
7936 name: "ExportKeyingMaterial-" + vers.name,
7937 config: Config{
7938 MaxVersion: vers.version,
7939 },
7940 exportKeyingMaterial: 1024,
7941 exportLabel: "label",
7942 exportContext: "context",
7943 useExportContext: true,
7944 })
7945 testCases = append(testCases, testCase{
7946 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7947 config: Config{
7948 MaxVersion: vers.version,
7949 },
7950 exportKeyingMaterial: 1024,
7951 })
7952 testCases = append(testCases, testCase{
7953 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7954 config: Config{
7955 MaxVersion: vers.version,
7956 },
7957 exportKeyingMaterial: 1024,
7958 useExportContext: true,
7959 })
7960 testCases = append(testCases, testCase{
7961 name: "ExportKeyingMaterial-Small-" + vers.name,
7962 config: Config{
7963 MaxVersion: vers.version,
7964 },
7965 exportKeyingMaterial: 1,
7966 exportLabel: "label",
7967 exportContext: "context",
7968 useExportContext: true,
7969 })
7970 }
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7971
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]7972 testCases = append(testCases, testCase{
7973 name: "ExportKeyingMaterial-SSL3",
7974 config: Config{
7975 MaxVersion: VersionSSL30,
7976 },
7977 exportKeyingMaterial: 1024,
7978 exportLabel: "label",
7979 exportContext: "context",
7980 useExportContext: true,
7981 shouldFail: true,
7982 expectedError: "failed to export keying material",
7983 })
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]7984
7985 // Exporters work during a False Start.
7986 testCases = append(testCases, testCase{
7987 name: "ExportKeyingMaterial-FalseStart",
7988 config: Config{
7989 MaxVersion: VersionTLS12,
7990 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7991 NextProtos: []string{"foo"},
7992 Bugs: ProtocolBugs{
7993 ExpectFalseStart: true,
7994 },
7995 },
7996 flags: []string{
7997 "-false-start",
7998 "-advertise-alpn", "\x03foo",
7999 },
8000 shimWritesFirst: true,
8001 exportKeyingMaterial: 1024,
8002 exportLabel: "label",
8003 exportContext: "context",
8004 useExportContext: true,
8005 })
8006
8007 // Exporters do not work in the middle of a renegotiation. Test this by
8008 // triggering the exporter after every SSL_read call and configuring the
8009 // shim to run asynchronously.
8010 testCases = append(testCases, testCase{
8011 name: "ExportKeyingMaterial-Renegotiate",
8012 config: Config{
8013 MaxVersion: VersionTLS12,
8014 },
8015 renegotiate: 1,
8016 flags: []string{
8017 "-async",
8018 "-use-exporter-between-reads",
8019 "-renegotiate-freely",
8020 "-expect-total-renegotiations", "1",
8021 },
8022 shouldFail: true,
8023 expectedError: "failed to export keying material",
8024 })
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]8025}
8026
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8027func addTLSUniqueTests() {
8028 for _, isClient := range []bool{false, true} {
8029 for _, isResumption := range []bool{false, true} {
8030 for _, hasEMS := range []bool{false, true} {
8031 var suffix string
8032 if isResumption {
8033 suffix = "Resume-"
8034 } else {
8035 suffix = "Full-"
8036 }
8037
8038 if hasEMS {
8039 suffix += "EMS-"
8040 } else {
8041 suffix += "NoEMS-"
8042 }
8043
8044 if isClient {
8045 suffix += "Client"
8046 } else {
8047 suffix += "Server"
8048 }
8049
8050 test := testCase{
8051 name: "TLSUnique-" + suffix,
8052 testTLSUnique: true,
8053 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8054 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8055 Bugs: ProtocolBugs{
8056 NoExtendedMasterSecret: !hasEMS,
8057 },
8058 },
8059 }
8060
8061 if isResumption {
8062 test.resumeSession = true
8063 test.resumeConfig = &Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8064 MaxVersion: VersionTLS12,
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]8065 Bugs: ProtocolBugs{
8066 NoExtendedMasterSecret: !hasEMS,
8067 },
8068 }
8069 }
8070
8071 if isResumption && !hasEMS {
8072 test.shouldFail = true
8073 test.expectedError = "failed to get tls-unique"
8074 }
8075
8076 testCases = append(testCases, test)
8077 }
8078 }
8079 }
8080}
8081
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8082func addCustomExtensionTests() {
8083 expectedContents := "custom extension"
8084 emptyString := ""
8085
8086 for _, isClient := range []bool{false, true} {
8087 suffix := "Server"
8088 flag := "-enable-server-custom-extension"
8089 testType := serverTest
8090 if isClient {
8091 suffix = "Client"
8092 flag = "-enable-client-custom-extension"
8093 testType = clientTest
8094 }
8095
8096 testCases = append(testCases, testCase{
8097 testType: testType,
8098 name: "CustomExtensions-" + suffix,
8099 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8100 MaxVersion: VersionTLS12,
8101 Bugs: ProtocolBugs{
8102 CustomExtension: expectedContents,
8103 ExpectedCustomExtension: &expectedContents,
8104 },
8105 },
8106 flags: []string{flag},
8107 })
8108 testCases = append(testCases, testCase{
8109 testType: testType,
8110 name: "CustomExtensions-" + suffix + "-TLS13",
8111 config: Config{
8112 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8113 Bugs: ProtocolBugs{
8114 CustomExtension: expectedContents,
8115 ExpectedCustomExtension: &expectedContents,
8116 },
8117 },
8118 flags: []string{flag},
8119 })
8120
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8121 // 0-RTT is not currently supported with Custom Extensions.
8122 testCases = append(testCases, testCase{
8123 testType: testType,
8124 name: "CustomExtensions-" + suffix + "-EarlyData",
8125 config: Config{
8126 MaxVersion: VersionTLS13,
8127 Bugs: ProtocolBugs{
8128 CustomExtension: expectedContents,
8129 ExpectedCustomExtension: &expectedContents,
8130 },
8131 },
8132 shouldFail: true,
8133 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8134 flags: []string{flag, "-enable-early-data"},
8135 })
8136
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8137 // If the parse callback fails, the handshake should also fail.
8138 testCases = append(testCases, testCase{
8139 testType: testType,
8140 name: "CustomExtensions-ParseError-" + suffix,
8141 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8142 MaxVersion: VersionTLS12,
8143 Bugs: ProtocolBugs{
8144 CustomExtension: expectedContents + "foo",
8145 ExpectedCustomExtension: &expectedContents,
8146 },
8147 },
8148 flags: []string{flag},
8149 shouldFail: true,
8150 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8151 })
8152 testCases = append(testCases, testCase{
8153 testType: testType,
8154 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
8155 config: Config{
8156 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8157 Bugs: ProtocolBugs{
8158 CustomExtension: expectedContents + "foo",
8159 ExpectedCustomExtension: &expectedContents,
8160 },
8161 },
8162 flags: []string{flag},
8163 shouldFail: true,
8164 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8165 })
8166
8167 // If the add callback fails, the handshake should also fail.
8168 testCases = append(testCases, testCase{
8169 testType: testType,
8170 name: "CustomExtensions-FailAdd-" + suffix,
8171 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8172 MaxVersion: VersionTLS12,
8173 Bugs: ProtocolBugs{
8174 CustomExtension: expectedContents,
8175 ExpectedCustomExtension: &expectedContents,
8176 },
8177 },
8178 flags: []string{flag, "-custom-extension-fail-add"},
8179 shouldFail: true,
8180 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8181 })
8182 testCases = append(testCases, testCase{
8183 testType: testType,
8184 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
8185 config: Config{
8186 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8187 Bugs: ProtocolBugs{
8188 CustomExtension: expectedContents,
8189 ExpectedCustomExtension: &expectedContents,
8190 },
8191 },
8192 flags: []string{flag, "-custom-extension-fail-add"},
8193 shouldFail: true,
8194 expectedError: ":CUSTOM_EXTENSION_ERROR:",
8195 })
8196
8197 // If the add callback returns zero, no extension should be
8198 // added.
8199 skipCustomExtension := expectedContents
8200 if isClient {
8201 // For the case where the client skips sending the
8202 // custom extension, the server must not “echo” it.
8203 skipCustomExtension = ""
8204 }
8205 testCases = append(testCases, testCase{
8206 testType: testType,
8207 name: "CustomExtensions-Skip-" + suffix,
8208 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8209 MaxVersion: VersionTLS12,
8210 Bugs: ProtocolBugs{
8211 CustomExtension: skipCustomExtension,
8212 ExpectedCustomExtension: &emptyString,
8213 },
8214 },
8215 flags: []string{flag, "-custom-extension-skip"},
8216 })
8217 testCases = append(testCases, testCase{
8218 testType: testType,
8219 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
8220 config: Config{
8221 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8222 Bugs: ProtocolBugs{
8223 CustomExtension: skipCustomExtension,
8224 ExpectedCustomExtension: &emptyString,
8225 },
8226 },
8227 flags: []string{flag, "-custom-extension-skip"},
8228 })
8229 }
8230
8231 // The custom extension add callback should not be called if the client
8232 // doesn't send the extension.
8233 testCases = append(testCases, testCase{
8234 testType: serverTest,
8235 name: "CustomExtensions-NotCalled-Server",
8236 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8237 MaxVersion: VersionTLS12,
8238 Bugs: ProtocolBugs{
8239 ExpectedCustomExtension: &emptyString,
8240 },
8241 },
8242 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8243 })
8244
8245 testCases = append(testCases, testCase{
8246 testType: serverTest,
8247 name: "CustomExtensions-NotCalled-Server-TLS13",
8248 config: Config{
8249 MaxVersion: VersionTLS13,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8250 Bugs: ProtocolBugs{
8251 ExpectedCustomExtension: &emptyString,
8252 },
8253 },
8254 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
8255 })
8256
8257 // Test an unknown extension from the server.
8258 testCases = append(testCases, testCase{
8259 testType: clientTest,
8260 name: "UnknownExtension-Client",
8261 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8262 MaxVersion: VersionTLS12,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8263 Bugs: ProtocolBugs{
8264 CustomExtension: expectedContents,
8265 },
8266 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8267 shouldFail: true,
8268 expectedError: ":UNEXPECTED_EXTENSION:",
8269 expectedLocalError: "remote error: unsupported extension",
8270 })
8271 testCases = append(testCases, testCase{
8272 testType: clientTest,
8273 name: "UnknownExtension-Client-TLS13",
8274 config: Config{
8275 MaxVersion: VersionTLS13,
8276 Bugs: ProtocolBugs{
8277 CustomExtension: expectedContents,
8278 },
8279 },
8280 shouldFail: true,
8281 expectedError: ":UNEXPECTED_EXTENSION:",
8282 expectedLocalError: "remote error: unsupported extension",
8283 })
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]8284 testCases = append(testCases, testCase{
8285 testType: clientTest,
8286 name: "UnknownUnencryptedExtension-Client-TLS13",
8287 config: Config{
8288 MaxVersion: VersionTLS13,
8289 Bugs: ProtocolBugs{
8290 CustomUnencryptedExtension: expectedContents,
8291 },
8292 },
8293 shouldFail: true,
8294 expectedError: ":UNEXPECTED_EXTENSION:",
8295 // The shim must send an alert, but alerts at this point do not
8296 // get successfully decrypted by the runner.
8297 expectedLocalError: "local error: bad record MAC",
8298 })
8299 testCases = append(testCases, testCase{
8300 testType: clientTest,
8301 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8302 config: Config{
8303 MaxVersion: VersionTLS13,
8304 Bugs: ProtocolBugs{
8305 SendUnencryptedALPN: "foo",
8306 },
8307 },
8308 flags: []string{
8309 "-advertise-alpn", "\x03foo\x03bar",
8310 },
8311 shouldFail: true,
8312 expectedError: ":UNEXPECTED_EXTENSION:",
8313 // The shim must send an alert, but alerts at this point do not
8314 // get successfully decrypted by the runner.
8315 expectedLocalError: "local error: bad record MAC",
8316 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8317
8318 // Test a known but unoffered extension from the server.
8319 testCases = append(testCases, testCase{
8320 testType: clientTest,
8321 name: "UnofferedExtension-Client",
8322 config: Config{
8323 MaxVersion: VersionTLS12,
8324 Bugs: ProtocolBugs{
8325 SendALPN: "alpn",
8326 },
8327 },
8328 shouldFail: true,
8329 expectedError: ":UNEXPECTED_EXTENSION:",
8330 expectedLocalError: "remote error: unsupported extension",
8331 })
8332 testCases = append(testCases, testCase{
8333 testType: clientTest,
8334 name: "UnofferedExtension-Client-TLS13",
8335 config: Config{
8336 MaxVersion: VersionTLS13,
8337 Bugs: ProtocolBugs{
8338 SendALPN: "alpn",
8339 },
8340 },
8341 shouldFail: true,
8342 expectedError: ":UNEXPECTED_EXTENSION:",
8343 expectedLocalError: "remote error: unsupported extension",
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]8344 })
8345}
8346
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8347func addRSAClientKeyExchangeTests() {
8348 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8349 testCases = append(testCases, testCase{
8350 testType: serverTest,
8351 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8352 config: Config{
8353 // Ensure the ClientHello version and final
8354 // version are different, to detect if the
8355 // server uses the wrong one.
8356 MaxVersion: VersionTLS11,
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8357 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8358 Bugs: ProtocolBugs{
8359 BadRSAClientKeyExchange: bad,
8360 },
8361 },
8362 shouldFail: true,
8363 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8364 })
8365 }
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]8366
8367 // The server must compare whatever was in ClientHello.version for the
8368 // RSA premaster.
8369 testCases = append(testCases, testCase{
8370 testType: serverTest,
8371 name: "SendClientVersion-RSA",
8372 config: Config{
8373 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8374 Bugs: ProtocolBugs{
8375 SendClientVersion: 0x1234,
8376 },
8377 },
8378 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8379 })
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8380}
8381
8382var testCurves = []struct {
8383 name string
8384 id CurveID
8385}{
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]8386 {"P-224", CurveP224},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8387 {"P-256", CurveP256},
8388 {"P-384", CurveP384},
8389 {"P-521", CurveP521},
8390 {"X25519", CurveX25519},
8391}
8392
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8393const bogusCurve = 0x1234
8394
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8395func addCurveTests() {
8396 for _, curve := range testCurves {
8397 testCases = append(testCases, testCase{
8398 name: "CurveTest-Client-" + curve.name,
8399 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8400 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8401 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8402 CurvePreferences: []CurveID{curve.id},
8403 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8404 flags: []string{
8405 "-enable-all-curves",
8406 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8407 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8408 expectedCurveID: curve.id,
8409 })
8410 testCases = append(testCases, testCase{
8411 name: "CurveTest-Client-" + curve.name + "-TLS13",
8412 config: Config{
8413 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8414 CurvePreferences: []CurveID{curve.id},
8415 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8416 flags: []string{
8417 "-enable-all-curves",
8418 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8419 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8420 expectedCurveID: curve.id,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8421 })
8422 testCases = append(testCases, testCase{
8423 testType: serverTest,
8424 name: "CurveTest-Server-" + curve.name,
8425 config: Config{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8426 MaxVersion: VersionTLS12,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8427 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8428 CurvePreferences: []CurveID{curve.id},
8429 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8430 flags: []string{
8431 "-enable-all-curves",
8432 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8433 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8434 expectedCurveID: curve.id,
8435 })
8436 testCases = append(testCases, testCase{
8437 testType: serverTest,
8438 name: "CurveTest-Server-" + curve.name + "-TLS13",
8439 config: Config{
8440 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8441 CurvePreferences: []CurveID{curve.id},
8442 },
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]8443 flags: []string{
8444 "-enable-all-curves",
8445 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8446 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8447 expectedCurveID: curve.id,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8448 })
8449 }
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]8450
8451 // The server must be tolerant to bogus curves.
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]8452 testCases = append(testCases, testCase{
8453 testType: serverTest,
8454 name: "UnknownCurve",
8455 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8456 MaxVersion: VersionTLS12,
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]8457 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8458 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8459 },
8460 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8461
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8462 // The server must be tolerant to bogus curves.
8463 testCases = append(testCases, testCase{
8464 testType: serverTest,
8465 name: "UnknownCurve-TLS13",
8466 config: Config{
8467 MaxVersion: VersionTLS13,
8468 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8469 },
8470 })
8471
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8472 // The server must not consider ECDHE ciphers when there are no
8473 // supported curves.
8474 testCases = append(testCases, testCase{
8475 testType: serverTest,
8476 name: "NoSupportedCurves",
8477 config: Config{
8478 MaxVersion: VersionTLS12,
8479 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8480 Bugs: ProtocolBugs{
8481 NoSupportedCurves: true,
8482 },
8483 },
8484 shouldFail: true,
8485 expectedError: ":NO_SHARED_CIPHER:",
8486 })
8487 testCases = append(testCases, testCase{
8488 testType: serverTest,
8489 name: "NoSupportedCurves-TLS13",
8490 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8491 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8492 Bugs: ProtocolBugs{
8493 NoSupportedCurves: true,
8494 },
8495 },
8496 shouldFail: true,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8497 expectedError: ":NO_SHARED_GROUP:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8498 })
8499
8500 // The server must fall back to another cipher when there are no
8501 // supported curves.
8502 testCases = append(testCases, testCase{
8503 testType: serverTest,
8504 name: "NoCommonCurves",
8505 config: Config{
8506 MaxVersion: VersionTLS12,
8507 CipherSuites: []uint16{
8508 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8509 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8510 },
8511 CurvePreferences: []CurveID{CurveP224},
8512 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8513 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8514 })
8515
8516 // The client must reject bogus curves and disabled curves.
8517 testCases = append(testCases, testCase{
8518 name: "BadECDHECurve",
8519 config: Config{
8520 MaxVersion: VersionTLS12,
8521 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8522 Bugs: ProtocolBugs{
8523 SendCurve: bogusCurve,
8524 },
8525 },
8526 shouldFail: true,
8527 expectedError: ":WRONG_CURVE:",
8528 })
8529 testCases = append(testCases, testCase{
8530 name: "BadECDHECurve-TLS13",
8531 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8532 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8533 Bugs: ProtocolBugs{
8534 SendCurve: bogusCurve,
8535 },
8536 },
8537 shouldFail: true,
8538 expectedError: ":WRONG_CURVE:",
8539 })
8540
8541 testCases = append(testCases, testCase{
8542 name: "UnsupportedCurve",
8543 config: Config{
8544 MaxVersion: VersionTLS12,
8545 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8546 CurvePreferences: []CurveID{CurveP256},
8547 Bugs: ProtocolBugs{
8548 IgnorePeerCurvePreferences: true,
8549 },
8550 },
8551 flags: []string{"-p384-only"},
8552 shouldFail: true,
8553 expectedError: ":WRONG_CURVE:",
8554 })
8555
8556 testCases = append(testCases, testCase{
8557 // TODO(davidben): Add a TLS 1.3 version where
8558 // HelloRetryRequest requests an unsupported curve.
8559 name: "UnsupportedCurve-ServerHello-TLS13",
8560 config: Config{
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8561 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8562 CurvePreferences: []CurveID{CurveP384},
8563 Bugs: ProtocolBugs{
8564 SendCurve: CurveP256,
8565 },
8566 },
8567 flags: []string{"-p384-only"},
8568 shouldFail: true,
8569 expectedError: ":WRONG_CURVE:",
8570 })
8571
8572 // Test invalid curve points.
8573 testCases = append(testCases, testCase{
8574 name: "InvalidECDHPoint-Client",
8575 config: Config{
8576 MaxVersion: VersionTLS12,
8577 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8578 CurvePreferences: []CurveID{CurveP256},
8579 Bugs: ProtocolBugs{
8580 InvalidECDHPoint: true,
8581 },
8582 },
8583 shouldFail: true,
8584 expectedError: ":INVALID_ENCODING:",
8585 })
8586 testCases = append(testCases, testCase{
8587 name: "InvalidECDHPoint-Client-TLS13",
8588 config: Config{
8589 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8590 CurvePreferences: []CurveID{CurveP256},
8591 Bugs: ProtocolBugs{
8592 InvalidECDHPoint: true,
8593 },
8594 },
8595 shouldFail: true,
8596 expectedError: ":INVALID_ENCODING:",
8597 })
8598 testCases = append(testCases, testCase{
8599 testType: serverTest,
8600 name: "InvalidECDHPoint-Server",
8601 config: Config{
8602 MaxVersion: VersionTLS12,
8603 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8604 CurvePreferences: []CurveID{CurveP256},
8605 Bugs: ProtocolBugs{
8606 InvalidECDHPoint: true,
8607 },
8608 },
8609 shouldFail: true,
8610 expectedError: ":INVALID_ENCODING:",
8611 })
8612 testCases = append(testCases, testCase{
8613 testType: serverTest,
8614 name: "InvalidECDHPoint-Server-TLS13",
8615 config: Config{
8616 MaxVersion: VersionTLS13,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8617 CurvePreferences: []CurveID{CurveP256},
8618 Bugs: ProtocolBugs{
8619 InvalidECDHPoint: true,
8620 },
8621 },
8622 shouldFail: true,
8623 expectedError: ":INVALID_ENCODING:",
8624 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8625
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8626 // The previous curve ID should be reported on TLS 1.2 resumption.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8627 testCases = append(testCases, testCase{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8628 name: "CurveID-Resume-Client",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8629 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8630 MaxVersion: VersionTLS12,
8631 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8632 CurvePreferences: []CurveID{CurveX25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8633 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8634 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8635 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8636 })
8637 testCases = append(testCases, testCase{
8638 testType: serverTest,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8639 name: "CurveID-Resume-Server",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8640 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8641 MaxVersion: VersionTLS12,
8642 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8643 CurvePreferences: []CurveID{CurveX25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8644 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8645 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8646 resumeSession: true,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8647 })
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8648
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8649 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8650 // one should be reported.
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8651 testCases = append(testCases, testCase{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8652 name: "CurveID-Resume-Client-TLS13",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8653 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8654 MaxVersion: VersionTLS13,
8655 CurvePreferences: []CurveID{CurveX25519},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8656 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8657 resumeConfig: &Config{
8658 MaxVersion: VersionTLS13,
8659 CurvePreferences: []CurveID{CurveP256},
8660 },
8661 flags: []string{
8662 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8663 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8664 },
8665 resumeSession: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8666 })
8667 testCases = append(testCases, testCase{
8668 testType: serverTest,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8669 name: "CurveID-Resume-Server-TLS13",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8670 config: Config{
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8671 MaxVersion: VersionTLS13,
8672 CurvePreferences: []CurveID{CurveX25519},
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8673 },
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]8674 resumeConfig: &Config{
8675 MaxVersion: VersionTLS13,
8676 CurvePreferences: []CurveID{CurveP256},
8677 },
8678 flags: []string{
8679 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8680 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8681 },
8682 resumeSession: true,
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]8683 })
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8684
8685 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8686 testCases = append(testCases, testCase{
8687 name: "PointFormat-ServerHello-TLS12",
8688 config: Config{
8689 MaxVersion: VersionTLS12,
8690 Bugs: ProtocolBugs{
8691 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8692 },
8693 },
8694 })
8695 testCases = append(testCases, testCase{
8696 name: "PointFormat-EncryptedExtensions-TLS13",
8697 config: Config{
8698 MaxVersion: VersionTLS13,
8699 Bugs: ProtocolBugs{
8700 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8701 },
8702 },
8703 shouldFail: true,
8704 expectedError: ":ERROR_PARSING_EXTENSION:",
8705 })
8706
8707 // Test that we tolerate unknown point formats, as long as
8708 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8709 // check they are still functional.
8710 testCases = append(testCases, testCase{
8711 name: "PointFormat-Client-Tolerance",
8712 config: Config{
8713 MaxVersion: VersionTLS12,
8714 Bugs: ProtocolBugs{
8715 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8716 },
8717 },
8718 })
8719 testCases = append(testCases, testCase{
8720 testType: serverTest,
8721 name: "PointFormat-Server-Tolerance",
8722 config: Config{
8723 MaxVersion: VersionTLS12,
8724 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8725 Bugs: ProtocolBugs{
8726 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8727 },
8728 },
8729 })
8730
8731 // Test TLS 1.2 does not require the point format extension to be
8732 // present.
8733 testCases = append(testCases, testCase{
8734 name: "PointFormat-Client-Missing",
8735 config: Config{
8736 MaxVersion: VersionTLS12,
8737 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8738 Bugs: ProtocolBugs{
8739 SendSupportedPointFormats: []byte{},
8740 },
8741 },
8742 })
8743 testCases = append(testCases, testCase{
8744 testType: serverTest,
8745 name: "PointFormat-Server-Missing",
8746 config: Config{
8747 MaxVersion: VersionTLS12,
8748 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8749 Bugs: ProtocolBugs{
8750 SendSupportedPointFormats: []byte{},
8751 },
8752 },
8753 })
8754
8755 // If the point format extension is present, uncompressed points must be
8756 // offered. BoringSSL requires this whether or not ECDHE is used.
8757 testCases = append(testCases, testCase{
8758 name: "PointFormat-Client-MissingUncompressed",
8759 config: Config{
8760 MaxVersion: VersionTLS12,
8761 Bugs: ProtocolBugs{
8762 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8763 },
8764 },
8765 shouldFail: true,
8766 expectedError: ":ERROR_PARSING_EXTENSION:",
8767 })
8768 testCases = append(testCases, testCase{
8769 testType: serverTest,
8770 name: "PointFormat-Server-MissingUncompressed",
8771 config: Config{
8772 MaxVersion: VersionTLS12,
8773 Bugs: ProtocolBugs{
8774 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8775 },
8776 },
8777 shouldFail: true,
8778 expectedError: ":ERROR_PARSING_EXTENSION:",
8779 })
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]8780}
8781
8782func addTLS13RecordTests() {
8783 testCases = append(testCases, testCase{
8784 name: "TLS13-RecordPadding",
8785 config: Config{
8786 MaxVersion: VersionTLS13,
8787 MinVersion: VersionTLS13,
8788 Bugs: ProtocolBugs{
8789 RecordPadding: 10,
8790 },
8791 },
8792 })
8793
8794 testCases = append(testCases, testCase{
8795 name: "TLS13-EmptyRecords",
8796 config: Config{
8797 MaxVersion: VersionTLS13,
8798 MinVersion: VersionTLS13,
8799 Bugs: ProtocolBugs{
8800 OmitRecordContents: true,
8801 },
8802 },
8803 shouldFail: true,
8804 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8805 })
8806
8807 testCases = append(testCases, testCase{
8808 name: "TLS13-OnlyPadding",
8809 config: Config{
8810 MaxVersion: VersionTLS13,
8811 MinVersion: VersionTLS13,
8812 Bugs: ProtocolBugs{
8813 OmitRecordContents: true,
8814 RecordPadding: 10,
8815 },
8816 },
8817 shouldFail: true,
8818 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8819 })
8820
8821 testCases = append(testCases, testCase{
8822 name: "TLS13-WrongOuterRecord",
8823 config: Config{
8824 MaxVersion: VersionTLS13,
8825 MinVersion: VersionTLS13,
8826 Bugs: ProtocolBugs{
8827 OuterRecordType: recordTypeHandshake,
8828 },
8829 },
8830 shouldFail: true,
8831 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8832 })
8833}
8834
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8835func addSessionTicketTests() {
8836 testCases = append(testCases, testCase{
8837 // In TLS 1.2 and below, empty NewSessionTicket messages
8838 // mean the server changed its mind on sending a ticket.
8839 name: "SendEmptySessionTicket",
8840 config: Config{
8841 MaxVersion: VersionTLS12,
8842 Bugs: ProtocolBugs{
8843 SendEmptySessionTicket: true,
8844 },
8845 },
8846 flags: []string{"-expect-no-session"},
8847 })
8848
8849 // Test that the server ignores unknown PSK modes.
8850 testCases = append(testCases, testCase{
8851 testType: serverTest,
8852 name: "TLS13-SendUnknownModeSessionTicket-Server",
8853 config: Config{
8854 MaxVersion: VersionTLS13,
8855 Bugs: ProtocolBugs{
8856 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8857 },
8858 },
8859 resumeSession: true,
8860 expectedResumeVersion: VersionTLS13,
8861 })
8862
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8863 // Test that the server does not send session tickets with no matching key exchange mode.
8864 testCases = append(testCases, testCase{
8865 testType: serverTest,
8866 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8867 config: Config{
8868 MaxVersion: VersionTLS13,
8869 Bugs: ProtocolBugs{
8870 SendPSKKeyExchangeModes: []byte{0x1a},
8871 ExpectNoNewSessionTicket: true,
8872 },
8873 },
8874 })
8875
8876 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8877 testCases = append(testCases, testCase{
8878 testType: serverTest,
8879 name: "TLS13-SendBadKEModeSessionTicket-Server",
8880 config: Config{
8881 MaxVersion: VersionTLS13,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8882 },
8883 resumeConfig: &Config{
8884 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8885 Bugs: ProtocolBugs{
8886 SendPSKKeyExchangeModes: []byte{0x1a},
8887 },
8888 },
8889 resumeSession: true,
8890 expectResumeRejected: true,
8891 })
8892
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8893 // Test that the client ticket age is sent correctly.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8894 testCases = append(testCases, testCase{
8895 testType: clientTest,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8896 name: "TLS13-TestValidTicketAge-Client",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8897 config: Config{
8898 MaxVersion: VersionTLS13,
8899 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8900 ExpectTicketAge: 10 * time.Second,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8901 },
8902 },
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8903 resumeSession: true,
8904 flags: []string{
8905 "-resumption-delay", "10",
8906 },
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8907 })
8908
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8909 // Test that the client ticket age is enforced.
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8910 testCases = append(testCases, testCase{
8911 testType: clientTest,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8912 name: "TLS13-TestBadTicketAge-Client",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8913 config: Config{
8914 MaxVersion: VersionTLS13,
8915 Bugs: ProtocolBugs{
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8916 ExpectTicketAge: 1000 * time.Second,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8917 },
8918 },
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]8919 resumeSession: true,
8920 shouldFail: true,
8921 expectedLocalError: "tls: invalid ticket age",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]8922 })
8923
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]8924 // Test that the server's ticket age skew reporting works.
8925 testCases = append(testCases, testCase{
8926 testType: serverTest,
8927 name: "TLS13-TicketAgeSkew-Forward",
8928 config: Config{
8929 MaxVersion: VersionTLS13,
8930 Bugs: ProtocolBugs{
8931 SendTicketAge: 15 * time.Second,
8932 },
8933 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8934 resumeSession: true,
8935 resumeRenewedSession: true,
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]8936 flags: []string{
8937 "-resumption-delay", "10",
8938 "-expect-ticket-age-skew", "5",
8939 },
8940 })
8941 testCases = append(testCases, testCase{
8942 testType: serverTest,
8943 name: "TLS13-TicketAgeSkew-Backward",
8944 config: Config{
8945 MaxVersion: VersionTLS13,
8946 Bugs: ProtocolBugs{
8947 SendTicketAge: 5 * time.Second,
8948 },
8949 },
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]8950 resumeSession: true,
8951 resumeRenewedSession: true,
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]8952 flags: []string{
8953 "-resumption-delay", "10",
8954 "-expect-ticket-age-skew", "-5",
8955 },
8956 })
8957
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8958 testCases = append(testCases, testCase{
8959 testType: clientTest,
8960 name: "TLS13-SendTicketEarlyDataInfo",
8961 config: Config{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]8962 MaxVersion: VersionTLS13,
8963 MaxEarlyDataSize: 16384,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8964 },
8965 flags: []string{
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]8966 "-enable-early-data",
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8967 "-expect-early-data-info",
8968 },
8969 })
8970
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]8971 // Test that 0-RTT tickets are ignored in clients unless opted in.
8972 testCases = append(testCases, testCase{
8973 testType: clientTest,
8974 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8975 config: Config{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]8976 MaxVersion: VersionTLS13,
8977 MaxEarlyDataSize: 16384,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]8978 },
8979 })
8980
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8981 testCases = append(testCases, testCase{
8982 testType: clientTest,
8983 name: "TLS13-DuplicateTicketEarlyDataInfo",
8984 config: Config{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]8985 MaxVersion: VersionTLS13,
8986 MaxEarlyDataSize: 16384,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8987 Bugs: ProtocolBugs{
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]8988 DuplicateTicketEarlyDataInfo: true,
8989 },
8990 },
8991 shouldFail: true,
8992 expectedError: ":DUPLICATE_EXTENSION:",
8993 expectedLocalError: "remote error: illegal parameter",
8994 })
8995
8996 testCases = append(testCases, testCase{
8997 testType: serverTest,
8998 name: "TLS13-ExpectTicketEarlyDataInfo",
8999 config: Config{
9000 MaxVersion: VersionTLS13,
9001 Bugs: ProtocolBugs{
9002 ExpectTicketEarlyDataInfo: true,
9003 },
9004 },
9005 flags: []string{
9006 "-enable-early-data",
9007 },
9008 })
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]9009
9010 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
9011 // is honored.
9012 testCases = append(testCases, testCase{
9013 testType: clientTest,
9014 name: "TLS13-HonorServerSessionTicketLifetime",
9015 config: Config{
9016 MaxVersion: VersionTLS13,
9017 Bugs: ProtocolBugs{
9018 SendTicketLifetime: 20 * time.Second,
9019 },
9020 },
9021 flags: []string{
9022 "-resumption-delay", "19",
9023 },
9024 resumeSession: true,
9025 })
9026 testCases = append(testCases, testCase{
9027 testType: clientTest,
9028 name: "TLS13-HonorServerSessionTicketLifetime-2",
9029 config: Config{
9030 MaxVersion: VersionTLS13,
9031 Bugs: ProtocolBugs{
9032 SendTicketLifetime: 20 * time.Second,
9033 // The client should not offer the expired session.
9034 ExpectNoTLS13PSK: true,
9035 },
9036 },
9037 flags: []string{
9038 "-resumption-delay", "21",
9039 },
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]9040 resumeSession: true,
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]9041 expectResumeRejected: true,
9042 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9043}
9044
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9045func addChangeCipherSpecTests() {
9046 // Test missing ChangeCipherSpecs.
9047 testCases = append(testCases, testCase{
9048 name: "SkipChangeCipherSpec-Client",
9049 config: Config{
9050 MaxVersion: VersionTLS12,
9051 Bugs: ProtocolBugs{
9052 SkipChangeCipherSpec: true,
9053 },
9054 },
9055 shouldFail: true,
9056 expectedError: ":UNEXPECTED_RECORD:",
9057 })
9058 testCases = append(testCases, testCase{
9059 testType: serverTest,
9060 name: "SkipChangeCipherSpec-Server",
9061 config: Config{
9062 MaxVersion: VersionTLS12,
9063 Bugs: ProtocolBugs{
9064 SkipChangeCipherSpec: true,
9065 },
9066 },
9067 shouldFail: true,
9068 expectedError: ":UNEXPECTED_RECORD:",
9069 })
9070 testCases = append(testCases, testCase{
9071 testType: serverTest,
9072 name: "SkipChangeCipherSpec-Server-NPN",
9073 config: Config{
9074 MaxVersion: VersionTLS12,
9075 NextProtos: []string{"bar"},
9076 Bugs: ProtocolBugs{
9077 SkipChangeCipherSpec: true,
9078 },
9079 },
9080 flags: []string{
9081 "-advertise-npn", "\x03foo\x03bar\x03baz",
9082 },
9083 shouldFail: true,
9084 expectedError: ":UNEXPECTED_RECORD:",
9085 })
9086
9087 // Test synchronization between the handshake and ChangeCipherSpec.
9088 // Partial post-CCS handshake messages before ChangeCipherSpec should be
9089 // rejected. Test both with and without handshake packing to handle both
9090 // when the partial post-CCS message is in its own record and when it is
9091 // attached to the pre-CCS message.
9092 for _, packed := range []bool{false, true} {
9093 var suffix string
9094 if packed {
9095 suffix = "-Packed"
9096 }
9097
9098 testCases = append(testCases, testCase{
9099 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
9100 config: Config{
9101 MaxVersion: VersionTLS12,
9102 Bugs: ProtocolBugs{
9103 FragmentAcrossChangeCipherSpec: true,
9104 PackHandshakeFlight: packed,
9105 },
9106 },
9107 shouldFail: true,
9108 expectedError: ":UNEXPECTED_RECORD:",
9109 })
9110 testCases = append(testCases, testCase{
9111 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
9112 config: Config{
9113 MaxVersion: VersionTLS12,
9114 },
9115 resumeSession: true,
9116 resumeConfig: &Config{
9117 MaxVersion: VersionTLS12,
9118 Bugs: ProtocolBugs{
9119 FragmentAcrossChangeCipherSpec: true,
9120 PackHandshakeFlight: packed,
9121 },
9122 },
9123 shouldFail: true,
9124 expectedError: ":UNEXPECTED_RECORD:",
9125 })
9126 testCases = append(testCases, testCase{
9127 testType: serverTest,
9128 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
9129 config: Config{
9130 MaxVersion: VersionTLS12,
9131 Bugs: ProtocolBugs{
9132 FragmentAcrossChangeCipherSpec: true,
9133 PackHandshakeFlight: packed,
9134 },
9135 },
9136 shouldFail: true,
9137 expectedError: ":UNEXPECTED_RECORD:",
9138 })
9139 testCases = append(testCases, testCase{
9140 testType: serverTest,
9141 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
9142 config: Config{
9143 MaxVersion: VersionTLS12,
9144 },
9145 resumeSession: true,
9146 resumeConfig: &Config{
9147 MaxVersion: VersionTLS12,
9148 Bugs: ProtocolBugs{
9149 FragmentAcrossChangeCipherSpec: true,
9150 PackHandshakeFlight: packed,
9151 },
9152 },
9153 shouldFail: true,
9154 expectedError: ":UNEXPECTED_RECORD:",
9155 })
9156 testCases = append(testCases, testCase{
9157 testType: serverTest,
9158 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
9159 config: Config{
9160 MaxVersion: VersionTLS12,
9161 NextProtos: []string{"bar"},
9162 Bugs: ProtocolBugs{
9163 FragmentAcrossChangeCipherSpec: true,
9164 PackHandshakeFlight: packed,
9165 },
9166 },
9167 flags: []string{
9168 "-advertise-npn", "\x03foo\x03bar\x03baz",
9169 },
9170 shouldFail: true,
9171 expectedError: ":UNEXPECTED_RECORD:",
9172 })
9173 }
9174
9175 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
9176 // messages in the handshake queue. Do this by testing the server
9177 // reading the client Finished, reversing the flight so Finished comes
9178 // first.
9179 testCases = append(testCases, testCase{
9180 protocol: dtls,
9181 testType: serverTest,
9182 name: "SendUnencryptedFinished-DTLS",
9183 config: Config{
9184 MaxVersion: VersionTLS12,
9185 Bugs: ProtocolBugs{
9186 SendUnencryptedFinished: true,
9187 ReverseHandshakeFragments: true,
9188 },
9189 },
9190 shouldFail: true,
9191 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9192 })
9193
9194 // Test synchronization between encryption changes and the handshake in
9195 // TLS 1.3, where ChangeCipherSpec is implicit.
9196 testCases = append(testCases, testCase{
9197 name: "PartialEncryptedExtensionsWithServerHello",
9198 config: Config{
9199 MaxVersion: VersionTLS13,
9200 Bugs: ProtocolBugs{
9201 PartialEncryptedExtensionsWithServerHello: true,
9202 },
9203 },
9204 shouldFail: true,
9205 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9206 })
9207 testCases = append(testCases, testCase{
9208 testType: serverTest,
9209 name: "PartialClientFinishedWithClientHello",
9210 config: Config{
9211 MaxVersion: VersionTLS13,
9212 Bugs: ProtocolBugs{
9213 PartialClientFinishedWithClientHello: true,
9214 },
9215 },
9216 shouldFail: true,
9217 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
9218 })
9219
9220 // Test that early ChangeCipherSpecs are handled correctly.
9221 testCases = append(testCases, testCase{
9222 testType: serverTest,
9223 name: "EarlyChangeCipherSpec-server-1",
9224 config: Config{
9225 MaxVersion: VersionTLS12,
9226 Bugs: ProtocolBugs{
9227 EarlyChangeCipherSpec: 1,
9228 },
9229 },
9230 shouldFail: true,
9231 expectedError: ":UNEXPECTED_RECORD:",
9232 })
9233 testCases = append(testCases, testCase{
9234 testType: serverTest,
9235 name: "EarlyChangeCipherSpec-server-2",
9236 config: Config{
9237 MaxVersion: VersionTLS12,
9238 Bugs: ProtocolBugs{
9239 EarlyChangeCipherSpec: 2,
9240 },
9241 },
9242 shouldFail: true,
9243 expectedError: ":UNEXPECTED_RECORD:",
9244 })
9245 testCases = append(testCases, testCase{
9246 protocol: dtls,
9247 name: "StrayChangeCipherSpec",
9248 config: Config{
9249 // TODO(davidben): Once DTLS 1.3 exists, test
9250 // that stray ChangeCipherSpec messages are
9251 // rejected.
9252 MaxVersion: VersionTLS12,
9253 Bugs: ProtocolBugs{
9254 StrayChangeCipherSpec: true,
9255 },
9256 },
9257 })
9258
9259 // Test that the contents of ChangeCipherSpec are checked.
9260 testCases = append(testCases, testCase{
9261 name: "BadChangeCipherSpec-1",
9262 config: Config{
9263 MaxVersion: VersionTLS12,
9264 Bugs: ProtocolBugs{
9265 BadChangeCipherSpec: []byte{2},
9266 },
9267 },
9268 shouldFail: true,
9269 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9270 })
9271 testCases = append(testCases, testCase{
9272 name: "BadChangeCipherSpec-2",
9273 config: Config{
9274 MaxVersion: VersionTLS12,
9275 Bugs: ProtocolBugs{
9276 BadChangeCipherSpec: []byte{1, 1},
9277 },
9278 },
9279 shouldFail: true,
9280 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9281 })
9282 testCases = append(testCases, testCase{
9283 protocol: dtls,
9284 name: "BadChangeCipherSpec-DTLS-1",
9285 config: Config{
9286 MaxVersion: VersionTLS12,
9287 Bugs: ProtocolBugs{
9288 BadChangeCipherSpec: []byte{2},
9289 },
9290 },
9291 shouldFail: true,
9292 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9293 })
9294 testCases = append(testCases, testCase{
9295 protocol: dtls,
9296 name: "BadChangeCipherSpec-DTLS-2",
9297 config: Config{
9298 MaxVersion: VersionTLS12,
9299 Bugs: ProtocolBugs{
9300 BadChangeCipherSpec: []byte{1, 1},
9301 },
9302 },
9303 shouldFail: true,
9304 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9305 })
9306}
9307
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9308type perMessageTest struct {
9309 messageType uint8
9310 test testCase
9311}
9312
9313// makePerMessageTests returns a series of test templates which cover each
9314// message in the TLS handshake. These may be used with bugs like
9315// WrongMessageType to fully test a per-message bug.
9316func makePerMessageTests() []perMessageTest {
9317 var ret []perMessageTest
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9318 for _, protocol := range []protocol{tls, dtls} {
9319 var suffix string
9320 if protocol == dtls {
9321 suffix = "-DTLS"
9322 }
9323
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9324 ret = append(ret, perMessageTest{
9325 messageType: typeClientHello,
9326 test: testCase{
9327 protocol: protocol,
9328 testType: serverTest,
9329 name: "ClientHello" + suffix,
9330 config: Config{
9331 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9332 },
9333 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9334 })
9335
9336 if protocol == dtls {
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9337 ret = append(ret, perMessageTest{
9338 messageType: typeHelloVerifyRequest,
9339 test: testCase{
9340 protocol: protocol,
9341 name: "HelloVerifyRequest" + suffix,
9342 config: Config{
9343 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9344 },
9345 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9346 })
9347 }
9348
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9349 ret = append(ret, perMessageTest{
9350 messageType: typeServerHello,
9351 test: testCase{
9352 protocol: protocol,
9353 name: "ServerHello" + suffix,
9354 config: Config{
9355 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9356 },
9357 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9358 })
9359
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9360 ret = append(ret, perMessageTest{
9361 messageType: typeCertificate,
9362 test: testCase{
9363 protocol: protocol,
9364 name: "ServerCertificate" + suffix,
9365 config: Config{
9366 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9367 },
9368 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9369 })
9370
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9371 ret = append(ret, perMessageTest{
9372 messageType: typeCertificateStatus,
9373 test: testCase{
9374 protocol: protocol,
9375 name: "CertificateStatus" + suffix,
9376 config: Config{
9377 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9378 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9379 flags: []string{"-enable-ocsp-stapling"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9380 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9381 })
9382
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9383 ret = append(ret, perMessageTest{
9384 messageType: typeServerKeyExchange,
9385 test: testCase{
9386 protocol: protocol,
9387 name: "ServerKeyExchange" + suffix,
9388 config: Config{
9389 MaxVersion: VersionTLS12,
9390 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9391 },
9392 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9393 })
9394
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9395 ret = append(ret, perMessageTest{
9396 messageType: typeCertificateRequest,
9397 test: testCase{
9398 protocol: protocol,
9399 name: "CertificateRequest" + suffix,
9400 config: Config{
9401 MaxVersion: VersionTLS12,
9402 ClientAuth: RequireAnyClientCert,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9403 },
9404 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9405 })
9406
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9407 ret = append(ret, perMessageTest{
9408 messageType: typeServerHelloDone,
9409 test: testCase{
9410 protocol: protocol,
9411 name: "ServerHelloDone" + suffix,
9412 config: Config{
9413 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9414 },
9415 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9416 })
9417
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9418 ret = append(ret, perMessageTest{
9419 messageType: typeCertificate,
9420 test: testCase{
9421 testType: serverTest,
9422 protocol: protocol,
9423 name: "ClientCertificate" + suffix,
9424 config: Config{
9425 Certificates: []Certificate{rsaCertificate},
9426 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9427 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9428 flags: []string{"-require-any-client-certificate"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9429 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9430 })
9431
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9432 ret = append(ret, perMessageTest{
9433 messageType: typeCertificateVerify,
9434 test: testCase{
9435 testType: serverTest,
9436 protocol: protocol,
9437 name: "CertificateVerify" + suffix,
9438 config: Config{
9439 Certificates: []Certificate{rsaCertificate},
9440 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9441 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9442 flags: []string{"-require-any-client-certificate"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9443 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9444 })
9445
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9446 ret = append(ret, perMessageTest{
9447 messageType: typeClientKeyExchange,
9448 test: testCase{
9449 testType: serverTest,
9450 protocol: protocol,
9451 name: "ClientKeyExchange" + suffix,
9452 config: Config{
9453 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9454 },
9455 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9456 })
9457
9458 if protocol != dtls {
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9459 ret = append(ret, perMessageTest{
9460 messageType: typeNextProtocol,
9461 test: testCase{
9462 testType: serverTest,
9463 protocol: protocol,
9464 name: "NextProtocol" + suffix,
9465 config: Config{
9466 MaxVersion: VersionTLS12,
9467 NextProtos: []string{"bar"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9468 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9469 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9470 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9471 })
9472
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9473 ret = append(ret, perMessageTest{
9474 messageType: typeChannelID,
9475 test: testCase{
9476 testType: serverTest,
9477 protocol: protocol,
9478 name: "ChannelID" + suffix,
9479 config: Config{
9480 MaxVersion: VersionTLS12,
9481 ChannelID: channelIDKey,
9482 },
9483 flags: []string{
9484 "-expect-channel-id",
9485 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9486 },
9487 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9488 })
9489 }
9490
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9491 ret = append(ret, perMessageTest{
9492 messageType: typeFinished,
9493 test: testCase{
9494 testType: serverTest,
9495 protocol: protocol,
9496 name: "ClientFinished" + suffix,
9497 config: Config{
9498 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9499 },
9500 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9501 })
9502
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9503 ret = append(ret, perMessageTest{
9504 messageType: typeNewSessionTicket,
9505 test: testCase{
9506 protocol: protocol,
9507 name: "NewSessionTicket" + suffix,
9508 config: Config{
9509 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9510 },
9511 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9512 })
9513
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9514 ret = append(ret, perMessageTest{
9515 messageType: typeFinished,
9516 test: testCase{
9517 protocol: protocol,
9518 name: "ServerFinished" + suffix,
9519 config: Config{
9520 MaxVersion: VersionTLS12,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9521 },
9522 },
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9523 })
9524
9525 }
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9526
9527 ret = append(ret, perMessageTest{
9528 messageType: typeClientHello,
9529 test: testCase{
9530 testType: serverTest,
9531 name: "TLS13-ClientHello",
9532 config: Config{
9533 MaxVersion: VersionTLS13,
9534 },
9535 },
9536 })
9537
9538 ret = append(ret, perMessageTest{
9539 messageType: typeServerHello,
9540 test: testCase{
9541 name: "TLS13-ServerHello",
9542 config: Config{
9543 MaxVersion: VersionTLS13,
9544 },
9545 },
9546 })
9547
9548 ret = append(ret, perMessageTest{
9549 messageType: typeEncryptedExtensions,
9550 test: testCase{
9551 name: "TLS13-EncryptedExtensions",
9552 config: Config{
9553 MaxVersion: VersionTLS13,
9554 },
9555 },
9556 })
9557
9558 ret = append(ret, perMessageTest{
9559 messageType: typeCertificateRequest,
9560 test: testCase{
9561 name: "TLS13-CertificateRequest",
9562 config: Config{
9563 MaxVersion: VersionTLS13,
9564 ClientAuth: RequireAnyClientCert,
9565 },
9566 },
9567 })
9568
9569 ret = append(ret, perMessageTest{
9570 messageType: typeCertificate,
9571 test: testCase{
9572 name: "TLS13-ServerCertificate",
9573 config: Config{
9574 MaxVersion: VersionTLS13,
9575 },
9576 },
9577 })
9578
9579 ret = append(ret, perMessageTest{
9580 messageType: typeCertificateVerify,
9581 test: testCase{
9582 name: "TLS13-ServerCertificateVerify",
9583 config: Config{
9584 MaxVersion: VersionTLS13,
9585 },
9586 },
9587 })
9588
9589 ret = append(ret, perMessageTest{
9590 messageType: typeFinished,
9591 test: testCase{
9592 name: "TLS13-ServerFinished",
9593 config: Config{
9594 MaxVersion: VersionTLS13,
9595 },
9596 },
9597 })
9598
9599 ret = append(ret, perMessageTest{
9600 messageType: typeCertificate,
9601 test: testCase{
9602 testType: serverTest,
9603 name: "TLS13-ClientCertificate",
9604 config: Config{
9605 Certificates: []Certificate{rsaCertificate},
9606 MaxVersion: VersionTLS13,
9607 },
9608 flags: []string{"-require-any-client-certificate"},
9609 },
9610 })
9611
9612 ret = append(ret, perMessageTest{
9613 messageType: typeCertificateVerify,
9614 test: testCase{
9615 testType: serverTest,
9616 name: "TLS13-ClientCertificateVerify",
9617 config: Config{
9618 Certificates: []Certificate{rsaCertificate},
9619 MaxVersion: VersionTLS13,
9620 },
9621 flags: []string{"-require-any-client-certificate"},
9622 },
9623 })
9624
9625 ret = append(ret, perMessageTest{
9626 messageType: typeFinished,
9627 test: testCase{
9628 testType: serverTest,
9629 name: "TLS13-ClientFinished",
9630 config: Config{
9631 MaxVersion: VersionTLS13,
9632 },
9633 },
9634 })
9635
9636 return ret
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9637}
9638
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9639func addWrongMessageTypeTests() {
9640 for _, t := range makePerMessageTests() {
9641 t.test.name = "WrongMessageType-" + t.test.name
9642 t.test.config.Bugs.SendWrongMessageType = t.messageType
9643 t.test.shouldFail = true
9644 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9645 t.test.expectedLocalError = "remote error: unexpected message"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9646
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9647 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9648 // In TLS 1.3, a bad ServerHello means the client sends
9649 // an unencrypted alert while the server expects
9650 // encryption, so the alert is not readable by runner.
9651 t.test.expectedLocalError = "local error: bad record MAC"
9652 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9653
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9654 testCases = append(testCases, t.test)
9655 }
Robert Sloan572a4e22017-04-17 10:52:19 -0700[diff] [blame]9656
9657 // The processing order for TLS 1.3 version negotiation is such that one
9658 // may accidentally accept a HelloRetryRequest in lieu of ServerHello in
9659 // TLS 1.2. Test that we do not do this.
9660 testCases = append(testCases, testCase{
9661 name: "SendServerHelloAsHelloRetryRequest",
9662 config: Config{
9663 MaxVersion: VersionTLS12,
9664 Bugs: ProtocolBugs{
9665 SendServerHelloAsHelloRetryRequest: true,
9666 },
9667 },
9668 shouldFail: true,
9669 expectedError: ":UNEXPECTED_MESSAGE:",
9670 expectedLocalError: "remote error: unexpected message",
9671 })
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9672}
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9673
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9674func addTrailingMessageDataTests() {
9675 for _, t := range makePerMessageTests() {
9676 t.test.name = "TrailingMessageData-" + t.test.name
9677 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9678 t.test.shouldFail = true
9679 t.test.expectedError = ":DECODE_ERROR:"
9680 t.test.expectedLocalError = "remote error: error decoding message"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9681
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9682 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9683 // In TLS 1.3, a bad ServerHello means the client sends
9684 // an unencrypted alert while the server expects
9685 // encryption, so the alert is not readable by runner.
9686 t.test.expectedLocalError = "local error: bad record MAC"
9687 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9688
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9689 if t.messageType == typeFinished {
9690 // Bad Finished messages read as the verify data having
9691 // the wrong length.
9692 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9693 t.test.expectedLocalError = "remote error: error decrypting message"
9694 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9695
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9696 testCases = append(testCases, t.test)
9697 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9698}
9699
9700func addTLS13HandshakeTests() {
9701 testCases = append(testCases, testCase{
9702 testType: clientTest,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9703 name: "NegotiatePSKResumption-TLS13",
9704 config: Config{
9705 MaxVersion: VersionTLS13,
9706 Bugs: ProtocolBugs{
9707 NegotiatePSKResumption: true,
9708 },
9709 },
9710 resumeSession: true,
9711 shouldFail: true,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]9712 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]9713 })
9714
9715 testCases = append(testCases, testCase{
9716 testType: clientTest,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9717 name: "MissingKeyShare-Client",
9718 config: Config{
9719 MaxVersion: VersionTLS13,
9720 Bugs: ProtocolBugs{
9721 MissingKeyShare: true,
9722 },
9723 },
9724 shouldFail: true,
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]9725 expectedError: ":MISSING_KEY_SHARE:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9726 })
9727
9728 testCases = append(testCases, testCase{
9729 testType: serverTest,
9730 name: "MissingKeyShare-Server",
9731 config: Config{
9732 MaxVersion: VersionTLS13,
9733 Bugs: ProtocolBugs{
9734 MissingKeyShare: true,
9735 },
9736 },
9737 shouldFail: true,
9738 expectedError: ":MISSING_KEY_SHARE:",
9739 })
9740
9741 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9742 testType: serverTest,
9743 name: "DuplicateKeyShares",
9744 config: Config{
9745 MaxVersion: VersionTLS13,
9746 Bugs: ProtocolBugs{
9747 DuplicateKeyShares: true,
9748 },
9749 },
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]9750 shouldFail: true,
9751 expectedError: ":DUPLICATE_KEY_SHARE:",
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9752 })
9753
9754 testCases = append(testCases, testCase{
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9755 testType: serverTest,
9756 name: "SkipEarlyData",
9757 config: Config{
9758 MaxVersion: VersionTLS13,
9759 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9760 SendFakeEarlyDataLength: 4,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9761 },
9762 },
9763 })
9764
9765 testCases = append(testCases, testCase{
9766 testType: serverTest,
9767 name: "SkipEarlyData-OmitEarlyDataExtension",
9768 config: Config{
9769 MaxVersion: VersionTLS13,
9770 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9771 SendFakeEarlyDataLength: 4,
9772 OmitEarlyDataExtension: true,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9773 },
9774 },
9775 shouldFail: true,
9776 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9777 })
9778
9779 testCases = append(testCases, testCase{
9780 testType: serverTest,
9781 name: "SkipEarlyData-TooMuchData",
9782 config: Config{
9783 MaxVersion: VersionTLS13,
9784 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9785 SendFakeEarlyDataLength: 16384 + 1,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9786 },
9787 },
9788 shouldFail: true,
9789 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9790 })
9791
9792 testCases = append(testCases, testCase{
9793 testType: serverTest,
9794 name: "SkipEarlyData-Interleaved",
9795 config: Config{
9796 MaxVersion: VersionTLS13,
9797 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9798 SendFakeEarlyDataLength: 4,
9799 InterleaveEarlyData: true,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9800 },
9801 },
9802 shouldFail: true,
9803 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9804 })
9805
9806 testCases = append(testCases, testCase{
9807 testType: serverTest,
9808 name: "SkipEarlyData-EarlyDataInTLS12",
9809 config: Config{
9810 MaxVersion: VersionTLS13,
9811 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9812 SendFakeEarlyDataLength: 4,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9813 },
9814 },
9815 shouldFail: true,
9816 expectedError: ":UNEXPECTED_RECORD:",
9817 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9818 })
9819
9820 testCases = append(testCases, testCase{
9821 testType: serverTest,
9822 name: "SkipEarlyData-HRR",
9823 config: Config{
9824 MaxVersion: VersionTLS13,
9825 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9826 SendFakeEarlyDataLength: 4,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9827 },
9828 DefaultCurves: []CurveID{},
9829 },
9830 })
9831
9832 testCases = append(testCases, testCase{
9833 testType: serverTest,
9834 name: "SkipEarlyData-HRR-Interleaved",
9835 config: Config{
9836 MaxVersion: VersionTLS13,
9837 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9838 SendFakeEarlyDataLength: 4,
9839 InterleaveEarlyData: true,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9840 },
9841 DefaultCurves: []CurveID{},
9842 },
9843 shouldFail: true,
9844 expectedError: ":UNEXPECTED_RECORD:",
9845 })
9846
9847 testCases = append(testCases, testCase{
9848 testType: serverTest,
9849 name: "SkipEarlyData-HRR-TooMuchData",
9850 config: Config{
9851 MaxVersion: VersionTLS13,
9852 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9853 SendFakeEarlyDataLength: 16384 + 1,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9854 },
9855 DefaultCurves: []CurveID{},
9856 },
9857 shouldFail: true,
9858 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9859 })
9860
9861 // Test that skipping early data looking for cleartext correctly
9862 // processes an alert record.
9863 testCases = append(testCases, testCase{
9864 testType: serverTest,
9865 name: "SkipEarlyData-HRR-FatalAlert",
9866 config: Config{
9867 MaxVersion: VersionTLS13,
9868 Bugs: ProtocolBugs{
Robert Sloan47f43ed2017-02-06 14:55:15 -0800[diff] [blame]9869 SendEarlyAlert: true,
9870 SendFakeEarlyDataLength: 4,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]9871 },
9872 DefaultCurves: []CurveID{},
9873 },
9874 shouldFail: true,
9875 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9876 })
9877
9878 testCases = append(testCases, testCase{
9879 testType: serverTest,
9880 name: "SkipEarlyData-SecondClientHelloEarlyData",
9881 config: Config{
9882 MaxVersion: VersionTLS13,
9883 Bugs: ProtocolBugs{
9884 SendEarlyDataOnSecondClientHello: true,
9885 },
9886 DefaultCurves: []CurveID{},
9887 },
9888 shouldFail: true,
9889 expectedLocalError: "remote error: bad record MAC",
9890 })
9891
9892 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9893 testType: clientTest,
9894 name: "EmptyEncryptedExtensions",
9895 config: Config{
9896 MaxVersion: VersionTLS13,
9897 Bugs: ProtocolBugs{
9898 EmptyEncryptedExtensions: true,
9899 },
9900 },
9901 shouldFail: true,
9902 expectedLocalError: "remote error: error decoding message",
9903 })
9904
9905 testCases = append(testCases, testCase{
9906 testType: clientTest,
9907 name: "EncryptedExtensionsWithKeyShare",
9908 config: Config{
9909 MaxVersion: VersionTLS13,
9910 Bugs: ProtocolBugs{
9911 EncryptedExtensionsWithKeyShare: true,
9912 },
9913 },
9914 shouldFail: true,
9915 expectedLocalError: "remote error: unsupported extension",
9916 })
9917
9918 testCases = append(testCases, testCase{
9919 testType: serverTest,
9920 name: "SendHelloRetryRequest",
9921 config: Config{
9922 MaxVersion: VersionTLS13,
9923 // Require a HelloRetryRequest for every curve.
9924 DefaultCurves: []CurveID{},
9925 },
9926 expectedCurveID: CurveX25519,
9927 })
9928
9929 testCases = append(testCases, testCase{
9930 testType: serverTest,
9931 name: "SendHelloRetryRequest-2",
9932 config: Config{
9933 MaxVersion: VersionTLS13,
9934 DefaultCurves: []CurveID{CurveP384},
9935 },
9936 // Although the ClientHello did not predict our preferred curve,
9937 // we always select it whether it is predicted or not.
9938 expectedCurveID: CurveX25519,
9939 })
9940
9941 testCases = append(testCases, testCase{
9942 name: "UnknownCurve-HelloRetryRequest",
9943 config: Config{
9944 MaxVersion: VersionTLS13,
9945 // P-384 requires HelloRetryRequest in BoringSSL.
9946 CurvePreferences: []CurveID{CurveP384},
9947 Bugs: ProtocolBugs{
9948 SendHelloRetryRequestCurve: bogusCurve,
9949 },
9950 },
9951 shouldFail: true,
9952 expectedError: ":WRONG_CURVE:",
9953 })
9954
9955 testCases = append(testCases, testCase{
9956 name: "DisabledCurve-HelloRetryRequest",
9957 config: Config{
9958 MaxVersion: VersionTLS13,
9959 CurvePreferences: []CurveID{CurveP256},
9960 Bugs: ProtocolBugs{
9961 IgnorePeerCurvePreferences: true,
9962 },
9963 },
9964 flags: []string{"-p384-only"},
9965 shouldFail: true,
9966 expectedError: ":WRONG_CURVE:",
9967 })
9968
9969 testCases = append(testCases, testCase{
9970 name: "UnnecessaryHelloRetryRequest",
9971 config: Config{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]9972 MaxVersion: VersionTLS13,
9973 CurvePreferences: []CurveID{CurveX25519},
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9974 Bugs: ProtocolBugs{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]9975 SendHelloRetryRequestCurve: CurveX25519,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]9976 },
9977 },
9978 shouldFail: true,
9979 expectedError: ":WRONG_CURVE:",
9980 })
9981
9982 testCases = append(testCases, testCase{
9983 name: "SecondHelloRetryRequest",
9984 config: Config{
9985 MaxVersion: VersionTLS13,
9986 // P-384 requires HelloRetryRequest in BoringSSL.
9987 CurvePreferences: []CurveID{CurveP384},
9988 Bugs: ProtocolBugs{
9989 SecondHelloRetryRequest: true,
9990 },
9991 },
9992 shouldFail: true,
9993 expectedError: ":UNEXPECTED_MESSAGE:",
9994 })
9995
9996 testCases = append(testCases, testCase{
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]9997 name: "HelloRetryRequest-Empty",
9998 config: Config{
9999 MaxVersion: VersionTLS13,
10000 Bugs: ProtocolBugs{
10001 AlwaysSendHelloRetryRequest: true,
10002 },
10003 },
10004 shouldFail: true,
10005 expectedError: ":DECODE_ERROR:",
10006 })
10007
10008 testCases = append(testCases, testCase{
10009 name: "HelloRetryRequest-DuplicateCurve",
10010 config: Config{
10011 MaxVersion: VersionTLS13,
10012 // P-384 requires a HelloRetryRequest against BoringSSL's default
10013 // configuration. Assert this ExpectMissingKeyShare.
10014 CurvePreferences: []CurveID{CurveP384},
10015 Bugs: ProtocolBugs{
10016 ExpectMissingKeyShare: true,
10017 DuplicateHelloRetryRequestExtensions: true,
10018 },
10019 },
10020 shouldFail: true,
10021 expectedError: ":DUPLICATE_EXTENSION:",
10022 expectedLocalError: "remote error: illegal parameter",
10023 })
10024
10025 testCases = append(testCases, testCase{
10026 name: "HelloRetryRequest-Cookie",
10027 config: Config{
10028 MaxVersion: VersionTLS13,
10029 Bugs: ProtocolBugs{
10030 SendHelloRetryRequestCookie: []byte("cookie"),
10031 },
10032 },
10033 })
10034
10035 testCases = append(testCases, testCase{
10036 name: "HelloRetryRequest-DuplicateCookie",
10037 config: Config{
10038 MaxVersion: VersionTLS13,
10039 Bugs: ProtocolBugs{
10040 SendHelloRetryRequestCookie: []byte("cookie"),
10041 DuplicateHelloRetryRequestExtensions: true,
10042 },
10043 },
10044 shouldFail: true,
10045 expectedError: ":DUPLICATE_EXTENSION:",
10046 expectedLocalError: "remote error: illegal parameter",
10047 })
10048
10049 testCases = append(testCases, testCase{
10050 name: "HelloRetryRequest-EmptyCookie",
10051 config: Config{
10052 MaxVersion: VersionTLS13,
10053 Bugs: ProtocolBugs{
10054 SendHelloRetryRequestCookie: []byte{},
10055 },
10056 },
10057 shouldFail: true,
10058 expectedError: ":DECODE_ERROR:",
10059 })
10060
10061 testCases = append(testCases, testCase{
10062 name: "HelloRetryRequest-Cookie-Curve",
10063 config: Config{
10064 MaxVersion: VersionTLS13,
10065 // P-384 requires HelloRetryRequest in BoringSSL.
10066 CurvePreferences: []CurveID{CurveP384},
10067 Bugs: ProtocolBugs{
10068 SendHelloRetryRequestCookie: []byte("cookie"),
10069 ExpectMissingKeyShare: true,
10070 },
10071 },
10072 })
10073
10074 testCases = append(testCases, testCase{
10075 name: "HelloRetryRequest-Unknown",
10076 config: Config{
10077 MaxVersion: VersionTLS13,
10078 Bugs: ProtocolBugs{
10079 CustomHelloRetryRequestExtension: "extension",
10080 },
10081 },
10082 shouldFail: true,
10083 expectedError: ":UNEXPECTED_EXTENSION:",
10084 expectedLocalError: "remote error: unsupported extension",
10085 })
10086
10087 testCases = append(testCases, testCase{
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]10088 testType: serverTest,
10089 name: "SecondClientHelloMissingKeyShare",
10090 config: Config{
10091 MaxVersion: VersionTLS13,
10092 DefaultCurves: []CurveID{},
10093 Bugs: ProtocolBugs{
10094 SecondClientHelloMissingKeyShare: true,
10095 },
10096 },
10097 shouldFail: true,
10098 expectedError: ":MISSING_KEY_SHARE:",
10099 })
10100
10101 testCases = append(testCases, testCase{
10102 testType: serverTest,
10103 name: "SecondClientHelloWrongCurve",
10104 config: Config{
10105 MaxVersion: VersionTLS13,
10106 DefaultCurves: []CurveID{},
10107 Bugs: ProtocolBugs{
10108 MisinterpretHelloRetryRequestCurve: CurveP521,
10109 },
10110 },
10111 shouldFail: true,
10112 expectedError: ":WRONG_CURVE:",
10113 })
10114
10115 testCases = append(testCases, testCase{
10116 name: "HelloRetryRequestVersionMismatch",
10117 config: Config{
10118 MaxVersion: VersionTLS13,
10119 // P-384 requires HelloRetryRequest in BoringSSL.
10120 CurvePreferences: []CurveID{CurveP384},
10121 Bugs: ProtocolBugs{
10122 SendServerHelloVersion: 0x0305,
10123 },
10124 },
10125 shouldFail: true,
10126 expectedError: ":WRONG_VERSION_NUMBER:",
10127 })
10128
10129 testCases = append(testCases, testCase{
10130 name: "HelloRetryRequestCurveMismatch",
10131 config: Config{
10132 MaxVersion: VersionTLS13,
10133 // P-384 requires HelloRetryRequest in BoringSSL.
10134 CurvePreferences: []CurveID{CurveP384},
10135 Bugs: ProtocolBugs{
10136 // Send P-384 (correct) in the HelloRetryRequest.
10137 SendHelloRetryRequestCurve: CurveP384,
10138 // But send P-256 in the ServerHello.
10139 SendCurve: CurveP256,
10140 },
10141 },
10142 shouldFail: true,
10143 expectedError: ":WRONG_CURVE:",
10144 })
10145
10146 // Test the server selecting a curve that requires a HelloRetryRequest
10147 // without sending it.
10148 testCases = append(testCases, testCase{
10149 name: "SkipHelloRetryRequest",
10150 config: Config{
10151 MaxVersion: VersionTLS13,
10152 // P-384 requires HelloRetryRequest in BoringSSL.
10153 CurvePreferences: []CurveID{CurveP384},
10154 Bugs: ProtocolBugs{
10155 SkipHelloRetryRequest: true,
10156 },
10157 },
10158 shouldFail: true,
10159 expectedError: ":WRONG_CURVE:",
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10160 })
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]10161
10162 testCases = append(testCases, testCase{
10163 name: "TLS13-RequestContextInHandshake",
10164 config: Config{
10165 MaxVersion: VersionTLS13,
10166 MinVersion: VersionTLS13,
10167 ClientAuth: RequireAnyClientCert,
10168 Bugs: ProtocolBugs{
10169 SendRequestContext: []byte("request context"),
10170 },
10171 },
10172 flags: []string{
10173 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
10174 "-key-file", path.Join(*resourceDir, rsaKeyFile),
10175 },
10176 shouldFail: true,
10177 expectedError: ":DECODE_ERROR:",
10178 })
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]10179
10180 testCases = append(testCases, testCase{
10181 testType: serverTest,
10182 name: "TLS13-TrailingKeyShareData",
10183 config: Config{
10184 MaxVersion: VersionTLS13,
10185 Bugs: ProtocolBugs{
10186 TrailingKeyShareData: true,
10187 },
10188 },
10189 shouldFail: true,
10190 expectedError: ":DECODE_ERROR:",
10191 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10192
10193 testCases = append(testCases, testCase{
10194 name: "TLS13-AlwaysSelectPSKIdentity",
10195 config: Config{
10196 MaxVersion: VersionTLS13,
10197 Bugs: ProtocolBugs{
10198 AlwaysSelectPSKIdentity: true,
10199 },
10200 },
10201 shouldFail: true,
10202 expectedError: ":UNEXPECTED_EXTENSION:",
10203 })
10204
10205 testCases = append(testCases, testCase{
10206 name: "TLS13-InvalidPSKIdentity",
10207 config: Config{
10208 MaxVersion: VersionTLS13,
10209 Bugs: ProtocolBugs{
10210 SelectPSKIdentityOnResume: 1,
10211 },
10212 },
10213 resumeSession: true,
10214 shouldFail: true,
10215 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
10216 })
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]10217
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10218 testCases = append(testCases, testCase{
10219 testType: serverTest,
10220 name: "TLS13-ExtraPSKIdentity",
10221 config: Config{
10222 MaxVersion: VersionTLS13,
10223 Bugs: ProtocolBugs{
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]10224 ExtraPSKIdentity: true,
10225 SendExtraPSKBinder: true,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10226 },
10227 },
10228 resumeSession: true,
10229 })
10230
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]10231 // Test that unknown NewSessionTicket extensions are tolerated.
10232 testCases = append(testCases, testCase{
10233 name: "TLS13-CustomTicketExtension",
10234 config: Config{
10235 MaxVersion: VersionTLS13,
10236 Bugs: ProtocolBugs{
10237 CustomTicketExtension: "1234",
10238 },
10239 },
10240 })
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10241
10242 testCases = append(testCases, testCase{
10243 testType: clientTest,
10244 name: "TLS13-DataLessEarlyData-Reject-Client",
10245 config: Config{
10246 MaxVersion: VersionTLS13,
10247 MaxEarlyDataSize: 16384,
10248 },
10249 resumeConfig: &Config{
10250 MaxVersion: VersionTLS13,
10251 MaxEarlyDataSize: 16384,
10252 Bugs: ProtocolBugs{
10253 AlwaysRejectEarlyData: true,
10254 },
10255 },
10256 resumeSession: true,
10257 flags: []string{
10258 "-enable-early-data",
10259 "-expect-early-data-info",
10260 "-expect-reject-early-data",
10261 },
10262 })
10263
10264 testCases = append(testCases, testCase{
10265 testType: clientTest,
10266 name: "TLS13-DataLessEarlyData-HRR-Client",
10267 config: Config{
10268 MaxVersion: VersionTLS13,
10269 MaxEarlyDataSize: 16384,
10270 },
10271 resumeConfig: &Config{
10272 MaxVersion: VersionTLS13,
10273 MaxEarlyDataSize: 16384,
10274 Bugs: ProtocolBugs{
10275 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10276 },
10277 },
10278 resumeSession: true,
10279 flags: []string{
10280 "-enable-early-data",
10281 "-expect-early-data-info",
10282 "-expect-reject-early-data",
10283 },
10284 })
10285
10286 // The client must check the server does not send the early_data
10287 // extension while rejecting the session.
10288 testCases = append(testCases, testCase{
10289 testType: clientTest,
10290 name: "TLS13-EarlyDataWithoutResume-Client",
10291 config: Config{
10292 MaxVersion: VersionTLS13,
10293 MaxEarlyDataSize: 16384,
10294 },
10295 resumeConfig: &Config{
10296 MaxVersion: VersionTLS13,
10297 SessionTicketsDisabled: true,
10298 Bugs: ProtocolBugs{
10299 SendEarlyDataExtension: true,
10300 },
10301 },
10302 resumeSession: true,
10303 flags: []string{
10304 "-enable-early-data",
10305 "-expect-early-data-info",
10306 },
10307 shouldFail: true,
10308 expectedError: ":UNEXPECTED_EXTENSION:",
10309 })
10310
10311 // The client must fail with a dedicated error code if the server
10312 // responds with TLS 1.2 when offering 0-RTT.
10313 testCases = append(testCases, testCase{
10314 testType: clientTest,
10315 name: "TLS13-EarlyDataVersionDowngrade-Client",
10316 config: Config{
10317 MaxVersion: VersionTLS13,
10318 MaxEarlyDataSize: 16384,
10319 },
10320 resumeConfig: &Config{
10321 MaxVersion: VersionTLS12,
10322 },
10323 resumeSession: true,
10324 flags: []string{
10325 "-enable-early-data",
10326 "-expect-early-data-info",
10327 },
10328 shouldFail: true,
10329 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10330 })
10331
10332 // Test that the client rejects an (unsolicited) early_data extension if
10333 // the server sent an HRR.
10334 testCases = append(testCases, testCase{
10335 testType: clientTest,
10336 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10337 config: Config{
10338 MaxVersion: VersionTLS13,
10339 MaxEarlyDataSize: 16384,
10340 },
10341 resumeConfig: &Config{
10342 MaxVersion: VersionTLS13,
10343 MaxEarlyDataSize: 16384,
10344 Bugs: ProtocolBugs{
10345 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10346 SendEarlyDataExtension: true,
10347 },
10348 },
10349 resumeSession: true,
10350 flags: []string{
10351 "-enable-early-data",
10352 "-expect-early-data-info",
10353 },
10354 shouldFail: true,
10355 expectedError: ":UNEXPECTED_EXTENSION:",
10356 })
10357
10358 fooString := "foo"
10359 barString := "bar"
10360
10361 // Test that the client reports the correct ALPN after a 0-RTT reject
10362 // that changed it.
10363 testCases = append(testCases, testCase{
10364 testType: clientTest,
10365 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10366 config: Config{
10367 MaxVersion: VersionTLS13,
10368 MaxEarlyDataSize: 16384,
10369 Bugs: ProtocolBugs{
10370 ALPNProtocol: &fooString,
10371 },
10372 },
10373 resumeConfig: &Config{
10374 MaxVersion: VersionTLS13,
10375 MaxEarlyDataSize: 16384,
10376 Bugs: ProtocolBugs{
10377 ALPNProtocol: &barString,
10378 },
10379 },
10380 resumeSession: true,
10381 flags: []string{
10382 "-advertise-alpn", "\x03foo\x03bar",
10383 "-enable-early-data",
10384 "-expect-early-data-info",
10385 "-expect-reject-early-data",
10386 "-expect-alpn", "foo",
10387 "-expect-resume-alpn", "bar",
10388 },
10389 })
10390
10391 // Test that the client reports the correct ALPN after a 0-RTT reject if
10392 // ALPN was omitted from the first connection.
10393 testCases = append(testCases, testCase{
10394 testType: clientTest,
10395 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10396 config: Config{
10397 MaxVersion: VersionTLS13,
10398 MaxEarlyDataSize: 16384,
10399 },
10400 resumeConfig: &Config{
10401 MaxVersion: VersionTLS13,
10402 MaxEarlyDataSize: 16384,
10403 NextProtos: []string{"foo"},
10404 },
10405 resumeSession: true,
10406 flags: []string{
10407 "-advertise-alpn", "\x03foo\x03bar",
10408 "-enable-early-data",
10409 "-expect-early-data-info",
10410 "-expect-reject-early-data",
10411 "-expect-no-alpn",
10412 "-expect-resume-alpn", "foo",
10413 },
10414 })
10415
10416 // Test that the client reports the correct ALPN after a 0-RTT reject if
10417 // ALPN was omitted from the second connection.
10418 testCases = append(testCases, testCase{
10419 testType: clientTest,
10420 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10421 config: Config{
10422 MaxVersion: VersionTLS13,
10423 MaxEarlyDataSize: 16384,
10424 NextProtos: []string{"foo"},
10425 },
10426 resumeConfig: &Config{
10427 MaxVersion: VersionTLS13,
10428 MaxEarlyDataSize: 16384,
10429 },
10430 resumeSession: true,
10431 flags: []string{
10432 "-advertise-alpn", "\x03foo\x03bar",
10433 "-enable-early-data",
10434 "-expect-early-data-info",
10435 "-expect-reject-early-data",
10436 "-expect-alpn", "foo",
10437 "-expect-no-resume-alpn",
10438 },
10439 })
10440
10441 // Test that the client enforces ALPN match on 0-RTT accept.
10442 testCases = append(testCases, testCase{
10443 testType: clientTest,
10444 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10445 config: Config{
10446 MaxVersion: VersionTLS13,
10447 MaxEarlyDataSize: 16384,
10448 Bugs: ProtocolBugs{
10449 ALPNProtocol: &fooString,
10450 },
10451 },
10452 resumeConfig: &Config{
10453 MaxVersion: VersionTLS13,
10454 MaxEarlyDataSize: 16384,
10455 Bugs: ProtocolBugs{
10456 AlwaysAcceptEarlyData: true,
10457 ALPNProtocol: &barString,
10458 },
10459 },
10460 resumeSession: true,
10461 flags: []string{
10462 "-advertise-alpn", "\x03foo\x03bar",
10463 "-enable-early-data",
10464 "-expect-early-data-info",
10465 },
10466 shouldFail: true,
10467 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10468 })
10469
10470 // Test that the server correctly rejects 0-RTT when the previous
10471 // session did not allow early data on resumption.
10472 testCases = append(testCases, testCase{
10473 testType: serverTest,
10474 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10475 config: Config{
10476 MaxVersion: VersionTLS13,
10477 },
10478 resumeConfig: &Config{
10479 MaxVersion: VersionTLS13,
10480 Bugs: ProtocolBugs{
10481 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10482 ExpectEarlyDataAccepted: false,
10483 },
10484 },
10485 resumeSession: true,
10486 flags: []string{
10487 "-enable-resume-early-data",
10488 "-expect-reject-early-data",
10489 },
10490 })
10491
10492 // Test that we reject early data where ALPN is omitted from the first
10493 // connection.
10494 testCases = append(testCases, testCase{
10495 testType: serverTest,
10496 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10497 config: Config{
10498 MaxVersion: VersionTLS13,
10499 NextProtos: []string{},
10500 },
10501 resumeConfig: &Config{
10502 MaxVersion: VersionTLS13,
10503 NextProtos: []string{"foo"},
10504 Bugs: ProtocolBugs{
10505 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10506 ExpectEarlyDataAccepted: false,
10507 },
10508 },
10509 resumeSession: true,
10510 flags: []string{
10511 "-enable-early-data",
10512 "-select-alpn", "",
10513 "-select-resume-alpn", "foo",
10514 },
10515 })
10516
10517 // Test that we reject early data where ALPN is omitted from the second
10518 // connection.
10519 testCases = append(testCases, testCase{
10520 testType: serverTest,
10521 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10522 config: Config{
10523 MaxVersion: VersionTLS13,
10524 NextProtos: []string{"foo"},
10525 },
10526 resumeConfig: &Config{
10527 MaxVersion: VersionTLS13,
10528 NextProtos: []string{},
10529 Bugs: ProtocolBugs{
10530 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10531 ExpectEarlyDataAccepted: false,
10532 },
10533 },
10534 resumeSession: true,
10535 flags: []string{
10536 "-enable-early-data",
10537 "-select-alpn", "foo",
10538 "-select-resume-alpn", "",
10539 },
10540 })
10541
10542 // Test that we reject early data with mismatched ALPN.
10543 testCases = append(testCases, testCase{
10544 testType: serverTest,
10545 name: "TLS13-EarlyData-ALPNMismatch-Server",
10546 config: Config{
10547 MaxVersion: VersionTLS13,
10548 NextProtos: []string{"foo"},
10549 },
10550 resumeConfig: &Config{
10551 MaxVersion: VersionTLS13,
10552 NextProtos: []string{"bar"},
10553 Bugs: ProtocolBugs{
10554 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10555 ExpectEarlyDataAccepted: false,
10556 },
10557 },
10558 resumeSession: true,
10559 flags: []string{
10560 "-enable-early-data",
10561 "-select-alpn", "foo",
10562 "-select-resume-alpn", "bar",
10563 },
10564 })
10565
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10566 // Test that the client offering 0-RTT and Channel ID forbids the server
10567 // from accepting both.
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10568 testCases = append(testCases, testCase{
10569 testType: clientTest,
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10570 name: "TLS13-EarlyDataChannelID-AcceptBoth-Client",
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10571 config: Config{
10572 MaxVersion: VersionTLS13,
10573 MaxEarlyDataSize: 16384,
10574 RequestChannelID: true,
10575 },
10576 resumeSession: true,
10577 expectChannelID: true,
10578 shouldFail: true,
10579 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
10580 flags: []string{
10581 "-enable-early-data",
10582 "-expect-early-data-info",
10583 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10584 },
10585 })
10586
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10587 // Test that the client offering Channel ID and 0-RTT allows the server
10588 // to decline 0-RTT.
10589 testCases = append(testCases, testCase{
10590 testType: clientTest,
10591 name: "TLS13-EarlyDataChannelID-AcceptChannelID-Client",
10592 config: Config{
10593 MaxVersion: VersionTLS13,
10594 MaxEarlyDataSize: 16384,
10595 RequestChannelID: true,
10596 Bugs: ProtocolBugs{
10597 AlwaysRejectEarlyData: true,
10598 },
10599 },
10600 resumeSession: true,
10601 expectChannelID: true,
10602 flags: []string{
10603 "-enable-early-data",
10604 "-expect-early-data-info",
10605 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10606 "-expect-reject-early-data",
10607 },
10608 })
10609
10610 // Test that the client offering Channel ID and 0-RTT allows the server
10611 // to decline Channel ID.
10612 testCases = append(testCases, testCase{
10613 testType: clientTest,
10614 name: "TLS13-EarlyDataChannelID-AcceptEarlyData-Client",
10615 config: Config{
10616 MaxVersion: VersionTLS13,
10617 MaxEarlyDataSize: 16384,
10618 },
10619 resumeSession: true,
10620 flags: []string{
10621 "-enable-early-data",
10622 "-expect-early-data-info",
10623 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
10624 "-expect-accept-early-data",
10625 },
10626 })
10627
10628 // Test that the server supporting Channel ID and 0-RTT declines 0-RTT
10629 // if it would negotiate Channel ID.
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10630 testCases = append(testCases, testCase{
10631 testType: serverTest,
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10632 name: "TLS13-EarlyDataChannelID-OfferBoth-Server",
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10633 config: Config{
10634 MaxVersion: VersionTLS13,
10635 ChannelID: channelIDKey,
10636 Bugs: ProtocolBugs{
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10637 SendEarlyData: [][]byte{{1, 2, 3, 4}},
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10638 ExpectEarlyDataAccepted: false,
10639 },
10640 },
10641 resumeSession: true,
10642 expectChannelID: true,
10643 flags: []string{
10644 "-enable-early-data",
10645 "-expect-reject-early-data",
10646 "-expect-channel-id",
10647 base64.StdEncoding.EncodeToString(channelIDBytes),
10648 },
10649 })
10650
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]10651 // Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
10652 // if not offered Channel ID.
10653 testCases = append(testCases, testCase{
10654 testType: serverTest,
10655 name: "TLS13-EarlyDataChannelID-OfferEarlyData-Server",
10656 config: Config{
10657 MaxVersion: VersionTLS13,
10658 Bugs: ProtocolBugs{
10659 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10660 ExpectEarlyDataAccepted: true,
10661 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
10662 },
10663 },
10664 resumeSession: true,
10665 expectChannelID: false,
10666 flags: []string{
10667 "-enable-early-data",
10668 "-expect-accept-early-data",
10669 "-enable-channel-id",
10670 },
10671 })
10672
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]10673 // Test that the server rejects 0-RTT streams without end_of_early_data.
10674 // The subsequent records should fail to decrypt.
10675 testCases = append(testCases, testCase{
10676 testType: serverTest,
10677 name: "TLS13-EarlyData-SkipEndOfEarlyData",
10678 config: Config{
10679 MaxVersion: VersionTLS13,
10680 Bugs: ProtocolBugs{
10681 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10682 ExpectEarlyDataAccepted: true,
10683 SkipEndOfEarlyData: true,
10684 },
10685 },
10686 resumeSession: true,
10687 flags: []string{"-enable-early-data"},
10688 shouldFail: true,
10689 expectedLocalError: "remote error: bad record MAC",
10690 expectedError: ":BAD_DECRYPT:",
10691 })
10692
10693 testCases = append(testCases, testCase{
10694 testType: serverTest,
10695 name: "TLS13-EarlyData-UnexpectedHandshake-Server",
10696 config: Config{
10697 MaxVersion: VersionTLS13,
10698 },
10699 resumeConfig: &Config{
10700 MaxVersion: VersionTLS13,
10701 Bugs: ProtocolBugs{
10702 SendEarlyData: [][]byte{{1, 2, 3, 4}},
10703 SendStrayEarlyHandshake: true,
10704 ExpectEarlyDataAccepted: true},
10705 },
10706 resumeSession: true,
10707 shouldFail: true,
10708 expectedError: ":UNEXPECTED_RECORD:",
10709 expectedLocalError: "remote error: unexpected message",
10710 flags: []string{
10711 "-enable-early-data",
10712 },
10713 })
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10714}
10715
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10716func addTLS13CipherPreferenceTests() {
10717 // Test that client preference is honored if the shim has AES hardware
10718 // and ChaCha20-Poly1305 is preferred otherwise.
10719 testCases = append(testCases, testCase{
10720 testType: serverTest,
10721 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10722 config: Config{
10723 MaxVersion: VersionTLS13,
10724 CipherSuites: []uint16{
10725 TLS_CHACHA20_POLY1305_SHA256,
10726 TLS_AES_128_GCM_SHA256,
10727 },
10728 },
10729 flags: []string{
10730 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10731 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10732 },
10733 })
10734
10735 testCases = append(testCases, testCase{
10736 testType: serverTest,
10737 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10738 config: Config{
10739 MaxVersion: VersionTLS13,
10740 CipherSuites: []uint16{
10741 TLS_AES_128_GCM_SHA256,
10742 TLS_CHACHA20_POLY1305_SHA256,
10743 },
10744 },
10745 flags: []string{
10746 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10747 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10748 },
10749 })
10750
10751 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10752 // whether it has AES hardware.
10753 testCases = append(testCases, testCase{
10754 name: "TLS13-CipherPreference-Client",
10755 config: Config{
10756 MaxVersion: VersionTLS13,
10757 // Use the client cipher order. (This is the default but
10758 // is listed to be explicit.)
10759 PreferServerCipherSuites: false,
10760 },
10761 flags: []string{
10762 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10763 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10764 },
10765 })
10766}
10767
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10768func addPeekTests() {
10769 // Test SSL_peek works, including on empty records.
10770 testCases = append(testCases, testCase{
10771 name: "Peek-Basic",
10772 sendEmptyRecords: 1,
10773 flags: []string{"-peek-then-read"},
10774 })
10775
10776 // Test SSL_peek can drive the initial handshake.
10777 testCases = append(testCases, testCase{
10778 name: "Peek-ImplicitHandshake",
10779 flags: []string{
10780 "-peek-then-read",
10781 "-implicit-handshake",
10782 },
10783 })
10784
10785 // Test SSL_peek can discover and drive a renegotiation.
10786 testCases = append(testCases, testCase{
10787 name: "Peek-Renegotiate",
10788 config: Config{
10789 MaxVersion: VersionTLS12,
10790 },
10791 renegotiate: 1,
10792 flags: []string{
10793 "-peek-then-read",
10794 "-renegotiate-freely",
10795 "-expect-total-renegotiations", "1",
10796 },
10797 })
10798
10799 // Test SSL_peek can discover a close_notify.
10800 testCases = append(testCases, testCase{
10801 name: "Peek-Shutdown",
10802 config: Config{
10803 Bugs: ProtocolBugs{
10804 ExpectCloseNotify: true,
10805 },
10806 },
10807 flags: []string{
10808 "-peek-then-read",
10809 "-check-close-notify",
10810 },
10811 })
10812
10813 // Test SSL_peek can discover an alert.
10814 testCases = append(testCases, testCase{
10815 name: "Peek-Alert",
10816 config: Config{
10817 Bugs: ProtocolBugs{
10818 SendSpuriousAlert: alertRecordOverflow,
10819 },
10820 },
10821 flags: []string{"-peek-then-read"},
10822 shouldFail: true,
10823 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10824 })
10825
10826 // Test SSL_peek can handle KeyUpdate.
10827 testCases = append(testCases, testCase{
10828 name: "Peek-KeyUpdate",
10829 config: Config{
10830 MaxVersion: VersionTLS13,
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10831 },
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]10832 sendKeyUpdates: 1,
10833 keyUpdateRequest: keyUpdateNotRequested,
10834 flags: []string{"-peek-then-read"},
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]10835 })
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]10836}
10837
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10838func addRecordVersionTests() {
10839 for _, ver := range tlsVersions {
10840 // Test that the record version is enforced.
10841 testCases = append(testCases, testCase{
10842 name: "CheckRecordVersion-" + ver.name,
10843 config: Config{
10844 MinVersion: ver.version,
10845 MaxVersion: ver.version,
10846 Bugs: ProtocolBugs{
10847 SendRecordVersion: 0x03ff,
10848 },
10849 },
10850 shouldFail: true,
10851 expectedError: ":WRONG_VERSION_NUMBER:",
10852 })
10853
10854 // Test that the ClientHello may use any record version, for
10855 // compatibility reasons.
10856 testCases = append(testCases, testCase{
10857 testType: serverTest,
10858 name: "LooseInitialRecordVersion-" + ver.name,
10859 config: Config{
10860 MinVersion: ver.version,
10861 MaxVersion: ver.version,
10862 Bugs: ProtocolBugs{
10863 SendInitialRecordVersion: 0x03ff,
10864 },
10865 },
10866 })
10867
10868 // Test that garbage ClientHello record versions are rejected.
10869 testCases = append(testCases, testCase{
10870 testType: serverTest,
10871 name: "GarbageInitialRecordVersion-" + ver.name,
10872 config: Config{
10873 MinVersion: ver.version,
10874 MaxVersion: ver.version,
10875 Bugs: ProtocolBugs{
10876 SendInitialRecordVersion: 0xffff,
10877 },
10878 },
10879 shouldFail: true,
10880 expectedError: ":WRONG_VERSION_NUMBER:",
10881 })
10882 }
10883}
10884
10885func addCertificateTests() {
10886 // Test that a certificate chain with intermediate may be sent and
10887 // received as both client and server.
10888 for _, ver := range tlsVersions {
10889 testCases = append(testCases, testCase{
10890 testType: clientTest,
10891 name: "SendReceiveIntermediate-Client-" + ver.name,
10892 config: Config{
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]10893 MinVersion: ver.version,
10894 MaxVersion: ver.version,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10895 Certificates: []Certificate{rsaChainCertificate},
10896 ClientAuth: RequireAnyClientCert,
10897 },
10898 expectPeerCertificate: &rsaChainCertificate,
10899 flags: []string{
10900 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10901 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10902 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10903 },
10904 })
10905
10906 testCases = append(testCases, testCase{
10907 testType: serverTest,
10908 name: "SendReceiveIntermediate-Server-" + ver.name,
10909 config: Config{
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]10910 MinVersion: ver.version,
10911 MaxVersion: ver.version,
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]10912 Certificates: []Certificate{rsaChainCertificate},
10913 },
10914 expectPeerCertificate: &rsaChainCertificate,
10915 flags: []string{
10916 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10917 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10918 "-require-any-client-certificate",
10919 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10920 },
10921 })
10922 }
10923}
10924
10925func addRetainOnlySHA256ClientCertTests() {
10926 for _, ver := range tlsVersions {
10927 // Test that enabling
10928 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10929 // actually requesting a client certificate is a no-op.
10930 testCases = append(testCases, testCase{
10931 testType: serverTest,
10932 name: "RetainOnlySHA256-NoCert-" + ver.name,
10933 config: Config{
10934 MinVersion: ver.version,
10935 MaxVersion: ver.version,
10936 },
10937 flags: []string{
10938 "-retain-only-sha256-client-cert-initial",
10939 "-retain-only-sha256-client-cert-resume",
10940 },
10941 resumeSession: true,
10942 })
10943
10944 // Test that when retaining only a SHA-256 certificate is
10945 // enabled, the hash appears as expected.
10946 testCases = append(testCases, testCase{
10947 testType: serverTest,
10948 name: "RetainOnlySHA256-Cert-" + ver.name,
10949 config: Config{
10950 MinVersion: ver.version,
10951 MaxVersion: ver.version,
10952 Certificates: []Certificate{rsaCertificate},
10953 },
10954 flags: []string{
10955 "-verify-peer",
10956 "-retain-only-sha256-client-cert-initial",
10957 "-retain-only-sha256-client-cert-resume",
10958 "-expect-sha256-client-cert-initial",
10959 "-expect-sha256-client-cert-resume",
10960 },
10961 resumeSession: true,
10962 })
10963
10964 // Test that when the config changes from on to off, a
10965 // resumption is rejected because the server now wants the full
10966 // certificate chain.
10967 testCases = append(testCases, testCase{
10968 testType: serverTest,
10969 name: "RetainOnlySHA256-OnOff-" + ver.name,
10970 config: Config{
10971 MinVersion: ver.version,
10972 MaxVersion: ver.version,
10973 Certificates: []Certificate{rsaCertificate},
10974 },
10975 flags: []string{
10976 "-verify-peer",
10977 "-retain-only-sha256-client-cert-initial",
10978 "-expect-sha256-client-cert-initial",
10979 },
10980 resumeSession: true,
10981 expectResumeRejected: true,
10982 })
10983
10984 // Test that when the config changes from off to on, a
10985 // resumption is rejected because the server now wants just the
10986 // hash.
10987 testCases = append(testCases, testCase{
10988 testType: serverTest,
10989 name: "RetainOnlySHA256-OffOn-" + ver.name,
10990 config: Config{
10991 MinVersion: ver.version,
10992 MaxVersion: ver.version,
10993 Certificates: []Certificate{rsaCertificate},
10994 },
10995 flags: []string{
10996 "-verify-peer",
10997 "-retain-only-sha256-client-cert-resume",
10998 "-expect-sha256-client-cert-resume",
10999 },
11000 resumeSession: true,
11001 expectResumeRejected: true,
11002 })
11003 }
11004}
11005
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]11006func addECDSAKeyUsageTests() {
11007 p256 := elliptic.P256()
11008 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
11009 if err != nil {
11010 panic(err)
11011 }
11012
11013 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
11014 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
11015 if err != nil {
11016 panic(err)
11017 }
11018
11019 template := x509.Certificate{
11020 SerialNumber: serialNumber,
11021 Subject: pkix.Name{
11022 Organization: []string{"Acme Co"},
11023 },
11024 NotBefore: time.Now(),
11025 NotAfter: time.Now(),
11026
11027 // An ECC certificate with only the keyAgreement key usgae may
11028 // be used with ECDH, but not ECDSA.
11029 KeyUsage: x509.KeyUsageKeyAgreement,
11030 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
11031 BasicConstraintsValid: true,
11032 }
11033
11034 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
11035 if err != nil {
11036 panic(err)
11037 }
11038
11039 cert := Certificate{
11040 Certificate: [][]byte{derBytes},
11041 PrivateKey: priv,
11042 }
11043
11044 for _, ver := range tlsVersions {
11045 if ver.version < VersionTLS12 {
11046 continue
11047 }
11048
11049 testCases = append(testCases, testCase{
11050 testType: clientTest,
11051 name: "ECDSAKeyUsage-" + ver.name,
11052 config: Config{
11053 MinVersion: ver.version,
11054 MaxVersion: ver.version,
11055 Certificates: []Certificate{cert},
11056 },
11057 shouldFail: true,
11058 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
11059 })
11060 }
11061}
11062
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]11063func addExtraHandshakeTests() {
11064 // An extra SSL_do_handshake is normally a no-op. These tests use -async
11065 // to ensure there is no transport I/O.
11066 testCases = append(testCases, testCase{
11067 testType: clientTest,
11068 name: "ExtraHandshake-Client-TLS12",
11069 config: Config{
11070 MinVersion: VersionTLS12,
11071 MaxVersion: VersionTLS12,
11072 },
11073 flags: []string{
11074 "-async",
11075 "-no-op-extra-handshake",
11076 },
11077 })
11078 testCases = append(testCases, testCase{
11079 testType: serverTest,
11080 name: "ExtraHandshake-Server-TLS12",
11081 config: Config{
11082 MinVersion: VersionTLS12,
11083 MaxVersion: VersionTLS12,
11084 },
11085 flags: []string{
11086 "-async",
11087 "-no-op-extra-handshake",
11088 },
11089 })
11090 testCases = append(testCases, testCase{
11091 testType: clientTest,
11092 name: "ExtraHandshake-Client-TLS13",
11093 config: Config{
11094 MinVersion: VersionTLS13,
11095 MaxVersion: VersionTLS13,
11096 },
11097 flags: []string{
11098 "-async",
11099 "-no-op-extra-handshake",
11100 },
11101 })
11102 testCases = append(testCases, testCase{
11103 testType: serverTest,
11104 name: "ExtraHandshake-Server-TLS13",
11105 config: Config{
11106 MinVersion: VersionTLS13,
11107 MaxVersion: VersionTLS13,
11108 },
11109 flags: []string{
11110 "-async",
11111 "-no-op-extra-handshake",
11112 },
11113 })
11114
11115 // An extra SSL_do_handshake is a no-op in server 0-RTT.
11116 testCases = append(testCases, testCase{
11117 testType: serverTest,
11118 name: "ExtraHandshake-Server-EarlyData-TLS13",
11119 config: Config{
11120 MaxVersion: VersionTLS13,
11121 MinVersion: VersionTLS13,
11122 Bugs: ProtocolBugs{
11123 SendEarlyData: [][]byte{{1, 2, 3, 4}},
11124 ExpectEarlyDataAccepted: true,
11125 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
11126 },
11127 },
11128 messageCount: 2,
11129 resumeSession: true,
11130 flags: []string{
11131 "-async",
11132 "-enable-early-data",
11133 "-expect-accept-early-data",
11134 "-no-op-extra-handshake",
11135 },
11136 })
11137
11138 // An extra SSL_do_handshake drives the handshake to completion in False
11139 // Start. We test this by handshaking twice and asserting the False
11140 // Start does not appear to happen. See AlertBeforeFalseStartTest for
11141 // how the test works.
11142 testCases = append(testCases, testCase{
11143 testType: clientTest,
11144 name: "ExtraHandshake-FalseStart",
11145 config: Config{
11146 MaxVersion: VersionTLS12,
11147 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11148 NextProtos: []string{"foo"},
11149 Bugs: ProtocolBugs{
11150 ExpectFalseStart: true,
11151 AlertBeforeFalseStartTest: alertAccessDenied,
11152 },
11153 },
11154 flags: []string{
11155 "-handshake-twice",
11156 "-false-start",
11157 "-advertise-alpn", "\x03foo",
11158 },
11159 shimWritesFirst: true,
11160 shouldFail: true,
11161 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
11162 expectedLocalError: "tls: peer did not false start: EOF",
11163 })
11164}
11165
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11166func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11167 defer wg.Done()
11168
11169 for test := range c {
11170 var err error
11171
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11172 if *mallocTest >= 0 {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11173 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
11174 statusChan <- statusMsg{test: test, started: true}
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11175 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11176 if err != nil {
11177 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
11178 }
11179 break
11180 }
11181 }
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11182 } else if *repeatUntilFailure {
11183 for err == nil {
11184 statusChan <- statusMsg{test: test, started: true}
11185 err = runTest(test, shimPath, -1)
11186 }
11187 } else {
11188 statusChan <- statusMsg{test: test, started: true}
11189 err = runTest(test, shimPath, -1)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11190 }
11191 statusChan <- statusMsg{test: test, err: err}
11192 }
11193}
11194
11195type statusMsg struct {
11196 test *testCase
11197 started bool
11198 err error
11199}
11200
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11201func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11202 var started, done, failed, unimplemented, lineLen int
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11203
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11204 testOutput := newTestOutput()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11205 for msg := range statusChan {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11206 if !*pipe {
11207 // Erase the previous status line.
11208 var erase string
11209 for i := 0; i < lineLen; i++ {
11210 erase += "\b \b"
11211 }
11212 fmt.Print(erase)
11213 }
11214
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11215 if msg.started {
11216 started++
11217 } else {
11218 done++
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11219
11220 if msg.err != nil {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11221 if msg.err == errUnimplemented {
11222 if *pipe {
11223 // Print each test instead of a status line.
11224 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
11225 }
11226 unimplemented++
11227 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
11228 } else {
11229 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
11230 failed++
11231 testOutput.addResult(msg.test.name, "FAIL")
11232 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11233 } else {
11234 if *pipe {
11235 // Print each test instead of a status line.
11236 fmt.Printf("PASSED (%s)\n", msg.test.name)
11237 }
11238 testOutput.addResult(msg.test.name, "PASS")
11239 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11240 }
11241
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11242 if !*pipe {
11243 // Print a new status line.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11244 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11245 lineLen = len(line)
11246 os.Stdout.WriteString(line)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11247 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11248 }
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11249
11250 doneChan <- testOutput
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11251}
11252
11253func main() {
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]11254 flag.Parse()
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11255 *resourceDir = path.Clean(*resourceDir)
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11256 initCertificates()
Kenny Roota04d78d2015-09-25 00:26:37 +0000[diff] [blame]11257
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11258 addBasicTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11259 addCipherSuiteTests()
11260 addBadECDSASignatureTests()
11261 addCBCPaddingTests()
11262 addCBCSplittingTests()
11263 addClientAuthTests()
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11264 addDDoSCallbackTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11265 addVersionNegotiationTests()
11266 addMinimumVersionTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11267 addExtensionTests()
11268 addResumptionVersionTests()
11269 addExtendedMasterSecretTests()
11270 addRenegotiationTests()
11271 addDTLSReplayTests()
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11272 addSignatureAlgorithmTests()
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11273 addDTLSRetransmitTests()
11274 addExportKeyingMaterialTests()
Adam Langleyf4e42722015-06-04 17:45:09 -0700[diff] [blame]11275 addTLSUniqueTests()
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11276 addCustomExtensionTests()
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]11277 addRSAClientKeyExchangeTests()
11278 addCurveTests()
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11279 addSessionTicketTests()
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11280 addTLS13RecordTests()
11281 addAllStateMachineCoverageTests()
11282 addChangeCipherSpecTests()
11283 addWrongMessageTypeTests()
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]11284 addTrailingMessageDataTests()
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11285 addTLS13HandshakeTests()
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11286 addTLS13CipherPreferenceTests()
Steven Valdezbb1ceac2016-10-07 10:34:51 -0400[diff] [blame]11287 addPeekTests()
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11288 addRecordVersionTests()
11289 addCertificateTests()
11290 addRetainOnlySHA256ClientCertTests()
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]11291 addECDSAKeyUsageTests()
Robert Sloan6f79a502017-04-03 09:16:40 -0700[diff] [blame]11292 addExtraHandshakeTests()
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11293
11294 var wg sync.WaitGroup
11295
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11296 statusChan := make(chan statusMsg, *numWorkers)
11297 testChan := make(chan *testCase, *numWorkers)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11298 doneChan := make(chan *testOutput)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11299
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11300 if len(*shimConfigFile) != 0 {
11301 encoded, err := ioutil.ReadFile(*shimConfigFile)
11302 if err != nil {
11303 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
11304 os.Exit(1)
11305 }
11306
11307 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
11308 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
11309 os.Exit(1)
11310 }
11311 }
11312
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11313 go statusPrinter(doneChan, statusChan, len(testCases))
11314
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11315 for i := 0; i < *numWorkers; i++ {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11316 wg.Add(1)
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]11317 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11318 }
11319
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]11320 var foundTest bool
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11321 for i := range testCases {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11322 matched := true
11323 if len(*testToRun) != 0 {
11324 var err error
11325 matched, err = filepath.Match(*testToRun, testCases[i].name)
11326 if err != nil {
11327 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
11328 os.Exit(1)
11329 }
11330 }
11331
11332 if !*includeDisabled {
11333 for pattern := range shimConfig.DisabledTests {
11334 isDisabled, err := filepath.Match(pattern, testCases[i].name)
11335 if err != nil {
11336 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
11337 os.Exit(1)
11338 }
11339
11340 if isDisabled {
11341 matched = false
11342 break
11343 }
11344 }
11345 }
11346
11347 if matched {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]11348 foundTest = true
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11349 testChan <- &testCases[i]
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]11350
11351 // Only run one test if repeating until failure.
11352 if *repeatUntilFailure {
11353 break
11354 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11355 }
11356 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11357
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]11358 if !foundTest {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11359 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]11360 os.Exit(1)
11361 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11362
11363 close(testChan)
11364 wg.Wait()
11365 close(statusChan)
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11366 testOutput := <-doneChan
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11367
11368 fmt.Printf("\n")
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11369
11370 if *jsonOutput != "" {
11371 if err := testOutput.writeTo(*jsonOutput); err != nil {
11372 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
11373 }
11374 }
11375
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]11376 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
11377 os.Exit(1)
11378 }
11379
11380 if !testOutput.noneFailed {
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]11381 os.Exit(1)
11382 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]11383}