kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
e820df9371
boringssl/ssl/test/runner/runner.go

2821 lines
72 KiB
Go
Raw Normal View History

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
package main
import (
"bytes"
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
"crypto/ecdsa"
"crypto/elliptic"
Fix parsing of CertificateRequests. Got one of the conditions flipped. Change-Id: I327a9c13e42865459e8d69a431b0d3a2bc6b54a5 Reviewed-on: https://boringssl-review.googlesource.com/1210 Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 17:58:59 +01:00
"crypto/x509"
Introduce a mechanism for base64 options. We may wish to pass data to the runner that contains NULs. Change-Id: Id78dad0ad0b5b6d0537481c818e3febdf1740cc9 Reviewed-on: https://boringssl-review.googlesource.com/1603 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:25:27 +01:00
"encoding/base64"
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
"encoding/pem"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
"flag"
"fmt"
"io"
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
"io/ioutil"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
"net"
"os"
"os/exec"
runner: Take the build directory as flag. Don't hardcode the directory. Change-Id: I5c778a4ff16e00abbac2959ca9c9b4f4c40576f7 Reviewed-on: https://boringssl-review.googlesource.com/1376 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:28:23 +01:00
"path"
runner: Take the number of workers as a flag. Default to the number of CPUs. Avoids the tests launching 64 valgrinds in parallel on machines without gobs of memory. Change-Id: I9eeb365b48aa7407e303d161f90ce69a591a884c Reviewed-on: https://boringssl-review.googlesource.com/1375 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:22:37 +01:00
"runtime"
Add malloc failure tests. This commit fixes a number of crashes caused by malloc failures. They were found using the -malloc-test=0 option to runner.go which runs tests many times, causing a different allocation call to fail in each case. (This test only works on Linux and only looks for crashes caused by allocation failures, not memory leaks or other errors.) This is not the complete set of crashes! More can be found by collecting core dumps from running with -malloc-test=0. Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83 Reviewed-on: https://boringssl-review.googlesource.com/2320 Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 01:26:55 +00:00
"strconv"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
"strings"
"sync"
"syscall"
Add DTLS timeout and retransmit tests. This extends the packet adaptor protocol to send three commands: type command = | Packet of []byte | Timeout of time.Duration | TimeoutAck When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the BIO_read, returns out of the SSL stack, advances the clock, calls DTLSv1_handle_timeout, and continues. If the Go side sends Timeout right between sending handshake flight N and reading flight N+1, the shim won't read the Timeout until it has sent flight N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes after N+1. Go then drops all packets before the TimeoutAck, thus dropping one transmit of flight N+1 without having to actually process the packets to determine the end of the flight. The shim then sees the updated clock, calls DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real. When dropping packets, Go checks the epoch and increments sequence numbers so that we can continue to be strict here. This requires tracking the initial sequence number of the next epoch. The final Finished message takes an additional special-case to test. DTLS triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only implements the former which should be sufficient (and is necessary) EXCEPT for the final Finished message. If the peer's final Finished message is lost, it won't be waiting for a message from us, so it won't time out anything. That retransmit must be triggered on stale message, so we retransmit the Finished message in Go. Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c Reviewed-on: https://boringssl-review.googlesource.com/3212 Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 06:09:43 +00:00
"time"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
)
Add malloc failure tests. This commit fixes a number of crashes caused by malloc failures. They were found using the -malloc-test=0 option to runner.go which runs tests many times, causing a different allocation call to fail in each case. (This test only works on Linux and only looks for crashes caused by allocation failures, not memory leaks or other errors.) This is not the complete set of crashes! More can be found by collecting core dumps from running with -malloc-test=0. Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83 Reviewed-on: https://boringssl-review.googlesource.com/2320 Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 01:26:55 +00:00
var (
useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
flagDebug *bool = flag.Bool("debug", false, "Hexdump the contents of the connection")
mallocTest *int64 = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
mallocTestDebug *bool = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
const (
rsaCertificateFile = "cert.pem"
ecdsaCertificateFile = "ecdsa_cert.pem"
)
const (
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
rsaKeyFile = "key.pem"
ecdsaKeyFile = "ecdsa_key.pem"
channelIDKeyFile = "channel_id_key.pem"
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
var rsaCertificate, ecdsaCertificate Certificate
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
var channelIDKey *ecdsa.PrivateKey
var channelIDBytes []byte
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
2014-11-25 06:55:35 +00:00
var testOCSPResponse = []byte{1, 2, 3, 4}
var testSCTList = []byte{5, 6, 7, 8}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
func initCertificates() {
var err error
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
rsaCertificate, err = LoadX509KeyPair(rsaCertificateFile, rsaKeyFile)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if err != nil {
panic(err)
}
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
2014-11-25 06:55:35 +00:00
rsaCertificate.OCSPStaple = testOCSPResponse
rsaCertificate.SignedCertificateTimestampList = testSCTList
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
ecdsaCertificate, err = LoadX509KeyPair(ecdsaCertificateFile, ecdsaKeyFile)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if err != nil {
panic(err)
}
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
2014-11-25 06:55:35 +00:00
ecdsaCertificate.OCSPStaple = testOCSPResponse
ecdsaCertificate.SignedCertificateTimestampList = testSCTList
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
channelIDPEMBlock, err := ioutil.ReadFile(channelIDKeyFile)
if err != nil {
panic(err)
}
channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
if channelIDDERBlock.Type != "EC PRIVATE KEY" {
panic("bad key type")
}
channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
if err != nil {
panic(err)
}
if channelIDKey.Curve != elliptic.P256() {
panic("bad curve")
}
channelIDBytes = make([]byte, 64)
writeIntPadded(channelIDBytes[:32], channelIDKey.X)
writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
var certificateOnce sync.Once
func getRSACertificate() Certificate {
certificateOnce.Do(initCertificates)
return rsaCertificate
}
func getECDSACertificate() Certificate {
certificateOnce.Do(initCertificates)
return ecdsaCertificate
}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
type testType int
const (
clientTest testType = iota
serverTest
)
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
type protocol int
const (
tls protocol = iota
dtls
)
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
const (
alpn = 1
npn = 2
)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
type testCase struct {
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
testType testType
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol protocol
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
name string
config Config
shouldFail bool
expectedError string
Implement TLS_FALLBACK_SCSV support for the client. With this change, calling SSL_enable_fallback_scsv on a client SSL* will cause the fallback SCSV to be sent. This is intended to be set when the client is performing TLS fallback after a failed connection. (This only happens if the application itself implements this behaviour: OpenSSL does not do fallback automatically.) The fallback SCSV indicates to the server that it should reject the connection if the version indicated by the client is less than the version supported by the server. See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02. Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 20:03:11 +01:00
// expectedLocalError, if not empty, contains a substring that must be
// found in the local error.
expectedLocalError string
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
// expectedVersion, if non-zero, specifies the TLS version that must be
// negotiated.
expectedVersion uint16
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
// expectedResumeVersion, if non-zero, specifies the TLS version that
// must be negotiated on resumption. If zero, expectedVersion is used.
expectedResumeVersion uint16
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
// expectChannelID controls whether the connection should have
// negotiated a Channel ID with channelIDKey.
expectChannelID bool
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
// expectedNextProto controls whether the connection should
// negotiate a next protocol via NPN or ALPN.
expectedNextProto string
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
// expectedNextProtoType, if non-zero, is the expected next
// protocol negotiation mechanism.
expectedNextProtoType int
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
2014-11-16 00:06:08 +00:00
// expectedSRTPProtectionProfile is the DTLS-SRTP profile that
// should be negotiated. If zero, none should be negotiated.
expectedSRTPProtectionProfile uint16
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
// messageLen is the length, in bytes, of the test message that will be
// sent.
messageLen int
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
// certFile is the path to the certificate to use for the server.
certFile string
// keyFile is the path to the private key to use for the server.
keyFile string
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
// resumeSession controls whether a second connection should be tested
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
// which attempts to resume the first session.
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
resumeSession bool
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
// resumeConfig, if not nil, points to a Config to be used on
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
// resumption. Unless newSessionsOnResume is set,
// SessionTicketKey, ServerSessionCache, and
// ClientSessionCache are copied from the initial connection's
// config. If nil, the initial connection's config is used.
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
resumeConfig *Config
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
// newSessionsOnResume, if true, will cause resumeConfig to
// use a different session resumption context.
newSessionsOnResume bool
Clean up s23_srvr.c. ssl23_get_client_hello has lots of remnants of SSLv2 support and remnants of an even older SSL_OP_NON_EXPORT_FIRST option (see upstream's d92f0bb6e9ed94ac0c3aa0c939f2565f2ed95935) which complicates the logic. Split it into three states and move V2ClientHello parsing into its own function. Port it to CBS and CBB to give bounds checks on the V2ClientHello parse. This fixes a minor bug where, if the SSL_accept call in ssl23_get_client_hello failed, cb would not be NULL'd and SSL_CB_ACCEPT_LOOP would get reported an extra time. It also unbreaks the invariant between s->packet, s->packet_length, s->s3->rbuf.buf, and s->s3->rbuf.offset at the point the switch, although this was of no consequence because the first ssl3_read_n call passes extend = 0 which resets s->packet and s->packet_length. It also makes us tolerant to major version bumps in the ClientHello. Add tests for TLS tolerance of both minor and major version bumps as well as the HTTP request error codes. Change-Id: I948337f4dc483f4ebe1742d3eba53b045b260257 Reviewed-on: https://boringssl-review.googlesource.com/1455 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 18:24:34 +01:00
// sendPrefix sends a prefix on the socket before actually performing a
// handshake.
sendPrefix string
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
// shimWritesFirst controls whether the shim sends an initial "hello"
// message before doing a roundtrip with the runner.
shimWritesFirst bool
Test renegotiation with BoringSSL as the client. This also contains a test for the issue fixed in 88333ef7d7d47221ede66a2a31626fc426466297. Change-Id: Id705a82cee34c018491dc301eba8b5097b9c83d5 Reviewed-on: https://boringssl-review.googlesource.com/2083 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 02:06:14 +00:00
// renegotiate indicates the the connection should be renegotiated
// during the exchange.
renegotiate bool
// renegotiateCiphers is a list of ciphersuite ids that will be
// switched in just before renegotiation.
renegotiateCiphers []uint16
Add DTLS replay tests. At the record layer, DTLS maintains a window of seen sequence numbers to detect replays. Add tests to cover that case. Test both repeated sequence numbers within the window and sequence numbers past the window's left edge. Also test receiving sequence numbers far past the window's right edge. Change-Id: If6a7a24869db37fdd8fb3c4b3521b730e31f8f86 Reviewed-on: https://boringssl-review.googlesource.com/2221 Reviewed-by: Adam Langley <agl@google.com>
2014-11-07 06:48:35 +00:00
// replayWrites, if true, configures the underlying transport
// to replay every write it makes in DTLS tests.
replayWrites bool
Clear the error queue when dropping a bad DTLS packet. This regressed in e95d20dcb80523bf9bc6a9c5682856c8371e0a96. EVP_AEAD will push errors on the error queue (unlike the EVP_CIPHER codepath which checked everything internally to ssl/ and didn't bother pushing anything). This meant that a dropped packet would leave junk in the error queue. Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error queue check in SSL_get_error kicks in and SSL_read looks to have failed. BUG=https://code.google.com/p/webrtc/issues/detail?id=4214 Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840 Reviewed-on: https://boringssl-review.googlesource.com/2982 Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 21:35:40 +00:00
// damageFirstWrite, if true, configures the underlying transport to
// damage the final byte of the first application data write.
damageFirstWrite bool
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
// flags, if not empty, contains a list of command-line flags that will
// be passed to the shim program.
flags []string
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
var testCases = []testCase{
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{
name: "BadRSASignature",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
InvalidSKXSignature: true,
},
},
shouldFail: true,
expectedError: ":BAD_SIGNATURE:",
},
{
name: "BadECDSASignature",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
InvalidSKXSignature: true,
},
Certificates: []Certificate{getECDSACertificate()},
},
shouldFail: true,
expectedError: ":BAD_SIGNATURE:",
},
{
name: "BadECDSACurve",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
InvalidSKXCurve: true,
},
Certificates: []Certificate{getECDSACertificate()},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
},
Remove SSL_OP_TLS_ROLLBACK_BUG. It's not part of SSL_OP_ALL and is unused, so remove it. Add a test that asserts the version check works. Change-Id: I917516594ec5a4998a8316782f035697c33d99b0 Reviewed-on: https://boringssl-review.googlesource.com/1418 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 03:11:10 +01:00
{
testType: serverTest,
name: "BadRSAVersion",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
Bugs: ProtocolBugs{
RsaClientKeyExchangeVersion: VersionTLS11,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
},
Implement TLS_FALLBACK_SCSV support for the client. With this change, calling SSL_enable_fallback_scsv on a client SSL* will cause the fallback SCSV to be sent. This is intended to be set when the client is performing TLS fallback after a failed connection. (This only happens if the application itself implements this behaviour: OpenSSL does not do fallback automatically.) The fallback SCSV indicates to the server that it should reject the connection if the version indicated by the client is less than the version supported by the server. See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02. Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 20:03:11 +01:00
{
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
name: "NoFallbackSCSV",
Implement TLS_FALLBACK_SCSV support for the client. With this change, calling SSL_enable_fallback_scsv on a client SSL* will cause the fallback SCSV to be sent. This is intended to be set when the client is performing TLS fallback after a failed connection. (This only happens if the application itself implements this behaviour: OpenSSL does not do fallback automatically.) The fallback SCSV indicates to the server that it should reject the connection if the version indicated by the client is less than the version supported by the server. See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02. Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 20:03:11 +01:00
config: Config{
Bugs: ProtocolBugs{
FailIfNotFallbackSCSV: true,
},
},
shouldFail: true,
expectedLocalError: "no fallback SCSV found",
},
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
{
Fix duplicate test name. Change-Id: I16be575e4a6a13c74bd45a8fe3e1473502a80c86 Reviewed-on: https://boringssl-review.googlesource.com/1600 Reviewed-by: Adam Langley <agl@google.com>
2014-08-23 04:46:35 +01:00
name: "SendFallbackSCSV",
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
config: Config{
Bugs: ProtocolBugs{
FailIfNotFallbackSCSV: true,
},
},
flags: []string{"-fallback-scsv"},
},
Add a test for certificate types parsing. Change-Id: Icddd39ae183f981f78a65427a4dda34449ca389a Reviewed-on: https://boringssl-review.googlesource.com/1111 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:30:11 +01:00
{
name: "ClientCertificateTypes",
config: Config{
ClientAuth: RequestClientCert,
ClientCertificateTypes: []byte{
CertTypeDSSSign,
CertTypeRSASign,
CertTypeECDSASign,
},
},
Introduce a mechanism for base64 options. We may wish to pass data to the runner that contains NULs. Change-Id: Id78dad0ad0b5b6d0537481c818e3febdf1740cc9 Reviewed-on: https://boringssl-review.googlesource.com/1603 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:25:27 +01:00
flags: []string{
"-expect-certificate-types",
base64.StdEncoding.EncodeToString([]byte{
CertTypeDSSSign,
CertTypeRSASign,
CertTypeECDSASign,
}),
},
Add a test for certificate types parsing. Change-Id: Icddd39ae183f981f78a65427a4dda34449ca389a Reviewed-on: https://boringssl-review.googlesource.com/1111 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:30:11 +01:00
},
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
{
name: "NoClientCertificate",
config: Config{
ClientAuth: RequireAnyClientCert,
},
shouldFail: true,
expectedLocalError: "client didn't provide a certificate",
},
Add UnauthenticatedECDH bug test. This works, but there's enough shared codepaths that it's worth a test to ensure it stays that way. Change-Id: I5d5a729811e35832170322957258304213204e3b Reviewed-on: https://boringssl-review.googlesource.com/1155 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 05:48:23 +01:00
{
name: "UnauthenticatedECDH",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
UnauthenticatedECDH: true,
},
},
shouldFail: true,
Be strict about expecting a server Certificate message. Introduce a ssl_cipher_has_server_public_key to save the repeated NULL/PSK/RSA_PSK[*] check. Don't allow skipping to ServerKeyExchange when expecting Certificate; the messages expected are determined by the cipher suite. The ssl3_get_server_public_key call is already guarded. As the previous test demonstrates, this is safe because of the ssl3_check_cert_and_algorithm call, but avoid the looseness in the parsing there. [*] NB: we don't implement RSA_PSK, and OpenSSL has never implemented it. Change-Id: I0571e6bcbeb8eb883f77878bdc98d1aa3a287cf3 Reviewed-on: https://boringssl-review.googlesource.com/1156 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 06:10:19 +01:00
expectedError: ":UNEXPECTED_MESSAGE:",
Add UnauthenticatedECDH bug test. This works, but there's enough shared codepaths that it's worth a test to ensure it stays that way. Change-Id: I5d5a729811e35832170322957258304213204e3b Reviewed-on: https://boringssl-review.googlesource.com/1155 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 05:48:23 +01:00
},
Be strict about requiring ServerKeyExchange. Missing ServerKeyExchange is handled, but only because it hits an ERR_R_INTERNAL_ERROR in ssl3_send_client_key_exchange in trying to find the server ECDH parameters. Be strict about requiring it for ECDHE. Change-Id: Ifce5b73c8bd14746b8a2185f479d550e9e3f84df Reviewed-on: https://boringssl-review.googlesource.com/1157 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 18:27:45 +01:00
{
name: "SkipServerKeyExchange",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SkipServerKeyExchange: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
},
Add SkipChangeCipherSpec tests. They pass, but this is an error case that is probably worth a test. Change-Id: I37b2eec34a1781fa8342eea57ee4f9da81ce17ed Reviewed-on: https://boringssl-review.googlesource.com/1257 Reviewed-by: Adam Langley <agl@google.com>
2014-07-19 22:39:58 +01:00
{
name: "SkipChangeCipherSpec-Client",
config: Config{
Bugs: ProtocolBugs{
SkipChangeCipherSpec: true,
},
},
shouldFail: true,
Change CCS_OK to EXPECT_CCS. Now that the flag is set accurately, use it to enforce that the handshake and CCS synchronization. If EXPECT_CCS is set, enforce that: (a) No handshake records may be received before ChangeCipherSpec. (b) There is no pending handshake data at the point EXPECT_CCS is set. Change-Id: I04b228fe6a7a771cf6600b7d38aa762b2d553f08 Reviewed-on: https://boringssl-review.googlesource.com/1299 Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 21:14:03 +01:00
expectedError: ":HANDSHAKE_RECORD_BEFORE_CCS:",
Add SkipChangeCipherSpec tests. They pass, but this is an error case that is probably worth a test. Change-Id: I37b2eec34a1781fa8342eea57ee4f9da81ce17ed Reviewed-on: https://boringssl-review.googlesource.com/1257 Reviewed-by: Adam Langley <agl@google.com>
2014-07-19 22:39:58 +01:00
},
{
testType: serverTest,
name: "SkipChangeCipherSpec-Server",
config: Config{
Bugs: ProtocolBugs{
SkipChangeCipherSpec: true,
},
},
shouldFail: true,
Change CCS_OK to EXPECT_CCS. Now that the flag is set accurately, use it to enforce that the handshake and CCS synchronization. If EXPECT_CCS is set, enforce that: (a) No handshake records may be received before ChangeCipherSpec. (b) There is no pending handshake data at the point EXPECT_CCS is set. Change-Id: I04b228fe6a7a771cf6600b7d38aa762b2d553f08 Reviewed-on: https://boringssl-review.googlesource.com/1299 Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 21:14:03 +01:00
expectedError: ":HANDSHAKE_RECORD_BEFORE_CCS:",
Add SkipChangeCipherSpec tests. They pass, but this is an error case that is probably worth a test. Change-Id: I37b2eec34a1781fa8342eea57ee4f9da81ce17ed Reviewed-on: https://boringssl-review.googlesource.com/1257 Reviewed-by: Adam Langley <agl@google.com>
2014-07-19 22:39:58 +01:00
},
Add SkipChangeCipherSpec-Server-NPN test. Finished isn't always the first post-CCS message. Change-Id: I4f70eeed57cf732693d07212b096efb2594c5b3c Reviewed-on: https://boringssl-review.googlesource.com/1288 Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 19:50:23 +01:00
{
testType: serverTest,
name: "SkipChangeCipherSpec-Server-NPN",
config: Config{
NextProtos: []string{"bar"},
Bugs: ProtocolBugs{
SkipChangeCipherSpec: true,
},
},
flags: []string{
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
shouldFail: true,
Change CCS_OK to EXPECT_CCS. Now that the flag is set accurately, use it to enforce that the handshake and CCS synchronization. If EXPECT_CCS is set, enforce that: (a) No handshake records may be received before ChangeCipherSpec. (b) There is no pending handshake data at the point EXPECT_CCS is set. Change-Id: I04b228fe6a7a771cf6600b7d38aa762b2d553f08 Reviewed-on: https://boringssl-review.googlesource.com/1299 Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 21:14:03 +01:00
expectedError: ":HANDSHAKE_RECORD_BEFORE_CCS:",
},
{
name: "FragmentAcrossChangeCipherSpec-Client",
config: Config{
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
},
},
shouldFail: true,
expectedError: ":HANDSHAKE_RECORD_BEFORE_CCS:",
},
{
testType: serverTest,
name: "FragmentAcrossChangeCipherSpec-Server",
config: Config{
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
},
},
shouldFail: true,
expectedError: ":HANDSHAKE_RECORD_BEFORE_CCS:",
},
{
testType: serverTest,
name: "FragmentAcrossChangeCipherSpec-Server-NPN",
config: Config{
NextProtos: []string{"bar"},
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
},
},
flags: []string{
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
shouldFail: true,
expectedError: ":HANDSHAKE_RECORD_BEFORE_CCS:",
Add SkipChangeCipherSpec-Server-NPN test. Finished isn't always the first post-CCS message. Change-Id: I4f70eeed57cf732693d07212b096efb2594c5b3c Reviewed-on: https://boringssl-review.googlesource.com/1288 Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 19:50:23 +01:00
},
Add test coverage for normal alert parsing. We have test coverage for invalid alerts, but not for normal ones on the DTLS side. Change-Id: I359dce8d4dc80dfa99b5d8bacd73f48a8e4ac310 Reviewed-on: https://boringssl-review.googlesource.com/3291 Reviewed-by: Adam Langley <agl@google.com>
2015-02-03 21:07:32 +00:00
{
testType: serverTest,
name: "Alert",
config: Config{
Bugs: ProtocolBugs{
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
},
{
protocol: dtls,
testType: serverTest,
name: "Alert-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
},
Remove support for processing fragmented alerts Prior to this change, BoringSSL maintained a 2-byte buffer for alerts, and would support reassembly of fragmented alerts. NSS does not support fragmented alerts, nor would any reasonable implementation produce them. Remove fragmented alert handling and produce an error if a fragmented alert has ever been encountered. Change-Id: I31530ac372e8a90b47cf89404630c1c207cfb048 Reviewed-on: https://boringssl-review.googlesource.com/2125 Reviewed-by: Adam Langley <agl@google.com>
2014-11-01 23:39:08 +00:00
{
testType: serverTest,
name: "FragmentAlert",
config: Config{
Bugs: ProtocolBugs{
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
2014-11-16 00:06:08 +00:00
FragmentAlert: true,
Add test coverage for normal alert parsing. We have test coverage for invalid alerts, but not for normal ones on the DTLS side. Change-Id: I359dce8d4dc80dfa99b5d8bacd73f48a8e4ac310 Reviewed-on: https://boringssl-review.googlesource.com/3291 Reviewed-by: Adam Langley <agl@google.com>
2015-02-03 21:07:32 +00:00
SendSpuriousAlert: alertRecordOverflow,
Remove support for processing fragmented alerts Prior to this change, BoringSSL maintained a 2-byte buffer for alerts, and would support reassembly of fragmented alerts. NSS does not support fragmented alerts, nor would any reasonable implementation produce them. Remove fragmented alert handling and produce an error if a fragmented alert has ever been encountered. Change-Id: I31530ac372e8a90b47cf89404630c1c207cfb048 Reviewed-on: https://boringssl-review.googlesource.com/2125 Reviewed-by: Adam Langley <agl@google.com>
2014-11-01 23:39:08 +00:00
},
},
shouldFail: true,
expectedError: ":BAD_ALERT:",
},
Remove alert_fragment and handshake_fragment. Nothing recognized through those codepaths is fragmentable in DTLS. Also remove an unnecessary epoch check. It's not possible to process a record from the wrong epoch. Change-Id: I9d0f592860bb096563e2bdcd2c8e50a0d2b65f59 Reviewed-on: https://boringssl-review.googlesource.com/3232 Reviewed-by: Adam Langley <agl@google.com>
2015-02-01 01:33:40 +00:00
{
protocol: dtls,
testType: serverTest,
name: "FragmentAlert-DTLS",
config: Config{
Bugs: ProtocolBugs{
FragmentAlert: true,
Add test coverage for normal alert parsing. We have test coverage for invalid alerts, but not for normal ones on the DTLS side. Change-Id: I359dce8d4dc80dfa99b5d8bacd73f48a8e4ac310 Reviewed-on: https://boringssl-review.googlesource.com/3291 Reviewed-by: Adam Langley <agl@google.com>
2015-02-03 21:07:32 +00:00
SendSpuriousAlert: alertRecordOverflow,
Remove alert_fragment and handshake_fragment. Nothing recognized through those codepaths is fragmentable in DTLS. Also remove an unnecessary epoch check. It's not possible to process a record from the wrong epoch. Change-Id: I9d0f592860bb096563e2bdcd2c8e50a0d2b65f59 Reviewed-on: https://boringssl-review.googlesource.com/3232 Reviewed-by: Adam Langley <agl@google.com>
2015-02-01 01:33:40 +00:00
},
},
shouldFail: true,
expectedError: ":BAD_ALERT:",
},
Add EarlyChangeCipherSpec tests. Adapted from patch in https://www.imperialviolet.org/2014/06/05/earlyccs.html. Change-Id: I14bf314d105780e23e6bd09217870deff5744979 Reviewed-on: https://boringssl-review.googlesource.com/1292 Reviewed-by: Adam Langley <agl@google.com>
2014-07-22 03:42:34 +01:00
{
testType: serverTest,
name: "EarlyChangeCipherSpec-server-1",
config: Config{
Bugs: ProtocolBugs{
EarlyChangeCipherSpec: 1,
},
},
shouldFail: true,
expectedError: ":CCS_RECEIVED_EARLY:",
},
{
testType: serverTest,
name: "EarlyChangeCipherSpec-server-2",
config: Config{
Bugs: ProtocolBugs{
EarlyChangeCipherSpec: 2,
},
},
shouldFail: true,
expectedError: ":CCS_RECEIVED_EARLY:",
},
Improve test coverage around NewSessionTicket message. Test both when the peer doesn't support session tickets and when the server promises a NewSessionTicket message but doesn't deliver. Change-Id: I48f338094002beac2e6b80e41851c72822b3b9d5 Reviewed-on: https://boringssl-review.googlesource.com/1300 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 20:09:48 +01:00
{
name: "SkipNewSessionTicket",
config: Config{
Bugs: ProtocolBugs{
SkipNewSessionTicket: true,
},
},
shouldFail: true,
expectedError: ":CCS_RECEIVED_EARLY:",
},
Add server-side FallbackSCSV tests. Assert that inappropriate fallbacks are detected, but if the client_version matches the server's highest version, do not abort the handshake. Change-Id: I9d72570bce45e1eb23fc2b74a3c5fca10562e573 Reviewed-on: https://boringssl-review.googlesource.com/1373 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 09:22:02 +01:00
{
testType: serverTest,
name: "FallbackSCSV",
config: Config{
MaxVersion: VersionTLS11,
Bugs: ProtocolBugs{
SendFallbackSCSV: true,
},
},
shouldFail: true,
expectedError: ":INAPPROPRIATE_FALLBACK:",
},
{
testType: serverTest,
name: "FallbackSCSV-VersionMatch",
config: Config{
Bugs: ProtocolBugs{
SendFallbackSCSV: true,
},
},
},
Add tests for CVE-2014-3511. Also change MaxHandshakeRecordLength to 1 in the handshake coverage tests to better stress the state machine. Change-Id: I27fce2c000b3d4818fd2e9a47fb09d3f646dd1bd Reviewed-on: https://boringssl-review.googlesource.com/1452 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 23:02:39 +01:00
{
testType: serverTest,
name: "FragmentedClientVersion",
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: 1,
FragmentClientVersion: true,
},
},
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
expectedVersion: VersionTLS12,
Add tests for CVE-2014-3511. Also change MaxHandshakeRecordLength to 1 in the handshake coverage tests to better stress the state machine. Change-Id: I27fce2c000b3d4818fd2e9a47fb09d3f646dd1bd Reviewed-on: https://boringssl-review.googlesource.com/1452 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 23:02:39 +01:00
},
Clean up s23_srvr.c. ssl23_get_client_hello has lots of remnants of SSLv2 support and remnants of an even older SSL_OP_NON_EXPORT_FIRST option (see upstream's d92f0bb6e9ed94ac0c3aa0c939f2565f2ed95935) which complicates the logic. Split it into three states and move V2ClientHello parsing into its own function. Port it to CBS and CBB to give bounds checks on the V2ClientHello parse. This fixes a minor bug where, if the SSL_accept call in ssl23_get_client_hello failed, cb would not be NULL'd and SSL_CB_ACCEPT_LOOP would get reported an extra time. It also unbreaks the invariant between s->packet, s->packet_length, s->s3->rbuf.buf, and s->s3->rbuf.offset at the point the switch, although this was of no consequence because the first ssl3_read_n call passes extend = 0 which resets s->packet and s->packet_length. It also makes us tolerant to major version bumps in the ClientHello. Add tests for TLS tolerance of both minor and major version bumps as well as the HTTP request error codes. Change-Id: I948337f4dc483f4ebe1742d3eba53b045b260257 Reviewed-on: https://boringssl-review.googlesource.com/1455 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 18:24:34 +01:00
{
testType: serverTest,
name: "MinorVersionTolerance",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0x03ff,
},
},
expectedVersion: VersionTLS12,
},
{
testType: serverTest,
name: "MajorVersionTolerance",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0x0400,
},
},
expectedVersion: VersionTLS12,
},
{
testType: serverTest,
name: "VersionTooLow",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0x0200,
},
},
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
},
{
testType: serverTest,
name: "HttpGET",
sendPrefix: "GET / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpPOST",
sendPrefix: "POST / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpHEAD",
sendPrefix: "HEAD / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpPUT",
sendPrefix: "PUT / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpCONNECT",
sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTPS_PROXY_REQUEST:",
},
Don't infinite loop on garbage server input. else block got lost in a rewrite of this code. Change-Id: I51f1655474ec8bbd4eccb4297124e8584329444e Reviewed-on: https://boringssl-review.googlesource.com/2560 Reviewed-by: Adam Langley <agl@google.com>
2014-12-11 23:48:59 +00:00
{
testType: serverTest,
name: "Garbage",
sendPrefix: "blah",
shouldFail: true,
expectedError: ":UNKNOWN_PROTOCOL:",
},
Check the server did not use a TLS 1.2 cipher suite pre-TLS 1.2. This check got refactored in OpenSSL 1.0.2 and broke in the process. Fix this and add a test. Otherwise things like client auth can get slightly confused; it will try to sign the MD5/SHA-1 hash, but the TLS 1.2 cipher suite may not use SSL_HANDSHAKE_MAC_DEFAULT, so those digests won't be available. Based on upstream's 226751ae4a1f3e00021c43399d7bb51a99c22c17. Change-Id: I5b864d3a696f3187b849c53b872c24fb7df27924 Reviewed-on: https://boringssl-review.googlesource.com/1696 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:23:49 +01:00
{
name: "SkipCipherVersionCheck",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
MaxVersion: VersionTLS11,
Bugs: ProtocolBugs{
SkipCipherVersionCheck: true,
},
},
shouldFail: true,
expectedError: ":WRONG_CIPHER_RETURNED:",
},
Add a test for RSA ServerKeyExchange. Ensure that the client rejects it with UNEXPECTED_MESSAGE, not by attempting to decode it. Change-Id: Ifc5613cf1152e0f7dcbee73e05df1ef367dfbfd5 Reviewed-on: https://boringssl-review.googlesource.com/2232 Reviewed-by: Adam Langley <agl@google.com>
2014-11-08 16:41:14 +00:00
{
name: "RSAServerKeyExchange",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
RSAServerKeyExchange: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
},
Factor out the client max-version logic into a helper function. Replace the comment with a clearer one and reimplement it much more tidily. The mask thing was more complicated than was needed. This slightly changes behavior on the DTLS_ANY_VERSION side in that, if only one method is enabled, we no longer short-circuit to the version-locked method early. This "optimization" seems unnecessary. Change-Id: I571c8b60ed16bd4357c67d65df0dd1ef9cc5eb57 Reviewed-on: https://boringssl-review.googlesource.com/2451 Reviewed-by: Adam Langley <agl@google.com>
2014-12-01 06:27:42 +00:00
{
name: "DisableEverything",
flags: []string{"-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
shouldFail: true,
expectedError: ":WRONG_SSL_VERSION:",
},
{
protocol: dtls,
name: "DisableEverything-DTLS",
flags: []string{"-no-tls12", "-no-tls1"},
shouldFail: true,
expectedError: ":WRONG_SSL_VERSION:",
},
Treat handshake_failure in response to ClientHello special. Add a dedicated error code to the queue for a handshake_failure alert in response to ClientHello. This matches NSS's client behavior and gives a better error on a (probable) failure to negotiate initial parameters. BUG=https://crbug.com/446505 Change-Id: I34368712085a6cbf0031902daf2c00393783d96d Reviewed-on: https://boringssl-review.googlesource.com/2751 Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 17:03:19 +00:00
{
name: "NoSharedCipher",
config: Config{
CipherSuites: []uint16{},
},
shouldFail: true,
expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
},
Add a basic MTU test. The minimum MTU (not consistently enforced) is just under 256, so it's difficult to test everything, but this is a basic test. (E.g., without renego, the only handshake message with encryption is Finished which fits in the MTU.) It tests the server side because the Certificate message is large enough to require fragmentation. Change-Id: Ida11f1057cebae2b800ad13696f98bb3a7fbbc5e Reviewed-on: https://boringssl-review.googlesource.com/2824 Reviewed-by: Adam Langley <agl@google.com>
2015-01-11 21:29:36 +00:00
{
protocol: dtls,
testType: serverTest,
name: "MTU",
config: Config{
Bugs: ProtocolBugs{
MaxPacketLength: 256,
},
},
flags: []string{"-mtu", "256"},
},
{
protocol: dtls,
testType: serverTest,
name: "MTUExceeded",
config: Config{
Bugs: ProtocolBugs{
MaxPacketLength: 255,
},
},
flags: []string{"-mtu", "256"},
shouldFail: true,
expectedLocalError: "dtls: exceeded maximum packet length",
},
Add tests for certificate mismatch. Cover another mildly interesting error case. Change-Id: Ice773af79f5e03f39f0cd2a9e158bae03e065392 Reviewed-on: https://boringssl-review.googlesource.com/2841 Reviewed-by: Adam Langley <agl@google.com>
2014-12-27 06:50:38 +00:00
{
name: "CertMismatchRSA",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{getECDSACertificate()},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
},
shouldFail: true,
expectedError: ":WRONG_CERTIFICATE_TYPE:",
},
{
name: "CertMismatchECDSA",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{getRSACertificate()},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},
},
shouldFail: true,
expectedError: ":WRONG_CERTIFICATE_TYPE:",
},
Clear the error queue when dropping a bad DTLS packet. This regressed in e95d20dcb80523bf9bc6a9c5682856c8371e0a96. EVP_AEAD will push errors on the error queue (unlike the EVP_CIPHER codepath which checked everything internally to ssl/ and didn't bother pushing anything). This meant that a dropped packet would leave junk in the error queue. Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error queue check in SSL_get_error kicks in and SSL_read looks to have failed. BUG=https://code.google.com/p/webrtc/issues/detail?id=4214 Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840 Reviewed-on: https://boringssl-review.googlesource.com/2982 Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 21:35:40 +00:00
{
name: "TLSFatalBadPackets",
damageFirstWrite: true,
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
},
{
protocol: dtls,
name: "DTLSIgnoreBadPackets",
damageFirstWrite: true,
},
{
protocol: dtls,
name: "DTLSIgnoreBadPackets-Async",
damageFirstWrite: true,
flags: []string{"-async"},
},
Test application data and Finished reordering. This is fatal for TLS but buffered in DTLS. The buffering isn't strictly necessary (it would be just as valid to drop the record on the floor), but so long as we want this behavior it should have a test. Change-Id: I5846bb2fe80d78e25b6dfad51bcfcff2dc427c3f Reviewed-on: https://boringssl-review.googlesource.com/3029 Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 04:52:39 +00:00
{
name: "AppDataAfterChangeCipherSpec",
config: Config{
Bugs: ProtocolBugs{
AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
},
},
shouldFail: true,
expectedError: ":DATA_BETWEEN_CCS_AND_FINISHED:",
},
{
protocol: dtls,
name: "AppDataAfterChangeCipherSpec-DTLS",
config: Config{
Bugs: ProtocolBugs{
AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
},
Add initial handshake reassembly tests. For now, only test reorderings when we always or never fragment messages. There's a third untested case: when full messages and fragments are mixed. That will be tested later after making it actually work. Change-Id: Ic4efb3f5e87b1319baf2d4af31eafa40f6a50fa6 Reviewed-on: https://boringssl-review.googlesource.com/3216 Reviewed-by: Adam Langley <agl@google.com>
2015-01-31 22:16:01 +00:00
},
},
{
protocol: dtls,
name: "ReorderHandshakeFragments-Small-DTLS",
config: Config{
Bugs: ProtocolBugs{
ReorderHandshakeFragments: true,
// Small enough that every handshake message is
// fragmented.
MaxHandshakeRecordLength: 2,
},
},
},
{
protocol: dtls,
name: "ReorderHandshakeFragments-Large-DTLS",
config: Config{
Bugs: ProtocolBugs{
ReorderHandshakeFragments: true,
// Large enough that no handshake message is
// fragmented.
//
// TODO(davidben): Also test interaction of
// complete handshake messages with
// fragments. The current logic is full of bugs
// here, so the reassembly logic needs a rewrite
// before those tests will pass.
MaxHandshakeRecordLength: 2048,
},
Test application data and Finished reordering. This is fatal for TLS but buffered in DTLS. The buffering isn't strictly necessary (it would be just as valid to drop the record on the floor), but so long as we want this behavior it should have a test. Change-Id: I5846bb2fe80d78e25b6dfad51bcfcff2dc427c3f Reviewed-on: https://boringssl-review.googlesource.com/3029 Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 04:52:39 +00:00
},
},
Reject all invalid records. The check on the DTLS side was broken anyway. On the TLS side, the spec does say to ignore them, but there should be no need for this in future-proofing and NSS doesn't appear to be lenient here. See also https://boringssl-review.googlesource.com/#/c/3233/ Change-Id: I0846222936c5e08acdcfd9d6f854a99df767e468 Reviewed-on: https://boringssl-review.googlesource.com/3290 Reviewed-by: Adam Langley <agl@google.com>
2015-02-03 20:44:39 +00:00
{
name: "SendInvalidRecordType",
config: Config{
Bugs: ProtocolBugs{
SendInvalidRecordType: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
protocol: dtls,
name: "SendInvalidRecordType-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendInvalidRecordType: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
Debug resumption connections with -debug too. Change-Id: Ib33cceed561698310f369d63de602123af146a45 Reviewed-on: https://boringssl-review.googlesource.com/2402 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 08:01:00 +00:00
var connDebug *recordingConn
Clear the error queue when dropping a bad DTLS packet. This regressed in e95d20dcb80523bf9bc6a9c5682856c8371e0a96. EVP_AEAD will push errors on the error queue (unlike the EVP_CIPHER codepath which checked everything internally to ssl/ and didn't bother pushing anything). This meant that a dropped packet would leave junk in the error queue. Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error queue check in SSL_get_error kicks in and SSL_read looks to have failed. BUG=https://code.google.com/p/webrtc/issues/detail?id=4214 Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840 Reviewed-on: https://boringssl-review.googlesource.com/2982 Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 21:35:40 +00:00
var connDamage *damageAdaptor
Debug resumption connections with -debug too. Change-Id: Ib33cceed561698310f369d63de602123af146a45 Reviewed-on: https://boringssl-review.googlesource.com/2402 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 08:01:00 +00:00
if *flagDebug {
connDebug = &recordingConn{Conn: conn}
conn = connDebug
defer func() {
connDebug.WriteTo(os.Stdout)
}()
}
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.protocol == dtls {
Add DTLS timeout and retransmit tests. This extends the packet adaptor protocol to send three commands: type command = | Packet of []byte | Timeout of time.Duration | TimeoutAck When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the BIO_read, returns out of the SSL stack, advances the clock, calls DTLSv1_handle_timeout, and continues. If the Go side sends Timeout right between sending handshake flight N and reading flight N+1, the shim won't read the Timeout until it has sent flight N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes after N+1. Go then drops all packets before the TimeoutAck, thus dropping one transmit of flight N+1 without having to actually process the packets to determine the end of the flight. The shim then sees the updated clock, calls DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real. When dropping packets, Go checks the epoch and increments sequence numbers so that we can continue to be strict here. This requires tracking the initial sequence number of the next epoch. The final Finished message takes an additional special-case to test. DTLS triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only implements the former which should be sufficient (and is necessary) EXCEPT for the final Finished message. If the peer's final Finished message is lost, it won't be waiting for a message from us, so it won't time out anything. That retransmit must be triggered on stale message, so we retransmit the Finished message in Go. Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c Reviewed-on: https://boringssl-review.googlesource.com/3212 Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 06:09:43 +00:00
config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
conn = config.Bugs.PacketAdaptor
Add DTLS replay tests. At the record layer, DTLS maintains a window of seen sequence numbers to detect replays. Add tests to cover that case. Test both repeated sequence numbers within the window and sequence numbers past the window's left edge. Also test receiving sequence numbers far past the window's right edge. Change-Id: If6a7a24869db37fdd8fb3c4b3521b730e31f8f86 Reviewed-on: https://boringssl-review.googlesource.com/2221 Reviewed-by: Adam Langley <agl@google.com>
2014-11-07 06:48:35 +00:00
if test.replayWrites {
conn = newReplayAdaptor(conn)
}
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
}
Clear the error queue when dropping a bad DTLS packet. This regressed in e95d20dcb80523bf9bc6a9c5682856c8371e0a96. EVP_AEAD will push errors on the error queue (unlike the EVP_CIPHER codepath which checked everything internally to ssl/ and didn't bother pushing anything). This meant that a dropped packet would leave junk in the error queue. Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error queue check in SSL_get_error kicks in and SSL_read looks to have failed. BUG=https://code.google.com/p/webrtc/issues/detail?id=4214 Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840 Reviewed-on: https://boringssl-review.googlesource.com/2982 Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 21:35:40 +00:00
if test.damageFirstWrite {
connDamage = newDamageAdaptor(conn)
conn = connDamage
}
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.sendPrefix != "" {
if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
return err
}
Clean up s23_srvr.c. ssl23_get_client_hello has lots of remnants of SSLv2 support and remnants of an even older SSL_OP_NON_EXPORT_FIRST option (see upstream's d92f0bb6e9ed94ac0c3aa0c939f2565f2ed95935) which complicates the logic. Split it into three states and move V2ClientHello parsing into its own function. Port it to CBS and CBB to give bounds checks on the V2ClientHello parse. This fixes a minor bug where, if the SSL_accept call in ssl23_get_client_hello failed, cb would not be NULL'd and SSL_CB_ACCEPT_LOOP would get reported an extra time. It also unbreaks the invariant between s->packet, s->packet_length, s->s3->rbuf.buf, and s->s3->rbuf.offset at the point the switch, although this was of no consequence because the first ssl3_read_n call passes extend = 0 which resets s->packet and s->packet_length. It also makes us tolerant to major version bumps in the ClientHello. Add tests for TLS tolerance of both minor and major version bumps as well as the HTTP request error codes. Change-Id: I948337f4dc483f4ebe1742d3eba53b045b260257 Reviewed-on: https://boringssl-review.googlesource.com/1455 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 18:24:34 +01:00
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
var tlsConn *Conn
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
if test.testType == clientTest {
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.protocol == dtls {
tlsConn = DTLSServer(conn, config)
} else {
tlsConn = Server(conn, config)
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
} else {
config.InsecureSkipVerify = true
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.protocol == dtls {
tlsConn = DTLSClient(conn, config)
} else {
tlsConn = Client(conn, config)
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if err := tlsConn.Handshake(); err != nil {
return err
}
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
// TODO(davidben): move all per-connection expectations into a dedicated
// expectations struct that can be specified separately for the two
// legs.
expectedVersion := test.expectedVersion
if isResume && test.expectedResumeVersion != 0 {
expectedVersion = test.expectedResumeVersion
}
if vers := tlsConn.ConnectionState().Version; expectedVersion != 0 && vers != expectedVersion {
return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
}
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
if test.expectChannelID {
channelID := tlsConn.ConnectionState().ChannelID
if channelID == nil {
return fmt.Errorf("no channel ID negotiated")
}
if channelID.Curve != channelIDKey.Curve ||
channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
return fmt.Errorf("incorrect channel ID")
}
}
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
if expected := test.expectedNextProto; expected != "" {
if actual := tlsConn.ConnectionState().NegotiatedProtocol; actual != expected {
return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
}
}
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
if test.expectedNextProtoType != 0 {
if (test.expectedNextProtoType == alpn) != tlsConn.ConnectionState().NegotiatedProtocolFromALPN {
return fmt.Errorf("next proto type mismatch")
}
}
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
2014-11-16 00:06:08 +00:00
if p := tlsConn.ConnectionState().SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
}
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
if test.shimWritesFirst {
var buf [5]byte
_, err := io.ReadFull(tlsConn, buf[:])
if err != nil {
return err
}
if string(buf[:]) != "hello" {
return fmt.Errorf("bad initial message")
}
}
Test renegotiation with BoringSSL as the client. This also contains a test for the issue fixed in 88333ef7d7d47221ede66a2a31626fc426466297. Change-Id: Id705a82cee34c018491dc301eba8b5097b9c83d5 Reviewed-on: https://boringssl-review.googlesource.com/2083 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 02:06:14 +00:00
if test.renegotiate {
if test.renegotiateCiphers != nil {
config.CipherSuites = test.renegotiateCiphers
}
if err := tlsConn.Renegotiate(); err != nil {
return err
}
} else if test.renegotiateCiphers != nil {
panic("renegotiateCiphers without renegotiate")
}
Clear the error queue when dropping a bad DTLS packet. This regressed in e95d20dcb80523bf9bc6a9c5682856c8371e0a96. EVP_AEAD will push errors on the error queue (unlike the EVP_CIPHER codepath which checked everything internally to ssl/ and didn't bother pushing anything). This meant that a dropped packet would leave junk in the error queue. Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error queue check in SSL_get_error kicks in and SSL_read looks to have failed. BUG=https://code.google.com/p/webrtc/issues/detail?id=4214 Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840 Reviewed-on: https://boringssl-review.googlesource.com/2982 Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 21:35:40 +00:00
if test.damageFirstWrite {
connDamage.setDamage(true)
tlsConn.Write([]byte("DAMAGED WRITE"))
connDamage.setDamage(false)
}
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
if messageLen < 0 {
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.protocol == dtls {
return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
}
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
// Read until EOF.
_, err := io.Copy(ioutil.Discard, tlsConn)
return err
}
Test application data and Finished reordering. This is fatal for TLS but buffered in DTLS. The buffering isn't strictly necessary (it would be just as valid to drop the record on the floor), but so long as we want this behavior it should have a test. Change-Id: I5846bb2fe80d78e25b6dfad51bcfcff2dc427c3f Reviewed-on: https://boringssl-review.googlesource.com/3029 Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 04:52:39 +00:00
var testMessage []byte
if config.Bugs.AppDataAfterChangeCipherSpec != nil {
// We've already sent a message. Expect the shim to echo it
// back.
testMessage = config.Bugs.AppDataAfterChangeCipherSpec
} else {
if messageLen == 0 {
messageLen = 32
}
testMessage = make([]byte, messageLen)
for i := range testMessage {
testMessage[i] = 0x42
}
tlsConn.Write(testMessage)
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
buf := make([]byte, len(testMessage))
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.protocol == dtls {
bufTmp := make([]byte, len(buf)+1)
n, err := tlsConn.Read(bufTmp)
if err != nil {
return err
}
if n != len(buf) {
return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
}
copy(buf, bufTmp)
} else {
_, err := io.ReadFull(tlsConn, buf)
if err != nil {
return err
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
for i, v := range buf {
if v != testMessage[i]^0xff {
return fmt.Errorf("bad reply contents at byte %d", i)
}
}
return nil
}
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full"}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if dbAttach {
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
valgrindArgs = append(valgrindArgs, path)
valgrindArgs = append(valgrindArgs, args...)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
return exec.Command("valgrind", valgrindArgs...)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
func gdbOf(path string, args ...string) *exec.Cmd {
xtermArgs := []string{"-e", "gdb", "--args"}
xtermArgs = append(xtermArgs, path)
xtermArgs = append(xtermArgs, args...)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Fix FallbackSCSV test. It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a test that asserts it does get sent when expected. (Make it a []string since Go doesn't distinguish nil string from "" and for flexibility.) Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3 Reviewed-on: https://boringssl-review.googlesource.com/1071 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:40:31 +01:00
return exec.Command("xterm", xtermArgs...)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
func openSocketPair() (shimEnd *os.File, conn net.Conn) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
socks, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
if err != nil {
panic(err)
}
syscall.CloseOnExec(socks[0])
syscall.CloseOnExec(socks[1])
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
shimEnd = os.NewFile(uintptr(socks[0]), "shim end")
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
connFile := os.NewFile(uintptr(socks[1]), "our end")
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
conn, err = net.FileConn(connFile)
if err != nil {
panic(err)
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
connFile.Close()
if err != nil {
panic(err)
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
return shimEnd, conn
}
Add malloc failure tests. This commit fixes a number of crashes caused by malloc failures. They were found using the -malloc-test=0 option to runner.go which runs tests many times, causing a different allocation call to fail in each case. (This test only works on Linux and only looks for crashes caused by allocation failures, not memory leaks or other errors.) This is not the complete set of crashes! More can be found by collecting core dumps from running with -malloc-test=0. Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83 Reviewed-on: https://boringssl-review.googlesource.com/2320 Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 01:26:55 +00:00
type moreMallocsError struct{}
func (moreMallocsError) Error() string {
return "child process did not exhaust all allocation calls"
}
var errMoreMallocs = moreMallocsError{}
func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
Fix memory leak when decoding corrupt tickets. This is CVE-2014-3567 from upstream. See https://www.openssl.org/news/secadv_20141015.txt Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815 Reviewed-on: https://boringssl-review.googlesource.com/1970 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-17 03:04:35 +01:00
if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
panic("Error expected without shouldFail in " + test.name)
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
shimEnd, conn := openSocketPair()
shimEndResume, connResume := openSocketPair()
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
runner: Take the build directory as flag. Don't hardcode the directory. Change-Id: I5c778a4ff16e00abbac2959ca9c9b4f4c40576f7 Reviewed-on: https://boringssl-review.googlesource.com/1376 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:28:23 +01:00
shim_path := path.Join(buildDir, "ssl/test/bssl_shim")
Move configuration into a dedicated TestConfig struct. This removes some duplicate code in parsing command-line flags and, more importantly, makes configuration available when constructing the SSL_CTX and avoids a number of globals. Change-Id: I26e2d2285b732f855a2c82752bc8e0db480c3b30 Reviewed-on: https://boringssl-review.googlesource.com/1502 Reviewed-by: Adam Langley <agl@google.com>
2014-08-12 00:51:50 +01:00
var flags []string
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
if test.testType == serverTest {
Move configuration into a dedicated TestConfig struct. This removes some duplicate code in parsing command-line flags and, more importantly, makes configuration available when constructing the SSL_CTX and avoids a number of globals. Change-Id: I26e2d2285b732f855a2c82752bc8e0db480c3b30 Reviewed-on: https://boringssl-review.googlesource.com/1502 Reviewed-by: Adam Langley <agl@google.com>
2014-08-12 00:51:50 +01:00
flags = append(flags, "-server")
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
flags = append(flags, "-key-file")
if test.keyFile == "" {
flags = append(flags, rsaKeyFile)
} else {
flags = append(flags, test.keyFile)
}
flags = append(flags, "-cert-file")
if test.certFile == "" {
flags = append(flags, rsaCertificateFile)
} else {
flags = append(flags, test.certFile)
}
}
Move configuration into a dedicated TestConfig struct. This removes some duplicate code in parsing command-line flags and, more importantly, makes configuration available when constructing the SSL_CTX and avoids a number of globals. Change-Id: I26e2d2285b732f855a2c82752bc8e0db480c3b30 Reviewed-on: https://boringssl-review.googlesource.com/1502 Reviewed-by: Adam Langley <agl@google.com>
2014-08-12 00:51:50 +01:00
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if test.protocol == dtls {
flags = append(flags, "-dtls")
}
Move configuration into a dedicated TestConfig struct. This removes some duplicate code in parsing command-line flags and, more importantly, makes configuration available when constructing the SSL_CTX and avoids a number of globals. Change-Id: I26e2d2285b732f855a2c82752bc8e0db480c3b30 Reviewed-on: https://boringssl-review.googlesource.com/1502 Reviewed-by: Adam Langley <agl@google.com>
2014-08-12 00:51:50 +01:00
if test.resumeSession {
flags = append(flags, "-resume")
}
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
if test.shimWritesFirst {
flags = append(flags, "-shim-writes-first")
}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
flags = append(flags, test.flags...)
var shim *exec.Cmd
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if *useValgrind {
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
shim = valgrindOf(false, shim_path, flags...)
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-11 00:23:43 +01:00
} else if *useGDB {
shim = gdbOf(shim_path, flags...)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
} else {
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
shim = exec.Command(shim_path, flags...)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
shim.ExtraFiles = []*os.File{shimEnd, shimEndResume}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
shim.Stdin = os.Stdin
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
var stdoutBuf, stderrBuf bytes.Buffer
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
shim.Stdout = &stdoutBuf
shim.Stderr = &stderrBuf
Add malloc failure tests. This commit fixes a number of crashes caused by malloc failures. They were found using the -malloc-test=0 option to runner.go which runs tests many times, causing a different allocation call to fail in each case. (This test only works on Linux and only looks for crashes caused by allocation failures, not memory leaks or other errors.) This is not the complete set of crashes! More can be found by collecting core dumps from running with -malloc-test=0. Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83 Reviewed-on: https://boringssl-review.googlesource.com/2320 Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 01:26:55 +00:00
if mallocNumToFail >= 0 {
shim.Env = []string{"MALLOC_NUMBER_TO_FAIL=" + strconv.FormatInt(mallocNumToFail, 10)}
if *mallocTestDebug {
shim.Env = append(shim.Env, "MALLOC_ABORT_ON_FAIL=1")
}
shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
if err := shim.Start(); err != nil {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
panic(err)
}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
shimEnd.Close()
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
shimEndResume.Close()
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
config := test.config
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
config.ClientSessionCache = NewLRUClientSessionCache(1)
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
config.ServerSessionCache = NewLRUServerSessionCache(1)
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
if test.testType == clientTest {
if len(config.Certificates) == 0 {
config.Certificates = []Certificate{getRSACertificate()}
}
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
err := doExchange(test, &config, conn, test.messageLen,
false /* not a resumption */)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
conn.Close()
Debug resumption connections with -debug too. Change-Id: Ib33cceed561698310f369d63de602123af146a45 Reviewed-on: https://boringssl-review.googlesource.com/2402 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 08:01:00 +00:00
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
if err == nil && test.resumeSession {
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
var resumeConfig Config
if test.resumeConfig != nil {
resumeConfig = *test.resumeConfig
if len(resumeConfig.Certificates) == 0 {
resumeConfig.Certificates = []Certificate{getRSACertificate()}
}
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
if !test.newSessionsOnResume {
resumeConfig.SessionTicketKey = config.SessionTicketKey
resumeConfig.ClientSessionCache = config.ClientSessionCache
resumeConfig.ServerSessionCache = config.ServerSessionCache
}
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
} else {
resumeConfig = config
}
err = doExchange(test, &resumeConfig, connResume, test.messageLen,
true /* resumption */)
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
}
Don't deadlock if a resume test fails the first half. Otherwise the child is busy waiting for its second handshake. Change-Id: Ic613eeb04c5d6c1ec1e1bbcb13946d3ac31d05f1 Reviewed-on: https://boringssl-review.googlesource.com/1752 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:49:07 +01:00
connResume.Close()
Add test coverage for session resumption with tickets. The shim is now passed two file descriptors. In a session resumption test, the second is used in an abbreviated handshake immediately after the first. Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6 Reviewed-on: https://boringssl-review.googlesource.com/1291 Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 00:20:02 +01:00
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
childErr := shim.Wait()
Add malloc failure tests. This commit fixes a number of crashes caused by malloc failures. They were found using the -malloc-test=0 option to runner.go which runs tests many times, causing a different allocation call to fail in each case. (This test only works on Linux and only looks for crashes caused by allocation failures, not memory leaks or other errors.) This is not the complete set of crashes! More can be found by collecting core dumps from running with -malloc-test=0. Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83 Reviewed-on: https://boringssl-review.googlesource.com/2320 Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 01:26:55 +00:00
if exitError, ok := childErr.(*exec.ExitError); ok {
if exitError.Sys().(syscall.WaitStatus).ExitStatus() == 88 {
return errMoreMallocs
}
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
stdout := string(stdoutBuf.Bytes())
stderr := string(stderrBuf.Bytes())
failed := err != nil || childErr != nil
correctFailure := len(test.expectedError) == 0 || strings.Contains(stdout, test.expectedError)
Implement TLS_FALLBACK_SCSV support for the client. With this change, calling SSL_enable_fallback_scsv on a client SSL* will cause the fallback SCSV to be sent. This is intended to be set when the client is performing TLS fallback after a failed connection. (This only happens if the application itself implements this behaviour: OpenSSL does not do fallback automatically.) The fallback SCSV indicates to the server that it should reject the connection if the version indicated by the client is less than the version supported by the server. See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02. Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 20:03:11 +01:00
localError := "none"
if err != nil {
localError = err.Error()
}
if len(test.expectedLocalError) != 0 {
correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
if failed != test.shouldFail || failed && !correctFailure {
childError := "none"
if childErr != nil {
childError = childErr.Error()
}
var msg string
switch {
case failed && !test.shouldFail:
msg = "unexpected failure"
case !failed && test.shouldFail:
msg = "unexpected success"
case failed && !correctFailure:
Implement TLS_FALLBACK_SCSV support for the client. With this change, calling SSL_enable_fallback_scsv on a client SSL* will cause the fallback SCSV to be sent. This is intended to be set when the client is performing TLS fallback after a failed connection. (This only happens if the application itself implements this behaviour: OpenSSL does not do fallback automatically.) The fallback SCSV indicates to the server that it should reject the connection if the version indicated by the client is less than the version supported by the server. See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02. Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 20:03:11 +01:00
msg = "bad error (wanted '" + test.expectedError + "' / '" + test.expectedLocalError + "')"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
default:
panic("internal error")
}
return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s", msg, localError, childError, string(stdoutBuf.Bytes()), stderr)
}
if !*useValgrind && len(stderr) > 0 {
println(stderr)
}
return nil
}
var tlsVersions = []struct {
name string
version uint16
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
flag string
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
hasDTLS bool
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}{
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
{"SSL3", VersionSSL30, "-no-ssl3", false},
{"TLS1", VersionTLS10, "-no-tls1", true},
{"TLS11", VersionTLS11, "-no-tls11", false},
{"TLS12", VersionTLS12, "-no-tls12", true},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
var testCipherSuites = []struct {
name string
id uint16
}{
{"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
runner: Implement DHE-RSA. Use it to test DHE-RSA in BoringSSL. Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a Reviewed-on: https://boringssl-review.googlesource.com/1377 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 22:35:45 +01:00
{"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
runner: Implement DHE-RSA. Use it to test DHE-RSA in BoringSSL. Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a Reviewed-on: https://boringssl-review.googlesource.com/1377 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 22:35:45 +01:00
{"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
runner: Implement DHE-RSA. Use it to test DHE-RSA in BoringSSL. Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a Reviewed-on: https://boringssl-review.googlesource.com/1377 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 22:35:45 +01:00
{"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
{"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
runner: Implement DHE-RSA. Use it to test DHE-RSA in BoringSSL. Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a Reviewed-on: https://boringssl-review.googlesource.com/1377 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 22:35:45 +01:00
{"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
{"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
{"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
{"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
Add tests for ECDHE_PSK. pskKeyAgreement is now a wrapper over a base key agreement. Change-Id: Ic18862d3e98f7513476f878b8df5dcd8d36a0eac Reviewed-on: https://boringssl-review.googlesource.com/2053 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 06:23:15 +00:00
{"ECDHE-PSK-WITH-AES-128-GCM-SHA256", TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
{"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
runner: Implement DHE-RSA. Use it to test DHE-RSA in BoringSSL. Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a Reviewed-on: https://boringssl-review.googlesource.com/1377 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 22:35:45 +01:00
{"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
{"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA},
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
{"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
{"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
{"PSK-RC4-SHA", TLS_PSK_WITH_RC4_128_SHA},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
{"RC4-MD5", TLS_RSA_WITH_RC4_128_MD5},
runner: Implement DHE-RSA. Use it to test DHE-RSA in BoringSSL. Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a Reviewed-on: https://boringssl-review.googlesource.com/1377 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 22:35:45 +01:00
{"RC4-SHA", TLS_RSA_WITH_RC4_128_SHA},
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
func hasComponent(suiteName, component string) bool {
return strings.Contains("-"+suiteName+"-", "-"+component+"-")
}
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
func isTLS12Only(suiteName string) bool {
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
return hasComponent(suiteName, "GCM") ||
hasComponent(suiteName, "SHA256") ||
hasComponent(suiteName, "SHA384")
}
func isDTLSCipher(suiteName string) bool {
Support EVP_AEAD in DTLS. This CL removes the last of the EVP_CIPHER codepath in ssl/. The dead code is intentionally not pruned for ease of review, except in DTLS-only code where adding new logic to support both, only to remove half, would be cumbersome. Fixes made: - dtls1_retransmit_state is taught to retain aead_write_ctx rather than enc_write_ctx. - d1_pkt.c reserves space for the variable-length nonce when echoed into the packet. - dtls1_do_write sizes the MTU based on EVP_AEAD max overhead. - tls1_change_cipher_state_cipher should not free AEAD write contexts in DTLS. This matches the (rather confused) ownership for the EVP_CIPHER contexts. I've added a TODO to resolve this craziness. A follow-up CL will remove all the resultant dead code. Change-Id: I644557f4db53bbfb182950823ab96d5e4c908866 Reviewed-on: https://boringssl-review.googlesource.com/2699 Reviewed-by: Adam Langley <agl@google.com>
2014-12-23 16:16:01 +00:00
return !hasComponent(suiteName, "RC4")
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
func addCipherSuiteTests() {
for _, suite := range testCipherSuites {
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
const psk = "12345"
const pskIdentity = "luggage combo"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
var cert Certificate
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
var certFile string
var keyFile string
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
if hasComponent(suite.name, "ECDSA") {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
cert = getECDSACertificate()
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
certFile = ecdsaCertificateFile
keyFile = ecdsaKeyFile
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
} else {
cert = getRSACertificate()
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
certFile = rsaCertificateFile
keyFile = rsaKeyFile
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
var flags []string
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
if hasComponent(suite.name, "PSK") {
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
flags = append(flags,
"-psk", psk,
"-psk-identity", pskIdentity)
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
for _, ver := range tlsVersions {
Test SHA-256 and SHA-384 CBC-mode cipher suites. These were added in TLS 1.2. They are like the standard AES-CBC cipher suites, but use different HMACs. Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181 Reviewed-on: https://boringssl-review.googlesource.com/1730 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 07:06:47 +01:00
if ver.version < VersionTLS12 && isTLS12Only(suite.name) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
continue
}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
testCases = append(testCases, testCase{
testType: clientTest,
name: ver.name + "-" + suite.name + "-client",
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
config: Config{
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
},
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
flags: flags,
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
resumeSession: true,
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
})
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
Get SSL 3.0 server tests working. The missing SSL 3.0 client support in runner.go was fairly minor. Change-Id: Ibbd440c9b6be99be08a214dec6b93ca358d8cf0a Reviewed-on: https://boringssl-review.googlesource.com/1516 Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 21:25:34 +01:00
testCases = append(testCases, testCase{
testType: serverTest,
name: ver.name + "-" + suite.name + "-server",
config: Config{
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Get SSL 3.0 server tests working. The missing SSL 3.0 client support in runner.go was fairly minor. Change-Id: Ibbd440c9b6be99be08a214dec6b93ca358d8cf0a Reviewed-on: https://boringssl-review.googlesource.com/1516 Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 21:25:34 +01:00
},
certFile: certFile,
keyFile: keyFile,
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
flags: flags,
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
resumeSession: true,
Get SSL 3.0 server tests working. The missing SSL 3.0 client support in runner.go was fairly minor. Change-Id: Ibbd440c9b6be99be08a214dec6b93ca358d8cf0a Reviewed-on: https://boringssl-review.googlesource.com/1516 Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 21:25:34 +01:00
})
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
if ver.hasDTLS && isDTLSCipher(suite.name) {
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
testCases = append(testCases, testCase{
testType: clientTest,
protocol: dtls,
name: "D" + ver.name + "-" + suite.name + "-client",
config: Config{
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
},
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
flags: flags,
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
resumeSession: true,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
})
testCases = append(testCases, testCase{
testType: serverTest,
protocol: dtls,
name: "D" + ver.name + "-" + suite.name + "-server",
config: Config{
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
},
certFile: certFile,
keyFile: keyFile,
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
flags: flags,
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
resumeSession: true,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
})
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
}
}
func addBadECDSASignatureTests() {
for badR := BadValue(1); badR < NumBadValues; badR++ {
for badS := BadValue(1); badS < NumBadValues; badS++ {
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
testCases = append(testCases, testCase{
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
config: Config{
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{getECDSACertificate()},
Bugs: ProtocolBugs{
BadECDSAR: badR,
BadECDSAS: badS,
},
},
shouldFail: true,
expectedError: "SIGNATURE",
})
}
}
}
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
func addCBCPaddingTests() {
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
testCases = append(testCases, testCase{
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
name: "MaxCBCPadding",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
MaxPadding: true,
},
},
messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
})
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
testCases = append(testCases, testCase{
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
name: "BadCBCPadding",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
PaddingFirstByteBad: true,
},
},
shouldFail: true,
expectedError: "DECRYPTION_FAILED_OR_BAD_RECORD_MAC",
})
// OpenSSL previously had an issue where the first byte of padding in
// 255 bytes of padding wasn't checked.
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
testCases = append(testCases, testCase{
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
name: "BadCBCPadding255",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
MaxPadding: true,
PaddingFirstByteBadIf255: true,
},
},
messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
shouldFail: true,
expectedError: "DECRYPTION_FAILED_OR_BAD_RECORD_MAC",
})
}
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
func addCBCSplittingTests() {
testCases = append(testCases, testCase{
name: "CBCRecordSplitting",
config: Config{
MaxVersion: VersionTLS10,
MinVersion: VersionTLS10,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
},
messageLen: -1, // read until EOF
flags: []string{
"-async",
"-write-different-record-sizes",
"-cbc-record-splitting",
},
Remove SSL_OP_TLS_ROLLBACK_BUG. It's not part of SSL_OP_ALL and is unused, so remove it. Add a test that asserts the version check works. Change-Id: I917516594ec5a4998a8316782f035697c33d99b0 Reviewed-on: https://boringssl-review.googlesource.com/1418 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 03:11:10 +01:00
})
testCases = append(testCases, testCase{
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
name: "CBCRecordSplittingPartialWrite",
config: Config{
MaxVersion: VersionTLS10,
MinVersion: VersionTLS10,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
},
messageLen: -1, // read until EOF
flags: []string{
"-async",
"-write-different-record-sizes",
"-cbc-record-splitting",
"-partial-write",
},
})
}
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
func addClientAuthTests() {
Fix parsing of CertificateRequests. Got one of the conditions flipped. Change-Id: I327a9c13e42865459e8d69a431b0d3a2bc6b54a5 Reviewed-on: https://boringssl-review.googlesource.com/1210 Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 17:58:59 +01:00
// Add a dummy cert pool to stress certificate authority parsing.
// TODO(davidben): Add tests that those values parse out correctly.
certPool := x509.NewCertPool()
cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
if err != nil {
panic(err)
}
certPool.AddCert(cert)
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
for _, ver := range tlsVersions {
testCases = append(testCases, testCase{
testType: clientTest,
Add tests for the server accepting client certificates. Change-Id: I9acc4363c6b9804d5fe464053393cf16ffb7785c Reviewed-on: https://boringssl-review.googlesource.com/1159 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 20:47:52 +01:00
name: ver.name + "-Client-ClientAuth-RSA",
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
config: Config{
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 04:13:20 +01:00
MinVersion: ver.version,
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
ClientCAs: certPool,
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
},
flags: []string{
"-cert-file", rsaCertificateFile,
"-key-file", rsaKeyFile,
},
})
Add tests for the server accepting client certificates. Change-Id: I9acc4363c6b9804d5fe464053393cf16ffb7785c Reviewed-on: https://boringssl-review.googlesource.com/1159 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 20:47:52 +01:00
testCases = append(testCases, testCase{
testType: serverTest,
name: ver.name + "-Server-ClientAuth-RSA",
config: Config{
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 04:13:20 +01:00
MinVersion: ver.version,
MaxVersion: ver.version,
Add tests for the server accepting client certificates. Change-Id: I9acc4363c6b9804d5fe464053393cf16ffb7785c Reviewed-on: https://boringssl-review.googlesource.com/1159 Reviewed-by: Adam Langley <agl@google.com>
2014-07-12 20:47:52 +01:00
Certificates: []Certificate{rsaCertificate},
},
flags: []string{"-require-any-client-certificate"},
})
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 04:13:20 +01:00
if ver.version != VersionSSL30 {
testCases = append(testCases, testCase{
testType: serverTest,
name: ver.name + "-Server-ClientAuth-ECDSA",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{ecdsaCertificate},
},
flags: []string{"-require-any-client-certificate"},
})
testCases = append(testCases, testCase{
testType: clientTest,
name: ver.name + "-Client-ClientAuth-ECDSA",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
ClientCAs: certPool,
},
flags: []string{
"-cert-file", ecdsaCertificateFile,
"-key-file", ecdsaKeyFile,
},
})
}
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
}
}
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-11 00:23:43 +01:00
func addExtendedMasterSecretTests() {
const expectEMSFlag = "-expect-extended-master-secret"
for _, with := range []bool{false, true} {
prefix := "No"
var flags []string
if with {
prefix = ""
flags = []string{expectEMSFlag}
}
for _, isClient := range []bool{false, true} {
suffix := "-Server"
testType := serverTest
if isClient {
suffix = "-Client"
testType = clientTest
}
for _, ver := range tlsVersions {
test := testCase{
testType: testType,
name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: !with,
RequireExtendedMasterSecret: with,
},
},
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
flags: flags,
shouldFail: ver.version == VersionSSL30 && with,
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-11 00:23:43 +01:00
}
if test.shouldFail {
test.expectedLocalError = "extended master secret required but not supported by peer"
}
testCases = append(testCases, test)
}
}
}
// When a session is resumed, it should still be aware that its master
// secret was generated via EMS and thus it's safe to use tls-unique.
testCases = append(testCases, testCase{
name: "ExtendedMasterSecret-Resume",
config: Config{
Bugs: ProtocolBugs{
RequireExtendedMasterSecret: true,
},
},
flags: []string{expectEMSFlag},
resumeSession: true,
})
}
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
// Adds tests that try to cover the range of the handshake state machine, under
// various conditions. Some of these are redundant with other tests, but they
// only cover the synchronous case.
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
func addStateMachineCoverageTests(async, splitHandshake bool, protocol protocol) {
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
var suffix string
var flags []string
var maxHandshakeRecordLength int
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if protocol == dtls {
suffix = "-DTLS"
}
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
if async {
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
suffix += "-Async"
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
flags = append(flags, "-async")
} else {
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
suffix += "-Sync"
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
}
if splitHandshake {
suffix += "-SplitHandshakeRecords"
Add tests for CVE-2014-3511. Also change MaxHandshakeRecordLength to 1 in the handshake coverage tests to better stress the state machine. Change-Id: I27fce2c000b3d4818fd2e9a47fb09d3f646dd1bd Reviewed-on: https://boringssl-review.googlesource.com/1452 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 23:02:39 +01:00
maxHandshakeRecordLength = 1
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
}
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
// Basic handshake, with resumption. Client and server,
// session ID and session ticket.
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
name: "Basic-Client" + suffix,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
Add RenewTicketOnResume tests. Didn't have coverage for abbreviated handshakes with NewSessionTicket. Also add some missing resumeSession flags so the tests match the comments. Change-Id: Ie4d76e8764561f3f1f31e1aa9595324affce0db8 Reviewed-on: https://boringssl-review.googlesource.com/1453 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 00:13:38 +01:00
flags: flags,
resumeSession: true,
})
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
name: "Basic-Client-RenewTicket" + suffix,
Add RenewTicketOnResume tests. Didn't have coverage for abbreviated handshakes with NewSessionTicket. Also add some missing resumeSession flags so the tests match the comments. Change-Id: Ie4d76e8764561f3f1f31e1aa9595324affce0db8 Reviewed-on: https://boringssl-review.googlesource.com/1453 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 00:13:38 +01:00
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
RenewTicketOnResume: true,
},
},
flags: flags,
resumeSession: true,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
})
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
name: "Basic-Client-NoTicket" + suffix,
config: Config{
SessionTicketsDisabled: true,
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: flags,
resumeSession: true,
})
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testType: serverTest,
name: "Basic-Server" + suffix,
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
Add RenewTicketOnResume tests. Didn't have coverage for abbreviated handshakes with NewSessionTicket. Also add some missing resumeSession flags so the tests match the comments. Change-Id: Ie4d76e8764561f3f1f31e1aa9595324affce0db8 Reviewed-on: https://boringssl-review.googlesource.com/1453 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 00:13:38 +01:00
flags: flags,
resumeSession: true,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
})
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 08:19:02 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "Basic-Server-NoTickets" + suffix,
config: Config{
SessionTicketsDisabled: true,
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: flags,
resumeSession: true,
})
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
// TLS client auth.
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
testType: clientTest,
name: "ClientAuth-Client" + suffix,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
config: Config{
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 04:13:20 +01:00
ClientAuth: RequireAnyClientCert,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
flags: append(flags,
"-cert-file", rsaCertificateFile,
"-key-file", rsaKeyFile),
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
})
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testType: serverTest,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
name: "ClientAuth-Server" + suffix,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
config: Config{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
Certificates: []Certificate{rsaCertificate},
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
},
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
flags: append(flags, "-require-any-client-certificate"),
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
})
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
// No session ticket support; server doesn't send NewSessionTicket.
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
name: "SessionTicketsDisabled-Client" + suffix,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
config: Config{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
SessionTicketsDisabled: true,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
flags: flags,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
})
testCases = append(testCases, testCase{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
protocol: protocol,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
testType: serverTest,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
name: "SessionTicketsDisabled-Server" + suffix,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
config: Config{
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
SessionTicketsDisabled: true,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
flags: flags,
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
})
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 05:06:24 +00:00
// Skip ServerKeyExchange in PSK key exchange if there's no
// identity hint.
testCases = append(testCases, testCase{
protocol: protocol,
name: "EmptyPSKHint-Client" + suffix,
config: Config{
CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags, "-psk", "secret"),
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "EmptyPSKHint-Server" + suffix,
config: Config{
CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags, "-psk", "secret"),
})
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
if protocol == tls {
// NPN on client and server; results in post-handshake message.
testCases = append(testCases, testCase{
protocol: protocol,
name: "NPN-Client" + suffix,
config: Config{
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
NextProtos: []string{"foo"},
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
},
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
flags: append(flags, "-select-next-proto", "foo"),
expectedNextProto: "foo",
expectedNextProtoType: npn,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "NPN-Server" + suffix,
config: Config{
NextProtos: []string{"bar"},
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags,
"-advertise-npn", "\x03foo\x03bar\x03baz",
"-expect-next-proto", "bar"),
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
expectedNextProto: "bar",
expectedNextProtoType: npn,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
})
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
// Client does False Start and negotiates NPN.
testCases = append(testCases, testCase{
protocol: protocol,
name: "FalseStart" + suffix,
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
ExpectFalseStart: true,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
},
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
flags: append(flags,
"-false-start",
"-select-next-proto", "foo"),
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
shimWritesFirst: true,
resumeSession: true,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
})
Move SendV2ClientHello to handshake coverage tests. It's a different handshake flow with more state machine coverage. We should make sure to test the asynchronous version. Change-Id: I0bb79ca7e6a86bd3cac66bac1f795a885d474909 Reviewed-on: https://boringssl-review.googlesource.com/1454 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:27:04 +01:00
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
// Client does False Start and negotiates ALPN.
testCases = append(testCases, testCase{
protocol: protocol,
name: "FalseStart-ALPN" + suffix,
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags,
"-false-start",
"-advertise-alpn", "\x03foo"),
shimWritesFirst: true,
resumeSession: true,
})
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
// False Start without session tickets.
testCases = append(testCases, testCase{
name: "FalseStart-SessionTicketsDisabled",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
SessionTicketsDisabled: true,
Fix FalseStart-SessionTicketsDisabled tests. They weren't inheriting async settings. Change-Id: I5e9c04914926910dce63f93462cce4024627fb26 Reviewed-on: https://boringssl-review.googlesource.com/1605 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:45:30 +01:00
Bugs: ProtocolBugs{
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
ExpectFalseStart: true,
Fix FalseStart-SessionTicketsDisabled tests. They weren't inheriting async settings. Change-Id: I5e9c04914926910dce63f93462cce4024627fb26 Reviewed-on: https://boringssl-review.googlesource.com/1605 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:45:30 +01:00
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
Move SendV2ClientHello to handshake coverage tests. It's a different handshake flow with more state machine coverage. We should make sure to test the asynchronous version. Change-Id: I0bb79ca7e6a86bd3cac66bac1f795a885d474909 Reviewed-on: https://boringssl-review.googlesource.com/1454 Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:27:04 +01:00
},
Fix FalseStart-SessionTicketsDisabled tests. They weren't inheriting async settings. Change-Id: I5e9c04914926910dce63f93462cce4024627fb26 Reviewed-on: https://boringssl-review.googlesource.com/1605 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:45:30 +01:00
flags: append(flags,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
"-false-start",
"-select-next-proto", "foo",
Fix FalseStart-SessionTicketsDisabled tests. They weren't inheriting async settings. Change-Id: I5e9c04914926910dce63f93462cce4024627fb26 Reviewed-on: https://boringssl-review.googlesource.com/1605 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:45:30 +01:00
),
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 08:47:07 +01:00
shimWritesFirst: true,
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
})
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
// Server parses a V2ClientHello.
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "SendV2ClientHello" + suffix,
config: Config{
// Choose a cipher suite that does not involve
// elliptic curves, so no extensions are
// involved.
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
SendV2ClientHello: true,
},
},
flags: flags,
})
Add basic TLS Channel ID tests. Change-Id: I7ccf2b8282dfa8f3985775e8b67edcf3c2949752 Reviewed-on: https://boringssl-review.googlesource.com/1606 Reviewed-by: Adam Langley <agl@google.com>
2014-08-24 06:46:07 +01:00
// Client sends a Channel ID.
testCases = append(testCases, testCase{
protocol: protocol,
name: "ChannelID-Client" + suffix,
config: Config{
RequestChannelID: true,
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags,
"-send-channel-id", channelIDKeyFile,
),
resumeSession: true,
expectChannelID: true,
})
// Server accepts a Channel ID.
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "ChannelID-Server" + suffix,
config: Config{
ChannelID: channelIDKey,
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags,
"-expect-channel-id",
base64.StdEncoding.EncodeToString(channelIDBytes),
),
resumeSession: true,
expectChannelID: true,
})
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
} else {
testCases = append(testCases, testCase{
protocol: protocol,
name: "SkipHelloVerifyRequest" + suffix,
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
SkipHelloVerifyRequest: true,
},
},
flags: flags,
})
testCases = append(testCases, testCase{
testType: serverTest,
protocol: protocol,
name: "CookieExchange" + suffix,
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: maxHandshakeRecordLength,
},
},
flags: append(flags, "-cookie-exchange"),
})
}
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
}
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
func addVersionNegotiationTests() {
for i, shimVers := range tlsVersions {
// Assemble flags to disable all newer versions on the shim.
var flags []string
for _, vers := range tlsVersions[i+1:] {
flags = append(flags, vers.flag)
}
for _, runnerVers := range tlsVersions {
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
protocols := []protocol{tls}
if runnerVers.hasDTLS && shimVers.hasDTLS {
protocols = append(protocols, dtls)
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
}
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
for _, protocol := range protocols {
expectedVersion := shimVers.version
if runnerVers.version < shimVers.version {
expectedVersion = runnerVers.version
}
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
suffix += "-DTLS"
}
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
Add min_version and max_version APIs. Amend the version negotiation tests to test this new spelling of max_version. min_version will be tested in a follow-up. Change-Id: Ic4bfcd43bc4e5f951140966f64bb5fd3e2472b01 Reviewed-on: https://boringssl-review.googlesource.com/2583 Reviewed-by: Adam Langley <agl@google.com>
2014-12-12 23:17:51 +00:00
shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
clientVers := shimVers.version
if clientVers > VersionTLS10 {
clientVers = VersionTLS10
}
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "VersionNegotiation-Client-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: clientVers,
},
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
},
flags: flags,
expectedVersion: expectedVersion,
})
Add min_version and max_version APIs. Amend the version negotiation tests to test this new spelling of max_version. min_version will be tested in a follow-up. Change-Id: Ic4bfcd43bc4e5f951140966f64bb5fd3e2472b01 Reviewed-on: https://boringssl-review.googlesource.com/2583 Reviewed-by: Adam Langley <agl@google.com>
2014-12-12 23:17:51 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "VersionNegotiation-Client2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: clientVers,
},
},
flags: []string{"-max-version", shimVersFlag},
expectedVersion: expectedVersion,
})
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiation-Server-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: expectedVersion,
},
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
},
flags: flags,
expectedVersion: expectedVersion,
})
Add min_version and max_version APIs. Amend the version negotiation tests to test this new spelling of max_version. min_version will be tested in a follow-up. Change-Id: Ic4bfcd43bc4e5f951140966f64bb5fd3e2472b01 Reviewed-on: https://boringssl-review.googlesource.com/2583 Reviewed-by: Adam Langley <agl@google.com>
2014-12-12 23:17:51 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiation-Server2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: expectedVersion,
},
},
flags: []string{"-max-version", shimVersFlag},
expectedVersion: expectedVersion,
})
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
}
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
}
}
}
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
func addMinimumVersionTests() {
for i, shimVers := range tlsVersions {
// Assemble flags to disable all older versions on the shim.
var flags []string
for _, vers := range tlsVersions[:i] {
flags = append(flags, vers.flag)
}
for _, runnerVers := range tlsVersions {
protocols := []protocol{tls}
if runnerVers.hasDTLS && shimVers.hasDTLS {
protocols = append(protocols, dtls)
}
for _, protocol := range protocols {
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
suffix += "-DTLS"
}
shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
var expectedVersion uint16
var shouldFail bool
var expectedError string
Add tests for version negotiation failure alerts. Ensure that both the client and the server emit a protocol_version alert (except in SSLv3 where it doesn't exist) with a record-layer version which the peer will recognize. Change-Id: I31650a64fe9b027ff3d51e303711910a00b43d6f
2014-12-13 06:55:01 +00:00
var expectedLocalError string
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
if runnerVers.version >= shimVers.version {
expectedVersion = runnerVers.version
} else {
shouldFail = true
expectedError = ":UNSUPPORTED_PROTOCOL:"
Add tests for version negotiation failure alerts. Ensure that both the client and the server emit a protocol_version alert (except in SSLv3 where it doesn't exist) with a record-layer version which the peer will recognize. Change-Id: I31650a64fe9b027ff3d51e303711910a00b43d6f
2014-12-13 06:55:01 +00:00
if runnerVers.version > VersionSSL30 {
expectedLocalError = "remote error: protocol version not supported"
} else {
expectedLocalError = "remote error: handshake failure"
}
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
}
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "MinimumVersion-Client-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
},
Add tests for version negotiation failure alerts. Ensure that both the client and the server emit a protocol_version alert (except in SSLv3 where it doesn't exist) with a record-layer version which the peer will recognize. Change-Id: I31650a64fe9b027ff3d51e303711910a00b43d6f
2014-12-13 06:55:01 +00:00
flags: flags,
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "MinimumVersion-Client2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
},
Add tests for version negotiation failure alerts. Ensure that both the client and the server emit a protocol_version alert (except in SSLv3 where it doesn't exist) with a record-layer version which the peer will recognize. Change-Id: I31650a64fe9b027ff3d51e303711910a00b43d6f
2014-12-13 06:55:01 +00:00
flags: []string{"-min-version", shimVersFlag},
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "MinimumVersion-Server-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
},
Add tests for version negotiation failure alerts. Ensure that both the client and the server emit a protocol_version alert (except in SSLv3 where it doesn't exist) with a record-layer version which the peer will recognize. Change-Id: I31650a64fe9b027ff3d51e303711910a00b43d6f
2014-12-13 06:55:01 +00:00
flags: flags,
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "MinimumVersion-Server2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
},
Add tests for version negotiation failure alerts. Ensure that both the client and the server emit a protocol_version alert (except in SSLv3 where it doesn't exist) with a record-layer version which the peer will recognize. Change-Id: I31650a64fe9b027ff3d51e303711910a00b43d6f
2014-12-13 06:55:01 +00:00
flags: []string{"-min-version", shimVersFlag},
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
})
}
}
}
}
Add a test for SSL_OP_TLS_D5_BUG. If this is part of SSL_OP_ALL, we should have a test for it. Change-Id: Ia72422beb2da6434726e78e174f3416f90f7c897 Reviewed-on: https://boringssl-review.googlesource.com/1695 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 05:59:27 +01:00
func addD5BugTests() {
testCases = append(testCases, testCase{
testType: serverTest,
name: "D5Bug-NoQuirk-Reject",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SSL3RSAKeyExchange: true,
},
},
shouldFail: true,
expectedError: ":TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "D5Bug-Quirk-Normal",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
},
flags: []string{"-tls-d5-bug"},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "D5Bug-Quirk-Bug",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SSL3RSAKeyExchange: true,
},
},
flags: []string{"-tls-d5-bug"},
})
}
Improve test coverage for server_name extension. Notably, this would have caught ed8270a55c3845abbc85dfeed358597fef059ea9 (although, apart from staring at code coverage, knowing to set resumeSession on the server test isn't exactly obvious). Perhaps we should systematically set it on all extension server tests; ClientHello extension parsing happens after resumption has been determined and is often sensitive to it. Change-Id: Ie83f294a26881a6a41969e9dbd102d0a93cb68b5 Reviewed-on: https://boringssl-review.googlesource.com/1750 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:45:15 +01:00
func addExtensionTests() {
testCases = append(testCases, testCase{
testType: clientTest,
name: "DuplicateExtensionClient",
config: Config{
Bugs: ProtocolBugs{
DuplicateExtension: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decoding message",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "DuplicateExtensionServer",
config: Config{
Bugs: ProtocolBugs{
DuplicateExtension: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decoding message",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ServerNameExtensionClient",
config: Config{
Bugs: ProtocolBugs{
ExpectServerName: "example.com",
},
},
flags: []string{"-host-name", "example.com"},
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ServerNameExtensionClient",
config: Config{
Bugs: ProtocolBugs{
ExpectServerName: "mismatch.com",
},
},
flags: []string{"-host-name", "example.com"},
shouldFail: true,
expectedLocalError: "tls: unexpected server name",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ServerNameExtensionClient",
config: Config{
Bugs: ProtocolBugs{
ExpectServerName: "missing.com",
},
},
shouldFail: true,
expectedLocalError: "tls: unexpected server name",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerNameExtensionServer",
config: Config{
ServerName: "example.com",
},
flags: []string{"-expect-server-name", "example.com"},
resumeSession: true,
})
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
testCases = append(testCases, testCase{
testType: clientTest,
name: "ALPNClient",
config: Config{
NextProtos: []string{"foo"},
},
flags: []string{
"-advertise-alpn", "\x03foo\x03bar\x03baz",
"-expect-alpn", "foo",
},
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer",
config: Config{
NextProtos: []string{"foo", "bar", "baz"},
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
},
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 18:21:53 +01:00
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
// Test that the server prefers ALPN over NPN.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-Preferred",
config: Config{
NextProtos: []string{"foo", "bar", "baz"},
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-Preferred-Swapped",
config: Config{
NextProtos: []string{"foo", "bar", "baz"},
Bugs: ProtocolBugs{
SwapNPNAndALPN: true,
},
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
Add tests for ALPN support. Both as client and as server. Also tests that ALPN causes False Start to kick in. Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4 Reviewed-on: https://boringssl-review.googlesource.com/1753 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:58:58 +01:00
})
Fix memory leak when decoding corrupt tickets. This is CVE-2014-3567 from upstream. See https://www.openssl.org/news/secadv_20141015.txt Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815 Reviewed-on: https://boringssl-review.googlesource.com/1970 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-17 03:04:35 +01:00
// Resume with a corrupt ticket.
testCases = append(testCases, testCase{
testType: serverTest,
name: "CorruptTicket",
config: Config{
Bugs: ProtocolBugs{
CorruptTicket: true,
},
},
resumeSession: true,
flags: []string{"-expect-session-miss"},
})
// Resume with an oversized session id.
testCases = append(testCases, testCase{
testType: serverTest,
name: "OversizedSessionId",
config: Config{
Bugs: ProtocolBugs{
OversizedSessionId: true,
},
},
resumeSession: true,
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-11 00:23:43 +01:00
shouldFail: true,
Fix memory leak when decoding corrupt tickets. This is CVE-2014-3567 from upstream. See https://www.openssl.org/news/secadv_20141015.txt Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815 Reviewed-on: https://boringssl-review.googlesource.com/1970 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-17 03:04:35 +01:00
expectedError: ":DECODE_ERROR:",
})
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
2014-11-16 00:06:08 +00:00
// Basic DTLS-SRTP tests. Include fake profiles to ensure they
// are ignored.
testCases = append(testCases, testCase{
protocol: dtls,
name: "SRTP-Client",
config: Config{
SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SRTP-Server",
config: Config{
SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
})
// Test that the MKI is ignored.
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SRTP-Server-IgnoreMKI",
config: Config{
SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
Bugs: ProtocolBugs{
SRTPMasterKeyIdentifer: "bogus",
},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
})
// Test that SRTP isn't negotiated on the server if there were
// no matching profiles.
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SRTP-Server-NoMatch",
config: Config{
SRTPProtectionProfiles: []uint16{100, 101, 102},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: 0,
})
// Test that the server returning an invalid SRTP profile is
// flagged as an error by the client.
testCases = append(testCases, testCase{
protocol: dtls,
name: "SRTP-Client-NoMatch",
config: Config{
Bugs: ProtocolBugs{
SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80",
},
shouldFail: true,
expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
})
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
2014-11-25 06:55:35 +00:00
// Test OCSP stapling and SCT list.
testCases = append(testCases, testCase{
name: "OCSPStapling",
flags: []string{
"-enable-ocsp-stapling",
"-expect-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
},
})
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampList",
flags: []string{
"-enable-signed-cert-timestamps",
"-expect-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
})
Improve test coverage for server_name extension. Notably, this would have caught ed8270a55c3845abbc85dfeed358597fef059ea9 (although, apart from staring at code coverage, knowing to set resumeSession on the server test isn't exactly obvious). Perhaps we should systematically set it on all extension server tests; ClientHello extension parsing happens after resumption has been determined and is often sensitive to it. Change-Id: Ie83f294a26881a6a41969e9dbd102d0a93cb68b5 Reviewed-on: https://boringssl-review.googlesource.com/1750 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:45:15 +01:00
}
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
func addResumptionVersionTests() {
for _, sessionVers := range tlsVersions {
for _, resumeVers := range tlsVersions {
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
protocols := []protocol{tls}
if sessionVers.hasDTLS && resumeVers.hasDTLS {
protocols = append(protocols, dtls)
}
for _, protocol := range protocols {
suffix := "-" + sessionVers.name + "-" + resumeVers.name
if protocol == dtls {
suffix += "-DTLS"
}
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
name: "Resume-Client" + suffix,
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
AllowSessionVersionMismatch: true,
},
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
},
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
expectedVersion: sessionVers.version,
resumeConfig: &Config{
MaxVersion: resumeVers.version,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
AllowSessionVersionMismatch: true,
},
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
},
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
expectedResumeVersion: resumeVers.version,
})
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
testCases = append(testCases, testCase{
protocol: protocol,
name: "Resume-Client-NoResume" + suffix,
flags: []string{"-expect-session-miss"},
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
},
expectedVersion: sessionVers.version,
resumeConfig: &Config{
MaxVersion: resumeVers.version,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
},
newSessionsOnResume: true,
expectedResumeVersion: resumeVers.version,
})
Don't resume sessions if the negotiated version doesn't match. All of NSS, upstream OpenSSL, SChannel, and Secure Transport require, on the client, that the ServerHello version match the session's version on resumption. OpenSSL's current behavior is incompatible with all of these. Fall back to a full handshake on the server instead of mismatch. Add a comment on the client for why we are, as of 30ddb434bfb845356fbacb6b2bd51f8814c7043c, not currently enforcing the same in the client. Change-Id: I60aec972d81368c4ec30e2fd515dabd69401d175 Reviewed-on: https://boringssl-review.googlesource.com/2244 Reviewed-by: Adam Langley <agl@google.com>
2014-11-11 05:52:15 +00:00
Fix DTLS_ANY_VERSION and add tests. This fixes bugs that kept the tests from working: - Resolve DTLS version and cookie before the session. - In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This is a regression from f2fedefdcaf62f10b566f55858c25f35112072ea. We'll want to do the same for TLS, but first let's change this to a boolean has_version in a follow-up. Things not yet fixed: - DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now. - On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong ssl_version. The tests pass because we no longer enforce the match as of e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server ignoring ssl_version and client enforcing to the client mostly ignoring ssl_version and the server enforcing.) - ssl3_send_client_hello's ssl_version check checks for equality against s->version rather than >. Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c Reviewed-on: https://boringssl-review.googlesource.com/2403 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 07:47:52 +00:00
var flags []string
if sessionVers.version != resumeVers.version {
flags = append(flags, "-expect-session-miss")
}
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "Resume-Server" + suffix,
flags: flags,
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
},
expectedVersion: sessionVers.version,
resumeConfig: &Config{
MaxVersion: resumeVers.version,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
},
expectedResumeVersion: resumeVers.version,
})
Don't resume sessions if the negotiated version doesn't match. All of NSS, upstream OpenSSL, SChannel, and Secure Transport require, on the client, that the ServerHello version match the session's version on resumption. OpenSSL's current behavior is incompatible with all of these. Fall back to a full handshake on the server instead of mismatch. Add a comment on the client for why we are, as of 30ddb434bfb845356fbacb6b2bd51f8814c7043c, not currently enforcing the same in the client. Change-Id: I60aec972d81368c4ec30e2fd515dabd69401d175 Reviewed-on: https://boringssl-review.googlesource.com/2244 Reviewed-by: Adam Langley <agl@google.com>
2014-11-11 05:52:15 +00:00
}
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
}
}
}
Test server-side renegotiation. This change adds support to the Go code for renegotiation as a client, meaning that we can test BoringSSL's renegotiation as a server. Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b Reviewed-on: https://boringssl-review.googlesource.com/2082 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 00:29:33 +00:00
func addRenegotiationTests() {
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server",
flags: []string{"-renegotiate"},
shimWritesFirst: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-EmptyExt",
config: Config{
Bugs: ProtocolBugs{
EmptyRenegotiationInfo: true,
},
},
flags: []string{"-renegotiate"},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-BadExt",
config: Config{
Bugs: ProtocolBugs{
BadRenegotiationInfo: true,
},
},
flags: []string{"-renegotiate"},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
Add tests for client-initiated renegotiation. These'll get removed once most of renego support is gone, but this is to prove removing the warning alert from the previous commit still prevents legacy renegotiations. Change-Id: I7d9d95e1d4c5d23d3b6d170938a5499a65f2d5ea Reviewed-on: https://boringssl-review.googlesource.com/2236 Reviewed-by: Adam Langley <agl@google.com>
2014-11-08 17:31:52 +00:00
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-ClientInitiated",
renegotiate: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-ClientInitiated-NoExt",
renegotiate: true,
config: Config{
Bugs: ProtocolBugs{
NoRenegotiationInfo: true,
},
},
shouldFail: true,
expectedError: ":UNSAFE_LEGACY_RENEGOTIATION_DISABLED:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-ClientInitiated-NoExt-Allowed",
renegotiate: true,
config: Config{
Bugs: ProtocolBugs{
NoRenegotiationInfo: true,
},
},
flags: []string{"-allow-unsafe-legacy-renegotiation"},
})
Test server-side renegotiation. This change adds support to the Go code for renegotiation as a client, meaning that we can test BoringSSL's renegotiation as a server. Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b Reviewed-on: https://boringssl-review.googlesource.com/2082 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 00:29:33 +00:00
// TODO(agl): test the renegotiation info SCSV.
Test renegotiation with BoringSSL as the client. This also contains a test for the issue fixed in 88333ef7d7d47221ede66a2a31626fc426466297. Change-Id: Id705a82cee34c018491dc301eba8b5097b9c83d5 Reviewed-on: https://boringssl-review.googlesource.com/2083 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 02:06:14 +00:00
testCases = append(testCases, testCase{
name: "Renegotiate-Client",
renegotiate: true,
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-EmptyExt",
renegotiate: true,
config: Config{
Bugs: ProtocolBugs{
EmptyRenegotiationInfo: true,
},
},
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-BadExt",
renegotiate: true,
config: Config{
Bugs: ProtocolBugs{
BadRenegotiationInfo: true,
},
},
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-SwitchCiphers",
renegotiate: true,
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
},
renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-SwitchCiphers2",
renegotiate: true,
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
},
renegotiateCiphers: []uint16{TLS_RSA_WITH_RC4_128_SHA},
})
Add test for renego client_version quirk. In upstream's f4e1169341ad1217e670387db5b0c12d680f95f4, the client_version was made constant across renegotiations, even if the server negotiated a lower version. NSS has the same quirk, reportedly for SChannel: https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/ssl3con.c&sq=package:chromium&l=5103 Add a test to ensure we do not regress this. Change-Id: I214e062463c203b86a9bab00f8503442e1bf74fe Reviewed-on: https://boringssl-review.googlesource.com/2405 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 17:11:01 +00:00
testCases = append(testCases, testCase{
name: "Renegotiate-SameClientVersion",
renegotiate: true,
config: Config{
MaxVersion: VersionTLS10,
Bugs: ProtocolBugs{
RequireSameRenegoClientVersion: true,
},
},
})
Test server-side renegotiation. This change adds support to the Go code for renegotiation as a client, meaning that we can test BoringSSL's renegotiation as a server. Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b Reviewed-on: https://boringssl-review.googlesource.com/2082 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 00:29:33 +00:00
}
Add DTLS replay tests. At the record layer, DTLS maintains a window of seen sequence numbers to detect replays. Add tests to cover that case. Test both repeated sequence numbers within the window and sequence numbers past the window's left edge. Also test receiving sequence numbers far past the window's right edge. Change-Id: If6a7a24869db37fdd8fb3c4b3521b730e31f8f86 Reviewed-on: https://boringssl-review.googlesource.com/2221 Reviewed-by: Adam Langley <agl@google.com>
2014-11-07 06:48:35 +00:00
func addDTLSReplayTests() {
// Test that sequence number replays are detected.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Replay",
replayWrites: true,
})
// Test the outgoing sequence number skipping by values larger
// than the retransmit window.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Replay-LargeGaps",
config: Config{
Bugs: ProtocolBugs{
SequenceNumberIncrement: 127,
},
},
replayWrites: true,
})
}
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-11-22 06:47:56 +00:00
func addFastRadioPaddingTests() {
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
testCases = append(testCases, testCase{
protocol: tls,
name: "FastRadio-Padding",
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-11-22 06:47:56 +00:00
config: Config{
Bugs: ProtocolBugs{
RequireFastradioPadding: true,
},
},
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
flags: []string{"-fastradio-padding"},
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-11-22 06:47:56 +00:00
})
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
testCases = append(testCases, testCase{
protocol: dtls,
name: "FastRadio-Padding",
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-11-22 06:47:56 +00:00
config: Config{
Bugs: ProtocolBugs{
RequireFastradioPadding: true,
},
},
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
2014-12-10 07:27:24 +00:00
flags: []string{"-fastradio-padding"},
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-11-22 06:47:56 +00:00
})
}
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
2014-11-14 06:43:59 +00:00
var testHashes = []struct {
name string
id uint8
}{
{"SHA1", hashSHA1},
{"SHA224", hashSHA224},
{"SHA256", hashSHA256},
{"SHA384", hashSHA384},
{"SHA512", hashSHA512},
}
func addSigningHashTests() {
// Make sure each hash works. Include some fake hashes in the list and
// ensure they're ignored.
for _, hash := range testHashes {
testCases = append(testCases, testCase{
name: "SigningHash-ClientAuth-" + hash.name,
config: Config{
ClientAuth: RequireAnyClientCert,
SignatureAndHashes: []signatureAndHash{
{signatureRSA, 42},
{signatureRSA, hash.id},
{signatureRSA, 255},
},
},
flags: []string{
"-cert-file", rsaCertificateFile,
"-key-file", rsaKeyFile,
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SigningHash-ServerKeyExchange-Sign-" + hash.name,
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignatureAndHashes: []signatureAndHash{
{signatureRSA, 42},
{signatureRSA, hash.id},
{signatureRSA, 255},
},
},
})
}
// Test that hash resolution takes the signature type into account.
testCases = append(testCases, testCase{
name: "SigningHash-ClientAuth-SignatureType",
config: Config{
ClientAuth: RequireAnyClientCert,
SignatureAndHashes: []signatureAndHash{
{signatureECDSA, hashSHA512},
{signatureRSA, hashSHA384},
{signatureECDSA, hashSHA1},
},
},
flags: []string{
"-cert-file", rsaCertificateFile,
"-key-file", rsaKeyFile,
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SigningHash-ServerKeyExchange-SignatureType",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignatureAndHashes: []signatureAndHash{
{signatureECDSA, hashSHA512},
{signatureRSA, hashSHA384},
{signatureECDSA, hashSHA1},
},
},
})
// Test that, if the list is missing, the peer falls back to SHA-1.
testCases = append(testCases, testCase{
name: "SigningHash-ClientAuth-Fallback",
config: Config{
ClientAuth: RequireAnyClientCert,
SignatureAndHashes: []signatureAndHash{
{signatureRSA, hashSHA1},
},
Bugs: ProtocolBugs{
NoSignatureAndHashes: true,
},
},
flags: []string{
"-cert-file", rsaCertificateFile,
"-key-file", rsaKeyFile,
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SigningHash-ServerKeyExchange-Fallback",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignatureAndHashes: []signatureAndHash{
{signatureRSA, hashSHA1},
},
Bugs: ProtocolBugs{
NoSignatureAndHashes: true,
},
},
})
}
Add DTLS timeout and retransmit tests. This extends the packet adaptor protocol to send three commands: type command = | Packet of []byte | Timeout of time.Duration | TimeoutAck When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the BIO_read, returns out of the SSL stack, advances the clock, calls DTLSv1_handle_timeout, and continues. If the Go side sends Timeout right between sending handshake flight N and reading flight N+1, the shim won't read the Timeout until it has sent flight N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes after N+1. Go then drops all packets before the TimeoutAck, thus dropping one transmit of flight N+1 without having to actually process the packets to determine the end of the flight. The shim then sees the updated clock, calls DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real. When dropping packets, Go checks the epoch and increments sequence numbers so that we can continue to be strict here. This requires tracking the initial sequence number of the next epoch. The final Finished message takes an additional special-case to test. DTLS triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only implements the former which should be sufficient (and is necessary) EXCEPT for the final Finished message. If the peer's final Finished message is lost, it won't be waiting for a message from us, so it won't time out anything. That retransmit must be triggered on stale message, so we retransmit the Finished message in Go. Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c Reviewed-on: https://boringssl-review.googlesource.com/3212 Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 06:09:43 +00:00
// timeouts is the retransmit schedule for BoringSSL. It doubles and
// caps at 60 seconds. On the 13th timeout, it gives up.
var timeouts = []time.Duration{
1 * time.Second,
2 * time.Second,
4 * time.Second,
8 * time.Second,
16 * time.Second,
32 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
}
func addDTLSRetransmitTests() {
// Test that this is indeed the timeout schedule. Stress all
// four patterns of handshake.
for i := 1; i < len(timeouts); i++ {
number := strconv.Itoa(i)
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Client-" + number,
config: Config{
Bugs: ProtocolBugs{
TimeoutSchedule: timeouts[:i],
},
},
resumeSession: true,
flags: []string{"-async"},
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "DTLS-Retransmit-Server-" + number,
config: Config{
Bugs: ProtocolBugs{
TimeoutSchedule: timeouts[:i],
},
},
resumeSession: true,
flags: []string{"-async"},
})
}
// Test that exceeding the timeout schedule hits a read
// timeout.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Timeout",
config: Config{
Bugs: ProtocolBugs{
TimeoutSchedule: timeouts,
},
},
resumeSession: true,
flags: []string{"-async"},
shouldFail: true,
expectedError: ":READ_TIMEOUT_EXPIRED:",
})
// Test that timeout handling has a fudge factor, due to API
// problems.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Fudge",
config: Config{
Bugs: ProtocolBugs{
TimeoutSchedule: []time.Duration{
timeouts[0] - 10*time.Millisecond,
},
},
},
resumeSession: true,
flags: []string{"-async"},
})
}
runner: Take the build directory as flag. Don't hardcode the directory. Change-Id: I5c778a4ff16e00abbac2959ca9c9b4f4c40576f7 Reviewed-on: https://boringssl-review.googlesource.com/1376 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:28:23 +01:00
func worker(statusChan chan statusMsg, c chan *testCase, buildDir string, wg *sync.WaitGroup) {
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
defer wg.Done()
for test := range c {
Add malloc failure tests. This commit fixes a number of crashes caused by malloc failures. They were found using the -malloc-test=0 option to runner.go which runs tests many times, causing a different allocation call to fail in each case. (This test only works on Linux and only looks for crashes caused by allocation failures, not memory leaks or other errors.) This is not the complete set of crashes! More can be found by collecting core dumps from running with -malloc-test=0. Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83 Reviewed-on: https://boringssl-review.googlesource.com/2320 Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 01:26:55 +00:00
var err error
if *mallocTest < 0 {
statusChan <- statusMsg{test: test, started: true}
err = runTest(test, buildDir, -1)
} else {
for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
statusChan <- statusMsg{test: test, started: true}
if err = runTest(test, buildDir, mallocNumToFail); err != errMoreMallocs {
if err != nil {
fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
}
break
}
}
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
statusChan <- statusMsg{test: test, err: err}
}
}
type statusMsg struct {
test *testCase
started bool
err error
}
func statusPrinter(doneChan chan struct{}, statusChan chan statusMsg, total int) {
var started, done, failed, lineLen int
defer close(doneChan)
for msg := range statusChan {
if msg.started {
started++
} else {
done++
}
fmt.Printf("\x1b[%dD\x1b[K", lineLen)
if msg.err != nil {
fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
failed++
}
line := fmt.Sprintf("%d/%d/%d/%d", failed, done, started, total)
lineLen = len(line)
os.Stdout.WriteString(line)
}
}
func main() {
var flagTest *string = flag.String("test", "", "The name of a test to run, or empty to run all tests")
runner: Take the number of workers as a flag. Default to the number of CPUs. Avoids the tests launching 64 valgrinds in parallel on machines without gobs of memory. Change-Id: I9eeb365b48aa7407e303d161f90ce69a591a884c Reviewed-on: https://boringssl-review.googlesource.com/1375 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:22:37 +01:00
var flagNumWorkers *int = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
runner: Take the build directory as flag. Don't hardcode the directory. Change-Id: I5c778a4ff16e00abbac2959ca9c9b4f4c40576f7 Reviewed-on: https://boringssl-review.googlesource.com/1376 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:28:23 +01:00
var flagBuildDir *string = flag.String("build-dir", "../../../build", "The build directory to run the shim from.")
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
flag.Parse()
addCipherSuiteTests()
addBadECDSASignatureTests()
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
2014-06-20 20:00:00 +01:00
addCBCPaddingTests()
Retry sending record split fragment when SSL write fails. When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record splitting is needed, an extra byte would be added to the max size of the message to be written. This would cause the requested size to not exceed the max. If the SSL_WANT_WRITE error were returned, the next packet would not get the extra byte added to the max packet size since record_split_done is set. Since a different set of arguments (SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write retry" error. To avoid a failure in the opposite direction, the max variable increment is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in turn calls into do_ssl3_write with "max+1" bytes. Change-Id: Icf8453195c1145a54d31b8e8146801118207df03 Reviewed-on: https://boringssl-review.googlesource.com/1420 Reviewed-by: Kenny Root <kroot@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 23:23:37 +01:00
addCBCSplittingTests()
Add client auth tests. Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97 Reviewed-on: https://boringssl-review.googlesource.com/1112 Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:59:18 +01:00
addClientAuthTests()
Add test coverage for TLS version negotiation. Test all pairs of client and server version, except for the ones that require SSLv3 client support in runner.go. That is, as yet, still missing. Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b Reviewed-on: https://boringssl-review.googlesource.com/1450 Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 22:44:24 +01:00
addVersionNegotiationTests()
Add min_version tests. These tests use both APIs. This also modifies the inline version negotiation's error codes (currently only used for DTLS) to align with SSLv23's error codes. Note: the peer should send a protocol_version alert which is currently untested because it's broken. Upstream would send such an alert if TLS 1.0 was supported but not otherwise, which is somewhat bizarre. We've actually regressed and never send the alert in SSLv23. When version negotiation is unified, we'll get the alerts back. Change-Id: I4c77bcef3a3cd54a039a642f189785cd34387410 Reviewed-on: https://boringssl-review.googlesource.com/2584 Reviewed-by: Adam Langley <agl@google.com>
2014-12-13 04:44:33 +00:00
addMinimumVersionTests()
Add a test for SSL_OP_TLS_D5_BUG. If this is part of SSL_OP_ALL, we should have a test for it. Change-Id: Ia72422beb2da6434726e78e174f3416f90f7c897 Reviewed-on: https://boringssl-review.googlesource.com/1695 Reviewed-by: Adam Langley <agl@google.com>
2014-08-31 05:59:27 +01:00
addD5BugTests()
Improve test coverage for server_name extension. Notably, this would have caught ed8270a55c3845abbc85dfeed358597fef059ea9 (although, apart from staring at code coverage, knowing to set resumeSession on the server test isn't exactly obvious). Perhaps we should systematically set it on all extension server tests; ClientHello extension parsing happens after resumption has been determined and is often sensitive to it. Change-Id: Ie83f294a26881a6a41969e9dbd102d0a93cb68b5 Reviewed-on: https://boringssl-review.googlesource.com/1750 Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 17:45:15 +01:00
addExtensionTests()
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 20:21:44 +01:00
addResumptionVersionTests()
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2014-10-11 00:23:43 +01:00
addExtendedMasterSecretTests()
Test server-side renegotiation. This change adds support to the Go code for renegotiation as a client, meaning that we can test BoringSSL's renegotiation as a server. Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b Reviewed-on: https://boringssl-review.googlesource.com/2082 Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 00:29:33 +00:00
addRenegotiationTests()
Add DTLS replay tests. At the record layer, DTLS maintains a window of seen sequence numbers to detect replays. Add tests to cover that case. Test both repeated sequence numbers within the window and sequence numbers past the window's left edge. Also test receiving sequence numbers far past the window's right edge. Change-Id: If6a7a24869db37fdd8fb3c4b3521b730e31f8f86 Reviewed-on: https://boringssl-review.googlesource.com/2221 Reviewed-by: Adam Langley <agl@google.com>
2014-11-07 06:48:35 +00:00
addDTLSReplayTests()
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
2014-11-14 06:43:59 +00:00
addSigningHashTests()
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-11-22 06:47:56 +00:00
addFastRadioPaddingTests()
Add DTLS timeout and retransmit tests. This extends the packet adaptor protocol to send three commands: type command = | Packet of []byte | Timeout of time.Duration | TimeoutAck When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the BIO_read, returns out of the SSL stack, advances the clock, calls DTLSv1_handle_timeout, and continues. If the Go side sends Timeout right between sending handshake flight N and reading flight N+1, the shim won't read the Timeout until it has sent flight N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes after N+1. Go then drops all packets before the TimeoutAck, thus dropping one transmit of flight N+1 without having to actually process the packets to determine the end of the flight. The shim then sees the updated clock, calls DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real. When dropping packets, Go checks the epoch and increments sequence numbers so that we can continue to be strict here. This requires tracking the initial sequence number of the next epoch. The final Finished message takes an additional special-case to test. DTLS triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only implements the former which should be sufficient (and is necessary) EXCEPT for the final Finished message. If the peer's final Finished message is lost, it won't be waiting for a message from us, so it won't time out anything. That retransmit must be triggered on stale message, so we retransmit the Finished message in Go. Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c Reviewed-on: https://boringssl-review.googlesource.com/3212 Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 06:09:43 +00:00
addDTLSRetransmitTests()
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
for _, async := range []bool{false, true} {
for _, splitHandshake := range []bool{false, true} {
Add initial DTLS tests. Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b Reviewed-on: https://boringssl-review.googlesource.com/1505 Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:43:38 +01:00
for _, protocol := range []protocol{tls, dtls} {
addStateMachineCoverageTests(async, splitHandshake, protocol)
}
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 07:28:57 +01:00
}
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
var wg sync.WaitGroup
runner: Take the number of workers as a flag. Default to the number of CPUs. Avoids the tests launching 64 valgrinds in parallel on machines without gobs of memory. Change-Id: I9eeb365b48aa7407e303d161f90ce69a591a884c Reviewed-on: https://boringssl-review.googlesource.com/1375 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:22:37 +01:00
numWorkers := *flagNumWorkers
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
statusChan := make(chan statusMsg, numWorkers)
testChan := make(chan *testCase, numWorkers)
doneChan := make(chan struct{})
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
go statusPrinter(doneChan, statusChan, len(testCases))
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
for i := 0; i < numWorkers; i++ {
wg.Add(1)
runner: Take the build directory as flag. Don't hardcode the directory. Change-Id: I5c778a4ff16e00abbac2959ca9c9b4f4c40576f7 Reviewed-on: https://boringssl-review.googlesource.com/1376 Reviewed-by: Adam Langley <agl@google.com>
2014-08-02 20:28:23 +01:00
go worker(statusChan, testChan, *flagBuildDir, &wg)
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
Add some basic server tests to runner.go. client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit through the test case to control which and add server versions of all the cipher suite tests. Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e Reviewed-on: https://boringssl-review.googlesource.com/1091 Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:53:04 +01:00
for i := range testCases {
if len(*flagTest) == 0 || *flagTest == testCases[i].name {
testChan <- &testCases[i]
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
}
}
close(testChan)
wg.Wait()
close(statusChan)
<-doneChan
fmt.Printf("\n")
}
Reference in New Issue Copy Permalink