boringssl/ssl/test/runner/runner.go
David Benjamin a1eaba1dc6 Add a test for renegotiation on busy write buffer.
The write path for TLS is going to need some work. There are some fiddly
cases when there is a write in progress. Start adding tests to cover
this logic.

Later I'm hoping we can extend this flag so it drains the unfinished
write and thus test the interaction of read/write paths in 0-RTT. (We
may discover 1-RTT keys while we're in the middle of writing data.)

Change-Id: Iac2c417e4b5e84794fb699dd7cbba26a883b64ef
Reviewed-on: https://boringssl-review.googlesource.com/13049
Reviewed-by: Adam Langley <agl@google.com>
2017-01-04 01:54:57 +00:00

10275 lines
274 KiB
Go

// Copyright (c) 2016, Google Inc.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
package runner
import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
"flag"
"fmt"
"io"
"io/ioutil"
"math/big"
"net"
"os"
"os/exec"
"path"
"path/filepath"
"runtime"
"strconv"
"strings"
"sync"
"syscall"
"time"
)
var (
useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
)
// ShimConfigurations is used with the “json” package and represents a shim
// config file.
type ShimConfiguration struct {
// DisabledTests maps from a glob-based pattern to a freeform string.
// The glob pattern is used to exclude tests from being run and the
// freeform string is unparsed but expected to explain why the test is
// disabled.
DisabledTests map[string]string
// ErrorMap maps from expected error strings to the correct error
// string for the shim in question. For example, it might map
// “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
// like “SSL_ERROR_NO_CYPHER_OVERLAP”.
ErrorMap map[string]string
}
var shimConfig ShimConfiguration
type testCert int
const (
testCertRSA testCert = iota
testCertRSA1024
testCertRSAChain
testCertECDSAP256
testCertECDSAP384
testCertECDSAP521
)
const (
rsaCertificateFile = "cert.pem"
rsa1024CertificateFile = "rsa_1024_cert.pem"
rsaChainCertificateFile = "rsa_chain_cert.pem"
ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
)
const (
rsaKeyFile = "key.pem"
rsa1024KeyFile = "rsa_1024_key.pem"
rsaChainKeyFile = "rsa_chain_key.pem"
ecdsaP256KeyFile = "ecdsa_p256_key.pem"
ecdsaP384KeyFile = "ecdsa_p384_key.pem"
ecdsaP521KeyFile = "ecdsa_p521_key.pem"
channelIDKeyFile = "channel_id_key.pem"
)
var (
rsaCertificate Certificate
rsa1024Certificate Certificate
rsaChainCertificate Certificate
ecdsaP256Certificate Certificate
ecdsaP384Certificate Certificate
ecdsaP521Certificate Certificate
)
var testCerts = []struct {
id testCert
certFile, keyFile string
cert *Certificate
}{
{
id: testCertRSA,
certFile: rsaCertificateFile,
keyFile: rsaKeyFile,
cert: &rsaCertificate,
},
{
id: testCertRSA1024,
certFile: rsa1024CertificateFile,
keyFile: rsa1024KeyFile,
cert: &rsa1024Certificate,
},
{
id: testCertRSAChain,
certFile: rsaChainCertificateFile,
keyFile: rsaChainKeyFile,
cert: &rsaChainCertificate,
},
{
id: testCertECDSAP256,
certFile: ecdsaP256CertificateFile,
keyFile: ecdsaP256KeyFile,
cert: &ecdsaP256Certificate,
},
{
id: testCertECDSAP384,
certFile: ecdsaP384CertificateFile,
keyFile: ecdsaP384KeyFile,
cert: &ecdsaP384Certificate,
},
{
id: testCertECDSAP521,
certFile: ecdsaP521CertificateFile,
keyFile: ecdsaP521KeyFile,
cert: &ecdsaP521Certificate,
},
}
var channelIDKey *ecdsa.PrivateKey
var channelIDBytes []byte
var testOCSPResponse = []byte{1, 2, 3, 4}
var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
func initCertificates() {
for i := range testCerts {
cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
if err != nil {
panic(err)
}
cert.OCSPStaple = testOCSPResponse
cert.SignedCertificateTimestampList = testSCTList
*testCerts[i].cert = cert
}
channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
if err != nil {
panic(err)
}
channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
if channelIDDERBlock.Type != "EC PRIVATE KEY" {
panic("bad key type")
}
channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
if err != nil {
panic(err)
}
if channelIDKey.Curve != elliptic.P256() {
panic("bad curve")
}
channelIDBytes = make([]byte, 64)
writeIntPadded(channelIDBytes[:32], channelIDKey.X)
writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
}
func getRunnerCertificate(t testCert) Certificate {
for _, cert := range testCerts {
if cert.id == t {
return *cert.cert
}
}
panic("Unknown test certificate")
}
func getShimCertificate(t testCert) string {
for _, cert := range testCerts {
if cert.id == t {
return cert.certFile
}
}
panic("Unknown test certificate")
}
func getShimKey(t testCert) string {
for _, cert := range testCerts {
if cert.id == t {
return cert.keyFile
}
}
panic("Unknown test certificate")
}
type testType int
const (
clientTest testType = iota
serverTest
)
type protocol int
const (
tls protocol = iota
dtls
)
const (
alpn = 1
npn = 2
)
type testCase struct {
testType testType
protocol protocol
name string
config Config
shouldFail bool
expectedError string
// expectedLocalError, if not empty, contains a substring that must be
// found in the local error.
expectedLocalError string
// expectedVersion, if non-zero, specifies the TLS version that must be
// negotiated.
expectedVersion uint16
// expectedResumeVersion, if non-zero, specifies the TLS version that
// must be negotiated on resumption. If zero, expectedVersion is used.
expectedResumeVersion uint16
// expectedCipher, if non-zero, specifies the TLS cipher suite that
// should be negotiated.
expectedCipher uint16
// expectChannelID controls whether the connection should have
// negotiated a Channel ID with channelIDKey.
expectChannelID bool
// expectedNextProto controls whether the connection should
// negotiate a next protocol via NPN or ALPN.
expectedNextProto string
// expectNoNextProto, if true, means that no next protocol should be
// negotiated.
expectNoNextProto bool
// expectedNextProtoType, if non-zero, is the expected next
// protocol negotiation mechanism.
expectedNextProtoType int
// expectedSRTPProtectionProfile is the DTLS-SRTP profile that
// should be negotiated. If zero, none should be negotiated.
expectedSRTPProtectionProfile uint16
// expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
expectedOCSPResponse []uint8
// expectedSCTList, if not nil, is the expected SCT list to be received.
expectedSCTList []uint8
// expectedPeerSignatureAlgorithm, if not zero, is the signature
// algorithm that the peer should have used in the handshake.
expectedPeerSignatureAlgorithm signatureAlgorithm
// expectedCurveID, if not zero, is the curve that the handshake should
// have used.
expectedCurveID CurveID
// messageLen is the length, in bytes, of the test message that will be
// sent.
messageLen int
// messageCount is the number of test messages that will be sent.
messageCount int
// certFile is the path to the certificate to use for the server.
certFile string
// keyFile is the path to the private key to use for the server.
keyFile string
// resumeSession controls whether a second connection should be tested
// which attempts to resume the first session.
resumeSession bool
// resumeRenewedSession controls whether a third connection should be
// tested which attempts to resume the second connection's session.
resumeRenewedSession bool
// expectResumeRejected, if true, specifies that the attempted
// resumption must be rejected by the client. This is only valid for a
// serverTest.
expectResumeRejected bool
// resumeConfig, if not nil, points to a Config to be used on
// resumption. Unless newSessionsOnResume is set,
// SessionTicketKey, ServerSessionCache, and
// ClientSessionCache are copied from the initial connection's
// config. If nil, the initial connection's config is used.
resumeConfig *Config
// newSessionsOnResume, if true, will cause resumeConfig to
// use a different session resumption context.
newSessionsOnResume bool
// noSessionCache, if true, will cause the server to run without a
// session cache.
noSessionCache bool
// sendPrefix sends a prefix on the socket before actually performing a
// handshake.
sendPrefix string
// shimWritesFirst controls whether the shim sends an initial "hello"
// message before doing a roundtrip with the runner.
shimWritesFirst bool
// shimShutsDown, if true, runs a test where the shim shuts down the
// connection immediately after the handshake rather than echoing
// messages from the runner.
shimShutsDown bool
// renegotiate indicates the number of times the connection should be
// renegotiated during the exchange.
renegotiate int
// sendHalfHelloRequest, if true, causes the server to send half a
// HelloRequest when the handshake completes.
sendHalfHelloRequest bool
// renegotiateCiphers is a list of ciphersuite ids that will be
// switched in just before renegotiation.
renegotiateCiphers []uint16
// replayWrites, if true, configures the underlying transport
// to replay every write it makes in DTLS tests.
replayWrites bool
// damageFirstWrite, if true, configures the underlying transport to
// damage the final byte of the first application data write.
damageFirstWrite bool
// exportKeyingMaterial, if non-zero, configures the test to exchange
// keying material and verify they match.
exportKeyingMaterial int
exportLabel string
exportContext string
useExportContext bool
// flags, if not empty, contains a list of command-line flags that will
// be passed to the shim program.
flags []string
// testTLSUnique, if true, causes the shim to send the tls-unique value
// which will be compared against the expected value.
testTLSUnique bool
// sendEmptyRecords is the number of consecutive empty records to send
// before and after the test message.
sendEmptyRecords int
// sendWarningAlerts is the number of consecutive warning alerts to send
// before and after the test message.
sendWarningAlerts int
// sendKeyUpdates is the number of consecutive key updates to send
// before and after the test message.
sendKeyUpdates int
// keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
keyUpdateRequest byte
// expectMessageDropped, if true, means the test message is expected to
// be dropped by the client rather than echoed back.
expectMessageDropped bool
// expectPeerCertificate, if not nil, is the certificate chain the peer
// is expected to send.
expectPeerCertificate *Certificate
// expectShortHeader is whether the short header extension should be negotiated.
expectShortHeader bool
}
var testCases []testCase
func writeTranscript(test *testCase, num int, data []byte) {
if len(data) == 0 {
return
}
protocol := "tls"
if test.protocol == dtls {
protocol = "dtls"
}
side := "client"
if test.testType == serverTest {
side = "server"
}
dir := path.Join(*transcriptDir, protocol, side)
if err := os.MkdirAll(dir, 0755); err != nil {
fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
return
}
name := fmt.Sprintf("%s-%d", test.name, num)
if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
}
}
// A timeoutConn implements an idle timeout on each Read and Write operation.
type timeoutConn struct {
net.Conn
timeout time.Duration
}
func (t *timeoutConn) Read(b []byte) (int, error) {
if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
return 0, err
}
return t.Conn.Read(b)
}
func (t *timeoutConn) Write(b []byte) (int, error) {
if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
return 0, err
}
return t.Conn.Write(b)
}
func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
if !test.noSessionCache {
if config.ClientSessionCache == nil {
config.ClientSessionCache = NewLRUClientSessionCache(1)
}
if config.ServerSessionCache == nil {
config.ServerSessionCache = NewLRUServerSessionCache(1)
}
}
if test.testType == clientTest {
if len(config.Certificates) == 0 {
config.Certificates = []Certificate{rsaCertificate}
}
} else {
// Supply a ServerName to ensure a constant session cache key,
// rather than falling back to net.Conn.RemoteAddr.
if len(config.ServerName) == 0 {
config.ServerName = "test"
}
}
if *fuzzer {
config.Bugs.NullAllCiphers = true
}
if *deterministic {
config.Time = func() time.Time { return time.Unix(1234, 1234) }
}
conn = &timeoutConn{conn, *idleTimeout}
if test.protocol == dtls {
config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
conn = config.Bugs.PacketAdaptor
}
if *flagDebug || len(*transcriptDir) != 0 {
local, peer := "client", "server"
if test.testType == clientTest {
local, peer = peer, local
}
connDebug := &recordingConn{
Conn: conn,
isDatagram: test.protocol == dtls,
local: local,
peer: peer,
}
conn = connDebug
if *flagDebug {
defer connDebug.WriteTo(os.Stdout)
}
if len(*transcriptDir) != 0 {
defer func() {
writeTranscript(test, num, connDebug.Transcript())
}()
}
if config.Bugs.PacketAdaptor != nil {
config.Bugs.PacketAdaptor.debug = connDebug
}
}
if test.replayWrites {
conn = newReplayAdaptor(conn)
}
var connDamage *damageAdaptor
if test.damageFirstWrite {
connDamage = newDamageAdaptor(conn)
conn = connDamage
}
if test.sendPrefix != "" {
if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
return err
}
}
var tlsConn *Conn
if test.testType == clientTest {
if test.protocol == dtls {
tlsConn = DTLSServer(conn, config)
} else {
tlsConn = Server(conn, config)
}
} else {
config.InsecureSkipVerify = true
if test.protocol == dtls {
tlsConn = DTLSClient(conn, config)
} else {
tlsConn = Client(conn, config)
}
}
defer tlsConn.Close()
if err := tlsConn.Handshake(); err != nil {
return err
}
// TODO(davidben): move all per-connection expectations into a dedicated
// expectations struct that can be specified separately for the two
// legs.
expectedVersion := test.expectedVersion
if isResume && test.expectedResumeVersion != 0 {
expectedVersion = test.expectedResumeVersion
}
connState := tlsConn.ConnectionState()
if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
}
if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
}
if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
}
if test.expectChannelID {
channelID := connState.ChannelID
if channelID == nil {
return fmt.Errorf("no channel ID negotiated")
}
if channelID.Curve != channelIDKey.Curve ||
channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
return fmt.Errorf("incorrect channel ID")
}
}
if expected := test.expectedNextProto; expected != "" {
if actual := connState.NegotiatedProtocol; actual != expected {
return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
}
}
if test.expectNoNextProto {
if actual := connState.NegotiatedProtocol; actual != "" {
return fmt.Errorf("got unexpected next proto %s", actual)
}
}
if test.expectedNextProtoType != 0 {
if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
return fmt.Errorf("next proto type mismatch")
}
}
if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
}
if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
}
if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
return fmt.Errorf("SCT list mismatch")
}
if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
}
if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
}
if test.expectPeerCertificate != nil {
if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
}
for i, cert := range connState.PeerCertificates {
if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
return fmt.Errorf("peer certificate %d did not match", i+1)
}
}
}
if test.expectShortHeader != connState.ShortHeader {
return fmt.Errorf("ShortHeader is %t, but we expected the opposite", connState.ShortHeader)
}
if test.exportKeyingMaterial > 0 {
actual := make([]byte, test.exportKeyingMaterial)
if _, err := io.ReadFull(tlsConn, actual); err != nil {
return err
}
expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
if err != nil {
return err
}
if !bytes.Equal(actual, expected) {
return fmt.Errorf("keying material mismatch")
}
}
if test.testTLSUnique {
var peersValue [12]byte
if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
return err
}
expected := tlsConn.ConnectionState().TLSUnique
if !bytes.Equal(peersValue[:], expected) {
return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
}
}
if test.shimWritesFirst {
var buf [5]byte
_, err := io.ReadFull(tlsConn, buf[:])
if err != nil {
return err
}
if string(buf[:]) != "hello" {
return fmt.Errorf("bad initial message")
}
}
for i := 0; i < test.sendKeyUpdates; i++ {
if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
return err
}
}
for i := 0; i < test.sendEmptyRecords; i++ {
tlsConn.Write(nil)
}
for i := 0; i < test.sendWarningAlerts; i++ {
tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
}
if test.sendHalfHelloRequest {
tlsConn.SendHalfHelloRequest()
}
if test.renegotiate > 0 {
if test.renegotiateCiphers != nil {
config.CipherSuites = test.renegotiateCiphers
}
for i := 0; i < test.renegotiate; i++ {
if err := tlsConn.Renegotiate(); err != nil {
return err
}
}
} else if test.renegotiateCiphers != nil {
panic("renegotiateCiphers without renegotiate")
}
if test.damageFirstWrite {
connDamage.setDamage(true)
tlsConn.Write([]byte("DAMAGED WRITE"))
connDamage.setDamage(false)
}
messageLen := test.messageLen
if messageLen < 0 {
if test.protocol == dtls {
return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
}
// Read until EOF.
_, err := io.Copy(ioutil.Discard, tlsConn)
return err
}
if messageLen == 0 {
messageLen = 32
}
messageCount := test.messageCount
if messageCount == 0 {
messageCount = 1
}
for j := 0; j < messageCount; j++ {
testMessage := make([]byte, messageLen)
for i := range testMessage {
testMessage[i] = 0x42 ^ byte(j)
}
tlsConn.Write(testMessage)
for i := 0; i < test.sendKeyUpdates; i++ {
tlsConn.SendKeyUpdate(test.keyUpdateRequest)
}
for i := 0; i < test.sendEmptyRecords; i++ {
tlsConn.Write(nil)
}
for i := 0; i < test.sendWarningAlerts; i++ {
tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
}
if test.shimShutsDown || test.expectMessageDropped {
// The shim will not respond.
continue
}
buf := make([]byte, len(testMessage))
if test.protocol == dtls {
bufTmp := make([]byte, len(buf)+1)
n, err := tlsConn.Read(bufTmp)
if err != nil {
return err
}
if n != len(buf) {
return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
}
copy(buf, bufTmp)
} else {
_, err := io.ReadFull(tlsConn, buf)
if err != nil {
return err
}
}
for i, v := range buf {
if v != testMessage[i]^0xff {
return fmt.Errorf("bad reply contents at byte %d", i)
}
}
}
return nil
}
func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
if dbAttach {
valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
}
valgrindArgs = append(valgrindArgs, path)
valgrindArgs = append(valgrindArgs, args...)
return exec.Command("valgrind", valgrindArgs...)
}
func gdbOf(path string, args ...string) *exec.Cmd {
xtermArgs := []string{"-e", "gdb", "--args"}
xtermArgs = append(xtermArgs, path)
xtermArgs = append(xtermArgs, args...)
return exec.Command("xterm", xtermArgs...)
}
func lldbOf(path string, args ...string) *exec.Cmd {
xtermArgs := []string{"-e", "lldb", "--"}
xtermArgs = append(xtermArgs, path)
xtermArgs = append(xtermArgs, args...)
return exec.Command("xterm", xtermArgs...)
}
var (
errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
errUnimplemented = errors.New("child process does not implement needed flags")
)
// accept accepts a connection from listener, unless waitChan signals a process
// exit first.
func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
type connOrError struct {
conn net.Conn
err error
}
connChan := make(chan connOrError, 1)
go func() {
conn, err := listener.Accept()
connChan <- connOrError{conn, err}
close(connChan)
}()
select {
case result := <-connChan:
return result.conn, result.err
case childErr := <-waitChan:
waitChan <- childErr
return nil, fmt.Errorf("child exited early: %s", childErr)
}
}
func translateExpectedError(errorStr string) string {
if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
return translated
}
if *looseErrors {
return ""
}
return errorStr
}
func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
// Help debugging panics on the Go side.
defer func() {
if r := recover(); r != nil {
fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
panic(r)
}
}()
if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
panic("Error expected without shouldFail in " + test.name)
}
if test.expectResumeRejected && !test.resumeSession {
panic("expectResumeRejected without resumeSession in " + test.name)
}
for _, ver := range tlsVersions {
if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
continue
}
if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
continue
}
panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
}
listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
if err != nil {
panic(err)
}
defer func() {
if listener != nil {
listener.Close()
}
}()
flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
if test.testType == serverTest {
flags = append(flags, "-server")
flags = append(flags, "-key-file")
if test.keyFile == "" {
flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
} else {
flags = append(flags, path.Join(*resourceDir, test.keyFile))
}
flags = append(flags, "-cert-file")
if test.certFile == "" {
flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
} else {
flags = append(flags, path.Join(*resourceDir, test.certFile))
}
}
if test.protocol == dtls {
flags = append(flags, "-dtls")
}
var resumeCount int
if test.resumeSession {
resumeCount++
if test.resumeRenewedSession {
resumeCount++
}
}
if resumeCount > 0 {
flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
}
if test.shimWritesFirst {
flags = append(flags, "-shim-writes-first")
}
if test.shimShutsDown {
flags = append(flags, "-shim-shuts-down")
}
if test.exportKeyingMaterial > 0 {
flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
flags = append(flags, "-export-label", test.exportLabel)
flags = append(flags, "-export-context", test.exportContext)
if test.useExportContext {
flags = append(flags, "-use-export-context")
}
}
if test.expectResumeRejected {
flags = append(flags, "-expect-session-miss")
}
if test.testTLSUnique {
flags = append(flags, "-tls-unique")
}
flags = append(flags, test.flags...)
var shim *exec.Cmd
if *useValgrind {
shim = valgrindOf(false, shimPath, flags...)
} else if *useGDB {
shim = gdbOf(shimPath, flags...)
} else if *useLLDB {
shim = lldbOf(shimPath, flags...)
} else {
shim = exec.Command(shimPath, flags...)
}
shim.Stdin = os.Stdin
var stdoutBuf, stderrBuf bytes.Buffer
shim.Stdout = &stdoutBuf
shim.Stderr = &stderrBuf
if mallocNumToFail >= 0 {
shim.Env = os.Environ()
shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
if *mallocTestDebug {
shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
}
shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
}
if err := shim.Start(); err != nil {
panic(err)
}
waitChan := make(chan error, 1)
go func() { waitChan <- shim.Wait() }()
config := test.config
if *deterministic {
config.Rand = &deterministicRand{}
}
conn, err := acceptOrWait(listener, waitChan)
if err == nil {
err = doExchange(test, &config, conn, false /* not a resumption */, 0)
conn.Close()
}
for i := 0; err == nil && i < resumeCount; i++ {
var resumeConfig Config
if test.resumeConfig != nil {
resumeConfig = *test.resumeConfig
if !test.newSessionsOnResume {
resumeConfig.SessionTicketKey = config.SessionTicketKey
resumeConfig.ClientSessionCache = config.ClientSessionCache
resumeConfig.ServerSessionCache = config.ServerSessionCache
}
resumeConfig.Rand = config.Rand
} else {
resumeConfig = config
}
var connResume net.Conn
connResume, err = acceptOrWait(listener, waitChan)
if err == nil {
err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
connResume.Close()
}
}
// Close the listener now. This is to avoid hangs should the shim try to
// open more connections than expected.
listener.Close()
listener = nil
childErr := <-waitChan
var isValgrindError bool
if exitError, ok := childErr.(*exec.ExitError); ok {
switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
case 88:
return errMoreMallocs
case 89:
return errUnimplemented
case 99:
isValgrindError = true
}
}
// Account for Windows line endings.
stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
// Separate the errors from the shim and those from tools like
// AddressSanitizer.
var extraStderr string
if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
stderr = stderrParts[0]
extraStderr = stderrParts[1]
}
failed := err != nil || childErr != nil
expectedError := translateExpectedError(test.expectedError)
correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
localError := "none"
if err != nil {
localError = err.Error()
}
if len(test.expectedLocalError) != 0 {
correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
}
if failed != test.shouldFail || failed && !correctFailure {
childError := "none"
if childErr != nil {
childError = childErr.Error()
}
var msg string
switch {
case failed && !test.shouldFail:
msg = "unexpected failure"
case !failed && test.shouldFail:
msg = "unexpected success"
case failed && !correctFailure:
msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
default:
panic("internal error")
}
return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
}
if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
}
if *useValgrind && isValgrindError {
return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
}
return nil
}
type tlsVersion struct {
name string
version uint16
flag string
hasDTLS bool
}
var tlsVersions = []tlsVersion{
{"SSL3", VersionSSL30, "-no-ssl3", false},
{"TLS1", VersionTLS10, "-no-tls1", true},
{"TLS11", VersionTLS11, "-no-tls11", false},
{"TLS12", VersionTLS12, "-no-tls12", true},
{"TLS13", VersionTLS13, "-no-tls13", false},
}
type testCipherSuite struct {
name string
id uint16
}
var testCipherSuites = []testCipherSuite{
{"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
{"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
{"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
{"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
{"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
{"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
{"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
{"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
{"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
{"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
{"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
{"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
{"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
{"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
{"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
{"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
{"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
{"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
{"ECDHE-ECDSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
{"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
{"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
{"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
{"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
{"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
{"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
{"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
{"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
{"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
{"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
{"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
{"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
{"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
{"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
{"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
{"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
{"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
}
func hasComponent(suiteName, component string) bool {
return strings.Contains("-"+suiteName+"-", "-"+component+"-")
}
func isTLS12Only(suiteName string) bool {
return hasComponent(suiteName, "GCM") ||
hasComponent(suiteName, "SHA256") ||
hasComponent(suiteName, "SHA384") ||
hasComponent(suiteName, "POLY1305")
}
func isTLS13Suite(suiteName string) bool {
return strings.HasPrefix(suiteName, "AEAD-")
}
func isDTLSCipher(suiteName string) bool {
return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
}
func bigFromHex(hex string) *big.Int {
ret, ok := new(big.Int).SetString(hex, 16)
if !ok {
panic("failed to parse hex number 0x" + hex)
}
return ret
}
func addBasicTests() {
basicTests := []testCase{
{
name: "NoFallbackSCSV",
config: Config{
Bugs: ProtocolBugs{
FailIfNotFallbackSCSV: true,
},
},
shouldFail: true,
expectedLocalError: "no fallback SCSV found",
},
{
name: "SendFallbackSCSV",
config: Config{
Bugs: ProtocolBugs{
FailIfNotFallbackSCSV: true,
},
},
flags: []string{"-fallback-scsv"},
},
{
name: "ClientCertificateTypes",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequestClientCert,
ClientCertificateTypes: []byte{
CertTypeDSSSign,
CertTypeRSASign,
CertTypeECDSASign,
},
},
flags: []string{
"-expect-certificate-types",
base64.StdEncoding.EncodeToString([]byte{
CertTypeDSSSign,
CertTypeRSASign,
CertTypeECDSASign,
}),
},
},
{
name: "UnauthenticatedECDH",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
UnauthenticatedECDH: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
},
{
name: "SkipCertificateStatus",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SkipCertificateStatus: true,
},
},
flags: []string{
"-enable-ocsp-stapling",
},
},
{
name: "SkipServerKeyExchange",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SkipServerKeyExchange: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
},
{
testType: serverTest,
name: "Alert",
config: Config{
Bugs: ProtocolBugs{
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
},
{
protocol: dtls,
testType: serverTest,
name: "Alert-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
},
{
testType: serverTest,
name: "FragmentAlert",
config: Config{
Bugs: ProtocolBugs{
FragmentAlert: true,
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":BAD_ALERT:",
},
{
protocol: dtls,
testType: serverTest,
name: "FragmentAlert-DTLS",
config: Config{
Bugs: ProtocolBugs{
FragmentAlert: true,
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":BAD_ALERT:",
},
{
testType: serverTest,
name: "DoubleAlert",
config: Config{
Bugs: ProtocolBugs{
DoubleAlert: true,
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":BAD_ALERT:",
},
{
protocol: dtls,
testType: serverTest,
name: "DoubleAlert-DTLS",
config: Config{
Bugs: ProtocolBugs{
DoubleAlert: true,
SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":BAD_ALERT:",
},
{
name: "SkipNewSessionTicket",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SkipNewSessionTicket: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
testType: serverTest,
name: "FallbackSCSV",
config: Config{
MaxVersion: VersionTLS11,
Bugs: ProtocolBugs{
SendFallbackSCSV: true,
},
},
shouldFail: true,
expectedError: ":INAPPROPRIATE_FALLBACK:",
expectedLocalError: "remote error: inappropriate fallback",
},
{
testType: serverTest,
name: "FallbackSCSV-VersionMatch-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendFallbackSCSV: true,
},
},
},
{
testType: serverTest,
name: "FallbackSCSV-VersionMatch-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendFallbackSCSV: true,
},
},
flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
},
{
testType: serverTest,
name: "FragmentedClientVersion",
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: 1,
FragmentClientVersion: true,
},
},
expectedVersion: VersionTLS13,
},
{
testType: serverTest,
name: "HttpGET",
sendPrefix: "GET / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpPOST",
sendPrefix: "POST / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpHEAD",
sendPrefix: "HEAD / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpPUT",
sendPrefix: "PUT / HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTP_REQUEST:",
},
{
testType: serverTest,
name: "HttpCONNECT",
sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
shouldFail: true,
expectedError: ":HTTPS_PROXY_REQUEST:",
},
{
testType: serverTest,
name: "Garbage",
sendPrefix: "blah",
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
},
{
name: "RSAEphemeralKey",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
RSAEphemeralKey: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
},
{
name: "DisableEverything",
flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
shouldFail: true,
expectedError: ":WRONG_SSL_VERSION:",
},
{
protocol: dtls,
name: "DisableEverything-DTLS",
flags: []string{"-no-tls12", "-no-tls1"},
shouldFail: true,
expectedError: ":WRONG_SSL_VERSION:",
},
{
protocol: dtls,
testType: serverTest,
name: "MTU",
config: Config{
Bugs: ProtocolBugs{
MaxPacketLength: 256,
},
},
flags: []string{"-mtu", "256"},
},
{
protocol: dtls,
testType: serverTest,
name: "MTUExceeded",
config: Config{
Bugs: ProtocolBugs{
MaxPacketLength: 255,
},
},
flags: []string{"-mtu", "256"},
shouldFail: true,
expectedLocalError: "dtls: exceeded maximum packet length",
},
{
name: "CertMismatchRSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
},
shouldFail: true,
expectedError: ":WRONG_CERTIFICATE_TYPE:",
},
{
name: "CertMismatchECDSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{rsaCertificate},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},
},
shouldFail: true,
expectedError: ":WRONG_CERTIFICATE_TYPE:",
},
{
name: "EmptyCertificateList",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
EmptyCertificateList: true,
},
},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
},
{
name: "EmptyCertificateList-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EmptyCertificateList: true,
},
},
shouldFail: true,
expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
},
{
name: "TLSFatalBadPackets",
damageFirstWrite: true,
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
},
{
protocol: dtls,
name: "DTLSIgnoreBadPackets",
damageFirstWrite: true,
},
{
protocol: dtls,
name: "DTLSIgnoreBadPackets-Async",
damageFirstWrite: true,
flags: []string{"-async"},
},
{
name: "AppDataBeforeHandshake",
config: Config{
Bugs: ProtocolBugs{
AppDataBeforeHandshake: []byte("TEST MESSAGE"),
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
name: "AppDataBeforeHandshake-Empty",
config: Config{
Bugs: ProtocolBugs{
AppDataBeforeHandshake: []byte{},
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
protocol: dtls,
name: "AppDataBeforeHandshake-DTLS",
config: Config{
Bugs: ProtocolBugs{
AppDataBeforeHandshake: []byte("TEST MESSAGE"),
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
protocol: dtls,
name: "AppDataBeforeHandshake-DTLS-Empty",
config: Config{
Bugs: ProtocolBugs{
AppDataBeforeHandshake: []byte{},
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
name: "AppDataAfterChangeCipherSpec",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
name: "AppDataAfterChangeCipherSpec-Empty",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AppDataAfterChangeCipherSpec: []byte{},
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
protocol: dtls,
name: "AppDataAfterChangeCipherSpec-DTLS",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
},
},
// BoringSSL's DTLS implementation will drop the out-of-order
// application data.
},
{
protocol: dtls,
name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AppDataAfterChangeCipherSpec: []byte{},
},
},
// BoringSSL's DTLS implementation will drop the out-of-order
// application data.
},
{
name: "AlertAfterChangeCipherSpec",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AlertAfterChangeCipherSpec: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
},
{
protocol: dtls,
name: "AlertAfterChangeCipherSpec-DTLS",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AlertAfterChangeCipherSpec: alertRecordOverflow,
},
},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
},
{
protocol: dtls,
name: "ReorderHandshakeFragments-Small-DTLS",
config: Config{
Bugs: ProtocolBugs{
ReorderHandshakeFragments: true,
// Small enough that every handshake message is
// fragmented.
MaxHandshakeRecordLength: 2,
},
},
},
{
protocol: dtls,
name: "ReorderHandshakeFragments-Large-DTLS",
config: Config{
Bugs: ProtocolBugs{
ReorderHandshakeFragments: true,
// Large enough that no handshake message is
// fragmented.
MaxHandshakeRecordLength: 2048,
},
},
},
{
protocol: dtls,
name: "MixCompleteMessageWithFragments-DTLS",
config: Config{
Bugs: ProtocolBugs{
ReorderHandshakeFragments: true,
MixCompleteMessageWithFragments: true,
MaxHandshakeRecordLength: 2,
},
},
},
{
name: "SendInvalidRecordType",
config: Config{
Bugs: ProtocolBugs{
SendInvalidRecordType: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
protocol: dtls,
name: "SendInvalidRecordType-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendInvalidRecordType: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
name: "FalseStart-SkipServerSecondLeg",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
SkipNewSessionTicket: true,
SkipChangeCipherSpec: true,
SkipFinished: true,
ExpectFalseStart: true,
},
},
flags: []string{
"-false-start",
"-handshake-never-done",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
name: "FalseStart-SkipServerSecondLeg-Implicit",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
SkipNewSessionTicket: true,
SkipChangeCipherSpec: true,
SkipFinished: true,
},
},
flags: []string{
"-implicit-handshake",
"-false-start",
"-handshake-never-done",
"-advertise-alpn", "\x03foo",
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
testType: serverTest,
name: "FailEarlyCallback",
flags: []string{"-fail-early-callback"},
shouldFail: true,
expectedError: ":CONNECTION_REJECTED:",
expectedLocalError: "remote error: handshake failure",
},
{
name: "FailCertCallback-Client-TLS12",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequestClientCert,
},
flags: []string{"-fail-cert-callback"},
shouldFail: true,
expectedError: ":CERT_CB_ERROR:",
expectedLocalError: "remote error: internal error",
},
{
testType: serverTest,
name: "FailCertCallback-Server-TLS12",
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-fail-cert-callback"},
shouldFail: true,
expectedError: ":CERT_CB_ERROR:",
expectedLocalError: "remote error: internal error",
},
{
name: "FailCertCallback-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequestClientCert,
},
flags: []string{"-fail-cert-callback"},
shouldFail: true,
expectedError: ":CERT_CB_ERROR:",
expectedLocalError: "remote error: internal error",
},
{
testType: serverTest,
name: "FailCertCallback-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
flags: []string{"-fail-cert-callback"},
shouldFail: true,
expectedError: ":CERT_CB_ERROR:",
expectedLocalError: "remote error: internal error",
},
{
protocol: dtls,
name: "FragmentMessageTypeMismatch-DTLS",
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: 2,
FragmentMessageTypeMismatch: true,
},
},
shouldFail: true,
expectedError: ":FRAGMENT_MISMATCH:",
},
{
protocol: dtls,
name: "FragmentMessageLengthMismatch-DTLS",
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: 2,
FragmentMessageLengthMismatch: true,
},
},
shouldFail: true,
expectedError: ":FRAGMENT_MISMATCH:",
},
{
protocol: dtls,
name: "SplitFragments-Header-DTLS",
config: Config{
Bugs: ProtocolBugs{
SplitFragments: 2,
},
},
shouldFail: true,
expectedError: ":BAD_HANDSHAKE_RECORD:",
},
{
protocol: dtls,
name: "SplitFragments-Boundary-DTLS",
config: Config{
Bugs: ProtocolBugs{
SplitFragments: dtlsRecordHeaderLen,
},
},
shouldFail: true,
expectedError: ":BAD_HANDSHAKE_RECORD:",
},
{
protocol: dtls,
name: "SplitFragments-Body-DTLS",
config: Config{
Bugs: ProtocolBugs{
SplitFragments: dtlsRecordHeaderLen + 1,
},
},
shouldFail: true,
expectedError: ":BAD_HANDSHAKE_RECORD:",
},
{
protocol: dtls,
name: "SendEmptyFragments-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendEmptyFragments: true,
},
},
},
{
name: "BadFinished-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadFinished: true,
},
},
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
},
{
name: "BadFinished-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
BadFinished: true,
},
},
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
},
{
testType: serverTest,
name: "BadFinished-Server",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadFinished: true,
},
},
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
},
{
testType: serverTest,
name: "BadFinished-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
BadFinished: true,
},
},
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
},
{
name: "FalseStart-BadFinished",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
BadFinished: true,
ExpectFalseStart: true,
},
},
flags: []string{
"-false-start",
"-handshake-never-done",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
},
{
name: "NoFalseStart-NoALPN",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
AlertBeforeFalseStartTest: alertAccessDenied,
},
},
flags: []string{
"-false-start",
},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
expectedLocalError: "tls: peer did not false start: EOF",
},
{
name: "NoFalseStart-NoAEAD",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
AlertBeforeFalseStartTest: alertAccessDenied,
},
},
flags: []string{
"-false-start",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
expectedLocalError: "tls: peer did not false start: EOF",
},
{
name: "NoFalseStart-RSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
AlertBeforeFalseStartTest: alertAccessDenied,
},
},
flags: []string{
"-false-start",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
expectedLocalError: "tls: peer did not false start: EOF",
},
{
name: "NoFalseStart-DHE_RSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
AlertBeforeFalseStartTest: alertAccessDenied,
},
},
flags: []string{
"-false-start",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
shouldFail: true,
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
expectedLocalError: "tls: peer did not false start: EOF",
},
{
protocol: dtls,
name: "SendSplitAlert-Sync",
config: Config{
Bugs: ProtocolBugs{
SendSplitAlert: true,
},
},
},
{
protocol: dtls,
name: "SendSplitAlert-Async",
config: Config{
Bugs: ProtocolBugs{
SendSplitAlert: true,
},
},
flags: []string{"-async"},
},
{
protocol: dtls,
name: "PackDTLSHandshake",
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: 2,
PackHandshakeFragments: 20,
PackHandshakeRecords: 200,
},
},
},
{
name: "SendEmptyRecords-Pass",
sendEmptyRecords: 32,
},
{
name: "SendEmptyRecords",
sendEmptyRecords: 33,
shouldFail: true,
expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
},
{
name: "SendEmptyRecords-Async",
sendEmptyRecords: 33,
flags: []string{"-async"},
shouldFail: true,
expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
},
{
name: "SendWarningAlerts-Pass",
config: Config{
MaxVersion: VersionTLS12,
},
sendWarningAlerts: 4,
},
{
protocol: dtls,
name: "SendWarningAlerts-DTLS-Pass",
config: Config{
MaxVersion: VersionTLS12,
},
sendWarningAlerts: 4,
},
{
name: "SendWarningAlerts-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
sendWarningAlerts: 4,
shouldFail: true,
expectedError: ":BAD_ALERT:",
expectedLocalError: "remote error: error decoding message",
},
{
name: "SendWarningAlerts",
config: Config{
MaxVersion: VersionTLS12,
},
sendWarningAlerts: 5,
shouldFail: true,
expectedError: ":TOO_MANY_WARNING_ALERTS:",
},
{
name: "SendWarningAlerts-Async",
config: Config{
MaxVersion: VersionTLS12,
},
sendWarningAlerts: 5,
flags: []string{"-async"},
shouldFail: true,
expectedError: ":TOO_MANY_WARNING_ALERTS:",
},
{
name: "TooManyKeyUpdates",
config: Config{
MaxVersion: VersionTLS13,
},
sendKeyUpdates: 33,
keyUpdateRequest: keyUpdateNotRequested,
shouldFail: true,
expectedError: ":TOO_MANY_KEY_UPDATES:",
},
{
name: "EmptySessionID",
config: Config{
MaxVersion: VersionTLS12,
SessionTicketsDisabled: true,
},
noSessionCache: true,
flags: []string{"-expect-no-session"},
},
{
name: "Unclean-Shutdown",
config: Config{
Bugs: ProtocolBugs{
NoCloseNotify: true,
ExpectCloseNotify: true,
},
},
shimShutsDown: true,
flags: []string{"-check-close-notify"},
shouldFail: true,
expectedError: "Unexpected SSL_shutdown result: -1 != 1",
},
{
name: "Unclean-Shutdown-Ignored",
config: Config{
Bugs: ProtocolBugs{
NoCloseNotify: true,
},
},
shimShutsDown: true,
},
{
name: "Unclean-Shutdown-Alert",
config: Config{
Bugs: ProtocolBugs{
SendAlertOnShutdown: alertDecompressionFailure,
ExpectCloseNotify: true,
},
},
shimShutsDown: true,
flags: []string{"-check-close-notify"},
shouldFail: true,
expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
},
{
name: "LargePlaintext",
config: Config{
Bugs: ProtocolBugs{
SendLargeRecords: true,
},
},
messageLen: maxPlaintext + 1,
shouldFail: true,
expectedError: ":DATA_LENGTH_TOO_LONG:",
},
{
protocol: dtls,
name: "LargePlaintext-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendLargeRecords: true,
},
},
messageLen: maxPlaintext + 1,
shouldFail: true,
expectedError: ":DATA_LENGTH_TOO_LONG:",
},
{
name: "LargeCiphertext",
config: Config{
Bugs: ProtocolBugs{
SendLargeRecords: true,
},
},
messageLen: maxPlaintext * 2,
shouldFail: true,
expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
},
{
protocol: dtls,
name: "LargeCiphertext-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendLargeRecords: true,
},
},
messageLen: maxPlaintext * 2,
// Unlike the other four cases, DTLS drops records which
// are invalid before authentication, so the connection
// does not fail.
expectMessageDropped: true,
},
{
name: "BadHelloRequest-1",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
},
},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
},
{
name: "BadHelloRequest-2",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
},
},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: ":BAD_HELLO_REQUEST:",
},
{
testType: serverTest,
name: "SupportTicketsWithSessionID",
config: Config{
MaxVersion: VersionTLS12,
SessionTicketsDisabled: true,
},
resumeConfig: &Config{
MaxVersion: VersionTLS12,
},
resumeSession: true,
},
{
protocol: dtls,
name: "DTLS-SendExtraFinished",
config: Config{
Bugs: ProtocolBugs{
SendExtraFinished: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
protocol: dtls,
name: "DTLS-SendExtraFinished-Reordered",
config: Config{
Bugs: ProtocolBugs{
MaxHandshakeRecordLength: 2,
ReorderHandshakeFragments: true,
SendExtraFinished: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
},
{
testType: serverTest,
name: "V2ClientHello-EmptyRecordPrefix",
config: Config{
// Choose a cipher suite that does not involve
// elliptic curves, so no extensions are
// involved.
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
SendV2ClientHello: true,
},
},
sendPrefix: string([]byte{
byte(recordTypeHandshake),
3, 1, // version
0, 0, // length
}),
// A no-op empty record may not be sent before V2ClientHello.
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
},
{
testType: serverTest,
name: "V2ClientHello-WarningAlertPrefix",
config: Config{
// Choose a cipher suite that does not involve
// elliptic curves, so no extensions are
// involved.
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
SendV2ClientHello: true,
},
},
sendPrefix: string([]byte{
byte(recordTypeAlert),
3, 1, // version
0, 2, // length
alertLevelWarning, byte(alertDecompressionFailure),
}),
// A no-op warning alert may not be sent before V2ClientHello.
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
},
{
name: "KeyUpdate",
config: Config{
MaxVersion: VersionTLS13,
},
sendKeyUpdates: 1,
keyUpdateRequest: keyUpdateNotRequested,
},
{
name: "KeyUpdate-InvalidRequestMode",
config: Config{
MaxVersion: VersionTLS13,
},
sendKeyUpdates: 1,
keyUpdateRequest: 42,
shouldFail: true,
expectedError: ":DECODE_ERROR:",
},
{
name: "SendSNIWarningAlert",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendSNIWarningAlert: true,
},
},
},
{
testType: serverTest,
name: "ExtraCompressionMethods-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
},
},
},
{
testType: serverTest,
name: "ExtraCompressionMethods-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
},
},
shouldFail: true,
expectedError: ":INVALID_COMPRESSION_LIST:",
expectedLocalError: "remote error: illegal parameter",
},
{
testType: serverTest,
name: "NoNullCompression-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
},
},
shouldFail: true,
expectedError: ":NO_COMPRESSION_SPECIFIED:",
expectedLocalError: "remote error: illegal parameter",
},
{
testType: serverTest,
name: "NoNullCompression-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
},
},
shouldFail: true,
expectedError: ":INVALID_COMPRESSION_LIST:",
expectedLocalError: "remote error: illegal parameter",
},
{
name: "GREASE-Client-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectGREASE: true,
},
},
flags: []string{"-enable-grease"},
},
{
name: "GREASE-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectGREASE: true,
},
},
flags: []string{"-enable-grease"},
},
{
testType: serverTest,
name: "GREASE-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
// TLS 1.3 servers are expected to
// always enable GREASE. TLS 1.3 is new,
// so there is no existing ecosystem to
// worry about.
ExpectGREASE: true,
},
},
},
}
testCases = append(testCases, basicTests...)
// Test that very large messages can be received.
cert := rsaCertificate
for i := 0; i < 50; i++ {
cert.Certificate = append(cert.Certificate, cert.Certificate[0])
}
testCases = append(testCases, testCase{
name: "LargeMessage",
config: Config{
Certificates: []Certificate{cert},
},
})
testCases = append(testCases, testCase{
protocol: dtls,
name: "LargeMessage-DTLS",
config: Config{
Certificates: []Certificate{cert},
},
})
// They are rejected if the maximum certificate chain length is capped.
testCases = append(testCases, testCase{
name: "LargeMessage-Reject",
config: Config{
Certificates: []Certificate{cert},
},
flags: []string{"-max-cert-list", "16384"},
shouldFail: true,
expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
})
testCases = append(testCases, testCase{
protocol: dtls,
name: "LargeMessage-Reject-DTLS",
config: Config{
Certificates: []Certificate{cert},
},
flags: []string{"-max-cert-list", "16384"},
shouldFail: true,
expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
})
}
func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
const psk = "12345"
const pskIdentity = "luggage combo"
var prefix string
if protocol == dtls {
if !ver.hasDTLS {
return
}
prefix = "D"
}
var cert Certificate
var certFile string
var keyFile string
if hasComponent(suite.name, "ECDSA") {
cert = ecdsaP256Certificate
certFile = ecdsaP256CertificateFile
keyFile = ecdsaP256KeyFile
} else {
cert = rsaCertificate
certFile = rsaCertificateFile
keyFile = rsaKeyFile
}
var flags []string
if hasComponent(suite.name, "PSK") {
flags = append(flags,
"-psk", psk,
"-psk-identity", pskIdentity)
}
if hasComponent(suite.name, "NULL") {
// NULL ciphers must be explicitly enabled.
flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
}
if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
// ECDHE_PSK AES_GCM ciphers must be explicitly enabled
// for now.
flags = append(flags, "-cipher", suite.name)
}
var shouldServerFail, shouldClientFail bool
if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
// BoringSSL clients accept ECDHE on SSLv3, but
// a BoringSSL server will never select it
// because the extension is missing.
shouldServerFail = true
}
if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
shouldClientFail = true
shouldServerFail = true
}
if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
shouldClientFail = true
shouldServerFail = true
}
if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
shouldClientFail = true
shouldServerFail = true
}
if !isDTLSCipher(suite.name) && protocol == dtls {
shouldClientFail = true
shouldServerFail = true
}
var sendCipherSuite uint16
var expectedServerError, expectedClientError string
serverCipherSuites := []uint16{suite.id}
if shouldServerFail {
expectedServerError = ":NO_SHARED_CIPHER:"
}
if shouldClientFail {
expectedClientError = ":WRONG_CIPHER_RETURNED:"
// Configure the server to select ciphers as normal but
// select an incompatible cipher in ServerHello.
serverCipherSuites = nil
sendCipherSuite = suite.id
}
testCases = append(testCases, testCase{
testType: serverTest,
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-server",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
AdvertiseAllConfiguredCiphers: true,
},
},
certFile: certFile,
keyFile: keyFile,
flags: flags,
resumeSession: true,
shouldFail: shouldServerFail,
expectedError: expectedServerError,
})
testCases = append(testCases, testCase{
testType: clientTest,
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-client",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: serverCipherSuites,
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
IgnorePeerCipherPreferences: shouldClientFail,
SendCipherSuite: sendCipherSuite,
},
},
flags: flags,
resumeSession: true,
shouldFail: shouldClientFail,
expectedError: expectedClientError,
})
if shouldClientFail {
return
}
// Ensure the maximum record size is accepted.
testCases = append(testCases, testCase{
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
flags: flags,
messageLen: maxPlaintext,
})
// Test bad records for all ciphers. Bad records are fatal in TLS
// and ignored in DTLS.
var shouldFail bool
var expectedError string
if protocol == tls {
shouldFail = true
expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
}
testCases = append(testCases, testCase{
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-BadRecord",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
flags: flags,
damageFirstWrite: true,
messageLen: maxPlaintext,
shouldFail: shouldFail,
expectedError: expectedError,
})
if ver.version >= VersionTLS13 {
testCases = append(testCases, testCase{
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-ShortHeader",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
flags: append([]string{"-enable-short-header"}, flags...),
resumeSession: true,
expectShortHeader: true,
})
}
}
func addCipherSuiteTests() {
const bogusCipher = 0xfe00
for _, suite := range testCipherSuites {
for _, ver := range tlsVersions {
for _, protocol := range []protocol{tls, dtls} {
addTestForCipherSuite(suite, ver, protocol)
}
}
}
testCases = append(testCases, testCase{
name: "NoSharedCipher",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{},
},
shouldFail: true,
expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
})
testCases = append(testCases, testCase{
name: "NoSharedCipher-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{},
},
shouldFail: true,
expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
})
testCases = append(testCases, testCase{
name: "UnsupportedCipherSuite",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
IgnorePeerCipherPreferences: true,
},
},
flags: []string{"-cipher", "DEFAULT:!AES"},
shouldFail: true,
expectedError: ":WRONG_CIPHER_RETURNED:",
})
testCases = append(testCases, testCase{
name: "ServerHelloBogusCipher",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendCipherSuite: bogusCipher,
},
},
shouldFail: true,
expectedError: ":UNKNOWN_CIPHER_RETURNED:",
})
testCases = append(testCases, testCase{
name: "ServerHelloBogusCipher-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendCipherSuite: bogusCipher,
},
},
shouldFail: true,
expectedError: ":UNKNOWN_CIPHER_RETURNED:",
})
testCases = append(testCases, testCase{
name: "WeakDH",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
// This is a 1023-bit prime number, generated
// with:
// openssl gendh 1023 | openssl asn1parse -i
DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
},
},
shouldFail: true,
expectedError: ":BAD_DH_P_LENGTH:",
})
testCases = append(testCases, testCase{
name: "SillyDH",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
// This is a 4097-bit prime number, generated
// with:
// openssl gendh 4097 | openssl asn1parse -i
DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
},
},
shouldFail: true,
expectedError: ":DH_P_TOO_LONG:",
})
// This test ensures that Diffie-Hellman public values are padded with
// zeros so that they're the same length as the prime. This is to avoid
// hitting a bug in yaSSL.
testCases = append(testCases, testCase{
testType: serverTest,
name: "DHPublicValuePadded",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
RequireDHPublicValueLen: (1025 + 7) / 8,
},
},
flags: []string{"-use-sparse-dh-prime"},
})
// The server must be tolerant to bogus ciphers.
testCases = append(testCases, testCase{
testType: serverTest,
name: "UnknownCipher",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
AdvertiseAllConfiguredCiphers: true,
},
},
})
// The server must be tolerant to bogus ciphers.
testCases = append(testCases, testCase{
testType: serverTest,
name: "UnknownCipher-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
AdvertiseAllConfiguredCiphers: true,
},
},
})
// Test empty ECDHE_PSK identity hints work as expected.
testCases = append(testCases, testCase{
name: "EmptyECDHEPSKHint",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
},
flags: []string{"-psk", "secret"},
})
// Test empty PSK identity hints work as expected, even if an explicit
// ServerKeyExchange is sent.
testCases = append(testCases, testCase{
name: "ExplicitEmptyPSKHint",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
Bugs: ProtocolBugs{
AlwaysSendPreSharedKeyIdentityHint: true,
},
},
flags: []string{"-psk", "secret"},
})
}
func addBadECDSASignatureTests() {
for badR := BadValue(1); badR < NumBadValues; badR++ {
for badS := BadValue(1); badS < NumBadValues; badS++ {
testCases = append(testCases, testCase{
name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
Bugs: ProtocolBugs{
BadECDSAR: badR,
BadECDSAS: badS,
},
},
shouldFail: true,
expectedError: ":BAD_SIGNATURE:",
})
testCases = append(testCases, testCase{
name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{ecdsaP256Certificate},
Bugs: ProtocolBugs{
BadECDSAR: badR,
BadECDSAS: badS,
},
},
shouldFail: true,
expectedError: ":BAD_SIGNATURE:",
})
}
}
}
func addCBCPaddingTests() {
testCases = append(testCases, testCase{
name: "MaxCBCPadding",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
MaxPadding: true,
},
},
messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
})
testCases = append(testCases, testCase{
name: "BadCBCPadding",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
PaddingFirstByteBad: true,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
// OpenSSL previously had an issue where the first byte of padding in
// 255 bytes of padding wasn't checked.
testCases = append(testCases, testCase{
name: "BadCBCPadding255",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
MaxPadding: true,
PaddingFirstByteBadIf255: true,
},
},
messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
}
func addCBCSplittingTests() {
testCases = append(testCases, testCase{
name: "CBCRecordSplitting",
config: Config{
MaxVersion: VersionTLS10,
MinVersion: VersionTLS10,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
},
messageLen: -1, // read until EOF
resumeSession: true,
flags: []string{
"-async",
"-write-different-record-sizes",
"-cbc-record-splitting",
},
})
testCases = append(testCases, testCase{
name: "CBCRecordSplittingPartialWrite",
config: Config{
MaxVersion: VersionTLS10,
MinVersion: VersionTLS10,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
},
messageLen: -1, // read until EOF
flags: []string{
"-async",
"-write-different-record-sizes",
"-cbc-record-splitting",
"-partial-write",
},
})
}
func addClientAuthTests() {
// Add a dummy cert pool to stress certificate authority parsing.
// TODO(davidben): Add tests that those values parse out correctly.
certPool := x509.NewCertPool()
cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
if err != nil {
panic(err)
}
certPool.AddCert(cert)
for _, ver := range tlsVersions {
testCases = append(testCases, testCase{
testType: clientTest,
name: ver.name + "-Client-ClientAuth-RSA",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
ClientCAs: certPool,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: ver.name + "-Server-ClientAuth-RSA",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{"-require-any-client-certificate"},
})
if ver.version != VersionSSL30 {
testCases = append(testCases, testCase{
testType: serverTest,
name: ver.name + "-Server-ClientAuth-ECDSA",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{ecdsaP256Certificate},
},
flags: []string{"-require-any-client-certificate"},
})
testCases = append(testCases, testCase{
testType: clientTest,
name: ver.name + "-Client-ClientAuth-ECDSA",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
ClientCAs: certPool,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
})
}
testCases = append(testCases, testCase{
name: "NoClientCertificate-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
},
shouldFail: true,
expectedLocalError: "client didn't provide a certificate",
})
testCases = append(testCases, testCase{
// Even if not configured to expect a certificate, OpenSSL will
// return X509_V_OK as the verify_result.
testType: serverTest,
name: "NoClientCertificateRequested-Server-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
},
flags: []string{
"-expect-verify-result",
},
resumeSession: true,
})
testCases = append(testCases, testCase{
// If a client certificate is not provided, OpenSSL will still
// return X509_V_OK as the verify_result.
testType: serverTest,
name: "NoClientCertificate-Server-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
},
flags: []string{
"-expect-verify-result",
"-verify-peer",
},
resumeSession: true,
})
certificateRequired := "remote error: certificate required"
if ver.version < VersionTLS13 {
// Prior to TLS 1.3, the generic handshake_failure alert
// was used.
certificateRequired = "remote error: handshake failure"
}
testCases = append(testCases, testCase{
testType: serverTest,
name: "RequireAnyClientCertificate-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
expectedLocalError: certificateRequired,
})
if ver.version != VersionSSL30 {
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipClientCertificate-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SkipClientCertificate: true,
},
},
// Setting SSL_VERIFY_PEER allows anonymous clients.
flags: []string{"-verify-peer"},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
}
}
// Client auth is only legal in certificate-based ciphers.
testCases = append(testCases, testCase{
testType: clientTest,
name: "ClientAuth-PSK",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-psk", "secret",
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ClientAuth-ECDHE_PSK",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-psk", "secret",
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
// Regression test for a bug where the client CA list, if explicitly
// set to NULL, was mis-encoded.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Null-Client-CA-List",
config: Config{
MaxVersion: VersionTLS12,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
"-require-any-client-certificate",
"-use-null-client-ca-list",
},
})
}
func addExtendedMasterSecretTests() {
const expectEMSFlag = "-expect-extended-master-secret"
for _, with := range []bool{false, true} {
prefix := "No"
if with {
prefix = ""
}
for _, isClient := range []bool{false, true} {
suffix := "-Server"
testType := serverTest
if isClient {
suffix = "-Client"
testType = clientTest
}
for _, ver := range tlsVersions {
// In TLS 1.3, the extension is irrelevant and
// always reports as enabled.
var flags []string
if with || ver.version >= VersionTLS13 {
flags = []string{expectEMSFlag}
}
test := testCase{
testType: testType,
name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: !with,
RequireExtendedMasterSecret: with,
},
},
flags: flags,
shouldFail: ver.version == VersionSSL30 && with,
}
if test.shouldFail {
test.expectedLocalError = "extended master secret required but not supported by peer"
}
testCases = append(testCases, test)
}
}
}
for _, isClient := range []bool{false, true} {
for _, supportedInFirstConnection := range []bool{false, true} {
for _, supportedInResumeConnection := range []bool{false, true} {
boolToWord := func(b bool) string {
if b {
return "Yes"
}
return "No"
}
suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
if isClient {
suffix += "Client"
} else {
suffix += "Server"
}
supportedConfig := Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
RequireExtendedMasterSecret: true,
},
}
noSupportConfig := Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: true,
},
}
test := testCase{
name: "ExtendedMasterSecret-" + suffix,
resumeSession: true,
}
if !isClient {
test.testType = serverTest
}
if supportedInFirstConnection {
test.config = supportedConfig
} else {
test.config = noSupportConfig
}
if supportedInResumeConnection {
test.resumeConfig = &supportedConfig
} else {
test.resumeConfig = &noSupportConfig
}
switch suffix {
case "YesToYes-Client", "YesToYes-Server":
// When a session is resumed, it should
// still be aware that its master
// secret was generated via EMS and
// thus it's safe to use tls-unique.
test.flags = []string{expectEMSFlag}
case "NoToYes-Server":
// If an original connection did not
// contain EMS, but a resumption
// handshake does, then a server should
// not resume the session.
test.expectResumeRejected = true
case "YesToNo-Server":
// Resuming an EMS session without the
// EMS extension should cause the
// server to abort the connection.
test.shouldFail = true
test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
case "NoToYes-Client":
// A client should abort a connection
// where the server resumed a non-EMS
// session but echoed the EMS
// extension.
test.shouldFail = true
test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
case "YesToNo-Client":
// A client should abort a connection
// where the server didn't echo EMS
// when the session used it.
test.shouldFail = true
test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
}
testCases = append(testCases, test)
}
}
}
// Switching EMS on renegotiation is forbidden.
testCases = append(testCases, testCase{
name: "ExtendedMasterSecret-Renego-NoEMS",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: true,
NoExtendedMasterSecretOnRenegotiation: true,
},
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
testCases = append(testCases, testCase{
name: "ExtendedMasterSecret-Renego-Upgrade",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: true,
},
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "ExtendedMasterSecret-Renego-Downgrade",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoExtendedMasterSecretOnRenegotiation: true,
},
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
})
}
type stateMachineTestConfig struct {
protocol protocol
async bool
splitHandshake, packHandshakeFlight bool
}
// Adds tests that try to cover the range of the handshake state machine, under
// various conditions. Some of these are redundant with other tests, but they
// only cover the synchronous case.
func addAllStateMachineCoverageTests() {
for _, async := range []bool{false, true} {
for _, protocol := range []protocol{tls, dtls} {
addStateMachineCoverageTests(stateMachineTestConfig{
protocol: protocol,
async: async,
})
addStateMachineCoverageTests(stateMachineTestConfig{
protocol: protocol,
async: async,
splitHandshake: true,
})
if protocol == tls {
addStateMachineCoverageTests(stateMachineTestConfig{
protocol: protocol,
async: async,
packHandshakeFlight: true,
})
}
}
}
}
func addStateMachineCoverageTests(config stateMachineTestConfig) {
var tests []testCase
// Basic handshake, with resumption. Client and server,
// session ID and session ticket.
tests = append(tests, testCase{
name: "Basic-Client",
config: Config{
MaxVersion: VersionTLS12,
},
resumeSession: true,
// Ensure session tickets are used, not session IDs.
noSessionCache: true,
})
tests = append(tests, testCase{
name: "Basic-Client-RenewTicket",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
RenewTicketOnResume: true,
},
},
flags: []string{"-expect-ticket-renewal"},
resumeSession: true,
resumeRenewedSession: true,
})
tests = append(tests, testCase{
name: "Basic-Client-NoTicket",
config: Config{
MaxVersion: VersionTLS12,
SessionTicketsDisabled: true,
},
resumeSession: true,
})
tests = append(tests, testCase{
name: "Basic-Client-Implicit",
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-implicit-handshake"},
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
RequireSessionTickets: true,
},
},
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server-NoTickets",
config: Config{
MaxVersion: VersionTLS12,
SessionTicketsDisabled: true,
},
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server-Implicit",
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-implicit-handshake"},
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server-EarlyCallback",
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-use-early-callback"},
resumeSession: true,
})
// TLS 1.3 basic handshake shapes.
if config.protocol == tls {
tests = append(tests, testCase{
name: "TLS13-1RTT-Client",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
},
resumeSession: true,
resumeRenewedSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "TLS13-1RTT-Server",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
},
resumeSession: true,
resumeRenewedSession: true,
})
tests = append(tests, testCase{
name: "TLS13-HelloRetryRequest-Client",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
// P-384 requires a HelloRetryRequest against BoringSSL's default
// configuration. Assert this with ExpectMissingKeyShare.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
ExpectMissingKeyShare: true,
},
},
// Cover HelloRetryRequest during an ECDHE-PSK resumption.
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "TLS13-HelloRetryRequest-Server",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
// Require a HelloRetryRequest for every curve.
DefaultCurves: []CurveID{},
},
// Cover HelloRetryRequest during an ECDHE-PSK resumption.
resumeSession: true,
})
}
// TLS client auth.
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-NoCertificate-Client",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequestClientCert,
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "ClientAuth-NoCertificate-Server",
config: Config{
MaxVersion: VersionTLS12,
},
// Setting SSL_VERIFY_PEER allows anonymous clients.
flags: []string{"-verify-peer"},
})
if config.protocol == tls {
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-NoCertificate-Client-SSL3",
config: Config{
MaxVersion: VersionSSL30,
ClientAuth: RequestClientCert,
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "ClientAuth-NoCertificate-Server-SSL3",
config: Config{
MaxVersion: VersionSSL30,
},
// Setting SSL_VERIFY_PEER allows anonymous clients.
flags: []string{"-verify-peer"},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-NoCertificate-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequestClientCert,
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "ClientAuth-NoCertificate-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
// Setting SSL_VERIFY_PEER allows anonymous clients.
flags: []string{"-verify-peer"},
})
}
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-RSA-Client",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-RSA-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-ECDSA-Client",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-ECDSA-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-NoCertificate-OldCallback",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequestClientCert,
},
flags: []string{"-use-old-client-cert-callback"},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-NoCertificate-OldCallback-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequestClientCert,
},
flags: []string{"-use-old-client-cert-callback"},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-OldCallback",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-use-old-client-cert-callback",
},
})
tests = append(tests, testCase{
testType: clientTest,
name: "ClientAuth-OldCallback-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-use-old-client-cert-callback",
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "ClientAuth-Server",
config: Config{
MaxVersion: VersionTLS12,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{"-require-any-client-certificate"},
})
tests = append(tests, testCase{
testType: serverTest,
name: "ClientAuth-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{"-require-any-client-certificate"},
})
// Test each key exchange on the server side for async keys.
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server-RSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server-ECDHE-RSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "Basic-Server-ECDHE-ECDSA",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
})
// No session ticket support; server doesn't send NewSessionTicket.
tests = append(tests, testCase{
name: "SessionTicketsDisabled-Client",
config: Config{
MaxVersion: VersionTLS12,
SessionTicketsDisabled: true,
},
})
tests = append(tests, testCase{
testType: serverTest,
name: "SessionTicketsDisabled-Server",
config: Config{
MaxVersion: VersionTLS12,
SessionTicketsDisabled: true,
},
})
// Skip ServerKeyExchange in PSK key exchange if there's no
// identity hint.
tests = append(tests, testCase{
name: "EmptyPSKHint-Client",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
},
flags: []string{"-psk", "secret"},
})
tests = append(tests, testCase{
testType: serverTest,
name: "EmptyPSKHint-Server",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
PreSharedKey: []byte("secret"),
},
flags: []string{"-psk", "secret"},
})
// OCSP stapling tests.
tests = append(tests, testCase{
testType: clientTest,
name: "OCSPStapling-Client",
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{
"-enable-ocsp-stapling",
"-expect-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
"-verify-peer",
},
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "OCSPStapling-Server",
config: Config{
MaxVersion: VersionTLS12,
},
expectedOCSPResponse: testOCSPResponse,
flags: []string{
"-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
},
resumeSession: true,
})
tests = append(tests, testCase{
testType: clientTest,
name: "OCSPStapling-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
flags: []string{
"-enable-ocsp-stapling",
"-expect-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
"-verify-peer",
},
resumeSession: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "OCSPStapling-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
expectedOCSPResponse: testOCSPResponse,
flags: []string{
"-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
},
resumeSession: true,
})
// Certificate verification tests.
for _, vers := range tlsVersions {
if config.protocol == dtls && !vers.hasDTLS {
continue
}
for _, testType := range []testType{clientTest, serverTest} {
suffix := "-Client"
if testType == serverTest {
suffix = "-Server"
}
suffix += "-" + vers.name
flag := "-verify-peer"
if testType == serverTest {
flag = "-require-any-client-certificate"
}
tests = append(tests, testCase{
testType: testType,
name: "CertificateVerificationSucceed" + suffix,
config: Config{
MaxVersion: vers.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
flag,
"-expect-verify-result",
},
resumeSession: true,
})
tests = append(tests, testCase{
testType: testType,
name: "CertificateVerificationFail" + suffix,
config: Config{
MaxVersion: vers.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
flag,
"-verify-fail",
},
shouldFail: true,
expectedError: ":CERTIFICATE_VERIFY_FAILED:",
})
}
// By default, the client is in a soft fail mode where the peer
// certificate is verified but failures are non-fatal.
tests = append(tests, testCase{
testType: clientTest,
name: "CertificateVerificationSoftFail-" + vers.name,
config: Config{
MaxVersion: vers.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
"-verify-fail",
"-expect-verify-result",
},
resumeSession: true,
})
}
tests = append(tests, testCase{
name: "ShimSendAlert",
flags: []string{"-send-alert"},
shimWritesFirst: true,
shouldFail: true,
expectedLocalError: "remote error: decompression failure",
})
if config.protocol == tls {
tests = append(tests, testCase{
name: "Renegotiate-Client",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
tests = append(tests, testCase{
name: "SendHalfHelloRequest",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
PackHelloRequestWithFinished: config.packHandshakeFlight,
},
},
sendHalfHelloRequest: true,
flags: []string{"-renegotiate-ignore"},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
// NPN on client and server; results in post-handshake message.
tests = append(tests, testCase{
name: "NPN-Client",
config: Config{
MaxVersion: VersionTLS12,
NextProtos: []string{"foo"},
},
flags: []string{"-select-next-proto", "foo"},
resumeSession: true,
expectedNextProto: "foo",
expectedNextProtoType: npn,
})
tests = append(tests, testCase{
testType: serverTest,
name: "NPN-Server",
config: Config{
MaxVersion: VersionTLS12,
NextProtos: []string{"bar"},
},
flags: []string{
"-advertise-npn", "\x03foo\x03bar\x03baz",
"-expect-next-proto", "bar",
},
resumeSession: true,
expectedNextProto: "bar",
expectedNextProtoType: npn,
})
// TODO(davidben): Add tests for when False Start doesn't trigger.
// Client does False Start and negotiates NPN.
tests = append(tests, testCase{
name: "FalseStart",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
},
},
flags: []string{
"-false-start",
"-select-next-proto", "foo",
},
shimWritesFirst: true,
resumeSession: true,
})
// Client does False Start and negotiates ALPN.
tests = append(tests, testCase{
name: "FalseStart-ALPN",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
},
},
flags: []string{
"-false-start",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
resumeSession: true,
})
// Client does False Start but doesn't explicitly call
// SSL_connect.
tests = append(tests, testCase{
name: "FalseStart-Implicit",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
},
flags: []string{
"-implicit-handshake",
"-false-start",
"-advertise-alpn", "\x03foo",
},
})
// False Start without session tickets.
tests = append(tests, testCase{
name: "FalseStart-SessionTicketsDisabled",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
SessionTicketsDisabled: true,
Bugs: ProtocolBugs{
ExpectFalseStart: true,
},
},
flags: []string{
"-false-start",
"-select-next-proto", "foo",
},
shimWritesFirst: true,
})
// Server parses a V2ClientHello.
tests = append(tests, testCase{
testType: serverTest,
name: "SendV2ClientHello",
config: Config{
// Choose a cipher suite that does not involve
// elliptic curves, so no extensions are
// involved.
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
SendV2ClientHello: true,
},
},
})
// Test Channel ID
for _, ver := range tlsVersions {
if ver.version < VersionTLS10 {
continue
}
// Client sends a Channel ID.
tests = append(tests, testCase{
name: "ChannelID-Client-" + ver.name,
config: Config{
MaxVersion: ver.version,
RequestChannelID: true,
},
flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
resumeSession: true,
expectChannelID: true,
})
// Server accepts a Channel ID.
tests = append(tests, testCase{
testType: serverTest,
name: "ChannelID-Server-" + ver.name,
config: Config{
MaxVersion: ver.version,
ChannelID: channelIDKey,
},
flags: []string{
"-expect-channel-id",
base64.StdEncoding.EncodeToString(channelIDBytes),
},
resumeSession: true,
expectChannelID: true,
})
tests = append(tests, testCase{
testType: serverTest,
name: "InvalidChannelIDSignature-" + ver.name,
config: Config{
MaxVersion: ver.version,
ChannelID: channelIDKey,
Bugs: ProtocolBugs{
InvalidChannelIDSignature: true,
},
},
flags: []string{"-enable-channel-id"},
shouldFail: true,
expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
})
}
// Channel ID and NPN at the same time, to ensure their relative
// ordering is correct.
tests = append(tests, testCase{
name: "ChannelID-NPN-Client",
config: Config{
MaxVersion: VersionTLS12,
RequestChannelID: true,
NextProtos: []string{"foo"},
},
flags: []string{
"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
"-select-next-proto", "foo",
},
resumeSession: true,
expectChannelID: true,
expectedNextProto: "foo",
expectedNextProtoType: npn,
})
tests = append(tests, testCase{
testType: serverTest,
name: "ChannelID-NPN-Server",
config: Config{
MaxVersion: VersionTLS12,
ChannelID: channelIDKey,
NextProtos: []string{"bar"},
},
flags: []string{
"-expect-channel-id",
base64.StdEncoding.EncodeToString(channelIDBytes),
"-advertise-npn", "\x03foo\x03bar\x03baz",
"-expect-next-proto", "bar",
},
resumeSession: true,
expectChannelID: true,
expectedNextProto: "bar",
expectedNextProtoType: npn,
})
// Bidirectional shutdown with the runner initiating.
tests = append(tests, testCase{
name: "Shutdown-Runner",
config: Config{
Bugs: ProtocolBugs{
ExpectCloseNotify: true,
},
},
flags: []string{"-check-close-notify"},
})
// Bidirectional shutdown with the shim initiating. The runner,
// in the meantime, sends garbage before the close_notify which
// the shim must ignore.
tests = append(tests, testCase{
name: "Shutdown-Shim",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectCloseNotify: true,
},
},
shimShutsDown: true,
sendEmptyRecords: 1,
sendWarningAlerts: 1,
flags: []string{"-check-close-notify"},
})
} else {
// TODO(davidben): DTLS 1.3 will want a similar thing for
// HelloRetryRequest.
tests = append(tests, testCase{
name: "SkipHelloVerifyRequest",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SkipHelloVerifyRequest: true,
},
},
})
}
for _, test := range tests {
test.protocol = config.protocol
if config.protocol == dtls {
test.name += "-DTLS"
}
if config.async {
test.name += "-Async"
test.flags = append(test.flags, "-async")
} else {
test.name += "-Sync"
}
if config.splitHandshake {
test.name += "-SplitHandshakeRecords"
test.config.Bugs.MaxHandshakeRecordLength = 1
if config.protocol == dtls {
test.config.Bugs.MaxPacketLength = 256
test.flags = append(test.flags, "-mtu", "256")
}
}
if config.packHandshakeFlight {
test.name += "-PackHandshakeFlight"
test.config.Bugs.PackHandshakeFlight = true
}
testCases = append(testCases, test)
}
}
func addDDoSCallbackTests() {
// DDoS callback.
for _, resume := range []bool{false, true} {
suffix := "Resume"
if resume {
suffix = "No" + suffix
}
testCases = append(testCases, testCase{
testType: serverTest,
name: "Server-DDoS-OK-" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-install-ddos-callback"},
resumeSession: resume,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Server-DDoS-OK-" + suffix + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
flags: []string{"-install-ddos-callback"},
resumeSession: resume,
})
failFlag := "-fail-ddos-callback"
if resume {
failFlag = "-fail-second-ddos-callback"
}
testCases = append(testCases, testCase{
testType: serverTest,
name: "Server-DDoS-Reject-" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-install-ddos-callback", failFlag},
resumeSession: resume,
shouldFail: true,
expectedError: ":CONNECTION_REJECTED:",
expectedLocalError: "remote error: internal error",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Server-DDoS-Reject-" + suffix + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
},
flags: []string{"-install-ddos-callback", failFlag},
resumeSession: resume,
shouldFail: true,
expectedError: ":CONNECTION_REJECTED:",
expectedLocalError: "remote error: internal error",
})
}
}
func addVersionNegotiationTests() {
for i, shimVers := range tlsVersions {
// Assemble flags to disable all newer versions on the shim.
var flags []string
for _, vers := range tlsVersions[i+1:] {
flags = append(flags, vers.flag)
}
// Test configuring the runner's maximum version.
for _, runnerVers := range tlsVersions {
protocols := []protocol{tls}
if runnerVers.hasDTLS && shimVers.hasDTLS {
protocols = append(protocols, dtls)
}
for _, protocol := range protocols {
expectedVersion := shimVers.version
if runnerVers.version < shimVers.version {
expectedVersion = runnerVers.version
}
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
suffix += "-DTLS"
}
shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
// Determine the expected initial record-layer versions.
clientVers := shimVers.version
if clientVers > VersionTLS10 {
clientVers = VersionTLS10
}
clientVers = versionToWire(clientVers, protocol == dtls)
serverVers := expectedVersion
if expectedVersion >= VersionTLS13 {
serverVers = VersionTLS10
}
serverVers = versionToWire(serverVers, protocol == dtls)
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "VersionNegotiation-Client-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: clientVers,
},
},
flags: flags,
expectedVersion: expectedVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "VersionNegotiation-Client2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: clientVers,
},
},
flags: []string{"-max-version", shimVersFlag},
expectedVersion: expectedVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiation-Server-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: serverVers,
},
},
flags: flags,
expectedVersion: expectedVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiation-Server2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: serverVers,
},
},
flags: []string{"-max-version", shimVersFlag},
expectedVersion: expectedVersion,
})
}
}
}
// Test the version extension at all versions.
for _, vers := range tlsVersions {
protocols := []protocol{tls}
if vers.hasDTLS {
protocols = append(protocols, dtls)
}
for _, protocol := range protocols {
suffix := vers.name
if protocol == dtls {
suffix += "-DTLS"
}
wireVersion := versionToWire(vers.version, protocol == dtls)
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiationExtension-" + suffix,
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
},
},
expectedVersion: vers.version,
})
}
}
// If all versions are unknown, negotiation fails.
testCases = append(testCases, testCase{
testType: serverTest,
name: "NoSupportedVersions",
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{0x1111},
},
},
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "NoSupportedVersions-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{0x1111},
},
},
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientHelloVersionTooHigh",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendClientVersion: 0x0304,
OmitSupportedVersions: true,
},
},
expectedVersion: VersionTLS12,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ConflictingVersionNegotiation",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: VersionTLS12,
SendSupportedVersions: []uint16{VersionTLS11},
},
},
// The extension takes precedence over the ClientHello version.
expectedVersion: VersionTLS11,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ConflictingVersionNegotiation-2",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: VersionTLS11,
SendSupportedVersions: []uint16{VersionTLS12},
},
},
// The extension takes precedence over the ClientHello version.
expectedVersion: VersionTLS12,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "RejectFinalTLS13",
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
},
},
// We currently implement a draft TLS 1.3 version. Ensure that
// the true TLS 1.3 value is ignored for now.
expectedVersion: VersionTLS12,
})
// Test that the maximum version is selected regardless of the
// client-sent order.
testCases = append(testCases, testCase{
testType: serverTest,
name: "IgnoreClientVersionOrder",
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
},
},
expectedVersion: VersionTLS13,
})
// Test for version tolerance.
testCases = append(testCases, testCase{
testType: serverTest,
name: "MinorVersionTolerance",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0x03ff,
OmitSupportedVersions: true,
},
},
expectedVersion: VersionTLS12,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "MajorVersionTolerance",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0x0400,
OmitSupportedVersions: true,
},
},
// TLS 1.3 must be negotiated with the supported_versions
// extension, not ClientHello.version.
expectedVersion: VersionTLS12,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "VersionTolerance-TLS13",
config: Config{
Bugs: ProtocolBugs{
// Although TLS 1.3 does not use
// ClientHello.version, it still tolerates high
// values there.
SendClientVersion: 0x0400,
},
},
expectedVersion: VersionTLS13,
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "MinorVersionTolerance-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0xfe00,
OmitSupportedVersions: true,
},
},
expectedVersion: VersionTLS12,
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "MajorVersionTolerance-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0xfdff,
OmitSupportedVersions: true,
},
},
expectedVersion: VersionTLS12,
})
// Test that versions below 3.0 are rejected.
testCases = append(testCases, testCase{
testType: serverTest,
name: "VersionTooLow",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0x0200,
OmitSupportedVersions: true,
},
},
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "VersionTooLow-DTLS",
config: Config{
Bugs: ProtocolBugs{
SendClientVersion: 0xffff,
},
},
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
})
testCases = append(testCases, testCase{
name: "ServerBogusVersion",
config: Config{
Bugs: ProtocolBugs{
SendServerHelloVersion: 0x1234,
},
},
shouldFail: true,
expectedError: ":UNSUPPORTED_PROTOCOL:",
})
// Test TLS 1.3's downgrade signal.
testCases = append(testCases, testCase{
name: "Downgrade-TLS12-Client",
config: Config{
Bugs: ProtocolBugs{
NegotiateVersion: VersionTLS12,
},
},
expectedVersion: VersionTLS12,
// TODO(davidben): This test should fail once TLS 1.3 is final
// and the fallback signal restored.
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Downgrade-TLS12-Server",
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{VersionTLS12},
},
},
expectedVersion: VersionTLS12,
// TODO(davidben): This test should fail once TLS 1.3 is final
// and the fallback signal restored.
})
}
func addMinimumVersionTests() {
for i, shimVers := range tlsVersions {
// Assemble flags to disable all older versions on the shim.
var flags []string
for _, vers := range tlsVersions[:i] {
flags = append(flags, vers.flag)
}
for _, runnerVers := range tlsVersions {
protocols := []protocol{tls}
if runnerVers.hasDTLS && shimVers.hasDTLS {
protocols = append(protocols, dtls)
}
for _, protocol := range protocols {
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
suffix += "-DTLS"
}
shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
var expectedVersion uint16
var shouldFail bool
var expectedError, expectedLocalError string
if runnerVers.version >= shimVers.version {
expectedVersion = runnerVers.version
} else {
shouldFail = true
expectedError = ":UNSUPPORTED_PROTOCOL:"
expectedLocalError = "remote error: protocol version not supported"
}
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "MinimumVersion-Client-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
// Ensure the server does not decline to
// select a version (versions extension) or
// cipher (some ciphers depend on versions).
NegotiateVersion: runnerVers.version,
IgnorePeerCipherPreferences: shouldFail,
},
},
flags: flags,
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "MinimumVersion-Client2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
Bugs: ProtocolBugs{
// Ensure the server does not decline to
// select a version (versions extension) or
// cipher (some ciphers depend on versions).
NegotiateVersion: runnerVers.version,
IgnorePeerCipherPreferences: shouldFail,
},
},
flags: []string{"-min-version", shimVersFlag},
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "MinimumVersion-Server-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
},
flags: flags,
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "MinimumVersion-Server2-" + suffix,
config: Config{
MaxVersion: runnerVers.version,
},
flags: []string{"-min-version", shimVersFlag},
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
expectedLocalError: expectedLocalError,
})
}
}
}
}
func addExtensionTests() {
// TODO(davidben): Extensions, where applicable, all move their server
// halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
// tests for both. Also test interaction with 0-RTT when implemented.
// Repeat extensions tests all versions except SSL 3.0.
for _, ver := range tlsVersions {
if ver.version == VersionSSL30 {
continue
}
// Test that duplicate extensions are rejected.
testCases = append(testCases, testCase{
testType: clientTest,
name: "DuplicateExtensionClient-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
DuplicateExtension: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decoding message",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "DuplicateExtensionServer-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
DuplicateExtension: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decoding message",
})
// Test SNI.
testCases = append(testCases, testCase{
testType: clientTest,
name: "ServerNameExtensionClient-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
ExpectServerName: "example.com",
},
},
flags: []string{"-host-name", "example.com"},
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ServerNameExtensionClientMismatch-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
ExpectServerName: "mismatch.com",
},
},
flags: []string{"-host-name", "example.com"},
shouldFail: true,
expectedLocalError: "tls: unexpected server name",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ServerNameExtensionClientMissing-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
ExpectServerName: "missing.com",
},
},
shouldFail: true,
expectedLocalError: "tls: unexpected server name",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerNameExtensionServer-" + ver.name,
config: Config{
MaxVersion: ver.version,
ServerName: "example.com",
},
flags: []string{"-expect-server-name", "example.com"},
resumeSession: true,
})
// Test ALPN.
testCases = append(testCases, testCase{
testType: clientTest,
name: "ALPNClient-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo"},
},
flags: []string{
"-advertise-alpn", "\x03foo\x03bar\x03baz",
"-expect-alpn", "foo",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "ALPNClient-Mismatch-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SendALPN: "baz",
},
},
flags: []string{
"-advertise-alpn", "\x03foo\x03bar",
},
shouldFail: true,
expectedError: ":INVALID_ALPN_PROTOCOL:",
expectedLocalError: "remote error: illegal parameter",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-Decline-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
},
flags: []string{"-decline-alpn"},
expectNoNextProto: true,
resumeSession: true,
})
// Test ALPN in async mode as well to ensure that extensions callbacks are only
// called once.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-Async-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
// Prior to TLS 1.3, exercise the asynchronous session callback.
SessionTicketsDisabled: ver.version < VersionTLS13,
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
"-async",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
var emptyString string
testCases = append(testCases, testCase{
testType: clientTest,
name: "ALPNClient-EmptyProtocolName-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{""},
Bugs: ProtocolBugs{
// A server returning an empty ALPN protocol
// should be rejected.
ALPNProtocol: &emptyString,
},
},
flags: []string{
"-advertise-alpn", "\x03foo",
},
shouldFail: true,
expectedError: ":PARSE_TLSEXT:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-EmptyProtocolName-" + ver.name,
config: Config{
MaxVersion: ver.version,
// A ClientHello containing an empty ALPN protocol
// should be rejected.
NextProtos: []string{"foo", "", "baz"},
},
flags: []string{
"-select-alpn", "foo",
},
shouldFail: true,
expectedError: ":PARSE_TLSEXT:",
})
// Test NPN and the interaction with ALPN.
if ver.version < VersionTLS13 {
// Test that the server prefers ALPN over NPN.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-Preferred-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ALPNServer-Preferred-Swapped-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
Bugs: ProtocolBugs{
SwapNPNAndALPN: true,
},
},
flags: []string{
"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
"-select-alpn", "foo",
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
expectedNextProto: "foo",
expectedNextProtoType: alpn,
resumeSession: true,
})
// Test that negotiating both NPN and ALPN is forbidden.
testCases = append(testCases, testCase{
name: "NegotiateALPNAndNPN-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
Bugs: ProtocolBugs{
NegotiateALPNAndNPN: true,
},
},
flags: []string{
"-advertise-alpn", "\x03foo",
"-select-next-proto", "foo",
},
shouldFail: true,
expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
})
testCases = append(testCases, testCase{
name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
config: Config{
MaxVersion: ver.version,
NextProtos: []string{"foo", "bar", "baz"},
Bugs: ProtocolBugs{
NegotiateALPNAndNPN: true,
SwapNPNAndALPN: true,
},
},
flags: []string{
"-advertise-alpn", "\x03foo",
"-select-next-proto", "foo",
},
shouldFail: true,
expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
})
}
// Test ticket behavior.
// Resume with a corrupt ticket.
testCases = append(testCases, testCase{
testType: serverTest,
name: "CorruptTicket-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
FilterTicket: func(in []byte) ([]byte, error) {
in[len(in)-1] ^= 1
return in, nil
},
},
},
resumeSession: true,
expectResumeRejected: true,
})
// Test the ticket callback, with and without renewal.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TicketCallback-" + ver.name,
config: Config{
MaxVersion: ver.version,
},
resumeSession: true,
flags: []string{"-use-ticket-callback"},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "TicketCallback-Renew-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
ExpectNewTicket: true,
},
},
flags: []string{"-use-ticket-callback", "-renew-ticket"},
resumeSession: true,
})
// Test that the ticket callback is only called once when everything before
// it in the ClientHello is asynchronous. This corrupts the ticket so
// certificate selection callbacks run.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TicketCallback-SingleCall-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
FilterTicket: func(in []byte) ([]byte, error) {
in[len(in)-1] ^= 1
return in, nil
},
},
},
resumeSession: true,
expectResumeRejected: true,
flags: []string{
"-use-ticket-callback",
"-async",
},
})
// Resume with an oversized session id.
if ver.version < VersionTLS13 {
testCases = append(testCases, testCase{
testType: serverTest,
name: "OversizedSessionId-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
OversizedSessionId: true,
},
},
resumeSession: true,
shouldFail: true,
expectedError: ":DECODE_ERROR:",
})
}
// Basic DTLS-SRTP tests. Include fake profiles to ensure they
// are ignored.
if ver.hasDTLS {
testCases = append(testCases, testCase{
protocol: dtls,
name: "SRTP-Client-" + ver.name,
config: Config{
MaxVersion: ver.version,
SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
})
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SRTP-Server-" + ver.name,
config: Config{
MaxVersion: ver.version,
SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
})
// Test that the MKI is ignored.
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SRTP-Server-IgnoreMKI-" + ver.name,
config: Config{
MaxVersion: ver.version,
SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
Bugs: ProtocolBugs{
SRTPMasterKeyIdentifer: "bogus",
},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
})
// Test that SRTP isn't negotiated on the server if there were
// no matching profiles.
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SRTP-Server-NoMatch-" + ver.name,
config: Config{
MaxVersion: ver.version,
SRTPProtectionProfiles: []uint16{100, 101, 102},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
},
expectedSRTPProtectionProfile: 0,
})
// Test that the server returning an invalid SRTP profile is
// flagged as an error by the client.
testCases = append(testCases, testCase{
protocol: dtls,
name: "SRTP-Client-NoMatch-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
},
},
flags: []string{
"-srtp-profiles",
"SRTP_AES128_CM_SHA1_80",
},
shouldFail: true,
expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
})
}
// Test SCT list.
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampList-Client-" + ver.name,
testType: clientTest,
config: Config{
MaxVersion: ver.version,
},
flags: []string{
"-enable-signed-cert-timestamps",
"-expect-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
resumeSession: true,
})
var differentSCTList []byte
differentSCTList = append(differentSCTList, testSCTList...)
differentSCTList[len(differentSCTList)-1] ^= 1
// The SCT extension did not specify that it must only be sent on resumption as it
// should have, so test that we tolerate but ignore it.
testCases = append(testCases, testCase{
name: "SendSCTListOnResume-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SendSCTListOnResume: differentSCTList,
},
},
flags: []string{
"-enable-signed-cert-timestamps",
"-expect-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
resumeSession: true,
})
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampList-Server-" + ver.name,
testType: serverTest,
config: Config{
MaxVersion: ver.version,
},
flags: []string{
"-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
expectedSCTList: testSCTList,
resumeSession: true,
})
emptySCTListCert := *testCerts[0].cert
emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
// Test empty SCT list.
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
testType: clientTest,
config: Config{
MaxVersion: ver.version,
Certificates: []Certificate{emptySCTListCert},
},
flags: []string{
"-enable-signed-cert-timestamps",
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
emptySCTCert := *testCerts[0].cert
emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
// Test empty SCT in non-empty list.
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
testType: clientTest,
config: Config{
MaxVersion: ver.version,
Certificates: []Certificate{emptySCTCert},
},
flags: []string{
"-enable-signed-cert-timestamps",
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
// Test that certificate-related extensions are not sent unsolicited.
testCases = append(testCases, testCase{
testType: serverTest,
name: "UnsolicitedCertificateExtensions-" + ver.name,
config: Config{
MaxVersion: ver.version,
Bugs: ProtocolBugs{
NoOCSPStapling: true,
NoSignedCertificateTimestamps: true,
},
},
flags: []string{
"-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
"-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
})
}
testCases = append(testCases, testCase{
testType: clientTest,
name: "ClientHelloPadding",
config: Config{
Bugs: ProtocolBugs{
RequireClientHelloSize: 512,
},
},
// This hostname just needs to be long enough to push the
// ClientHello into F5's danger zone between 256 and 511 bytes
// long.
flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
})
// Extensions should not function in SSL 3.0.
testCases = append(testCases, testCase{
testType: serverTest,
name: "SSLv3Extensions-NoALPN",
config: Config{
MaxVersion: VersionSSL30,
NextProtos: []string{"foo", "bar", "baz"},
},
flags: []string{
"-select-alpn", "foo",
},
expectNoNextProto: true,
})
// Test session tickets separately as they follow a different codepath.
testCases = append(testCases, testCase{
testType: serverTest,
name: "SSLv3Extensions-NoTickets",
config: Config{
MaxVersion: VersionSSL30,
Bugs: ProtocolBugs{
// Historically, session tickets in SSL 3.0
// failed in different ways depending on whether
// the client supported renegotiation_info.
NoRenegotiationInfo: true,
},
},
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SSLv3Extensions-NoTickets2",
config: Config{
MaxVersion: VersionSSL30,
},
resumeSession: true,
})
// But SSL 3.0 does send and process renegotiation_info.
testCases = append(testCases, testCase{
testType: serverTest,
name: "SSLv3Extensions-RenegotiationInfo",
config: Config{
MaxVersion: VersionSSL30,
Bugs: ProtocolBugs{
RequireRenegotiationInfo: true,
},
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SSLv3Extensions-RenegotiationInfo-SCSV",
config: Config{
MaxVersion: VersionSSL30,
Bugs: ProtocolBugs{
NoRenegotiationInfo: true,
SendRenegotiationSCSV: true,
RequireRenegotiationInfo: true,
},
},
})
// Test that illegal extensions in TLS 1.3 are rejected by the client if
// in ServerHello.
testCases = append(testCases, testCase{
name: "NPN-Forbidden-TLS13",
config: Config{
MaxVersion: VersionTLS13,
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
NegotiateNPNAtAllVersions: true,
},
},
flags: []string{"-select-next-proto", "foo"},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "EMS-Forbidden-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
NegotiateEMSAtAllVersions: true,
},
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "RenegotiationInfo-Forbidden-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
NegotiateRenegotiationInfoAtAllVersions: true,
},
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "Ticket-Forbidden-TLS13",
config: Config{
MaxVersion: VersionTLS12,
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
AdvertiseTicketExtension: true,
},
},
resumeSession: true,
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
// Test that illegal extensions in TLS 1.3 are declined by the server if
// offered in ClientHello. The runner's server will fail if this occurs,
// so we exercise the offering path. (EMS and Renegotiation Info are
// implicit in every test.)
testCases = append(testCases, testCase{
testType: serverTest,
name: "NPN-Declined-TLS13",
config: Config{
MaxVersion: VersionTLS13,
NextProtos: []string{"bar"},
},
flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
})
// OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
// tolerated.
testCases = append(testCases, testCase{
name: "SendOCSPResponseOnResume-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendOCSPResponseOnResume: []byte("bogus"),
},
},
flags: []string{
"-enable-ocsp-stapling",
"-expect-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
},
resumeSession: true,
})
testCases = append(testCases, testCase{
name: "SendUnsolicitedOCSPOnCertificate-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendExtensionOnCertificate: testOCSPExtension,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "SendUnsolicitedSCTOnCertificate-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendExtensionOnCertificate: testSCTExtension,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
// Test that extensions on client certificates are never accepted.
testCases = append(testCases, testCase{
name: "SendExtensionOnClientCertificate-TLS13",
testType: serverTest,
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
Bugs: ProtocolBugs{
SendExtensionOnCertificate: testOCSPExtension,
},
},
flags: []string{
"-enable-ocsp-stapling",
"-require-any-client-certificate",
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "SendUnknownExtensionOnCertificate-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
var differentSCTList []byte
differentSCTList = append(differentSCTList, testSCTList...)
differentSCTList[len(differentSCTList)-1] ^= 1
// Test that extensions on intermediates are allowed but ignored.
testCases = append(testCases, testCase{
name: "IgnoreExtensionsOnIntermediates-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaChainCertificate},
Bugs: ProtocolBugs{
// Send different values on the intermediate. This tests
// the intermediate's extensions do not override the
// leaf's.
SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
SendSCTOnIntermediates: differentSCTList,
},
},
flags: []string{
"-enable-ocsp-stapling",
"-expect-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
"-enable-signed-cert-timestamps",
"-expect-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
resumeSession: true,
})
// Test that extensions are not sent on intermediates when configured
// only for a leaf.
testCases = append(testCases, testCase{
testType: serverTest,
name: "SendNoExtensionsOnIntermediate-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectNoExtensionsOnIntermediate: true,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
"-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
"-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
})
// Test that extensions are not sent on client certificates.
testCases = append(testCases, testCase{
name: "SendNoClientCertificateExtensions-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-ocsp-response",
base64.StdEncoding.EncodeToString(testOCSPResponse),
"-signed-cert-timestamps",
base64.StdEncoding.EncodeToString(testSCTList),
},
})
testCases = append(testCases, testCase{
name: "SendDuplicateExtensionsOnCerts-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendDuplicateCertExtensions: true,
},
},
flags: []string{
"-enable-ocsp-stapling",
"-enable-signed-cert-timestamps",
},
resumeSession: true,
shouldFail: true,
expectedError: ":DUPLICATE_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampListInvalid-Server",
testType: serverTest,
flags: []string{
"-signed-cert-timestamps",
base64.StdEncoding.EncodeToString([]byte{0, 0}),
},
shouldFail: true,
expectedError: ":INVALID_SCT_LIST:",
})
}
func addResumptionVersionTests() {
for _, sessionVers := range tlsVersions {
for _, resumeVers := range tlsVersions {
// SSL 3.0 does not have tickets and TLS 1.3 does not
// have session IDs, so skip their cross-resumption
// tests.
if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
(resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
continue
}
protocols := []protocol{tls}
if sessionVers.hasDTLS && resumeVers.hasDTLS {
protocols = append(protocols, dtls)
}
for _, protocol := range protocols {
suffix := "-" + sessionVers.name + "-" + resumeVers.name
if protocol == dtls {
suffix += "-DTLS"
}
if sessionVers.version == resumeVers.version {
testCases = append(testCases, testCase{
protocol: protocol,
name: "Resume-Client" + suffix,
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
Bugs: ProtocolBugs{
ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
},
},
expectedVersion: sessionVers.version,
expectedResumeVersion: resumeVers.version,
})
} else {
error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
// Offering a TLS 1.3 session sends an empty session ID, so
// there is no way to convince a non-lookahead client the
// session was resumed. It will appear to the client that a
// stray ChangeCipherSpec was sent.
if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
error = ":UNEXPECTED_RECORD:"
}
testCases = append(testCases, testCase{
protocol: protocol,
name: "Resume-Client-Mismatch" + suffix,
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
},
expectedVersion: sessionVers.version,
resumeConfig: &Config{
MaxVersion: resumeVers.version,
Bugs: ProtocolBugs{
AcceptAnySession: true,
},
},
expectedResumeVersion: resumeVers.version,
shouldFail: true,
expectedError: error,
})
}
testCases = append(testCases, testCase{
protocol: protocol,
name: "Resume-Client-NoResume" + suffix,
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
},
expectedVersion: sessionVers.version,
resumeConfig: &Config{
MaxVersion: resumeVers.version,
},
newSessionsOnResume: true,
expectResumeRejected: true,
expectedResumeVersion: resumeVers.version,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "Resume-Server" + suffix,
resumeSession: true,
config: Config{
MaxVersion: sessionVers.version,
},
expectedVersion: sessionVers.version,
expectResumeRejected: sessionVers.version != resumeVers.version,
resumeConfig: &Config{
MaxVersion: resumeVers.version,
Bugs: ProtocolBugs{
SendBothTickets: true,
},
},
expectedResumeVersion: resumeVers.version,
})
}
}
}
// Make sure shim ticket mutations are functional.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ShimTicketRewritable",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
FilterTicket: func(in []byte) ([]byte, error) {
in, err := SetShimTicketVersion(in, VersionTLS12)
if err != nil {
return nil, err
}
return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
})
// Resumptions are declined if the version does not match.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-DeclineCrossVersion",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectNewTicket: true,
FilterTicket: func(in []byte) ([]byte, error) {
return SetShimTicketVersion(in, VersionTLS13)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
expectResumeRejected: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-DeclineCrossVersion-TLS13",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
FilterTicket: func(in []byte) ([]byte, error) {
return SetShimTicketVersion(in, VersionTLS12)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
expectResumeRejected: true,
})
// Resumptions are declined if the cipher is invalid or disabled.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-DeclineBadCipher",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectNewTicket: true,
FilterTicket: func(in []byte) ([]byte, error) {
return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
expectResumeRejected: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-DeclineBadCipher-2",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectNewTicket: true,
FilterTicket: func(in []byte) ([]byte, error) {
return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
},
},
},
flags: []string{
"-cipher", "AES128",
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
expectResumeRejected: true,
})
// Sessions are not resumed if they do not use the preferred cipher.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-CipherNotPreferred",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectNewTicket: true,
FilterTicket: func(in []byte) ([]byte, error) {
return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
shouldFail: false,
expectResumeRejected: true,
})
// TLS 1.3 allows sessions to be resumed at a different cipher if their
// PRF hashes match, but BoringSSL will always decline such resumptions.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-CipherNotPreferred-TLS13",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
FilterTicket: func(in []byte) ([]byte, error) {
// If the client (runner) offers ChaCha20-Poly1305 first, the
// server (shim) always prefers it. Switch it to AES-GCM.
return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
shouldFail: false,
expectResumeRejected: true,
})
// Sessions may not be resumed if they contain another version's cipher.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-DeclineBadCipher-TLS13",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
FilterTicket: func(in []byte) ([]byte, error) {
return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
},
},
},
flags: []string{
"-ticket-key",
base64.StdEncoding.EncodeToString(TestShimTicketKey),
},
expectResumeRejected: true,
})
// If the client does not offer the cipher from the session, decline to
// resume. Clients are forbidden from doing this, but BoringSSL selects
// the cipher first, so we only decline.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-UnofferedCipher",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
},
resumeConfig: &Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
Bugs: ProtocolBugs{
SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
},
},
expectResumeRejected: true,
})
// In TLS 1.3, clients may advertise a cipher list which does not
// include the selected cipher. Test that we tolerate this. Servers may
// resume at another cipher if the PRF matches, but BoringSSL will
// always decline.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-UnofferedCipher-TLS13",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
Bugs: ProtocolBugs{
SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
},
},
expectResumeRejected: true,
})
// Sessions may not be resumed at a different cipher.
testCases = append(testCases, testCase{
name: "Resume-Client-CipherMismatch",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
},
resumeConfig: &Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
},
},
shouldFail: true,
expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
})
// Session resumption in TLS 1.3 may change the cipher suite if the PRF
// matches.
testCases = append(testCases, testCase{
name: "Resume-Client-CipherMismatch-TLS13",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
},
})
// Session resumption in TLS 1.3 is forbidden if the PRF does not match.
testCases = append(testCases, testCase{
name: "Resume-Client-PRFMismatch-TLS13",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SendCipherSuite: TLS_AES_256_GCM_SHA384,
},
},
shouldFail: true,
expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-BinderWrongLength",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendShortPSKBinder: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decrypting message",
expectedError: ":DIGEST_CHECK_FAILED:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-NoPSKBinder",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendNoPSKBinder: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decoding message",
expectedError: ":DECODE_ERROR:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-ExtraPSKBinder",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendExtraPSKBinder: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: illegal parameter",
expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-ExtraIdentityNoBinder",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExtraPSKIdentity: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: illegal parameter",
expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-InvalidPSKBinder",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendInvalidPSKBinder: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decrypting message",
expectedError: ":DIGEST_CHECK_FAILED:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Resume-Server-PSKBinderFirstExtension",
resumeSession: true,
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
PSKBinderFirst: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: illegal parameter",
expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
})
}
func addRenegotiationTests() {
// Servers cannot renegotiate.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-Forbidden",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
shouldFail: true,
expectedError: ":NO_RENEGOTIATION:",
expectedLocalError: "remote error: no renegotiation",
})
// The server shouldn't echo the renegotiation extension unless
// requested by the client.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-NoExt",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoRenegotiationInfo: true,
RequireRenegotiationInfo: true,
},
},
shouldFail: true,
expectedLocalError: "renegotiation extension missing",
})
// The renegotiation SCSV should be sufficient for the server to echo
// the extension.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Renegotiate-Server-NoExt-SCSV",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoRenegotiationInfo: true,
SendRenegotiationSCSV: true,
RequireRenegotiationInfo: true,
},
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
FailIfResumeOnRenego: true,
},
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-EmptyExt",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
EmptyRenegotiationInfo: true,
},
},
flags: []string{"-renegotiate-freely"},
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-BadExt",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadRenegotiationInfo: true,
},
},
flags: []string{"-renegotiate-freely"},
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Downgrade",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoRenegotiationInfoAfterInitial: true,
},
},
flags: []string{"-renegotiate-freely"},
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Upgrade",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoRenegotiationInfoInInitial: true,
},
},
flags: []string{"-renegotiate-freely"},
shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-NoExt-Allowed",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoRenegotiationInfo: true,
},
},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
// Test that the server may switch ciphers on renegotiation without
// problems.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-SwitchCiphers",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
},
renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-SwitchCiphers2",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
},
renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
// Test that the server may not switch versions on renegotiation.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-SwitchVersion",
config: Config{
MaxVersion: VersionTLS12,
// Pick a cipher which exists at both versions.
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
NegotiateVersionOnRenego: VersionTLS11,
// Avoid failing early at the record layer.
SendRecordVersion: VersionTLS12,
},
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: ":WRONG_SSL_VERSION:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-SameClientVersion",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS10,
Bugs: ProtocolBugs{
RequireSameRenegoClientVersion: true,
},
},
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-FalseStart",
renegotiate: 1,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
},
flags: []string{
"-false-start",
"-select-next-proto", "foo",
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shimWritesFirst: true,
})
// Client-side renegotiation controls.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Forbidden-1",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
shouldFail: true,
expectedError: ":NO_RENEGOTIATION:",
expectedLocalError: "remote error: no renegotiation",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Once-1",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
flags: []string{
"-renegotiate-once",
"-expect-total-renegotiations", "1",
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Freely-1",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Once-2",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 2,
flags: []string{"-renegotiate-once"},
shouldFail: true,
expectedError: ":NO_RENEGOTIATION:",
expectedLocalError: "remote error: no renegotiation",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Freely-2",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 2,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "2",
},
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-NoIgnore",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendHelloRequestBeforeEveryAppDataRecord: true,
},
},
shouldFail: true,
expectedError: ":NO_RENEGOTIATION:",
})
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Ignore",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendHelloRequestBeforeEveryAppDataRecord: true,
},
},
flags: []string{
"-renegotiate-ignore",
"-expect-total-renegotiations", "0",
},
})
// Renegotiation is not allowed at SSL 3.0.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-SSL3",
config: Config{
MaxVersion: VersionSSL30,
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: ":NO_RENEGOTIATION:",
expectedLocalError: "remote error: no renegotiation",
})
// Renegotiation is not allowed when there is an unfinished write.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-UnfinishedWrite",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
flags: []string{
"-async",
"-renegotiate-freely",
"-read-with-unfinished-write",
},
shouldFail: true,
expectedError: ":NO_RENEGOTIATION:",
// We do not successfully send the no_renegotiation alert in
// this case. https://crbug.com/boringssl/130
})
// Stray HelloRequests during the handshake are ignored in TLS 1.2.
testCases = append(testCases, testCase{
name: "StrayHelloRequest",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendHelloRequestBeforeEveryHandshakeMessage: true,
},
},
})
testCases = append(testCases, testCase{
name: "StrayHelloRequest-Packed",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
PackHandshakeFlight: true,
SendHelloRequestBeforeEveryHandshakeMessage: true,
},
},
})
// Test renegotiation works if HelloRequest and server Finished come in
// the same record.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-Packed",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
PackHandshakeFlight: true,
PackHelloRequestWithFinished: true,
},
},
renegotiate: 1,
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
// Renegotiation is forbidden in TLS 1.3.
testCases = append(testCases, testCase{
name: "Renegotiate-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendHelloRequestBeforeEveryAppDataRecord: true,
},
},
flags: []string{
"-renegotiate-freely",
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
// Stray HelloRequests during the handshake are forbidden in TLS 1.3.
testCases = append(testCases, testCase{
name: "StrayHelloRequest-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendHelloRequestBeforeEveryHandshakeMessage: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
}
func addDTLSReplayTests() {
// Test that sequence number replays are detected.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Replay",
messageCount: 200,
replayWrites: true,
})
// Test the incoming sequence number skipping by values larger
// than the retransmit window.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Replay-LargeGaps",
config: Config{
Bugs: ProtocolBugs{
SequenceNumberMapping: func(in uint64) uint64 {
return in * 127
},
},
},
messageCount: 200,
replayWrites: true,
})
// Test the incoming sequence number changing non-monotonically.
testCases = append(testCases, testCase{
protocol: dtls,
name: "DTLS-Replay-NonMonotonic",
config: Config{
Bugs: ProtocolBugs{
SequenceNumberMapping: func(in uint64) uint64 {
return in ^ 31
},
},
},
messageCount: 200,
replayWrites: true,
})
}
var testSignatureAlgorithms = []struct {
name string
id signatureAlgorithm
cert testCert
}{
{"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
{"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
{"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
{"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
{"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
{"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
{"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
{"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
{"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
{"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
{"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
// Tests for key types prior to TLS 1.2.
{"RSA", 0, testCertRSA},
{"ECDSA", 0, testCertECDSAP256},
}
const fakeSigAlg1 signatureAlgorithm = 0x2a01
const fakeSigAlg2 signatureAlgorithm = 0xff01
func addSignatureAlgorithmTests() {
// Not all ciphers involve a signature. Advertise a list which gives all
// versions a signing cipher.
signingCiphers := []uint16{
TLS_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
}
var allAlgorithms []signatureAlgorithm
for _, alg := range testSignatureAlgorithms {
if alg.id != 0 {
allAlgorithms = append(allAlgorithms, alg.id)
}
}
// Make sure each signature algorithm works. Include some fake values in
// the list and ensure they're ignored.
for _, alg := range testSignatureAlgorithms {
for _, ver := range tlsVersions {
if (ver.version < VersionTLS12) != (alg.id == 0) {
continue
}
// TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
// or remove it in C.
if ver.version == VersionSSL30 && alg.cert != testCertRSA {
continue
}
var shouldSignFail, shouldVerifyFail bool
// ecdsa_sha1 does not exist in TLS 1.3.
if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
shouldSignFail = true
shouldVerifyFail = true
}
// RSA-PKCS1 does not exist in TLS 1.3.
if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
shouldSignFail = true
shouldVerifyFail = true
}
// BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
shouldVerifyFail = true
}
var signError, verifyError string
if shouldSignFail {
signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
}
if shouldVerifyFail {
verifyError = ":WRONG_SIGNATURE_TYPE:"
}
suffix := "-" + alg.name + "-" + ver.name
testCases = append(testCases, testCase{
name: "ClientAuth-Sign" + suffix,
config: Config{
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
fakeSigAlg1,
alg.id,
fakeSigAlg2,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
"-enable-all-curves",
},
shouldFail: shouldSignFail,
expectedError: signError,
expectedPeerSignatureAlgorithm: alg.id,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-Verify" + suffix,
config: Config{
MaxVersion: ver.version,
Certificates: []Certificate{getRunnerCertificate(alg.cert)},
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
Bugs: ProtocolBugs{
SkipECDSACurveCheck: shouldVerifyFail,
IgnoreSignatureVersionChecks: shouldVerifyFail,
// Some signature algorithms may not be advertised.
IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
},
},
flags: []string{
"-require-any-client-certificate",
"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
"-enable-all-curves",
},
// Resume the session to assert the peer signature
// algorithm is reported on both handshakes.
resumeSession: !shouldVerifyFail,
shouldFail: shouldVerifyFail,
expectedError: verifyError,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-Sign" + suffix,
config: Config{
MaxVersion: ver.version,
CipherSuites: signingCiphers,
VerifySignatureAlgorithms: []signatureAlgorithm{
fakeSigAlg1,
alg.id,
fakeSigAlg2,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
"-enable-all-curves",
},
shouldFail: shouldSignFail,
expectedError: signError,
expectedPeerSignatureAlgorithm: alg.id,
})
testCases = append(testCases, testCase{
name: "ServerAuth-Verify" + suffix,
config: Config{
MaxVersion: ver.version,
Certificates: []Certificate{getRunnerCertificate(alg.cert)},
CipherSuites: signingCiphers,
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
Bugs: ProtocolBugs{
SkipECDSACurveCheck: shouldVerifyFail,
IgnoreSignatureVersionChecks: shouldVerifyFail,
// Some signature algorithms may not be advertised.
IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
},
},
flags: []string{
"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
"-enable-all-curves",
},
// Resume the session to assert the peer signature
// algorithm is reported on both handshakes.
resumeSession: !shouldVerifyFail,
shouldFail: shouldVerifyFail,
expectedError: verifyError,
})
if !shouldVerifyFail {
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-InvalidSignature" + suffix,
config: Config{
MaxVersion: ver.version,
Certificates: []Certificate{getRunnerCertificate(alg.cert)},
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
Bugs: ProtocolBugs{
InvalidSignature: true,
},
},
flags: []string{
"-require-any-client-certificate",
"-enable-all-curves",
},
shouldFail: true,
expectedError: ":BAD_SIGNATURE:",
})
testCases = append(testCases, testCase{
name: "ServerAuth-InvalidSignature" + suffix,
config: Config{
MaxVersion: ver.version,
Certificates: []Certificate{getRunnerCertificate(alg.cert)},
CipherSuites: signingCiphers,
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
Bugs: ProtocolBugs{
InvalidSignature: true,
},
},
flags: []string{"-enable-all-curves"},
shouldFail: true,
expectedError: ":BAD_SIGNATURE:",
})
}
if ver.version >= VersionTLS12 && !shouldSignFail {
testCases = append(testCases, testCase{
name: "ClientAuth-Sign-Negotiate" + suffix,
config: Config{
MaxVersion: ver.version,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: allAlgorithms,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
"-enable-all-curves",
"-signing-prefs", strconv.Itoa(int(alg.id)),
},
expectedPeerSignatureAlgorithm: alg.id,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-Sign-Negotiate" + suffix,
config: Config{
MaxVersion: ver.version,
CipherSuites: signingCiphers,
VerifySignatureAlgorithms: allAlgorithms,
},
flags: []string{
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
"-enable-all-curves",
"-signing-prefs", strconv.Itoa(int(alg.id)),
},
expectedPeerSignatureAlgorithm: alg.id,
})
}
}
}
// Test that algorithm selection takes the key type into account.
testCases = append(testCases, testCase{
name: "ClientAuth-SignatureType",
config: Config{
ClientAuth: RequireAnyClientCert,
MaxVersion: VersionTLS12,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP521AndSHA512,
signatureRSAPKCS1WithSHA384,
signatureECDSAWithSHA1,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
})
testCases = append(testCases, testCase{
name: "ClientAuth-SignatureType-TLS13",
config: Config{
ClientAuth: RequireAnyClientCert,
MaxVersion: VersionTLS13,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP521AndSHA512,
signatureRSAPKCS1WithSHA384,
signatureRSAPSSWithSHA384,
signatureECDSAWithSHA1,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-SignatureType",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP521AndSHA512,
signatureRSAPKCS1WithSHA384,
signatureECDSAWithSHA1,
},
},
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-SignatureType-TLS13",
config: Config{
MaxVersion: VersionTLS13,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP521AndSHA512,
signatureRSAPKCS1WithSHA384,
signatureRSAPSSWithSHA384,
signatureECDSAWithSHA1,
},
},
expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
})
// Test that signature verification takes the key type into account.
testCases = append(testCases, testCase{
testType: serverTest,
name: "Verify-ClientAuth-SignatureType",
config: Config{
MaxVersion: VersionTLS12,
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
},
Bugs: ProtocolBugs{
SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
},
},
flags: []string{
"-require-any-client-certificate",
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "Verify-ClientAuth-SignatureType-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
},
Bugs: ProtocolBugs{
SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
},
},
flags: []string{
"-require-any-client-certificate",
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
name: "Verify-ServerAuth-SignatureType",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
},
Bugs: ProtocolBugs{
SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
name: "Verify-ServerAuth-SignatureType-TLS13",
config: Config{
MaxVersion: VersionTLS13,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
},
Bugs: ProtocolBugs{
SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
// Test that, if the list is missing, the peer falls back to SHA-1 in
// TLS 1.2, but not TLS 1.3.
testCases = append(testCases, testCase{
name: "ClientAuth-SHA1-Fallback-RSA",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
NoSignatureAlgorithms: true,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-SHA1-Fallback-RSA",
config: Config{
MaxVersion: VersionTLS12,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
NoSignatureAlgorithms: true,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
})
testCases = append(testCases, testCase{
name: "ClientAuth-SHA1-Fallback-ECDSA",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithSHA1,
},
Bugs: ProtocolBugs{
NoSignatureAlgorithms: true,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-SHA1-Fallback-ECDSA",
config: Config{
MaxVersion: VersionTLS12,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithSHA1,
},
Bugs: ProtocolBugs{
NoSignatureAlgorithms: true,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
})
testCases = append(testCases, testCase{
name: "ClientAuth-NoFallback-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
NoSignatureAlgorithms: true,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
shouldFail: true,
// An empty CertificateRequest signature algorithm list is a
// syntax error in TLS 1.3.
expectedError: ":DECODE_ERROR:",
expectedLocalError: "remote error: error decoding message",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ServerAuth-NoFallback-TLS13",
config: Config{
MaxVersion: VersionTLS13,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
Bugs: ProtocolBugs{
NoSignatureAlgorithms: true,
},
},
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
// Test that hash preferences are enforced. BoringSSL does not implement
// MD5 signatures.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-Enforced",
config: Config{
MaxVersion: VersionTLS12,
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
},
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
name: "ServerAuth-Enforced",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ClientAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{rsaCertificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
IgnoreSignatureVersionChecks: true,
},
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
testCases = append(testCases, testCase{
name: "ServerAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
IgnoreSignatureVersionChecks: true,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
// Test that the agreed upon digest respects the client preferences and
// the server digests.
testCases = append(testCases, testCase{
name: "NoCommonAlgorithms-Digests",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA512,
signatureRSAPKCS1WithSHA1,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-digest-prefs", "SHA256",
},
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
testCases = append(testCases, testCase{
name: "NoCommonAlgorithms",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA512,
signatureRSAPKCS1WithSHA1,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
},
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
testCases = append(testCases, testCase{
name: "NoCommonAlgorithms-TLS13",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA512,
signatureRSAPSSWithSHA384,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
},
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
testCases = append(testCases, testCase{
name: "Agree-Digest-SHA256",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
signatureRSAPKCS1WithSHA256,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-digest-prefs", "SHA256,SHA1",
},
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
})
testCases = append(testCases, testCase{
name: "Agree-Digest-SHA1",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA1,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-digest-prefs", "SHA512,SHA256,SHA1",
},
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
})
testCases = append(testCases, testCase{
name: "Agree-Digest-Default",
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
signatureECDSAWithP256AndSHA256,
signatureRSAPKCS1WithSHA1,
signatureECDSAWithSHA1,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
})
// Test that the signing preference list may include extra algorithms
// without negotiation problems.
testCases = append(testCases, testCase{
testType: serverTest,
name: "FilterExtraAlgorithms",
config: Config{
MaxVersion: VersionTLS12,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
"-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
"-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
"-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
},
expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
})
// In TLS 1.2 and below, ECDSA uses the curve list rather than the
// signature algorithms.
testCases = append(testCases, testCase{
name: "CheckLeafCurve",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
},
flags: []string{"-p384-only"},
shouldFail: true,
expectedError: ":BAD_ECC_CERT:",
})
// In TLS 1.3, ECDSA does not use the ECDHE curve list.
testCases = append(testCases, testCase{
name: "CheckLeafCurve-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{ecdsaP256Certificate},
},
flags: []string{"-p384-only"},
})
// In TLS 1.2, the ECDSA curve is not in the signature algorithm.
testCases = append(testCases, testCase{
name: "ECDSACurveMismatch-Verify-TLS12",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
Certificates: []Certificate{ecdsaP256Certificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
},
},
})
// In TLS 1.3, the ECDSA curve comes from the signature algorithm.
testCases = append(testCases, testCase{
name: "ECDSACurveMismatch-Verify-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Certificates: []Certificate{ecdsaP256Certificate},
SignSignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
},
Bugs: ProtocolBugs{
SkipECDSACurveCheck: true,
},
},
shouldFail: true,
expectedError: ":WRONG_SIGNATURE_TYPE:",
})
// Signature algorithm selection in TLS 1.3 should take the curve into
// account.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ECDSACurveMismatch-Sign-TLS13",
config: Config{
MaxVersion: VersionTLS13,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
signatureECDSAWithP256AndSHA256,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
},
expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
})
// RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
// server does not attempt to sign in that case.
testCases = append(testCases, testCase{
testType: serverTest,
name: "RSA-PSS-Large",
config: Config{
MaxVersion: VersionTLS13,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA512,
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
"-key-file", path.Join(*resourceDir, rsa1024KeyFile),
},
shouldFail: true,
expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
})
// Test that RSA-PSS is enabled by default for TLS 1.2.
testCases = append(testCases, testCase{
testType: clientTest,
name: "RSA-PSS-Default-Verify",
config: Config{
MaxVersion: VersionTLS12,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
},
},
flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "RSA-PSS-Default-Sign",
config: Config{
MaxVersion: VersionTLS12,
VerifySignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
},
},
flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
})
}
// timeouts is the retransmit schedule for BoringSSL. It doubles and
// caps at 60 seconds. On the 13th timeout, it gives up.
var timeouts = []time.Duration{
1 * time.Second,
2 * time.Second,
4 * time.Second,
8 * time.Second,
16 * time.Second,
32 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
}
// shortTimeouts is an alternate set of timeouts which would occur if the
// initial timeout duration was set to 250ms.
var shortTimeouts = []time.Duration{
250 * time.Millisecond,
500 * time.Millisecond,
1 * time.Second,
2 * time.Second,
4 * time.Second,
8 * time.Second,
16 * time.Second,
32 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
60 * time.Second,
}
func addDTLSRetransmitTests() {
// These tests work by coordinating some behavior on both the shim and
// the runner.
//
// TimeoutSchedule configures the runner to send a series of timeout
// opcodes to the shim (see packetAdaptor) immediately before reading
// each peer handshake flight N. The timeout opcode both simulates a
// timeout in the shim and acts as a synchronization point to help the
// runner bracket each handshake flight.
//
// We assume the shim does not read from the channel eagerly. It must
// first wait until it has sent flight N and is ready to receive
// handshake flight N+1. At this point, it will process the timeout
// opcode. It must then immediately respond with a timeout ACK and act
// as if the shim was idle for the specified amount of time.
//
// The runner then drops all packets received before the ACK and
// continues waiting for flight N. This ordering results in one attempt
// at sending flight N to be dropped. For the test to complete, the
// shim must send flight N again, testing that the shim implements DTLS
// retransmit on a timeout.
// TODO(davidben): Add DTLS 1.3 versions of these tests. There will
// likely be more epochs to cross and the final message's retransmit may
// be more complex.
for _, async := range []bool{true, false} {
var tests []testCase
// Test that this is indeed the timeout schedule. Stress all
// four patterns of handshake.
for i := 1; i < len(timeouts); i++ {
number := strconv.Itoa(i)
tests = append(tests, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Client-" + number,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: timeouts[:i],
},
},
resumeSession: true,
})
tests = append(tests, testCase{
protocol: dtls,
testType: serverTest,
name: "DTLS-Retransmit-Server-" + number,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: timeouts[:i],
},
},
resumeSession: true,
})
}
// Test that exceeding the timeout schedule hits a read
// timeout.
tests = append(tests, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Timeout",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: timeouts,
},
},
resumeSession: true,
shouldFail: true,
expectedError: ":READ_TIMEOUT_EXPIRED:",
})
if async {
// Test that timeout handling has a fudge factor, due to API
// problems.
tests = append(tests, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Fudge",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: []time.Duration{
timeouts[0] - 10*time.Millisecond,
},
},
},
resumeSession: true,
})
}
// Test that the final Finished retransmitting isn't
// duplicated if the peer badly fragments everything.
tests = append(tests, testCase{
testType: serverTest,
protocol: dtls,
name: "DTLS-Retransmit-Fragmented",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: []time.Duration{timeouts[0]},
MaxHandshakeRecordLength: 2,
},
},
})
// Test the timeout schedule when a shorter initial timeout duration is set.
tests = append(tests, testCase{
protocol: dtls,
name: "DTLS-Retransmit-Short-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
},
},
resumeSession: true,
flags: []string{"-initial-timeout-duration-ms", "250"},
})
tests = append(tests, testCase{
protocol: dtls,
testType: serverTest,
name: "DTLS-Retransmit-Short-Server",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
},
},
resumeSession: true,
flags: []string{"-initial-timeout-duration-ms", "250"},
})
for _, test := range tests {
if async {
test.name += "-Async"
test.flags = append(test.flags, "-async")
}
testCases = append(testCases, test)
}
}
}
func addExportKeyingMaterialTests() {
for _, vers := range tlsVersions {
if vers.version == VersionSSL30 {
continue
}
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-" + vers.name,
config: Config{
MaxVersion: vers.version,
},
exportKeyingMaterial: 1024,
exportLabel: "label",
exportContext: "context",
useExportContext: true,
})
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-NoContext-" + vers.name,
config: Config{
MaxVersion: vers.version,
},
exportKeyingMaterial: 1024,
})
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
config: Config{
MaxVersion: vers.version,
},
exportKeyingMaterial: 1024,
useExportContext: true,
})
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-Small-" + vers.name,
config: Config{
MaxVersion: vers.version,
},
exportKeyingMaterial: 1,
exportLabel: "label",
exportContext: "context",
useExportContext: true,
})
}
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-SSL3",
config: Config{
MaxVersion: VersionSSL30,
},
exportKeyingMaterial: 1024,
exportLabel: "label",
exportContext: "context",
useExportContext: true,
shouldFail: true,
expectedError: "failed to export keying material",
})
// Exporters work during a False Start.
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-FalseStart",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
Bugs: ProtocolBugs{
ExpectFalseStart: true,
},
},
flags: []string{
"-false-start",
"-advertise-alpn", "\x03foo",
},
shimWritesFirst: true,
exportKeyingMaterial: 1024,
exportLabel: "label",
exportContext: "context",
useExportContext: true,
})
// Exporters do not work in the middle of a renegotiation. Test this by
// triggering the exporter after every SSL_read call and configuring the
// shim to run asynchronously.
testCases = append(testCases, testCase{
name: "ExportKeyingMaterial-Renegotiate",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
flags: []string{
"-async",
"-use-exporter-between-reads",
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
shouldFail: true,
expectedError: "failed to export keying material",
})
}
func addTLSUniqueTests() {
for _, isClient := range []bool{false, true} {
for _, isResumption := range []bool{false, true} {
for _, hasEMS := range []bool{false, true} {
var suffix string
if isResumption {
suffix = "Resume-"
} else {
suffix = "Full-"
}
if hasEMS {
suffix += "EMS-"
} else {
suffix += "NoEMS-"
}
if isClient {
suffix += "Client"
} else {
suffix += "Server"
}
test := testCase{
name: "TLSUnique-" + suffix,
testTLSUnique: true,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: !hasEMS,
},
},
}
if isResumption {
test.resumeSession = true
test.resumeConfig = &Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
NoExtendedMasterSecret: !hasEMS,
},
}
}
if isResumption && !hasEMS {
test.shouldFail = true
test.expectedError = "failed to get tls-unique"
}
testCases = append(testCases, test)
}
}
}
}
func addCustomExtensionTests() {
expectedContents := "custom extension"
emptyString := ""
for _, isClient := range []bool{false, true} {
suffix := "Server"
flag := "-enable-server-custom-extension"
testType := serverTest
if isClient {
suffix = "Client"
flag = "-enable-client-custom-extension"
testType = clientTest
}
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-" + suffix,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
CustomExtension: expectedContents,
ExpectedCustomExtension: &expectedContents,
},
},
flags: []string{flag},
})
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-" + suffix + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomExtension: expectedContents,
ExpectedCustomExtension: &expectedContents,
},
},
flags: []string{flag},
})
// If the parse callback fails, the handshake should also fail.
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-ParseError-" + suffix,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
CustomExtension: expectedContents + "foo",
ExpectedCustomExtension: &expectedContents,
},
},
flags: []string{flag},
shouldFail: true,
expectedError: ":CUSTOM_EXTENSION_ERROR:",
})
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomExtension: expectedContents + "foo",
ExpectedCustomExtension: &expectedContents,
},
},
flags: []string{flag},
shouldFail: true,
expectedError: ":CUSTOM_EXTENSION_ERROR:",
})
// If the add callback fails, the handshake should also fail.
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-FailAdd-" + suffix,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
CustomExtension: expectedContents,
ExpectedCustomExtension: &expectedContents,
},
},
flags: []string{flag, "-custom-extension-fail-add"},
shouldFail: true,
expectedError: ":CUSTOM_EXTENSION_ERROR:",
})
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomExtension: expectedContents,
ExpectedCustomExtension: &expectedContents,
},
},
flags: []string{flag, "-custom-extension-fail-add"},
shouldFail: true,
expectedError: ":CUSTOM_EXTENSION_ERROR:",
})
// If the add callback returns zero, no extension should be
// added.
skipCustomExtension := expectedContents
if isClient {
// For the case where the client skips sending the
// custom extension, the server must not “echo” it.
skipCustomExtension = ""
}
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-Skip-" + suffix,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
CustomExtension: skipCustomExtension,
ExpectedCustomExtension: &emptyString,
},
},
flags: []string{flag, "-custom-extension-skip"},
})
testCases = append(testCases, testCase{
testType: testType,
name: "CustomExtensions-Skip-" + suffix + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomExtension: skipCustomExtension,
ExpectedCustomExtension: &emptyString,
},
},
flags: []string{flag, "-custom-extension-skip"},
})
}
// The custom extension add callback should not be called if the client
// doesn't send the extension.
testCases = append(testCases, testCase{
testType: serverTest,
name: "CustomExtensions-NotCalled-Server",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
ExpectedCustomExtension: &emptyString,
},
},
flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "CustomExtensions-NotCalled-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectedCustomExtension: &emptyString,
},
},
flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
})
// Test an unknown extension from the server.
testCases = append(testCases, testCase{
testType: clientTest,
name: "UnknownExtension-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
CustomExtension: expectedContents,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
expectedLocalError: "remote error: unsupported extension",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "UnknownExtension-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomExtension: expectedContents,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
expectedLocalError: "remote error: unsupported extension",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "UnknownUnencryptedExtension-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomUnencryptedExtension: expectedContents,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
// The shim must send an alert, but alerts at this point do not
// get successfully decrypted by the runner.
expectedLocalError: "local error: bad record MAC",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "UnexpectedUnencryptedExtension-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendUnencryptedALPN: "foo",
},
},
flags: []string{
"-advertise-alpn", "\x03foo\x03bar",
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
// The shim must send an alert, but alerts at this point do not
// get successfully decrypted by the runner.
expectedLocalError: "local error: bad record MAC",
})
// Test a known but unoffered extension from the server.
testCases = append(testCases, testCase{
testType: clientTest,
name: "UnofferedExtension-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendALPN: "alpn",
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
expectedLocalError: "remote error: unsupported extension",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "UnofferedExtension-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendALPN: "alpn",
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
expectedLocalError: "remote error: unsupported extension",
})
}
func addRSAClientKeyExchangeTests() {
for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
testCases = append(testCases, testCase{
testType: serverTest,
name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
config: Config{
// Ensure the ClientHello version and final
// version are different, to detect if the
// server uses the wrong one.
MaxVersion: VersionTLS11,
CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Bugs: ProtocolBugs{
BadRSAClientKeyExchange: bad,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
}
// The server must compare whatever was in ClientHello.version for the
// RSA premaster.
testCases = append(testCases, testCase{
testType: serverTest,
name: "SendClientVersion-RSA",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SendClientVersion: 0x1234,
},
},
flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
})
}
var testCurves = []struct {
name string
id CurveID
}{
{"P-256", CurveP256},
{"P-384", CurveP384},
{"P-521", CurveP521},
{"X25519", CurveX25519},
}
const bogusCurve = 0x1234
func addCurveTests() {
for _, curve := range testCurves {
testCases = append(testCases, testCase{
name: "CurveTest-Client-" + curve.name,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{curve.id},
},
flags: []string{
"-enable-all-curves",
"-expect-curve-id", strconv.Itoa(int(curve.id)),
},
expectedCurveID: curve.id,
})
testCases = append(testCases, testCase{
name: "CurveTest-Client-" + curve.name + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{curve.id},
},
flags: []string{
"-enable-all-curves",
"-expect-curve-id", strconv.Itoa(int(curve.id)),
},
expectedCurveID: curve.id,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "CurveTest-Server-" + curve.name,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{curve.id},
},
flags: []string{
"-enable-all-curves",
"-expect-curve-id", strconv.Itoa(int(curve.id)),
},
expectedCurveID: curve.id,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "CurveTest-Server-" + curve.name + "-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{curve.id},
},
flags: []string{
"-enable-all-curves",
"-expect-curve-id", strconv.Itoa(int(curve.id)),
},
expectedCurveID: curve.id,
})
}
// The server must be tolerant to bogus curves.
testCases = append(testCases, testCase{
testType: serverTest,
name: "UnknownCurve",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{bogusCurve, CurveP256},
},
})
// The server must be tolerant to bogus curves.
testCases = append(testCases, testCase{
testType: serverTest,
name: "UnknownCurve-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{bogusCurve, CurveP256},
},
})
// The server must not consider ECDHE ciphers when there are no
// supported curves.
testCases = append(testCases, testCase{
testType: serverTest,
name: "NoSupportedCurves",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
NoSupportedCurves: true,
},
},
shouldFail: true,
expectedError: ":NO_SHARED_CIPHER:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "NoSupportedCurves-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
NoSupportedCurves: true,
},
},
shouldFail: true,
expectedError: ":NO_SHARED_GROUP:",
})
// The server must fall back to another cipher when there are no
// supported curves.
testCases = append(testCases, testCase{
testType: serverTest,
name: "NoCommonCurves",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
},
CurvePreferences: []CurveID{CurveP224},
},
expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
})
// The client must reject bogus curves and disabled curves.
testCases = append(testCases, testCase{
name: "BadECDHECurve",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SendCurve: bogusCurve,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "BadECDHECurve-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendCurve: bogusCurve,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "UnsupportedCurve",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{CurveP256},
Bugs: ProtocolBugs{
IgnorePeerCurvePreferences: true,
},
},
flags: []string{"-p384-only"},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
// TODO(davidben): Add a TLS 1.3 version where
// HelloRetryRequest requests an unsupported curve.
name: "UnsupportedCurve-ServerHello-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
SendCurve: CurveP256,
},
},
flags: []string{"-p384-only"},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
// Test invalid curve points.
testCases = append(testCases, testCase{
name: "InvalidECDHPoint-Client",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{CurveP256},
Bugs: ProtocolBugs{
InvalidECDHPoint: true,
},
},
shouldFail: true,
expectedError: ":INVALID_ENCODING:",
})
testCases = append(testCases, testCase{
name: "InvalidECDHPoint-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveP256},
Bugs: ProtocolBugs{
InvalidECDHPoint: true,
},
},
shouldFail: true,
expectedError: ":INVALID_ENCODING:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "InvalidECDHPoint-Server",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{CurveP256},
Bugs: ProtocolBugs{
InvalidECDHPoint: true,
},
},
shouldFail: true,
expectedError: ":INVALID_ENCODING:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "InvalidECDHPoint-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveP256},
Bugs: ProtocolBugs{
InvalidECDHPoint: true,
},
},
shouldFail: true,
expectedError: ":INVALID_ENCODING:",
})
// The previous curve ID should be reported on TLS 1.2 resumption.
testCases = append(testCases, testCase{
name: "CurveID-Resume-Client",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{CurveX25519},
},
flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "CurveID-Resume-Server",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
CurvePreferences: []CurveID{CurveX25519},
},
flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
resumeSession: true,
})
// TLS 1.3 allows resuming at a differet curve. If this happens, the new
// one should be reported.
testCases = append(testCases, testCase{
name: "CurveID-Resume-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveX25519},
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveP256},
},
flags: []string{
"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
"-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
},
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "CurveID-Resume-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveX25519},
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveP256},
},
flags: []string{
"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
"-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
},
resumeSession: true,
})
// Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
testCases = append(testCases, testCase{
name: "PointFormat-ServerHello-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{pointFormatUncompressed},
},
},
})
testCases = append(testCases, testCase{
name: "PointFormat-EncryptedExtensions-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{pointFormatUncompressed},
},
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
// Test that we tolerate unknown point formats, as long as
// pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
// check they are still functional.
testCases = append(testCases, testCase{
name: "PointFormat-Client-Tolerance",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
},
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "PointFormat-Server-Tolerance",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
},
},
})
// Test TLS 1.2 does not require the point format extension to be
// present.
testCases = append(testCases, testCase{
name: "PointFormat-Client-Missing",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{},
},
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "PointFormat-Server-Missing",
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{},
},
},
})
// If the point format extension is present, uncompressed points must be
// offered. BoringSSL requires this whether or not ECDHE is used.
testCases = append(testCases, testCase{
name: "PointFormat-Client-MissingUncompressed",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
},
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "PointFormat-Server-MissingUncompressed",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
},
},
shouldFail: true,
expectedError: ":ERROR_PARSING_EXTENSION:",
})
}
func addTLS13RecordTests() {
testCases = append(testCases, testCase{
name: "TLS13-RecordPadding",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
RecordPadding: 10,
},
},
})
testCases = append(testCases, testCase{
name: "TLS13-EmptyRecords",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
OmitRecordContents: true,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
testCases = append(testCases, testCase{
name: "TLS13-OnlyPadding",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
OmitRecordContents: true,
RecordPadding: 10,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
testCases = append(testCases, testCase{
name: "TLS13-WrongOuterRecord",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
OuterRecordType: recordTypeHandshake,
},
},
shouldFail: true,
expectedError: ":INVALID_OUTER_RECORD_TYPE:",
})
}
func addSessionTicketTests() {
testCases = append(testCases, testCase{
// In TLS 1.2 and below, empty NewSessionTicket messages
// mean the server changed its mind on sending a ticket.
name: "SendEmptySessionTicket",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendEmptySessionTicket: true,
},
},
flags: []string{"-expect-no-session"},
})
// Test that the server ignores unknown PSK modes.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-SendUnknownModeSessionTicket-Server",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
},
},
resumeSession: true,
expectedResumeVersion: VersionTLS13,
})
// Test that the server does not send session tickets with no matching key exchange mode.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendPSKKeyExchangeModes: []byte{0x1a},
ExpectNoNewSessionTicket: true,
},
},
})
// Test that the server does not accept a session with no matching key exchange mode.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-SendBadKEModeSessionTicket-Server",
config: Config{
MaxVersion: VersionTLS13,
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendPSKKeyExchangeModes: []byte{0x1a},
},
},
resumeSession: true,
expectResumeRejected: true,
})
// Test that the client ticket age is sent correctly.
testCases = append(testCases, testCase{
testType: clientTest,
name: "TLS13-TestValidTicketAge-Client",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectTicketAge: 10 * time.Second,
},
},
resumeSession: true,
flags: []string{
"-resumption-delay", "10",
},
})
// Test that the client ticket age is enforced.
testCases = append(testCases, testCase{
testType: clientTest,
name: "TLS13-TestBadTicketAge-Client",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectTicketAge: 1000 * time.Second,
},
},
resumeSession: true,
shouldFail: true,
expectedLocalError: "tls: invalid ticket age",
})
}
func addChangeCipherSpecTests() {
// Test missing ChangeCipherSpecs.
testCases = append(testCases, testCase{
name: "SkipChangeCipherSpec-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SkipChangeCipherSpec: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipChangeCipherSpec-Server",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SkipChangeCipherSpec: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipChangeCipherSpec-Server-NPN",
config: Config{
MaxVersion: VersionTLS12,
NextProtos: []string{"bar"},
Bugs: ProtocolBugs{
SkipChangeCipherSpec: true,
},
},
flags: []string{
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
// Test synchronization between the handshake and ChangeCipherSpec.
// Partial post-CCS handshake messages before ChangeCipherSpec should be
// rejected. Test both with and without handshake packing to handle both
// when the partial post-CCS message is in its own record and when it is
// attached to the pre-CCS message.
for _, packed := range []bool{false, true} {
var suffix string
if packed {
suffix = "-Packed"
}
testCases = append(testCases, testCase{
name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
PackHandshakeFlight: packed,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
resumeSession: true,
resumeConfig: &Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
PackHandshakeFlight: packed,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
PackHandshakeFlight: packed,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
resumeSession: true,
resumeConfig: &Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
PackHandshakeFlight: packed,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
config: Config{
MaxVersion: VersionTLS12,
NextProtos: []string{"bar"},
Bugs: ProtocolBugs{
FragmentAcrossChangeCipherSpec: true,
PackHandshakeFlight: packed,
},
},
flags: []string{
"-advertise-npn", "\x03foo\x03bar\x03baz",
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
}
// Test that, in DTLS, ChangeCipherSpec is not allowed when there are
// messages in the handshake queue. Do this by testing the server
// reading the client Finished, reversing the flight so Finished comes
// first.
testCases = append(testCases, testCase{
protocol: dtls,
testType: serverTest,
name: "SendUnencryptedFinished-DTLS",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
SendUnencryptedFinished: true,
ReverseHandshakeFragments: true,
},
},
shouldFail: true,
expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
})
// Test synchronization between encryption changes and the handshake in
// TLS 1.3, where ChangeCipherSpec is implicit.
testCases = append(testCases, testCase{
name: "PartialEncryptedExtensionsWithServerHello",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
PartialEncryptedExtensionsWithServerHello: true,
},
},
shouldFail: true,
expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "PartialClientFinishedWithClientHello",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
PartialClientFinishedWithClientHello: true,
},
},
shouldFail: true,
expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
})
// Test that early ChangeCipherSpecs are handled correctly.
testCases = append(testCases, testCase{
testType: serverTest,
name: "EarlyChangeCipherSpec-server-1",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
EarlyChangeCipherSpec: 1,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "EarlyChangeCipherSpec-server-2",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
EarlyChangeCipherSpec: 2,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
protocol: dtls,
name: "StrayChangeCipherSpec",
config: Config{
// TODO(davidben): Once DTLS 1.3 exists, test
// that stray ChangeCipherSpec messages are
// rejected.
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
StrayChangeCipherSpec: true,
},
},
})
// Test that the contents of ChangeCipherSpec are checked.
testCases = append(testCases, testCase{
name: "BadChangeCipherSpec-1",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadChangeCipherSpec: []byte{2},
},
},
shouldFail: true,
expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
})
testCases = append(testCases, testCase{
name: "BadChangeCipherSpec-2",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadChangeCipherSpec: []byte{1, 1},
},
},
shouldFail: true,
expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
})
testCases = append(testCases, testCase{
protocol: dtls,
name: "BadChangeCipherSpec-DTLS-1",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadChangeCipherSpec: []byte{2},
},
},
shouldFail: true,
expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
})
testCases = append(testCases, testCase{
protocol: dtls,
name: "BadChangeCipherSpec-DTLS-2",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
BadChangeCipherSpec: []byte{1, 1},
},
},
shouldFail: true,
expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
})
}
type perMessageTest struct {
messageType uint8
test testCase
}
// makePerMessageTests returns a series of test templates which cover each
// message in the TLS handshake. These may be used with bugs like
// WrongMessageType to fully test a per-message bug.
func makePerMessageTests() []perMessageTest {
var ret []perMessageTest
for _, protocol := range []protocol{tls, dtls} {
var suffix string
if protocol == dtls {
suffix = "-DTLS"
}
ret = append(ret, perMessageTest{
messageType: typeClientHello,
test: testCase{
protocol: protocol,
testType: serverTest,
name: "ClientHello" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
if protocol == dtls {
ret = append(ret, perMessageTest{
messageType: typeHelloVerifyRequest,
test: testCase{
protocol: protocol,
name: "HelloVerifyRequest" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
}
ret = append(ret, perMessageTest{
messageType: typeServerHello,
test: testCase{
protocol: protocol,
name: "ServerHello" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificate,
test: testCase{
protocol: protocol,
name: "ServerCertificate" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificateStatus,
test: testCase{
protocol: protocol,
name: "CertificateStatus" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
flags: []string{"-enable-ocsp-stapling"},
},
})
ret = append(ret, perMessageTest{
messageType: typeServerKeyExchange,
test: testCase{
protocol: protocol,
name: "ServerKeyExchange" + suffix,
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificateRequest,
test: testCase{
protocol: protocol,
name: "CertificateRequest" + suffix,
config: Config{
MaxVersion: VersionTLS12,
ClientAuth: RequireAnyClientCert,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeServerHelloDone,
test: testCase{
protocol: protocol,
name: "ServerHelloDone" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificate,
test: testCase{
testType: serverTest,
protocol: protocol,
name: "ClientCertificate" + suffix,
config: Config{
Certificates: []Certificate{rsaCertificate},
MaxVersion: VersionTLS12,
},
flags: []string{"-require-any-client-certificate"},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificateVerify,
test: testCase{
testType: serverTest,
protocol: protocol,
name: "CertificateVerify" + suffix,
config: Config{
Certificates: []Certificate{rsaCertificate},
MaxVersion: VersionTLS12,
},
flags: []string{"-require-any-client-certificate"},
},
})
ret = append(ret, perMessageTest{
messageType: typeClientKeyExchange,
test: testCase{
testType: serverTest,
protocol: protocol,
name: "ClientKeyExchange" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
if protocol != dtls {
ret = append(ret, perMessageTest{
messageType: typeNextProtocol,
test: testCase{
testType: serverTest,
protocol: protocol,
name: "NextProtocol" + suffix,
config: Config{
MaxVersion: VersionTLS12,
NextProtos: []string{"bar"},
},
flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
},
})
ret = append(ret, perMessageTest{
messageType: typeChannelID,
test: testCase{
testType: serverTest,
protocol: protocol,
name: "ChannelID" + suffix,
config: Config{
MaxVersion: VersionTLS12,
ChannelID: channelIDKey,
},
flags: []string{
"-expect-channel-id",
base64.StdEncoding.EncodeToString(channelIDBytes),
},
},
})
}
ret = append(ret, perMessageTest{
messageType: typeFinished,
test: testCase{
testType: serverTest,
protocol: protocol,
name: "ClientFinished" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeNewSessionTicket,
test: testCase{
protocol: protocol,
name: "NewSessionTicket" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeFinished,
test: testCase{
protocol: protocol,
name: "ServerFinished" + suffix,
config: Config{
MaxVersion: VersionTLS12,
},
},
})
}
ret = append(ret, perMessageTest{
messageType: typeClientHello,
test: testCase{
testType: serverTest,
name: "TLS13-ClientHello",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeServerHello,
test: testCase{
name: "TLS13-ServerHello",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeEncryptedExtensions,
test: testCase{
name: "TLS13-EncryptedExtensions",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificateRequest,
test: testCase{
name: "TLS13-CertificateRequest",
config: Config{
MaxVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificate,
test: testCase{
name: "TLS13-ServerCertificate",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificateVerify,
test: testCase{
name: "TLS13-ServerCertificateVerify",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeFinished,
test: testCase{
name: "TLS13-ServerFinished",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificate,
test: testCase{
testType: serverTest,
name: "TLS13-ClientCertificate",
config: Config{
Certificates: []Certificate{rsaCertificate},
MaxVersion: VersionTLS13,
},
flags: []string{"-require-any-client-certificate"},
},
})
ret = append(ret, perMessageTest{
messageType: typeCertificateVerify,
test: testCase{
testType: serverTest,
name: "TLS13-ClientCertificateVerify",
config: Config{
Certificates: []Certificate{rsaCertificate},
MaxVersion: VersionTLS13,
},
flags: []string{"-require-any-client-certificate"},
},
})
ret = append(ret, perMessageTest{
messageType: typeFinished,
test: testCase{
testType: serverTest,
name: "TLS13-ClientFinished",
config: Config{
MaxVersion: VersionTLS13,
},
},
})
return ret
}
func addWrongMessageTypeTests() {
for _, t := range makePerMessageTests() {
t.test.name = "WrongMessageType-" + t.test.name
t.test.config.Bugs.SendWrongMessageType = t.messageType
t.test.shouldFail = true
t.test.expectedError = ":UNEXPECTED_MESSAGE:"
t.test.expectedLocalError = "remote error: unexpected message"
if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
// In TLS 1.3, a bad ServerHello means the client sends
// an unencrypted alert while the server expects
// encryption, so the alert is not readable by runner.
t.test.expectedLocalError = "local error: bad record MAC"
}
testCases = append(testCases, t.test)
}
}
func addTrailingMessageDataTests() {
for _, t := range makePerMessageTests() {
t.test.name = "TrailingMessageData-" + t.test.name
t.test.config.Bugs.SendTrailingMessageData = t.messageType
t.test.shouldFail = true
t.test.expectedError = ":DECODE_ERROR:"
t.test.expectedLocalError = "remote error: error decoding message"
if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
// In TLS 1.3, a bad ServerHello means the client sends
// an unencrypted alert while the server expects
// encryption, so the alert is not readable by runner.
t.test.expectedLocalError = "local error: bad record MAC"
}
if t.messageType == typeFinished {
// Bad Finished messages read as the verify data having
// the wrong length.
t.test.expectedError = ":DIGEST_CHECK_FAILED:"
t.test.expectedLocalError = "remote error: error decrypting message"
}
testCases = append(testCases, t.test)
}
}
func addTLS13HandshakeTests() {
testCases = append(testCases, testCase{
testType: clientTest,
name: "NegotiatePSKResumption-TLS13",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
NegotiatePSKResumption: true,
},
},
resumeSession: true,
shouldFail: true,
expectedError: ":MISSING_KEY_SHARE:",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "MissingKeyShare-Client",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
MissingKeyShare: true,
},
},
shouldFail: true,
expectedError: ":MISSING_KEY_SHARE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "MissingKeyShare-Server",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
MissingKeyShare: true,
},
},
shouldFail: true,
expectedError: ":MISSING_KEY_SHARE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "DuplicateKeyShares",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
DuplicateKeyShares: true,
},
},
shouldFail: true,
expectedError: ":DUPLICATE_KEY_SHARE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 4,
},
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-OmitEarlyDataExtension",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 4,
OmitEarlyDataExtension: true,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-TooMuchData",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 16384 + 1,
},
},
shouldFail: true,
expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-Interleaved",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 4,
InterleaveEarlyData: true,
},
},
shouldFail: true,
expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-EarlyDataInTLS12",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 4,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-HRR",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 4,
},
DefaultCurves: []CurveID{},
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-HRR-Interleaved",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 4,
InterleaveEarlyData: true,
},
DefaultCurves: []CurveID{},
},
shouldFail: true,
expectedError: ":UNEXPECTED_RECORD:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-HRR-TooMuchData",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataLength: 16384 + 1,
},
DefaultCurves: []CurveID{},
},
shouldFail: true,
expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
})
// Test that skipping early data looking for cleartext correctly
// processes an alert record.
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-HRR-FatalAlert",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyAlert: true,
SendEarlyDataLength: 4,
},
DefaultCurves: []CurveID{},
},
shouldFail: true,
expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SkipEarlyData-SecondClientHelloEarlyData",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendEarlyDataOnSecondClientHello: true,
},
DefaultCurves: []CurveID{},
},
shouldFail: true,
expectedLocalError: "remote error: bad record MAC",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "EmptyEncryptedExtensions",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EmptyEncryptedExtensions: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: error decoding message",
})
testCases = append(testCases, testCase{
testType: clientTest,
name: "EncryptedExtensionsWithKeyShare",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EncryptedExtensionsWithKeyShare: true,
},
},
shouldFail: true,
expectedLocalError: "remote error: unsupported extension",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SendHelloRetryRequest",
config: Config{
MaxVersion: VersionTLS13,
// Require a HelloRetryRequest for every curve.
DefaultCurves: []CurveID{},
},
expectedCurveID: CurveX25519,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SendHelloRetryRequest-2",
config: Config{
MaxVersion: VersionTLS13,
DefaultCurves: []CurveID{CurveP384},
},
// Although the ClientHello did not predict our preferred curve,
// we always select it whether it is predicted or not.
expectedCurveID: CurveX25519,
})
testCases = append(testCases, testCase{
name: "UnknownCurve-HelloRetryRequest",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires HelloRetryRequest in BoringSSL.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
SendHelloRetryRequestCurve: bogusCurve,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "DisabledCurve-HelloRetryRequest",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveP256},
Bugs: ProtocolBugs{
IgnorePeerCurvePreferences: true,
},
},
flags: []string{"-p384-only"},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "UnnecessaryHelloRetryRequest",
config: Config{
MaxVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveX25519},
Bugs: ProtocolBugs{
SendHelloRetryRequestCurve: CurveX25519,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "SecondHelloRetryRequest",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires HelloRetryRequest in BoringSSL.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
SecondHelloRetryRequest: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-Empty",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
AlwaysSendHelloRetryRequest: true,
},
},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-DuplicateCurve",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires a HelloRetryRequest against BoringSSL's default
// configuration. Assert this ExpectMissingKeyShare.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
ExpectMissingKeyShare: true,
DuplicateHelloRetryRequestExtensions: true,
},
},
shouldFail: true,
expectedError: ":DUPLICATE_EXTENSION:",
expectedLocalError: "remote error: illegal parameter",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-Cookie",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendHelloRetryRequestCookie: []byte("cookie"),
},
},
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-DuplicateCookie",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendHelloRetryRequestCookie: []byte("cookie"),
DuplicateHelloRetryRequestExtensions: true,
},
},
shouldFail: true,
expectedError: ":DUPLICATE_EXTENSION:",
expectedLocalError: "remote error: illegal parameter",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-EmptyCookie",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SendHelloRetryRequestCookie: []byte{},
},
},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-Cookie-Curve",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires HelloRetryRequest in BoringSSL.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
SendHelloRetryRequestCookie: []byte("cookie"),
ExpectMissingKeyShare: true,
},
},
})
testCases = append(testCases, testCase{
name: "HelloRetryRequest-Unknown",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomHelloRetryRequestExtension: "extension",
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
expectedLocalError: "remote error: unsupported extension",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SecondClientHelloMissingKeyShare",
config: Config{
MaxVersion: VersionTLS13,
DefaultCurves: []CurveID{},
Bugs: ProtocolBugs{
SecondClientHelloMissingKeyShare: true,
},
},
shouldFail: true,
expectedError: ":MISSING_KEY_SHARE:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SecondClientHelloWrongCurve",
config: Config{
MaxVersion: VersionTLS13,
DefaultCurves: []CurveID{},
Bugs: ProtocolBugs{
MisinterpretHelloRetryRequestCurve: CurveP521,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequestVersionMismatch",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires HelloRetryRequest in BoringSSL.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
SendServerHelloVersion: 0x0305,
},
},
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
})
testCases = append(testCases, testCase{
name: "HelloRetryRequestCurveMismatch",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires HelloRetryRequest in BoringSSL.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
// Send P-384 (correct) in the HelloRetryRequest.
SendHelloRetryRequestCurve: CurveP384,
// But send P-256 in the ServerHello.
SendCurve: CurveP256,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
// Test the server selecting a curve that requires a HelloRetryRequest
// without sending it.
testCases = append(testCases, testCase{
name: "SkipHelloRetryRequest",
config: Config{
MaxVersion: VersionTLS13,
// P-384 requires HelloRetryRequest in BoringSSL.
CurvePreferences: []CurveID{CurveP384},
Bugs: ProtocolBugs{
SkipHelloRetryRequest: true,
},
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
testCases = append(testCases, testCase{
name: "TLS13-RequestContextInHandshake",
config: Config{
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
ClientAuth: RequireAnyClientCert,
Bugs: ProtocolBugs{
SendRequestContext: []byte("request context"),
},
},
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-key-file", path.Join(*resourceDir, rsaKeyFile),
},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-TrailingKeyShareData",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
TrailingKeyShareData: true,
},
},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
})
testCases = append(testCases, testCase{
name: "TLS13-AlwaysSelectPSKIdentity",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
AlwaysSelectPSKIdentity: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "TLS13-InvalidPSKIdentity",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
SelectPSKIdentityOnResume: 1,
},
},
resumeSession: true,
shouldFail: true,
expectedError: ":PSK_IDENTITY_NOT_FOUND:",
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-ExtraPSKIdentity",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExtraPSKIdentity: true,
SendExtraPSKBinder: true,
},
},
resumeSession: true,
})
// Test that unknown NewSessionTicket extensions are tolerated.
testCases = append(testCases, testCase{
name: "TLS13-CustomTicketExtension",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
CustomTicketExtension: "1234",
},
},
})
}
func addTLS13CipherPreferenceTests() {
// Test that client preference is honored if the shim has AES hardware
// and ChaCha20-Poly1305 is preferred otherwise.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-CipherPreference-Server-ChaCha20-AES",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256,
},
},
flags: []string{
"-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-CipherPreference-Server-AES-ChaCha20",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
},
flags: []string{
"-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
},
})
// Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
// whether it has AES hardware.
testCases = append(testCases, testCase{
name: "TLS13-CipherPreference-Client",
config: Config{
MaxVersion: VersionTLS13,
// Use the client cipher order. (This is the default but
// is listed to be explicit.)
PreferServerCipherSuites: false,
},
flags: []string{
"-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
},
})
}
func addPeekTests() {
// Test SSL_peek works, including on empty records.
testCases = append(testCases, testCase{
name: "Peek-Basic",
sendEmptyRecords: 1,
flags: []string{"-peek-then-read"},
})
// Test SSL_peek can drive the initial handshake.
testCases = append(testCases, testCase{
name: "Peek-ImplicitHandshake",
flags: []string{
"-peek-then-read",
"-implicit-handshake",
},
})
// Test SSL_peek can discover and drive a renegotiation.
testCases = append(testCases, testCase{
name: "Peek-Renegotiate",
config: Config{
MaxVersion: VersionTLS12,
},
renegotiate: 1,
flags: []string{
"-peek-then-read",
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
},
})
// Test SSL_peek can discover a close_notify.
testCases = append(testCases, testCase{
name: "Peek-Shutdown",
config: Config{
Bugs: ProtocolBugs{
ExpectCloseNotify: true,
},
},
flags: []string{
"-peek-then-read",
"-check-close-notify",
},
})
// Test SSL_peek can discover an alert.
testCases = append(testCases, testCase{
name: "Peek-Alert",
config: Config{
Bugs: ProtocolBugs{
SendSpuriousAlert: alertRecordOverflow,
},
},
flags: []string{"-peek-then-read"},
shouldFail: true,
expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
})
// Test SSL_peek can handle KeyUpdate.
testCases = append(testCases, testCase{
name: "Peek-KeyUpdate",
config: Config{
MaxVersion: VersionTLS13,
},
sendKeyUpdates: 1,
keyUpdateRequest: keyUpdateNotRequested,
flags: []string{"-peek-then-read"},
})
}
func addRecordVersionTests() {
for _, ver := range tlsVersions {
// Test that the record version is enforced.
testCases = append(testCases, testCase{
name: "CheckRecordVersion-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SendRecordVersion: 0x03ff,
},
},
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
})
// Test that the ClientHello may use any record version, for
// compatibility reasons.
testCases = append(testCases, testCase{
testType: serverTest,
name: "LooseInitialRecordVersion-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SendInitialRecordVersion: 0x03ff,
},
},
})
// Test that garbage ClientHello record versions are rejected.
testCases = append(testCases, testCase{
testType: serverTest,
name: "GarbageInitialRecordVersion-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Bugs: ProtocolBugs{
SendInitialRecordVersion: 0xffff,
},
},
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
})
}
}
func addCertificateTests() {
// Test that a certificate chain with intermediate may be sent and
// received as both client and server.
for _, ver := range tlsVersions {
testCases = append(testCases, testCase{
testType: clientTest,
name: "SendReceiveIntermediate-Client-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{rsaChainCertificate},
ClientAuth: RequireAnyClientCert,
},
expectPeerCertificate: &rsaChainCertificate,
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
"-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "SendReceiveIntermediate-Server-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{rsaChainCertificate},
},
expectPeerCertificate: &rsaChainCertificate,
flags: []string{
"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
"-require-any-client-certificate",
"-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
},
})
}
}
func addRetainOnlySHA256ClientCertTests() {
for _, ver := range tlsVersions {
// Test that enabling
// SSL_CTX_set_retain_only_sha256_of_client_certs without
// actually requesting a client certificate is a no-op.
testCases = append(testCases, testCase{
testType: serverTest,
name: "RetainOnlySHA256-NoCert-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
},
flags: []string{
"-retain-only-sha256-client-cert-initial",
"-retain-only-sha256-client-cert-resume",
},
resumeSession: true,
})
// Test that when retaining only a SHA-256 certificate is
// enabled, the hash appears as expected.
testCases = append(testCases, testCase{
testType: serverTest,
name: "RetainOnlySHA256-Cert-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
"-verify-peer",
"-retain-only-sha256-client-cert-initial",
"-retain-only-sha256-client-cert-resume",
"-expect-sha256-client-cert-initial",
"-expect-sha256-client-cert-resume",
},
resumeSession: true,
})
// Test that when the config changes from on to off, a
// resumption is rejected because the server now wants the full
// certificate chain.
testCases = append(testCases, testCase{
testType: serverTest,
name: "RetainOnlySHA256-OnOff-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
"-verify-peer",
"-retain-only-sha256-client-cert-initial",
"-expect-sha256-client-cert-initial",
},
resumeSession: true,
expectResumeRejected: true,
})
// Test that when the config changes from off to on, a
// resumption is rejected because the server now wants just the
// hash.
testCases = append(testCases, testCase{
testType: serverTest,
name: "RetainOnlySHA256-OffOn-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
"-verify-peer",
"-retain-only-sha256-client-cert-resume",
"-expect-sha256-client-cert-resume",
},
resumeSession: true,
expectResumeRejected: true,
})
}
}
func addECDSAKeyUsageTests() {
p256 := elliptic.P256()
priv, err := ecdsa.GenerateKey(p256, rand.Reader)
if err != nil {
panic(err)
}
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
panic(err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme Co"},
},
NotBefore: time.Now(),
NotAfter: time.Now(),
// An ECC certificate with only the keyAgreement key usgae may
// be used with ECDH, but not ECDSA.
KeyUsage: x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
panic(err)
}
cert := Certificate{
Certificate: [][]byte{derBytes},
PrivateKey: priv,
}
for _, ver := range tlsVersions {
if ver.version < VersionTLS12 {
continue
}
testCases = append(testCases, testCase{
testType: clientTest,
name: "ECDSAKeyUsage-" + ver.name,
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
Certificates: []Certificate{cert},
},
shouldFail: true,
expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
})
}
}
func addShortHeaderTests() {
// The short header extension may be negotiated as either client or
// server.
testCases = append(testCases, testCase{
name: "ShortHeader-Client",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
flags: []string{"-enable-short-header"},
expectShortHeader: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ShortHeader-Server",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
flags: []string{"-enable-short-header"},
expectShortHeader: true,
})
// If the peer doesn't support it, it will not be negotiated.
testCases = append(testCases, testCase{
name: "ShortHeader-No-Yes-Client",
config: Config{
MaxVersion: VersionTLS13,
},
flags: []string{"-enable-short-header"},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ShortHeader-No-Yes-Server",
config: Config{
MaxVersion: VersionTLS13,
},
flags: []string{"-enable-short-header"},
})
// If we don't support it, it will not be negotiated.
testCases = append(testCases, testCase{
name: "ShortHeader-Yes-No-Client",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ShortHeader-Yes-No-Server",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
})
// It will not be negotiated at TLS 1.2.
testCases = append(testCases, testCase{
name: "ShortHeader-TLS12-Client",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
flags: []string{"-enable-short-header"},
})
testCases = append(testCases, testCase{
testType: serverTest,
name: "ShortHeader-TLS12-Server",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
EnableShortHeader: true,
},
},
flags: []string{"-enable-short-header"},
})
// Servers reject early data and short header sent together.
testCases = append(testCases, testCase{
testType: serverTest,
name: "ShortHeader-EarlyData",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
EnableShortHeader: true,
SendEarlyDataLength: 1,
},
},
flags: []string{"-enable-short-header"},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
// Clients reject unsolicited short header extensions.
testCases = append(testCases, testCase{
name: "ShortHeader-Unsolicited",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
AlwaysNegotiateShortHeader: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
testCases = append(testCases, testCase{
name: "ShortHeader-Unsolicited-TLS12",
config: Config{
MaxVersion: VersionTLS12,
Bugs: ProtocolBugs{
AlwaysNegotiateShortHeader: true,
},
},
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
// The high bit must be checked in short headers.
testCases = append(testCases, testCase{
name: "ShortHeader-ClearShortHeaderBit",
config: Config{
Bugs: ProtocolBugs{
EnableShortHeader: true,
ClearShortHeaderBit: true,
},
},
flags: []string{"-enable-short-header"},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
expectedLocalError: "remote error: error decoding message",
})
}
func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
defer wg.Done()
for test := range c {
var err error
if *mallocTest >= 0 {
for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
statusChan <- statusMsg{test: test, started: true}
if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
if err != nil {
fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
}
break
}
}
} else if *repeatUntilFailure {
for err == nil {
statusChan <- statusMsg{test: test, started: true}
err = runTest(test, shimPath, -1)
}
} else {
statusChan <- statusMsg{test: test, started: true}
err = runTest(test, shimPath, -1)
}
statusChan <- statusMsg{test: test, err: err}
}
}
type statusMsg struct {
test *testCase
started bool
err error
}
func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
var started, done, failed, unimplemented, lineLen int
testOutput := newTestOutput()
for msg := range statusChan {
if !*pipe {
// Erase the previous status line.
var erase string
for i := 0; i < lineLen; i++ {
erase += "\b \b"
}
fmt.Print(erase)
}
if msg.started {
started++
} else {
done++
if msg.err != nil {
if msg.err == errUnimplemented {
if *pipe {
// Print each test instead of a status line.
fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
}
unimplemented++
testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
} else {
fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
failed++
testOutput.addResult(msg.test.name, "FAIL")
}
} else {
if *pipe {
// Print each test instead of a status line.
fmt.Printf("PASSED (%s)\n", msg.test.name)
}
testOutput.addResult(msg.test.name, "PASS")
}
}
if !*pipe {
// Print a new status line.
line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
lineLen = len(line)
os.Stdout.WriteString(line)
}
}
doneChan <- testOutput
}
func main() {
flag.Parse()
*resourceDir = path.Clean(*resourceDir)
initCertificates()
addBasicTests()
addCipherSuiteTests()
addBadECDSASignatureTests()
addCBCPaddingTests()
addCBCSplittingTests()
addClientAuthTests()
addDDoSCallbackTests()
addVersionNegotiationTests()
addMinimumVersionTests()
addExtensionTests()
addResumptionVersionTests()
addExtendedMasterSecretTests()
addRenegotiationTests()
addDTLSReplayTests()
addSignatureAlgorithmTests()
addDTLSRetransmitTests()
addExportKeyingMaterialTests()
addTLSUniqueTests()
addCustomExtensionTests()
addRSAClientKeyExchangeTests()
addCurveTests()
addSessionTicketTests()
addTLS13RecordTests()
addAllStateMachineCoverageTests()
addChangeCipherSpecTests()
addWrongMessageTypeTests()
addTrailingMessageDataTests()
addTLS13HandshakeTests()
addTLS13CipherPreferenceTests()
addPeekTests()
addRecordVersionTests()
addCertificateTests()
addRetainOnlySHA256ClientCertTests()
addECDSAKeyUsageTests()
addShortHeaderTests()
var wg sync.WaitGroup
statusChan := make(chan statusMsg, *numWorkers)
testChan := make(chan *testCase, *numWorkers)
doneChan := make(chan *testOutput)
if len(*shimConfigFile) != 0 {
encoded, err := ioutil.ReadFile(*shimConfigFile)
if err != nil {
fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
os.Exit(1)
}
if err := json.Unmarshal(encoded, &shimConfig); err != nil {
fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
os.Exit(1)
}
}
go statusPrinter(doneChan, statusChan, len(testCases))
for i := 0; i < *numWorkers; i++ {
wg.Add(1)
go worker(statusChan, testChan, *shimPath, &wg)
}
var foundTest bool
for i := range testCases {
matched := true
if len(*testToRun) != 0 {
var err error
matched, err = filepath.Match(*testToRun, testCases[i].name)
if err != nil {
fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
os.Exit(1)
}
}
if !*includeDisabled {
for pattern := range shimConfig.DisabledTests {
isDisabled, err := filepath.Match(pattern, testCases[i].name)
if err != nil {
fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
os.Exit(1)
}
if isDisabled {
matched = false
break
}
}
}
if matched {
foundTest = true
testChan <- &testCases[i]
// Only run one test if repeating until failure.
if *repeatUntilFailure {
break
}
}
}
if !foundTest {
fmt.Fprintf(os.Stderr, "No tests run\n")
os.Exit(1)
}
close(testChan)
wg.Wait()
close(statusChan)
testOutput := <-doneChan
fmt.Printf("\n")
if *jsonOutput != "" {
if err := testOutput.writeTo(*jsonOutput); err != nil {
fmt.Fprintf(os.Stderr, "Error: %s\n", err)
}
}
if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
os.Exit(1)
}
if !testOutput.noneFailed {
os.Exit(1)
}
}