Merge branch 'client-tests' into draft22-client

2017-12-04 11:55:35 +00:00 · 2017-12-04 11:55:35 +00:00 · f9729b5e4e
commit f9729b5e4e
parent 81cc32b846 3f5e87d6a1
2 changed files with 71 additions and 6 deletions
--- a/config.json
+++ b/config.json
@ -6,6 +6,8 @@

 		"SupportTicketsWithSessionID": "Session IDs not supported",
 		"*-NoTickets-*": "Session IDs not supported",
+		"*-AES128-SHA256-*": "AES128-CBC-SHA256 not supported",
+		"*-AES256-SHA256-*": "AES256-CBC-SHA256 not supported",
 		"*-AES256-SHA384-*": "AES256-CBC-SHA384 not supported",

 		"BadRSAClientKeyExchange-4": "case RSABadValueWrongVersion1 - See comment in processClientKeyExchange",
@ -19,8 +21,61 @@

 		"Renegotiate-Server-Forbidden": "9b812d006d made OpenSSL tests lock up",

-		"*V2ClientHello*": "Yeah, no.",
-		"*SSL3*": "Fuck that.",
-		"*SSLv3*": "Really."
+		"SendEmptyRecords*": "client: no protection implemented against flood of empty records",
+		"SendWarningAlerts*": "client: no protection implemented against flood of warning alerts",
+		"SendBogusAlertType": "client: TODO send IllegalParam instead of UnexpectedMessage",
+		"SkipNewSessionTicket": "client: TODO enable session cache",
+		"InvalidCompressionMethod": "client: TODO send IllegalParam instead of UnexpectedMessage",
+		"NoClientCertificate-TLS13": "client: TODO implement client certs",
+		"TLS13-Client-CertAuth-*": "client: TODO implement client certs",
+		"SupportedVersionSelection-TLS12": "client: TODO send Unexpected Extension if server sends SV",
+		"DuplicateExtensionClient-*": "TODO",
+		"UnsolicitedServerNameAck-*": "client: TODO send Unexpected Extension if SNI was not advertised",
+		"RenegotiationInfo-Forbidden-TLS13": "client: TODO reject ext",
+		"EMS-Forbidden-TLS13": "client: TODO reject ext",
+
+		"SendUnsolicitedOCSPOnCertificate-TLS13": "client: N/A, we always send status_request",
+		"SendUnsolicitedSCTOnCertificate-TLS13": "client: N/A, we always send SCT",
+		"SendUnknownExtensionOnCertificate-TLS13": "client: TODO reject unknown exts",
+		"Resume-Client-CipherMismatch-TLS13": "client: TODO implement resumption",
+		"ExtendedMasterSecret-NoToNo-Client": "client: TODO implement resumption",
+		"Renegotiate-Client-Forbidden-1": "client: TODO correct alert was sent, but why is the local error EOF?",
+		"TLS13-Client-ClientAuth-*": "client: TODO implement client certs",
+		"ClientAuth-*-TLS13*": "client: TODO implement client certs",
+		"ClientAuth-SHA1-Fallback-*": "client: what to do on empty SigAlg ext?",
+
+		"RSA-PSS-Default-*": "TODO enable PSS by default for TLS 1.2",
+		"ECDSACurveMismatch-Verify-TLS13": "client: we do advertise the SigAlg by default",
+		"Ed25519DefaultDisable-NoAccept": "client: expected IllegalParam instead of Unsupported Cert",
+		"UnofferedExtension-Client*": "client: TODO reject unadvertised extension",
+		"Unknown*Extension-Client*": "client: TODO reject unadvertised extension",
+		"PointFormat-EncryptedExtensions-TLS13": "client: TODO reject forbidden extension",
+		"PointFormat-Client-MissingUncompressed": "client: TODO should reject",
+		"TLS13-TestBadTicketAge-Client": "client: TODO implement resumption",
+		"TLS13-DuplicateTicketEarlyDataInfo": "client: TODO implement resumption",
+
+		"TLS13-WrongOuterRecord": "client: checking record content type is not a MUST",
+		"Basic-Client-*":"client: TODO implement resumption",
+		"TLS13-1RTT-Client-*": "client: TODO implement resumption",
+
+		"WrongMessageType-*": "client: TODO expected different alert",
+		"TrailingMessageData-*": "client: TODO expected different alert",
+		"EncryptedExtensionsWithKeyShare": "client: TODO reject invalid extension",
+		"EmptyEncryptedExtensions": "client: TODO require non-empty EE",
+		"TLS13-*PSKIdentity": "client: TODO",
+		"TLS13-ClientSkipCertificateVerify": "client: TODO implement client certs",
+		"CheckRecordVersion-*": "client: enforce record version",
+		"GarbageCertificate-Client-*": "client: TODO implement client certs",
+
+		"OmitExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",
+		"EmptyExtensions-ServerHello-*": "client: N/A, we always send status_request and SCT",
+
+		"ECDSAKeyUsage-*": "client: TODO reject cert with invalid KU",
+
+		"SupportedVersionSelection-TLS13": "won't fix for now, D22 will use this extension in ServerHello",
+
+		"*V2ClientHello*": "Unsupported version",
+		"*SSL3*": "Unsupported version",
+		"*SSLv3*": "Unsupported version"
 	}
 }
--- a/tls_shim.go
+++ b/tls_shim.go
@ -19,6 +19,8 @@ func main() {
 		keyFile     = fs.String("key-file", "", "")
 		certFile    = fs.String("cert-file", "", "")
 		resumeCount = fs.Int("resume-count", 0, "")
+		minVersion  = fs.Int("min-version", tls.VersionSSL30, "")
+		maxVersion  = fs.Int("max-version", tls.VersionTLS13, "")
 	)

 	fmt.Println("Args:", os.Args[1:])
@ -30,7 +32,7 @@ func main() {
 			os.Exit(89)
 		}
 	}
-	if *dtls || !*server {
+	if *dtls {
 		os.Exit(89)
 	}

@ -39,11 +41,19 @@ func main() {
 	}

 	config := &tls.Config{
-		MinVersion:         tls.VersionSSL30,
-		MaxVersion:         tls.VersionTLS13,
+		MinVersion:         uint16(*minVersion),
+		MaxVersion:         uint16(*maxVersion),
 		InsecureSkipVerify: true,
 	}

+	if keyLogFile := os.Getenv("SSLKEYLOGFILE"); config.KeyLogWriter == nil && keyLogFile != "" {
+		var err error
+		config.KeyLogWriter, err = os.OpenFile(keyLogFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
+		if err != nil {
+			log.Fatalf("Cannot open keylog file: %v", err)
+		}
+	}
+
 	if *keyFile != "" {
 		cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
 		if err != nil {