1 // Copyright (c) 2016, Google Inc. 2 // 3 // Permission to use, copy, modify, and/or distribute this software for any 4 // purpose with or without fee is hereby granted, provided that the above 5 // copyright notice and this permission notice appear in all copies. 6 // 7 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 15 package runner 16 17 import ( 18 "bytes" 19 "crypto/ecdsa" 20 "crypto/elliptic" 21 "crypto/rand" 22 "crypto/x509" 23 "crypto/x509/pkix" 24 "encoding/base64" 25 "encoding/hex" 26 "encoding/json" 27 "encoding/pem" 28 "errors" 29 "flag" 30 "fmt" 31 "io" 32 "io/ioutil" 33 "math/big" 34 "net" 35 "os" 36 "os/exec" 37 "path" 38 "path/filepath" 39 "runtime" 40 "strconv" 41 "strings" 42 "sync" 43 "syscall" 44 "time" 45 ) 46 47 var ( 48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind") 49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb") 50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb") 51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection") 52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.") 53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.") 54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.") 55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.") 56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests") 57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.") 58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.") 59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.") 60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.") 61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.") 62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.") 63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.") 64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.") 65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.") 66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.") 67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.") 68 includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.") 69 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.") 70 ) 71 72 // ShimConfigurations is used with the json package and represents a shim 73 // config file. 74 type ShimConfiguration struct { 75 // DisabledTests maps from a glob-based pattern to a freeform string. 76 // The glob pattern is used to exclude tests from being run and the 77 // freeform string is unparsed but expected to explain why the test is 78 // disabled. 79 DisabledTests map[string]string 80 81 // ErrorMap maps from expected error strings to the correct error 82 // string for the shim in question. For example, it might map 83 // :NO_SHARED_CIPHER: (a BoringSSL error string) to something 84 // like SSL_ERROR_NO_CYPHER_OVERLAP. 85 ErrorMap map[string]string 86 87 // HalfRTTTickets is the number of half-RTT tickets the client should 88 // expect before half-RTT data when testing 0-RTT. 89 HalfRTTTickets int 90 } 91 92 // Setup shimConfig defaults aligning with BoringSSL. 93 var shimConfig ShimConfiguration = ShimConfiguration{ 94 HalfRTTTickets: 2, 95 } 96 97 type testCert int 98 99 const ( 100 testCertRSA testCert = iota 101 testCertRSA1024 102 testCertRSAChain 103 testCertECDSAP224 104 testCertECDSAP256 105 testCertECDSAP384 106 testCertECDSAP521 107 ) 108 109 const ( 110 rsaCertificateFile = "cert.pem" 111 rsa1024CertificateFile = "rsa_1024_cert.pem" 112 rsaChainCertificateFile = "rsa_chain_cert.pem" 113 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem" 114 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem" 115 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem" 116 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem" 117 ) 118 119 const ( 120 rsaKeyFile = "key.pem" 121 rsa1024KeyFile = "rsa_1024_key.pem" 122 rsaChainKeyFile = "rsa_chain_key.pem" 123 ecdsaP224KeyFile = "ecdsa_p224_key.pem" 124 ecdsaP256KeyFile = "ecdsa_p256_key.pem" 125 ecdsaP384KeyFile = "ecdsa_p384_key.pem" 126 ecdsaP521KeyFile = "ecdsa_p521_key.pem" 127 channelIDKeyFile = "channel_id_key.pem" 128 ) 129 130 var ( 131 rsaCertificate Certificate 132 rsa1024Certificate Certificate 133 rsaChainCertificate Certificate 134 ecdsaP224Certificate Certificate 135 ecdsaP256Certificate Certificate 136 ecdsaP384Certificate Certificate 137 ecdsaP521Certificate Certificate 138 ) 139 140 var testCerts = []struct { 141 id testCert 142 certFile, keyFile string 143 cert *Certificate 144 }{ 145 { 146 id: testCertRSA, 147 certFile: rsaCertificateFile, 148 keyFile: rsaKeyFile, 149 cert: &rsaCertificate, 150 }, 151 { 152 id: testCertRSA1024, 153 certFile: rsa1024CertificateFile, 154 keyFile: rsa1024KeyFile, 155 cert: &rsa1024Certificate, 156 }, 157 { 158 id: testCertRSAChain, 159 certFile: rsaChainCertificateFile, 160 keyFile: rsaChainKeyFile, 161 cert: &rsaChainCertificate, 162 }, 163 { 164 id: testCertECDSAP224, 165 certFile: ecdsaP224CertificateFile, 166 keyFile: ecdsaP224KeyFile, 167 cert: &ecdsaP224Certificate, 168 }, 169 { 170 id: testCertECDSAP256, 171 certFile: ecdsaP256CertificateFile, 172 keyFile: ecdsaP256KeyFile, 173 cert: &ecdsaP256Certificate, 174 }, 175 { 176 id: testCertECDSAP384, 177 certFile: ecdsaP384CertificateFile, 178 keyFile: ecdsaP384KeyFile, 179 cert: &ecdsaP384Certificate, 180 }, 181 { 182 id: testCertECDSAP521, 183 certFile: ecdsaP521CertificateFile, 184 keyFile: ecdsaP521KeyFile, 185 cert: &ecdsaP521Certificate, 186 }, 187 } 188 189 var channelIDKey *ecdsa.PrivateKey 190 var channelIDBytes []byte 191 192 var testOCSPResponse = []byte{1, 2, 3, 4} 193 var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8} 194 195 var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...) 196 var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...) 197 198 func initCertificates() { 199 for i := range testCerts { 200 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile)) 201 if err != nil { 202 panic(err) 203 } 204 cert.OCSPStaple = testOCSPResponse 205 cert.SignedCertificateTimestampList = testSCTList 206 *testCerts[i].cert = cert 207 } 208 209 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile)) 210 if err != nil { 211 panic(err) 212 } 213 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock) 214 if channelIDDERBlock.Type != "EC PRIVATE KEY" { 215 panic("bad key type") 216 } 217 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes) 218 if err != nil { 219 panic(err) 220 } 221 if channelIDKey.Curve != elliptic.P256() { 222 panic("bad curve") 223 } 224 225 channelIDBytes = make([]byte, 64) 226 writeIntPadded(channelIDBytes[:32], channelIDKey.X) 227 writeIntPadded(channelIDBytes[32:], channelIDKey.Y) 228 } 229 230 func getRunnerCertificate(t testCert) Certificate { 231 for _, cert := range testCerts { 232 if cert.id == t { 233 return *cert.cert 234 } 235 } 236 panic("Unknown test certificate") 237 } 238 239 func getShimCertificate(t testCert) string { 240 for _, cert := range testCerts { 241 if cert.id == t { 242 return cert.certFile 243 } 244 } 245 panic("Unknown test certificate") 246 } 247 248 func getShimKey(t testCert) string { 249 for _, cert := range testCerts { 250 if cert.id == t { 251 return cert.keyFile 252 } 253 } 254 panic("Unknown test certificate") 255 } 256 257 // encodeDERValues encodes a series of bytestrings in comma-separated-hex form. 258 func encodeDERValues(values [][]byte) string { 259 var ret string 260 for i, v := range values { 261 if i > 0 { 262 ret += "," 263 } 264 ret += hex.EncodeToString(v) 265 } 266 267 return ret 268 } 269 270 type testType int 271 272 const ( 273 clientTest testType = iota 274 serverTest 275 ) 276 277 type protocol int 278 279 const ( 280 tls protocol = iota 281 dtls 282 ) 283 284 const ( 285 alpn = 1 286 npn = 2 287 ) 288 289 type testCase struct { 290 testType testType 291 protocol protocol 292 name string 293 config Config 294 shouldFail bool 295 expectedError string 296 // expectedLocalError, if not empty, contains a substring that must be 297 // found in the local error. 298 expectedLocalError string 299 // expectedVersion, if non-zero, specifies the TLS version that must be 300 // negotiated. 301 expectedVersion uint16 302 // expectedResumeVersion, if non-zero, specifies the TLS version that 303 // must be negotiated on resumption. If zero, expectedVersion is used. 304 expectedResumeVersion uint16 305 // expectedCipher, if non-zero, specifies the TLS cipher suite that 306 // should be negotiated. 307 expectedCipher uint16 308 // expectChannelID controls whether the connection should have 309 // negotiated a Channel ID with channelIDKey. 310 expectChannelID bool 311 // expectedNextProto controls whether the connection should 312 // negotiate a next protocol via NPN or ALPN. 313 expectedNextProto string 314 // expectNoNextProto, if true, means that no next protocol should be 315 // negotiated. 316 expectNoNextProto bool 317 // expectedNextProtoType, if non-zero, is the expected next 318 // protocol negotiation mechanism. 319 expectedNextProtoType int 320 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that 321 // should be negotiated. If zero, none should be negotiated. 322 expectedSRTPProtectionProfile uint16 323 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received. 324 expectedOCSPResponse []uint8 325 // expectedSCTList, if not nil, is the expected SCT list to be received. 326 expectedSCTList []uint8 327 // expectedPeerSignatureAlgorithm, if not zero, is the signature 328 // algorithm that the peer should have used in the handshake. 329 expectedPeerSignatureAlgorithm signatureAlgorithm 330 // expectedCurveID, if not zero, is the curve that the handshake should 331 // have used. 332 expectedCurveID CurveID 333 // messageLen is the length, in bytes, of the test message that will be 334 // sent. 335 messageLen int 336 // messageCount is the number of test messages that will be sent. 337 messageCount int 338 // certFile is the path to the certificate to use for the server. 339 certFile string 340 // keyFile is the path to the private key to use for the server. 341 keyFile string 342 // resumeSession controls whether a second connection should be tested 343 // which attempts to resume the first session. 344 resumeSession bool 345 // resumeRenewedSession controls whether a third connection should be 346 // tested which attempts to resume the second connection's session. 347 resumeRenewedSession bool 348 // expectResumeRejected, if true, specifies that the attempted 349 // resumption must be rejected by the client. This is only valid for a 350 // serverTest. 351 expectResumeRejected bool 352 // resumeConfig, if not nil, points to a Config to be used on 353 // resumption. Unless newSessionsOnResume is set, 354 // SessionTicketKey, ServerSessionCache, and 355 // ClientSessionCache are copied from the initial connection's 356 // config. If nil, the initial connection's config is used. 357 resumeConfig *Config 358 // newSessionsOnResume, if true, will cause resumeConfig to 359 // use a different session resumption context. 360 newSessionsOnResume bool 361 // noSessionCache, if true, will cause the server to run without a 362 // session cache. 363 noSessionCache bool 364 // sendPrefix sends a prefix on the socket before actually performing a 365 // handshake. 366 sendPrefix string 367 // shimWritesFirst controls whether the shim sends an initial "hello" 368 // message before doing a roundtrip with the runner. 369 shimWritesFirst bool 370 // shimShutsDown, if true, runs a test where the shim shuts down the 371 // connection immediately after the handshake rather than echoing 372 // messages from the runner. 373 shimShutsDown bool 374 // renegotiate indicates the number of times the connection should be 375 // renegotiated during the exchange. 376 renegotiate int 377 // sendHalfHelloRequest, if true, causes the server to send half a 378 // HelloRequest when the handshake completes. 379 sendHalfHelloRequest bool 380 // renegotiateCiphers is a list of ciphersuite ids that will be 381 // switched in just before renegotiation. 382 renegotiateCiphers []uint16 383 // replayWrites, if true, configures the underlying transport 384 // to replay every write it makes in DTLS tests. 385 replayWrites bool 386 // damageFirstWrite, if true, configures the underlying transport to 387 // damage the final byte of the first application data write. 388 damageFirstWrite bool 389 // exportKeyingMaterial, if non-zero, configures the test to exchange 390 // keying material and verify they match. 391 exportKeyingMaterial int 392 exportLabel string 393 exportContext string 394 useExportContext bool 395 // flags, if not empty, contains a list of command-line flags that will 396 // be passed to the shim program. 397 flags []string 398 // testTLSUnique, if true, causes the shim to send the tls-unique value 399 // which will be compared against the expected value. 400 testTLSUnique bool 401 // sendEmptyRecords is the number of consecutive empty records to send 402 // before and after the test message. 403 sendEmptyRecords int 404 // sendWarningAlerts is the number of consecutive warning alerts to send 405 // before and after the test message. 406 sendWarningAlerts int 407 // sendKeyUpdates is the number of consecutive key updates to send 408 // before and after the test message. 409 sendKeyUpdates int 410 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages. 411 keyUpdateRequest byte 412 // expectMessageDropped, if true, means the test message is expected to 413 // be dropped by the client rather than echoed back. 414 expectMessageDropped bool 415 // expectPeerCertificate, if not nil, is the certificate chain the peer 416 // is expected to send. 417 expectPeerCertificate *Certificate 418 } 419 420 var testCases []testCase 421 422 func writeTranscript(test *testCase, num int, data []byte) { 423 if len(data) == 0 { 424 return 425 } 426 427 protocol := "tls" 428 if test.protocol == dtls { 429 protocol = "dtls" 430 } 431 432 side := "client" 433 if test.testType == serverTest { 434 side = "server" 435 } 436 437 dir := path.Join(*transcriptDir, protocol, side) 438 if err := os.MkdirAll(dir, 0755); err != nil { 439 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err) 440 return 441 } 442 443 name := fmt.Sprintf("%s-%d", test.name, num) 444 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil { 445 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err) 446 } 447 } 448 449 // A timeoutConn implements an idle timeout on each Read and Write operation. 450 type timeoutConn struct { 451 net.Conn 452 timeout time.Duration 453 } 454 455 func (t *timeoutConn) Read(b []byte) (int, error) { 456 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil { 457 return 0, err 458 } 459 return t.Conn.Read(b) 460 } 461 462 func (t *timeoutConn) Write(b []byte) (int, error) { 463 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil { 464 return 0, err 465 } 466 return t.Conn.Write(b) 467 } 468 469 func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error { 470 if !test.noSessionCache { 471 if config.ClientSessionCache == nil { 472 config.ClientSessionCache = NewLRUClientSessionCache(1) 473 } 474 if config.ServerSessionCache == nil { 475 config.ServerSessionCache = NewLRUServerSessionCache(1) 476 } 477 } 478 if test.testType == clientTest { 479 if len(config.Certificates) == 0 { 480 config.Certificates = []Certificate{rsaCertificate} 481 } 482 } else { 483 // Supply a ServerName to ensure a constant session cache key, 484 // rather than falling back to net.Conn.RemoteAddr. 485 if len(config.ServerName) == 0 { 486 config.ServerName = "test" 487 } 488 } 489 if *fuzzer { 490 config.Bugs.NullAllCiphers = true 491 } 492 if *deterministic { 493 config.Time = func() time.Time { return time.Unix(1234, 1234) } 494 } 495 496 conn = &timeoutConn{conn, *idleTimeout} 497 498 if test.protocol == dtls { 499 config.Bugs.PacketAdaptor = newPacketAdaptor(conn) 500 conn = config.Bugs.PacketAdaptor 501 } 502 503 if *flagDebug || len(*transcriptDir) != 0 { 504 local, peer := "client", "server" 505 if test.testType == clientTest { 506 local, peer = peer, local 507 } 508 connDebug := &recordingConn{ 509 Conn: conn, 510 isDatagram: test.protocol == dtls, 511 local: local, 512 peer: peer, 513 } 514 conn = connDebug 515 if *flagDebug { 516 defer connDebug.WriteTo(os.Stdout) 517 } 518 if len(*transcriptDir) != 0 { 519 defer func() { 520 writeTranscript(test, num, connDebug.Transcript()) 521 }() 522 } 523 524 if config.Bugs.PacketAdaptor != nil { 525 config.Bugs.PacketAdaptor.debug = connDebug 526 } 527 } 528 529 if test.replayWrites { 530 conn = newReplayAdaptor(conn) 531 } 532 533 var connDamage *damageAdaptor 534 if test.damageFirstWrite { 535 connDamage = newDamageAdaptor(conn) 536 conn = connDamage 537 } 538 539 if test.sendPrefix != "" { 540 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil { 541 return err 542 } 543 } 544 545 var tlsConn *Conn 546 if test.testType == clientTest { 547 if test.protocol == dtls { 548 tlsConn = DTLSServer(conn, config) 549 } else { 550 tlsConn = Server(conn, config) 551 } 552 } else { 553 config.InsecureSkipVerify = true 554 if test.protocol == dtls { 555 tlsConn = DTLSClient(conn, config) 556 } else { 557 tlsConn = Client(conn, config) 558 } 559 } 560 defer tlsConn.Close() 561 562 if err := tlsConn.Handshake(); err != nil { 563 return err 564 } 565 566 // TODO(davidben): move all per-connection expectations into a dedicated 567 // expectations struct that can be specified separately for the two 568 // legs. 569 expectedVersion := test.expectedVersion 570 if isResume && test.expectedResumeVersion != 0 { 571 expectedVersion = test.expectedResumeVersion 572 } 573 connState := tlsConn.ConnectionState() 574 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion { 575 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion) 576 } 577 578 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher { 579 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher) 580 } 581 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected { 582 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume) 583 } 584 585 if test.expectChannelID { 586 channelID := connState.ChannelID 587 if channelID == nil { 588 return fmt.Errorf("no channel ID negotiated") 589 } 590 if channelID.Curve != channelIDKey.Curve || 591 channelIDKey.X.Cmp(channelIDKey.X) != 0 || 592 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 { 593 return fmt.Errorf("incorrect channel ID") 594 } 595 } 596 597 if expected := test.expectedNextProto; expected != "" { 598 if actual := connState.NegotiatedProtocol; actual != expected { 599 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected) 600 } 601 } 602 603 if test.expectNoNextProto { 604 if actual := connState.NegotiatedProtocol; actual != "" { 605 return fmt.Errorf("got unexpected next proto %s", actual) 606 } 607 } 608 609 if test.expectedNextProtoType != 0 { 610 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN { 611 return fmt.Errorf("next proto type mismatch") 612 } 613 } 614 615 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile { 616 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile) 617 } 618 619 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) { 620 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse) 621 } 622 623 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) { 624 return fmt.Errorf("SCT list mismatch") 625 } 626 627 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm { 628 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm) 629 } 630 631 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID { 632 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID) 633 } 634 635 if test.expectPeerCertificate != nil { 636 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) { 637 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate)) 638 } 639 for i, cert := range connState.PeerCertificates { 640 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) { 641 return fmt.Errorf("peer certificate %d did not match", i+1) 642 } 643 } 644 } 645 646 if test.exportKeyingMaterial > 0 { 647 actual := make([]byte, test.exportKeyingMaterial) 648 if _, err := io.ReadFull(tlsConn, actual); err != nil { 649 return err 650 } 651 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext) 652 if err != nil { 653 return err 654 } 655 if !bytes.Equal(actual, expected) { 656 return fmt.Errorf("keying material mismatch") 657 } 658 } 659 660 if test.testTLSUnique { 661 var peersValue [12]byte 662 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil { 663 return err 664 } 665 expected := tlsConn.ConnectionState().TLSUnique 666 if !bytes.Equal(peersValue[:], expected) { 667 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected) 668 } 669 } 670 671 if test.shimWritesFirst { 672 var buf [5]byte 673 _, err := io.ReadFull(tlsConn, buf[:]) 674 if err != nil { 675 return err 676 } 677 if string(buf[:]) != "hello" { 678 return fmt.Errorf("bad initial message") 679 } 680 } 681 682 for i := 0; i < test.sendKeyUpdates; i++ { 683 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil { 684 return err 685 } 686 } 687 688 for i := 0; i < test.sendEmptyRecords; i++ { 689 tlsConn.Write(nil) 690 } 691 692 for i := 0; i < test.sendWarningAlerts; i++ { 693 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage) 694 } 695 696 if test.sendHalfHelloRequest { 697 tlsConn.SendHalfHelloRequest() 698 } 699 700 if test.renegotiate > 0 { 701 if test.renegotiateCiphers != nil { 702 config.CipherSuites = test.renegotiateCiphers 703 } 704 for i := 0; i < test.renegotiate; i++ { 705 if err := tlsConn.Renegotiate(); err != nil { 706 return err 707 } 708 } 709 } else if test.renegotiateCiphers != nil { 710 panic("renegotiateCiphers without renegotiate") 711 } 712 713 if test.damageFirstWrite { 714 connDamage.setDamage(true) 715 tlsConn.Write([]byte("DAMAGED WRITE")) 716 connDamage.setDamage(false) 717 } 718 719 messageLen := test.messageLen 720 if messageLen < 0 { 721 if test.protocol == dtls { 722 return fmt.Errorf("messageLen < 0 not supported for DTLS tests") 723 } 724 // Read until EOF. 725 _, err := io.Copy(ioutil.Discard, tlsConn) 726 return err 727 } 728 if messageLen == 0 { 729 messageLen = 32 730 } 731 732 messageCount := test.messageCount 733 if messageCount == 0 { 734 messageCount = 1 735 } 736 737 for j := 0; j < messageCount; j++ { 738 testMessage := make([]byte, messageLen) 739 for i := range testMessage { 740 testMessage[i] = 0x42 ^ byte(j) 741 } 742 tlsConn.Write(testMessage) 743 744 for i := 0; i < test.sendKeyUpdates; i++ { 745 tlsConn.SendKeyUpdate(test.keyUpdateRequest) 746 } 747 748 for i := 0; i < test.sendEmptyRecords; i++ { 749 tlsConn.Write(nil) 750 } 751 752 for i := 0; i < test.sendWarningAlerts; i++ { 753 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage) 754 } 755 756 if test.shimShutsDown || test.expectMessageDropped { 757 // The shim will not respond. 758 continue 759 } 760 761 buf := make([]byte, len(testMessage)) 762 if test.protocol == dtls { 763 bufTmp := make([]byte, len(buf)+1) 764 n, err := tlsConn.Read(bufTmp) 765 if err != nil { 766 return err 767 } 768 if n != len(buf) { 769 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf)) 770 } 771 copy(buf, bufTmp) 772 } else { 773 _, err := io.ReadFull(tlsConn, buf) 774 if err != nil { 775 return err 776 } 777 } 778 779 for i, v := range buf { 780 if v != testMessage[i]^0xff { 781 return fmt.Errorf("bad reply contents at byte %d", i) 782 } 783 } 784 } 785 786 return nil 787 } 788 789 func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd { 790 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"} 791 if dbAttach { 792 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p") 793 } 794 valgrindArgs = append(valgrindArgs, path) 795 valgrindArgs = append(valgrindArgs, args...) 796 797 return exec.Command("valgrind", valgrindArgs...) 798 } 799 800 func gdbOf(path string, args ...string) *exec.Cmd { 801 xtermArgs := []string{"-e", "gdb", "--args"} 802 xtermArgs = append(xtermArgs, path) 803 xtermArgs = append(xtermArgs, args...) 804 805 return exec.Command("xterm", xtermArgs...) 806 } 807 808 func lldbOf(path string, args ...string) *exec.Cmd { 809 xtermArgs := []string{"-e", "lldb", "--"} 810 xtermArgs = append(xtermArgs, path) 811 xtermArgs = append(xtermArgs, args...) 812 813 return exec.Command("xterm", xtermArgs...) 814 } 815 816 var ( 817 errMoreMallocs = errors.New("child process did not exhaust all allocation calls") 818 errUnimplemented = errors.New("child process does not implement needed flags") 819 ) 820 821 // accept accepts a connection from listener, unless waitChan signals a process 822 // exit first. 823 func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) { 824 type connOrError struct { 825 conn net.Conn 826 err error 827 } 828 connChan := make(chan connOrError, 1) 829 go func() { 830 conn, err := listener.Accept() 831 connChan <- connOrError{conn, err} 832 close(connChan) 833 }() 834 select { 835 case result := <-connChan: 836 return result.conn, result.err 837 case childErr := <-waitChan: 838 waitChan <- childErr 839 return nil, fmt.Errorf("child exited early: %s", childErr) 840 } 841 } 842 843 func translateExpectedError(errorStr string) string { 844 if translated, ok := shimConfig.ErrorMap[errorStr]; ok { 845 return translated 846 } 847 848 if *looseErrors { 849 return "" 850 } 851 852 return errorStr 853 } 854 855 func runTest(test *testCase, shimPath string, mallocNumToFail int64) error { 856 // Help debugging panics on the Go side. 857 defer func() { 858 if r := recover(); r != nil { 859 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name) 860 panic(r) 861 } 862 }() 863 864 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) { 865 panic("Error expected without shouldFail in " + test.name) 866 } 867 868 if test.expectResumeRejected && !test.resumeSession { 869 panic("expectResumeRejected without resumeSession in " + test.name) 870 } 871 872 for _, ver := range tlsVersions { 873 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") { 874 continue 875 } 876 877 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 { 878 continue 879 } 880 881 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version)) 882 } 883 884 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}}) 885 if err != nil { 886 panic(err) 887 } 888 defer func() { 889 if listener != nil { 890 listener.Close() 891 } 892 }() 893 894 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)} 895 if test.testType == serverTest { 896 flags = append(flags, "-server") 897 898 flags = append(flags, "-key-file") 899 if test.keyFile == "" { 900 flags = append(flags, path.Join(*resourceDir, rsaKeyFile)) 901 } else { 902 flags = append(flags, path.Join(*resourceDir, test.keyFile)) 903 } 904 905 flags = append(flags, "-cert-file") 906 if test.certFile == "" { 907 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile)) 908 } else { 909 flags = append(flags, path.Join(*resourceDir, test.certFile)) 910 } 911 } 912 913 if test.protocol == dtls { 914 flags = append(flags, "-dtls") 915 } 916 917 var resumeCount int 918 if test.resumeSession { 919 resumeCount++ 920 if test.resumeRenewedSession { 921 resumeCount++ 922 } 923 } 924 925 if resumeCount > 0 { 926 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount)) 927 } 928 929 if test.shimWritesFirst { 930 flags = append(flags, "-shim-writes-first") 931 } 932 933 if test.shimShutsDown { 934 flags = append(flags, "-shim-shuts-down") 935 } 936 937 if test.exportKeyingMaterial > 0 { 938 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial)) 939 flags = append(flags, "-export-label", test.exportLabel) 940 flags = append(flags, "-export-context", test.exportContext) 941 if test.useExportContext { 942 flags = append(flags, "-use-export-context") 943 } 944 } 945 if test.expectResumeRejected { 946 flags = append(flags, "-expect-session-miss") 947 } 948 949 if test.testTLSUnique { 950 flags = append(flags, "-tls-unique") 951 } 952 953 flags = append(flags, test.flags...) 954 955 var shim *exec.Cmd 956 if *useValgrind { 957 shim = valgrindOf(false, shimPath, flags...) 958 } else if *useGDB { 959 shim = gdbOf(shimPath, flags...) 960 } else if *useLLDB { 961 shim = lldbOf(shimPath, flags...) 962 } else { 963 shim = exec.Command(shimPath, flags...) 964 } 965 shim.Stdin = os.Stdin 966 var stdoutBuf, stderrBuf bytes.Buffer 967 shim.Stdout = &stdoutBuf 968 shim.Stderr = &stderrBuf 969 if mallocNumToFail >= 0 { 970 shim.Env = os.Environ() 971 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10)) 972 if *mallocTestDebug { 973 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1") 974 } 975 shim.Env = append(shim.Env, "_MALLOC_CHECK=1") 976 } 977 978 if err := shim.Start(); err != nil { 979 panic(err) 980 } 981 waitChan := make(chan error, 1) 982 go func() { waitChan <- shim.Wait() }() 983 984 config := test.config 985 986 if *deterministic { 987 config.Rand = &deterministicRand{} 988 } 989 990 conn, err := acceptOrWait(listener, waitChan) 991 if err == nil { 992 err = doExchange(test, &config, conn, false /* not a resumption */, 0) 993 conn.Close() 994 } 995 996 for i := 0; err == nil && i < resumeCount; i++ { 997 var resumeConfig Config 998 if test.resumeConfig != nil { 999 resumeConfig = *test.resumeConfig 1000 if !test.newSessionsOnResume { 1001 resumeConfig.SessionTicketKey = config.SessionTicketKey 1002 resumeConfig.ClientSessionCache = config.ClientSessionCache 1003 resumeConfig.ServerSessionCache = config.ServerSessionCache 1004 } 1005 resumeConfig.Rand = config.Rand 1006 } else { 1007 resumeConfig = config 1008 } 1009 var connResume net.Conn 1010 connResume, err = acceptOrWait(listener, waitChan) 1011 if err == nil { 1012 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1) 1013 connResume.Close() 1014 } 1015 } 1016 1017 // Close the listener now. This is to avoid hangs should the shim try to 1018 // open more connections than expected. 1019 listener.Close() 1020 listener = nil 1021 1022 childErr := <-waitChan 1023 var isValgrindError bool 1024 if exitError, ok := childErr.(*exec.ExitError); ok { 1025 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() { 1026 case 88: 1027 return errMoreMallocs 1028 case 89: 1029 return errUnimplemented 1030 case 99: 1031 isValgrindError = true 1032 } 1033 } 1034 1035 // Account for Windows line endings. 1036 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1) 1037 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1) 1038 1039 // Separate the errors from the shim and those from tools like 1040 // AddressSanitizer. 1041 var extraStderr string 1042 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 { 1043 stderr = stderrParts[0] 1044 extraStderr = stderrParts[1] 1045 } 1046 1047 failed := err != nil || childErr != nil 1048 expectedError := translateExpectedError(test.expectedError) 1049 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError) 1050 1051 localError := "none" 1052 if err != nil { 1053 localError = err.Error() 1054 } 1055 if len(test.expectedLocalError) != 0 { 1056 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError) 1057 } 1058 1059 if failed != test.shouldFail || failed && !correctFailure { 1060 childError := "none" 1061 if childErr != nil { 1062 childError = childErr.Error() 1063 } 1064 1065 var msg string 1066 switch { 1067 case failed && !test.shouldFail: 1068 msg = "unexpected failure" 1069 case !failed && test.shouldFail: 1070 msg = "unexpected success" 1071 case failed && !correctFailure: 1072 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')" 1073 default: 1074 panic("internal error") 1075 } 1076 1077 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr) 1078 } 1079 1080 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) { 1081 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr) 1082 } 1083 1084 if *useValgrind && isValgrindError { 1085 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr) 1086 } 1087 1088 return nil 1089 } 1090 1091 type tlsVersion struct { 1092 name string 1093 version uint16 1094 flag string 1095 hasDTLS bool 1096 } 1097 1098 var tlsVersions = []tlsVersion{ 1099 {"SSL3", VersionSSL30, "-no-ssl3", false}, 1100 {"TLS1", VersionTLS10, "-no-tls1", true}, 1101 {"TLS11", VersionTLS11, "-no-tls11", false}, 1102 {"TLS12", VersionTLS12, "-no-tls12", true}, 1103 {"TLS13", VersionTLS13, "-no-tls13", false}, 1104 } 1105 1106 type testCipherSuite struct { 1107 name string 1108 id uint16 1109 } 1110 1111 var testCipherSuites = []testCipherSuite{ 1112 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 1113 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256}, 1114 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA}, 1115 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256}, 1116 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384}, 1117 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA}, 1118 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256}, 1119 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1120 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}, 1121 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256}, 1122 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}, 1123 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}, 1124 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384}, 1125 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}, 1126 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1127 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 1128 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}, 1129 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, 1130 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, 1131 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}, 1132 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, 1133 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA}, 1134 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA}, 1135 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA}, 1136 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA}, 1137 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256}, 1138 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256}, 1139 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256}, 1140 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384}, 1141 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA}, 1142 } 1143 1144 func hasComponent(suiteName, component string) bool { 1145 return strings.Contains("-"+suiteName+"-", "-"+component+"-") 1146 } 1147 1148 func isTLS12Only(suiteName string) bool { 1149 return hasComponent(suiteName, "GCM") || 1150 hasComponent(suiteName, "SHA256") || 1151 hasComponent(suiteName, "SHA384") || 1152 hasComponent(suiteName, "POLY1305") 1153 } 1154 1155 func isTLS13Suite(suiteName string) bool { 1156 return strings.HasPrefix(suiteName, "AEAD-") 1157 } 1158 1159 func isDTLSCipher(suiteName string) bool { 1160 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL") 1161 } 1162 1163 func bigFromHex(hex string) *big.Int { 1164 ret, ok := new(big.Int).SetString(hex, 16) 1165 if !ok { 1166 panic("failed to parse hex number 0x" + hex) 1167 } 1168 return ret 1169 } 1170 1171 func addBasicTests() { 1172 basicTests := []testCase{ 1173 { 1174 name: "NoFallbackSCSV", 1175 config: Config{ 1176 Bugs: ProtocolBugs{ 1177 FailIfNotFallbackSCSV: true, 1178 }, 1179 }, 1180 shouldFail: true, 1181 expectedLocalError: "no fallback SCSV found", 1182 }, 1183 { 1184 name: "SendFallbackSCSV", 1185 config: Config{ 1186 Bugs: ProtocolBugs{ 1187 FailIfNotFallbackSCSV: true, 1188 }, 1189 }, 1190 flags: []string{"-fallback-scsv"}, 1191 }, 1192 { 1193 name: "ClientCertificateTypes", 1194 config: Config{ 1195 MaxVersion: VersionTLS12, 1196 ClientAuth: RequestClientCert, 1197 ClientCertificateTypes: []byte{ 1198 CertTypeDSSSign, 1199 CertTypeRSASign, 1200 CertTypeECDSASign, 1201 }, 1202 }, 1203 flags: []string{ 1204 "-expect-certificate-types", 1205 base64.StdEncoding.EncodeToString([]byte{ 1206 CertTypeDSSSign, 1207 CertTypeRSASign, 1208 CertTypeECDSASign, 1209 }), 1210 }, 1211 }, 1212 { 1213 name: "UnauthenticatedECDH", 1214 config: Config{ 1215 MaxVersion: VersionTLS12, 1216 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1217 Bugs: ProtocolBugs{ 1218 UnauthenticatedECDH: true, 1219 }, 1220 }, 1221 shouldFail: true, 1222 expectedError: ":UNEXPECTED_MESSAGE:", 1223 }, 1224 { 1225 name: "SkipCertificateStatus", 1226 config: Config{ 1227 MaxVersion: VersionTLS12, 1228 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1229 Bugs: ProtocolBugs{ 1230 SkipCertificateStatus: true, 1231 }, 1232 }, 1233 flags: []string{ 1234 "-enable-ocsp-stapling", 1235 }, 1236 }, 1237 { 1238 name: "SkipServerKeyExchange", 1239 config: Config{ 1240 MaxVersion: VersionTLS12, 1241 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1242 Bugs: ProtocolBugs{ 1243 SkipServerKeyExchange: true, 1244 }, 1245 }, 1246 shouldFail: true, 1247 expectedError: ":UNEXPECTED_MESSAGE:", 1248 }, 1249 { 1250 testType: serverTest, 1251 name: "Alert", 1252 config: Config{ 1253 Bugs: ProtocolBugs{ 1254 SendSpuriousAlert: alertRecordOverflow, 1255 }, 1256 }, 1257 shouldFail: true, 1258 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:", 1259 }, 1260 { 1261 protocol: dtls, 1262 testType: serverTest, 1263 name: "Alert-DTLS", 1264 config: Config{ 1265 Bugs: ProtocolBugs{ 1266 SendSpuriousAlert: alertRecordOverflow, 1267 }, 1268 }, 1269 shouldFail: true, 1270 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:", 1271 }, 1272 { 1273 testType: serverTest, 1274 name: "FragmentAlert", 1275 config: Config{ 1276 Bugs: ProtocolBugs{ 1277 FragmentAlert: true, 1278 SendSpuriousAlert: alertRecordOverflow, 1279 }, 1280 }, 1281 shouldFail: true, 1282 expectedError: ":BAD_ALERT:", 1283 }, 1284 { 1285 protocol: dtls, 1286 testType: serverTest, 1287 name: "FragmentAlert-DTLS", 1288 config: Config{ 1289 Bugs: ProtocolBugs{ 1290 FragmentAlert: true, 1291 SendSpuriousAlert: alertRecordOverflow, 1292 }, 1293 }, 1294 shouldFail: true, 1295 expectedError: ":BAD_ALERT:", 1296 }, 1297 { 1298 testType: serverTest, 1299 name: "DoubleAlert", 1300 config: Config{ 1301 Bugs: ProtocolBugs{ 1302 DoubleAlert: true, 1303 SendSpuriousAlert: alertRecordOverflow, 1304 }, 1305 }, 1306 shouldFail: true, 1307 expectedError: ":BAD_ALERT:", 1308 }, 1309 { 1310 protocol: dtls, 1311 testType: serverTest, 1312 name: "DoubleAlert-DTLS", 1313 config: Config{ 1314 Bugs: ProtocolBugs{ 1315 DoubleAlert: true, 1316 SendSpuriousAlert: alertRecordOverflow, 1317 }, 1318 }, 1319 shouldFail: true, 1320 expectedError: ":BAD_ALERT:", 1321 }, 1322 { 1323 name: "SkipNewSessionTicket", 1324 config: Config{ 1325 MaxVersion: VersionTLS12, 1326 Bugs: ProtocolBugs{ 1327 SkipNewSessionTicket: true, 1328 }, 1329 }, 1330 shouldFail: true, 1331 expectedError: ":UNEXPECTED_RECORD:", 1332 }, 1333 { 1334 testType: serverTest, 1335 name: "FallbackSCSV", 1336 config: Config{ 1337 MaxVersion: VersionTLS11, 1338 Bugs: ProtocolBugs{ 1339 SendFallbackSCSV: true, 1340 }, 1341 }, 1342 shouldFail: true, 1343 expectedError: ":INAPPROPRIATE_FALLBACK:", 1344 expectedLocalError: "remote error: inappropriate fallback", 1345 }, 1346 { 1347 testType: serverTest, 1348 name: "FallbackSCSV-VersionMatch-TLS13", 1349 config: Config{ 1350 MaxVersion: VersionTLS13, 1351 Bugs: ProtocolBugs{ 1352 SendFallbackSCSV: true, 1353 }, 1354 }, 1355 }, 1356 { 1357 testType: serverTest, 1358 name: "FallbackSCSV-VersionMatch-TLS12", 1359 config: Config{ 1360 MaxVersion: VersionTLS12, 1361 Bugs: ProtocolBugs{ 1362 SendFallbackSCSV: true, 1363 }, 1364 }, 1365 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)}, 1366 }, 1367 { 1368 testType: serverTest, 1369 name: "FragmentedClientVersion", 1370 config: Config{ 1371 Bugs: ProtocolBugs{ 1372 MaxHandshakeRecordLength: 1, 1373 FragmentClientVersion: true, 1374 }, 1375 }, 1376 expectedVersion: VersionTLS13, 1377 }, 1378 { 1379 testType: serverTest, 1380 name: "HttpGET", 1381 sendPrefix: "GET / HTTP/1.0\n", 1382 shouldFail: true, 1383 expectedError: ":HTTP_REQUEST:", 1384 }, 1385 { 1386 testType: serverTest, 1387 name: "HttpPOST", 1388 sendPrefix: "POST / HTTP/1.0\n", 1389 shouldFail: true, 1390 expectedError: ":HTTP_REQUEST:", 1391 }, 1392 { 1393 testType: serverTest, 1394 name: "HttpHEAD", 1395 sendPrefix: "HEAD / HTTP/1.0\n", 1396 shouldFail: true, 1397 expectedError: ":HTTP_REQUEST:", 1398 }, 1399 { 1400 testType: serverTest, 1401 name: "HttpPUT", 1402 sendPrefix: "PUT / HTTP/1.0\n", 1403 shouldFail: true, 1404 expectedError: ":HTTP_REQUEST:", 1405 }, 1406 { 1407 testType: serverTest, 1408 name: "HttpCONNECT", 1409 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n", 1410 shouldFail: true, 1411 expectedError: ":HTTPS_PROXY_REQUEST:", 1412 }, 1413 { 1414 testType: serverTest, 1415 name: "Garbage", 1416 sendPrefix: "blah", 1417 shouldFail: true, 1418 expectedError: ":WRONG_VERSION_NUMBER:", 1419 }, 1420 { 1421 name: "RSAEphemeralKey", 1422 config: Config{ 1423 MaxVersion: VersionTLS12, 1424 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, 1425 Bugs: ProtocolBugs{ 1426 RSAEphemeralKey: true, 1427 }, 1428 }, 1429 shouldFail: true, 1430 expectedError: ":UNEXPECTED_MESSAGE:", 1431 }, 1432 { 1433 name: "DisableEverything", 1434 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"}, 1435 shouldFail: true, 1436 expectedError: ":WRONG_SSL_VERSION:", 1437 }, 1438 { 1439 protocol: dtls, 1440 name: "DisableEverything-DTLS", 1441 flags: []string{"-no-tls12", "-no-tls1"}, 1442 shouldFail: true, 1443 expectedError: ":WRONG_SSL_VERSION:", 1444 }, 1445 { 1446 protocol: dtls, 1447 testType: serverTest, 1448 name: "MTU", 1449 config: Config{ 1450 Bugs: ProtocolBugs{ 1451 MaxPacketLength: 256, 1452 }, 1453 }, 1454 flags: []string{"-mtu", "256"}, 1455 }, 1456 { 1457 protocol: dtls, 1458 testType: serverTest, 1459 name: "MTUExceeded", 1460 config: Config{ 1461 Bugs: ProtocolBugs{ 1462 MaxPacketLength: 255, 1463 }, 1464 }, 1465 flags: []string{"-mtu", "256"}, 1466 shouldFail: true, 1467 expectedLocalError: "dtls: exceeded maximum packet length", 1468 }, 1469 { 1470 name: "CertMismatchRSA", 1471 config: Config{ 1472 MaxVersion: VersionTLS12, 1473 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1474 Certificates: []Certificate{ecdsaP256Certificate}, 1475 Bugs: ProtocolBugs{ 1476 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1477 }, 1478 }, 1479 shouldFail: true, 1480 expectedError: ":WRONG_CERTIFICATE_TYPE:", 1481 }, 1482 { 1483 name: "CertMismatchECDSA", 1484 config: Config{ 1485 MaxVersion: VersionTLS12, 1486 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1487 Certificates: []Certificate{rsaCertificate}, 1488 Bugs: ProtocolBugs{ 1489 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1490 }, 1491 }, 1492 shouldFail: true, 1493 expectedError: ":WRONG_CERTIFICATE_TYPE:", 1494 }, 1495 { 1496 name: "EmptyCertificateList", 1497 config: Config{ 1498 MaxVersion: VersionTLS12, 1499 Bugs: ProtocolBugs{ 1500 EmptyCertificateList: true, 1501 }, 1502 }, 1503 shouldFail: true, 1504 expectedError: ":DECODE_ERROR:", 1505 }, 1506 { 1507 name: "EmptyCertificateList-TLS13", 1508 config: Config{ 1509 MaxVersion: VersionTLS13, 1510 Bugs: ProtocolBugs{ 1511 EmptyCertificateList: true, 1512 }, 1513 }, 1514 shouldFail: true, 1515 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:", 1516 }, 1517 { 1518 name: "TLSFatalBadPackets", 1519 damageFirstWrite: true, 1520 shouldFail: true, 1521 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 1522 }, 1523 { 1524 protocol: dtls, 1525 name: "DTLSIgnoreBadPackets", 1526 damageFirstWrite: true, 1527 }, 1528 { 1529 protocol: dtls, 1530 name: "DTLSIgnoreBadPackets-Async", 1531 damageFirstWrite: true, 1532 flags: []string{"-async"}, 1533 }, 1534 { 1535 name: "AppDataBeforeHandshake", 1536 config: Config{ 1537 Bugs: ProtocolBugs{ 1538 AppDataBeforeHandshake: []byte("TEST MESSAGE"), 1539 }, 1540 }, 1541 shouldFail: true, 1542 expectedError: ":UNEXPECTED_RECORD:", 1543 }, 1544 { 1545 name: "AppDataBeforeHandshake-Empty", 1546 config: Config{ 1547 Bugs: ProtocolBugs{ 1548 AppDataBeforeHandshake: []byte{}, 1549 }, 1550 }, 1551 shouldFail: true, 1552 expectedError: ":UNEXPECTED_RECORD:", 1553 }, 1554 { 1555 protocol: dtls, 1556 name: "AppDataBeforeHandshake-DTLS", 1557 config: Config{ 1558 Bugs: ProtocolBugs{ 1559 AppDataBeforeHandshake: []byte("TEST MESSAGE"), 1560 }, 1561 }, 1562 shouldFail: true, 1563 expectedError: ":UNEXPECTED_RECORD:", 1564 }, 1565 { 1566 protocol: dtls, 1567 name: "AppDataBeforeHandshake-DTLS-Empty", 1568 config: Config{ 1569 Bugs: ProtocolBugs{ 1570 AppDataBeforeHandshake: []byte{}, 1571 }, 1572 }, 1573 shouldFail: true, 1574 expectedError: ":UNEXPECTED_RECORD:", 1575 }, 1576 { 1577 name: "AppDataAfterChangeCipherSpec", 1578 config: Config{ 1579 MaxVersion: VersionTLS12, 1580 Bugs: ProtocolBugs{ 1581 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"), 1582 }, 1583 }, 1584 shouldFail: true, 1585 expectedError: ":UNEXPECTED_RECORD:", 1586 }, 1587 { 1588 name: "AppDataAfterChangeCipherSpec-Empty", 1589 config: Config{ 1590 MaxVersion: VersionTLS12, 1591 Bugs: ProtocolBugs{ 1592 AppDataAfterChangeCipherSpec: []byte{}, 1593 }, 1594 }, 1595 shouldFail: true, 1596 expectedError: ":UNEXPECTED_RECORD:", 1597 }, 1598 { 1599 protocol: dtls, 1600 name: "AppDataAfterChangeCipherSpec-DTLS", 1601 config: Config{ 1602 MaxVersion: VersionTLS12, 1603 Bugs: ProtocolBugs{ 1604 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"), 1605 }, 1606 }, 1607 // BoringSSL's DTLS implementation will drop the out-of-order 1608 // application data. 1609 }, 1610 { 1611 protocol: dtls, 1612 name: "AppDataAfterChangeCipherSpec-DTLS-Empty", 1613 config: Config{ 1614 MaxVersion: VersionTLS12, 1615 Bugs: ProtocolBugs{ 1616 AppDataAfterChangeCipherSpec: []byte{}, 1617 }, 1618 }, 1619 // BoringSSL's DTLS implementation will drop the out-of-order 1620 // application data. 1621 }, 1622 { 1623 name: "AlertAfterChangeCipherSpec", 1624 config: Config{ 1625 MaxVersion: VersionTLS12, 1626 Bugs: ProtocolBugs{ 1627 AlertAfterChangeCipherSpec: alertRecordOverflow, 1628 }, 1629 }, 1630 shouldFail: true, 1631 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:", 1632 }, 1633 { 1634 protocol: dtls, 1635 name: "AlertAfterChangeCipherSpec-DTLS", 1636 config: Config{ 1637 MaxVersion: VersionTLS12, 1638 Bugs: ProtocolBugs{ 1639 AlertAfterChangeCipherSpec: alertRecordOverflow, 1640 }, 1641 }, 1642 shouldFail: true, 1643 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:", 1644 }, 1645 { 1646 protocol: dtls, 1647 name: "ReorderHandshakeFragments-Small-DTLS", 1648 config: Config{ 1649 Bugs: ProtocolBugs{ 1650 ReorderHandshakeFragments: true, 1651 // Small enough that every handshake message is 1652 // fragmented. 1653 MaxHandshakeRecordLength: 2, 1654 }, 1655 }, 1656 }, 1657 { 1658 protocol: dtls, 1659 name: "ReorderHandshakeFragments-Large-DTLS", 1660 config: Config{ 1661 Bugs: ProtocolBugs{ 1662 ReorderHandshakeFragments: true, 1663 // Large enough that no handshake message is 1664 // fragmented. 1665 MaxHandshakeRecordLength: 2048, 1666 }, 1667 }, 1668 }, 1669 { 1670 protocol: dtls, 1671 name: "MixCompleteMessageWithFragments-DTLS", 1672 config: Config{ 1673 Bugs: ProtocolBugs{ 1674 ReorderHandshakeFragments: true, 1675 MixCompleteMessageWithFragments: true, 1676 MaxHandshakeRecordLength: 2, 1677 }, 1678 }, 1679 }, 1680 { 1681 name: "SendInvalidRecordType", 1682 config: Config{ 1683 Bugs: ProtocolBugs{ 1684 SendInvalidRecordType: true, 1685 }, 1686 }, 1687 shouldFail: true, 1688 expectedError: ":UNEXPECTED_RECORD:", 1689 }, 1690 { 1691 protocol: dtls, 1692 name: "SendInvalidRecordType-DTLS", 1693 config: Config{ 1694 Bugs: ProtocolBugs{ 1695 SendInvalidRecordType: true, 1696 }, 1697 }, 1698 shouldFail: true, 1699 expectedError: ":UNEXPECTED_RECORD:", 1700 }, 1701 { 1702 name: "FalseStart-SkipServerSecondLeg", 1703 config: Config{ 1704 MaxVersion: VersionTLS12, 1705 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1706 NextProtos: []string{"foo"}, 1707 Bugs: ProtocolBugs{ 1708 SkipNewSessionTicket: true, 1709 SkipChangeCipherSpec: true, 1710 SkipFinished: true, 1711 ExpectFalseStart: true, 1712 }, 1713 }, 1714 flags: []string{ 1715 "-false-start", 1716 "-handshake-never-done", 1717 "-advertise-alpn", "\x03foo", 1718 }, 1719 shimWritesFirst: true, 1720 shouldFail: true, 1721 expectedError: ":UNEXPECTED_RECORD:", 1722 }, 1723 { 1724 name: "FalseStart-SkipServerSecondLeg-Implicit", 1725 config: Config{ 1726 MaxVersion: VersionTLS12, 1727 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1728 NextProtos: []string{"foo"}, 1729 Bugs: ProtocolBugs{ 1730 SkipNewSessionTicket: true, 1731 SkipChangeCipherSpec: true, 1732 SkipFinished: true, 1733 }, 1734 }, 1735 flags: []string{ 1736 "-implicit-handshake", 1737 "-false-start", 1738 "-handshake-never-done", 1739 "-advertise-alpn", "\x03foo", 1740 }, 1741 shouldFail: true, 1742 expectedError: ":UNEXPECTED_RECORD:", 1743 }, 1744 { 1745 testType: serverTest, 1746 name: "FailEarlyCallback", 1747 flags: []string{"-fail-early-callback"}, 1748 shouldFail: true, 1749 expectedError: ":CONNECTION_REJECTED:", 1750 expectedLocalError: "remote error: handshake failure", 1751 }, 1752 { 1753 name: "FailCertCallback-Client-TLS12", 1754 config: Config{ 1755 MaxVersion: VersionTLS12, 1756 ClientAuth: RequestClientCert, 1757 }, 1758 flags: []string{"-fail-cert-callback"}, 1759 shouldFail: true, 1760 expectedError: ":CERT_CB_ERROR:", 1761 expectedLocalError: "remote error: internal error", 1762 }, 1763 { 1764 testType: serverTest, 1765 name: "FailCertCallback-Server-TLS12", 1766 config: Config{ 1767 MaxVersion: VersionTLS12, 1768 }, 1769 flags: []string{"-fail-cert-callback"}, 1770 shouldFail: true, 1771 expectedError: ":CERT_CB_ERROR:", 1772 expectedLocalError: "remote error: internal error", 1773 }, 1774 { 1775 name: "FailCertCallback-Client-TLS13", 1776 config: Config{ 1777 MaxVersion: VersionTLS13, 1778 ClientAuth: RequestClientCert, 1779 }, 1780 flags: []string{"-fail-cert-callback"}, 1781 shouldFail: true, 1782 expectedError: ":CERT_CB_ERROR:", 1783 expectedLocalError: "remote error: internal error", 1784 }, 1785 { 1786 testType: serverTest, 1787 name: "FailCertCallback-Server-TLS13", 1788 config: Config{ 1789 MaxVersion: VersionTLS13, 1790 }, 1791 flags: []string{"-fail-cert-callback"}, 1792 shouldFail: true, 1793 expectedError: ":CERT_CB_ERROR:", 1794 expectedLocalError: "remote error: internal error", 1795 }, 1796 { 1797 protocol: dtls, 1798 name: "FragmentMessageTypeMismatch-DTLS", 1799 config: Config{ 1800 Bugs: ProtocolBugs{ 1801 MaxHandshakeRecordLength: 2, 1802 FragmentMessageTypeMismatch: true, 1803 }, 1804 }, 1805 shouldFail: true, 1806 expectedError: ":FRAGMENT_MISMATCH:", 1807 }, 1808 { 1809 protocol: dtls, 1810 name: "FragmentMessageLengthMismatch-DTLS", 1811 config: Config{ 1812 Bugs: ProtocolBugs{ 1813 MaxHandshakeRecordLength: 2, 1814 FragmentMessageLengthMismatch: true, 1815 }, 1816 }, 1817 shouldFail: true, 1818 expectedError: ":FRAGMENT_MISMATCH:", 1819 }, 1820 { 1821 protocol: dtls, 1822 name: "SplitFragments-Header-DTLS", 1823 config: Config{ 1824 Bugs: ProtocolBugs{ 1825 SplitFragments: 2, 1826 }, 1827 }, 1828 shouldFail: true, 1829 expectedError: ":BAD_HANDSHAKE_RECORD:", 1830 }, 1831 { 1832 protocol: dtls, 1833 name: "SplitFragments-Boundary-DTLS", 1834 config: Config{ 1835 Bugs: ProtocolBugs{ 1836 SplitFragments: dtlsRecordHeaderLen, 1837 }, 1838 }, 1839 shouldFail: true, 1840 expectedError: ":BAD_HANDSHAKE_RECORD:", 1841 }, 1842 { 1843 protocol: dtls, 1844 name: "SplitFragments-Body-DTLS", 1845 config: Config{ 1846 Bugs: ProtocolBugs{ 1847 SplitFragments: dtlsRecordHeaderLen + 1, 1848 }, 1849 }, 1850 shouldFail: true, 1851 expectedError: ":BAD_HANDSHAKE_RECORD:", 1852 }, 1853 { 1854 protocol: dtls, 1855 name: "SendEmptyFragments-DTLS", 1856 config: Config{ 1857 Bugs: ProtocolBugs{ 1858 SendEmptyFragments: true, 1859 }, 1860 }, 1861 }, 1862 { 1863 name: "BadFinished-Client", 1864 config: Config{ 1865 MaxVersion: VersionTLS12, 1866 Bugs: ProtocolBugs{ 1867 BadFinished: true, 1868 }, 1869 }, 1870 shouldFail: true, 1871 expectedError: ":DIGEST_CHECK_FAILED:", 1872 }, 1873 { 1874 name: "BadFinished-Client-TLS13", 1875 config: Config{ 1876 MaxVersion: VersionTLS13, 1877 Bugs: ProtocolBugs{ 1878 BadFinished: true, 1879 }, 1880 }, 1881 shouldFail: true, 1882 expectedError: ":DIGEST_CHECK_FAILED:", 1883 }, 1884 { 1885 testType: serverTest, 1886 name: "BadFinished-Server", 1887 config: Config{ 1888 MaxVersion: VersionTLS12, 1889 Bugs: ProtocolBugs{ 1890 BadFinished: true, 1891 }, 1892 }, 1893 shouldFail: true, 1894 expectedError: ":DIGEST_CHECK_FAILED:", 1895 }, 1896 { 1897 testType: serverTest, 1898 name: "BadFinished-Server-TLS13", 1899 config: Config{ 1900 MaxVersion: VersionTLS13, 1901 Bugs: ProtocolBugs{ 1902 BadFinished: true, 1903 }, 1904 }, 1905 shouldFail: true, 1906 expectedError: ":DIGEST_CHECK_FAILED:", 1907 }, 1908 { 1909 name: "FalseStart-BadFinished", 1910 config: Config{ 1911 MaxVersion: VersionTLS12, 1912 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1913 NextProtos: []string{"foo"}, 1914 Bugs: ProtocolBugs{ 1915 BadFinished: true, 1916 ExpectFalseStart: true, 1917 }, 1918 }, 1919 flags: []string{ 1920 "-false-start", 1921 "-handshake-never-done", 1922 "-advertise-alpn", "\x03foo", 1923 }, 1924 shimWritesFirst: true, 1925 shouldFail: true, 1926 expectedError: ":DIGEST_CHECK_FAILED:", 1927 }, 1928 { 1929 name: "NoFalseStart-NoALPN", 1930 config: Config{ 1931 MaxVersion: VersionTLS12, 1932 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 1933 Bugs: ProtocolBugs{ 1934 ExpectFalseStart: true, 1935 AlertBeforeFalseStartTest: alertAccessDenied, 1936 }, 1937 }, 1938 flags: []string{ 1939 "-false-start", 1940 }, 1941 shimWritesFirst: true, 1942 shouldFail: true, 1943 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", 1944 expectedLocalError: "tls: peer did not false start: EOF", 1945 }, 1946 { 1947 name: "NoFalseStart-NoAEAD", 1948 config: Config{ 1949 MaxVersion: VersionTLS12, 1950 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 1951 NextProtos: []string{"foo"}, 1952 Bugs: ProtocolBugs{ 1953 ExpectFalseStart: true, 1954 AlertBeforeFalseStartTest: alertAccessDenied, 1955 }, 1956 }, 1957 flags: []string{ 1958 "-false-start", 1959 "-advertise-alpn", "\x03foo", 1960 }, 1961 shimWritesFirst: true, 1962 shouldFail: true, 1963 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", 1964 expectedLocalError: "tls: peer did not false start: EOF", 1965 }, 1966 { 1967 name: "NoFalseStart-RSA", 1968 config: Config{ 1969 MaxVersion: VersionTLS12, 1970 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1971 NextProtos: []string{"foo"}, 1972 Bugs: ProtocolBugs{ 1973 ExpectFalseStart: true, 1974 AlertBeforeFalseStartTest: alertAccessDenied, 1975 }, 1976 }, 1977 flags: []string{ 1978 "-false-start", 1979 "-advertise-alpn", "\x03foo", 1980 }, 1981 shimWritesFirst: true, 1982 shouldFail: true, 1983 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", 1984 expectedLocalError: "tls: peer did not false start: EOF", 1985 }, 1986 { 1987 protocol: dtls, 1988 name: "SendSplitAlert-Sync", 1989 config: Config{ 1990 Bugs: ProtocolBugs{ 1991 SendSplitAlert: true, 1992 }, 1993 }, 1994 }, 1995 { 1996 protocol: dtls, 1997 name: "SendSplitAlert-Async", 1998 config: Config{ 1999 Bugs: ProtocolBugs{ 2000 SendSplitAlert: true, 2001 }, 2002 }, 2003 flags: []string{"-async"}, 2004 }, 2005 { 2006 protocol: dtls, 2007 name: "PackDTLSHandshake", 2008 config: Config{ 2009 Bugs: ProtocolBugs{ 2010 MaxHandshakeRecordLength: 2, 2011 PackHandshakeFragments: 20, 2012 PackHandshakeRecords: 200, 2013 }, 2014 }, 2015 }, 2016 { 2017 name: "SendEmptyRecords-Pass", 2018 sendEmptyRecords: 32, 2019 }, 2020 { 2021 name: "SendEmptyRecords", 2022 sendEmptyRecords: 33, 2023 shouldFail: true, 2024 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:", 2025 }, 2026 { 2027 name: "SendEmptyRecords-Async", 2028 sendEmptyRecords: 33, 2029 flags: []string{"-async"}, 2030 shouldFail: true, 2031 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:", 2032 }, 2033 { 2034 name: "SendWarningAlerts-Pass", 2035 config: Config{ 2036 MaxVersion: VersionTLS12, 2037 }, 2038 sendWarningAlerts: 4, 2039 }, 2040 { 2041 protocol: dtls, 2042 name: "SendWarningAlerts-DTLS-Pass", 2043 config: Config{ 2044 MaxVersion: VersionTLS12, 2045 }, 2046 sendWarningAlerts: 4, 2047 }, 2048 { 2049 name: "SendWarningAlerts-TLS13", 2050 config: Config{ 2051 MaxVersion: VersionTLS13, 2052 }, 2053 sendWarningAlerts: 4, 2054 shouldFail: true, 2055 expectedError: ":BAD_ALERT:", 2056 expectedLocalError: "remote error: error decoding message", 2057 }, 2058 { 2059 name: "SendWarningAlerts", 2060 config: Config{ 2061 MaxVersion: VersionTLS12, 2062 }, 2063 sendWarningAlerts: 5, 2064 shouldFail: true, 2065 expectedError: ":TOO_MANY_WARNING_ALERTS:", 2066 }, 2067 { 2068 name: "SendWarningAlerts-Async", 2069 config: Config{ 2070 MaxVersion: VersionTLS12, 2071 }, 2072 sendWarningAlerts: 5, 2073 flags: []string{"-async"}, 2074 shouldFail: true, 2075 expectedError: ":TOO_MANY_WARNING_ALERTS:", 2076 }, 2077 { 2078 name: "TooManyKeyUpdates", 2079 config: Config{ 2080 MaxVersion: VersionTLS13, 2081 }, 2082 sendKeyUpdates: 33, 2083 keyUpdateRequest: keyUpdateNotRequested, 2084 shouldFail: true, 2085 expectedError: ":TOO_MANY_KEY_UPDATES:", 2086 }, 2087 { 2088 name: "EmptySessionID", 2089 config: Config{ 2090 MaxVersion: VersionTLS12, 2091 SessionTicketsDisabled: true, 2092 }, 2093 noSessionCache: true, 2094 flags: []string{"-expect-no-session"}, 2095 }, 2096 { 2097 name: "Unclean-Shutdown", 2098 config: Config{ 2099 Bugs: ProtocolBugs{ 2100 NoCloseNotify: true, 2101 ExpectCloseNotify: true, 2102 }, 2103 }, 2104 shimShutsDown: true, 2105 flags: []string{"-check-close-notify"}, 2106 shouldFail: true, 2107 expectedError: "Unexpected SSL_shutdown result: -1 != 1", 2108 }, 2109 { 2110 name: "Unclean-Shutdown-Ignored", 2111 config: Config{ 2112 Bugs: ProtocolBugs{ 2113 NoCloseNotify: true, 2114 }, 2115 }, 2116 shimShutsDown: true, 2117 }, 2118 { 2119 name: "Unclean-Shutdown-Alert", 2120 config: Config{ 2121 Bugs: ProtocolBugs{ 2122 SendAlertOnShutdown: alertDecompressionFailure, 2123 ExpectCloseNotify: true, 2124 }, 2125 }, 2126 shimShutsDown: true, 2127 flags: []string{"-check-close-notify"}, 2128 shouldFail: true, 2129 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:", 2130 }, 2131 { 2132 name: "LargePlaintext", 2133 config: Config{ 2134 Bugs: ProtocolBugs{ 2135 SendLargeRecords: true, 2136 }, 2137 }, 2138 messageLen: maxPlaintext + 1, 2139 shouldFail: true, 2140 expectedError: ":DATA_LENGTH_TOO_LONG:", 2141 }, 2142 { 2143 protocol: dtls, 2144 name: "LargePlaintext-DTLS", 2145 config: Config{ 2146 Bugs: ProtocolBugs{ 2147 SendLargeRecords: true, 2148 }, 2149 }, 2150 messageLen: maxPlaintext + 1, 2151 shouldFail: true, 2152 expectedError: ":DATA_LENGTH_TOO_LONG:", 2153 }, 2154 { 2155 name: "LargeCiphertext", 2156 config: Config{ 2157 Bugs: ProtocolBugs{ 2158 SendLargeRecords: true, 2159 }, 2160 }, 2161 messageLen: maxPlaintext * 2, 2162 shouldFail: true, 2163 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:", 2164 }, 2165 { 2166 protocol: dtls, 2167 name: "LargeCiphertext-DTLS", 2168 config: Config{ 2169 Bugs: ProtocolBugs{ 2170 SendLargeRecords: true, 2171 }, 2172 }, 2173 messageLen: maxPlaintext * 2, 2174 // Unlike the other four cases, DTLS drops records which 2175 // are invalid before authentication, so the connection 2176 // does not fail. 2177 expectMessageDropped: true, 2178 }, 2179 { 2180 name: "BadHelloRequest-1", 2181 renegotiate: 1, 2182 config: Config{ 2183 MaxVersion: VersionTLS12, 2184 Bugs: ProtocolBugs{ 2185 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1}, 2186 }, 2187 }, 2188 flags: []string{ 2189 "-renegotiate-freely", 2190 "-expect-total-renegotiations", "1", 2191 }, 2192 shouldFail: true, 2193 expectedError: ":EXCESSIVE_MESSAGE_SIZE:", 2194 }, 2195 { 2196 name: "BadHelloRequest-2", 2197 renegotiate: 1, 2198 config: Config{ 2199 MaxVersion: VersionTLS12, 2200 Bugs: ProtocolBugs{ 2201 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0}, 2202 }, 2203 }, 2204 flags: []string{ 2205 "-renegotiate-freely", 2206 "-expect-total-renegotiations", "1", 2207 }, 2208 shouldFail: true, 2209 expectedError: ":BAD_HELLO_REQUEST:", 2210 }, 2211 { 2212 testType: serverTest, 2213 name: "SupportTicketsWithSessionID", 2214 config: Config{ 2215 MaxVersion: VersionTLS12, 2216 SessionTicketsDisabled: true, 2217 }, 2218 resumeConfig: &Config{ 2219 MaxVersion: VersionTLS12, 2220 }, 2221 resumeSession: true, 2222 }, 2223 { 2224 protocol: dtls, 2225 name: "DTLS-SendExtraFinished", 2226 config: Config{ 2227 Bugs: ProtocolBugs{ 2228 SendExtraFinished: true, 2229 }, 2230 }, 2231 shouldFail: true, 2232 expectedError: ":UNEXPECTED_RECORD:", 2233 }, 2234 { 2235 protocol: dtls, 2236 name: "DTLS-SendExtraFinished-Reordered", 2237 config: Config{ 2238 Bugs: ProtocolBugs{ 2239 MaxHandshakeRecordLength: 2, 2240 ReorderHandshakeFragments: true, 2241 SendExtraFinished: true, 2242 }, 2243 }, 2244 shouldFail: true, 2245 expectedError: ":UNEXPECTED_RECORD:", 2246 }, 2247 { 2248 testType: serverTest, 2249 name: "V2ClientHello-EmptyRecordPrefix", 2250 config: Config{ 2251 // Choose a cipher suite that does not involve 2252 // elliptic curves, so no extensions are 2253 // involved. 2254 MaxVersion: VersionTLS12, 2255 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 2256 Bugs: ProtocolBugs{ 2257 SendV2ClientHello: true, 2258 }, 2259 }, 2260 sendPrefix: string([]byte{ 2261 byte(recordTypeHandshake), 2262 3, 1, // version 2263 0, 0, // length 2264 }), 2265 // A no-op empty record may not be sent before V2ClientHello. 2266 shouldFail: true, 2267 expectedError: ":WRONG_VERSION_NUMBER:", 2268 }, 2269 { 2270 testType: serverTest, 2271 name: "V2ClientHello-WarningAlertPrefix", 2272 config: Config{ 2273 // Choose a cipher suite that does not involve 2274 // elliptic curves, so no extensions are 2275 // involved. 2276 MaxVersion: VersionTLS12, 2277 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 2278 Bugs: ProtocolBugs{ 2279 SendV2ClientHello: true, 2280 }, 2281 }, 2282 sendPrefix: string([]byte{ 2283 byte(recordTypeAlert), 2284 3, 1, // version 2285 0, 2, // length 2286 alertLevelWarning, byte(alertDecompressionFailure), 2287 }), 2288 // A no-op warning alert may not be sent before V2ClientHello. 2289 shouldFail: true, 2290 expectedError: ":WRONG_VERSION_NUMBER:", 2291 }, 2292 { 2293 name: "KeyUpdate-Client", 2294 config: Config{ 2295 MaxVersion: VersionTLS13, 2296 }, 2297 sendKeyUpdates: 1, 2298 keyUpdateRequest: keyUpdateNotRequested, 2299 }, 2300 { 2301 testType: serverTest, 2302 name: "KeyUpdate-Server", 2303 config: Config{ 2304 MaxVersion: VersionTLS13, 2305 }, 2306 sendKeyUpdates: 1, 2307 keyUpdateRequest: keyUpdateNotRequested, 2308 }, 2309 { 2310 name: "KeyUpdate-InvalidRequestMode", 2311 config: Config{ 2312 MaxVersion: VersionTLS13, 2313 }, 2314 sendKeyUpdates: 1, 2315 keyUpdateRequest: 42, 2316 shouldFail: true, 2317 expectedError: ":DECODE_ERROR:", 2318 }, 2319 { 2320 name: "SendSNIWarningAlert", 2321 config: Config{ 2322 MaxVersion: VersionTLS12, 2323 Bugs: ProtocolBugs{ 2324 SendSNIWarningAlert: true, 2325 }, 2326 }, 2327 }, 2328 { 2329 testType: serverTest, 2330 name: "ExtraCompressionMethods-TLS12", 2331 config: Config{ 2332 MaxVersion: VersionTLS12, 2333 Bugs: ProtocolBugs{ 2334 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6}, 2335 }, 2336 }, 2337 }, 2338 { 2339 testType: serverTest, 2340 name: "ExtraCompressionMethods-TLS13", 2341 config: Config{ 2342 MaxVersion: VersionTLS13, 2343 Bugs: ProtocolBugs{ 2344 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6}, 2345 }, 2346 }, 2347 shouldFail: true, 2348 expectedError: ":INVALID_COMPRESSION_LIST:", 2349 expectedLocalError: "remote error: illegal parameter", 2350 }, 2351 { 2352 testType: serverTest, 2353 name: "NoNullCompression-TLS12", 2354 config: Config{ 2355 MaxVersion: VersionTLS12, 2356 Bugs: ProtocolBugs{ 2357 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6}, 2358 }, 2359 }, 2360 shouldFail: true, 2361 expectedError: ":INVALID_COMPRESSION_LIST:", 2362 expectedLocalError: "remote error: illegal parameter", 2363 }, 2364 { 2365 testType: serverTest, 2366 name: "NoNullCompression-TLS13", 2367 config: Config{ 2368 MaxVersion: VersionTLS13, 2369 Bugs: ProtocolBugs{ 2370 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6}, 2371 }, 2372 }, 2373 shouldFail: true, 2374 expectedError: ":INVALID_COMPRESSION_LIST:", 2375 expectedLocalError: "remote error: illegal parameter", 2376 }, 2377 { 2378 name: "GREASE-Client-TLS12", 2379 config: Config{ 2380 MaxVersion: VersionTLS12, 2381 Bugs: ProtocolBugs{ 2382 ExpectGREASE: true, 2383 }, 2384 }, 2385 flags: []string{"-enable-grease"}, 2386 }, 2387 { 2388 name: "GREASE-Client-TLS13", 2389 config: Config{ 2390 MaxVersion: VersionTLS13, 2391 Bugs: ProtocolBugs{ 2392 ExpectGREASE: true, 2393 }, 2394 }, 2395 flags: []string{"-enable-grease"}, 2396 }, 2397 { 2398 testType: serverTest, 2399 name: "GREASE-Server-TLS13", 2400 config: Config{ 2401 MaxVersion: VersionTLS13, 2402 Bugs: ProtocolBugs{ 2403 // TLS 1.3 servers are expected to 2404 // always enable GREASE. TLS 1.3 is new, 2405 // so there is no existing ecosystem to 2406 // worry about. 2407 ExpectGREASE: true, 2408 }, 2409 }, 2410 }, 2411 { 2412 // Test the server so there is a large certificate as 2413 // well as application data. 2414 testType: serverTest, 2415 name: "MaxSendFragment", 2416 config: Config{ 2417 Bugs: ProtocolBugs{ 2418 MaxReceivePlaintext: 512, 2419 }, 2420 }, 2421 messageLen: 1024, 2422 flags: []string{ 2423 "-max-send-fragment", "512", 2424 "-read-size", "1024", 2425 }, 2426 }, 2427 { 2428 // Test the server so there is a large certificate as 2429 // well as application data. 2430 testType: serverTest, 2431 name: "MaxSendFragment-TooLarge", 2432 config: Config{ 2433 Bugs: ProtocolBugs{ 2434 // Ensure that some of the records are 2435 // 512. 2436 MaxReceivePlaintext: 511, 2437 }, 2438 }, 2439 messageLen: 1024, 2440 flags: []string{ 2441 "-max-send-fragment", "512", 2442 "-read-size", "1024", 2443 }, 2444 shouldFail: true, 2445 expectedLocalError: "local error: record overflow", 2446 }, 2447 } 2448 testCases = append(testCases, basicTests...) 2449 2450 if *includeDHE { 2451 testCases = append(testCases, testCase{ 2452 name: "NoFalseStart-DHE_RSA", 2453 config: Config{ 2454 MaxVersion: VersionTLS12, 2455 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, 2456 NextProtos: []string{"foo"}, 2457 Bugs: ProtocolBugs{ 2458 ExpectFalseStart: true, 2459 AlertBeforeFalseStartTest: alertAccessDenied, 2460 }, 2461 }, 2462 flags: []string{ 2463 "-false-start", 2464 "-advertise-alpn", "\x03foo", 2465 }, 2466 shimWritesFirst: true, 2467 shouldFail: true, 2468 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", 2469 expectedLocalError: "tls: peer did not false start: EOF", 2470 }) 2471 } 2472 2473 // Test that very large messages can be received. 2474 cert := rsaCertificate 2475 for i := 0; i < 50; i++ { 2476 cert.Certificate = append(cert.Certificate, cert.Certificate[0]) 2477 } 2478 testCases = append(testCases, testCase{ 2479 name: "LargeMessage", 2480 config: Config{ 2481 Certificates: []Certificate{cert}, 2482 }, 2483 }) 2484 testCases = append(testCases, testCase{ 2485 protocol: dtls, 2486 name: "LargeMessage-DTLS", 2487 config: Config{ 2488 Certificates: []Certificate{cert}, 2489 }, 2490 }) 2491 2492 // They are rejected if the maximum certificate chain length is capped. 2493 testCases = append(testCases, testCase{ 2494 name: "LargeMessage-Reject", 2495 config: Config{ 2496 Certificates: []Certificate{cert}, 2497 }, 2498 flags: []string{"-max-cert-list", "16384"}, 2499 shouldFail: true, 2500 expectedError: ":EXCESSIVE_MESSAGE_SIZE:", 2501 }) 2502 testCases = append(testCases, testCase{ 2503 protocol: dtls, 2504 name: "LargeMessage-Reject-DTLS", 2505 config: Config{ 2506 Certificates: []Certificate{cert}, 2507 }, 2508 flags: []string{"-max-cert-list", "16384"}, 2509 shouldFail: true, 2510 expectedError: ":EXCESSIVE_MESSAGE_SIZE:", 2511 }) 2512 } 2513 2514 func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) { 2515 const psk = "12345" 2516 const pskIdentity = "luggage combo" 2517 2518 var prefix string 2519 if protocol == dtls { 2520 if !ver.hasDTLS { 2521 return 2522 } 2523 prefix = "D" 2524 } 2525 2526 var cert Certificate 2527 var certFile string 2528 var keyFile string 2529 if hasComponent(suite.name, "ECDSA") { 2530 cert = ecdsaP256Certificate 2531 certFile = ecdsaP256CertificateFile 2532 keyFile = ecdsaP256KeyFile 2533 } else { 2534 cert = rsaCertificate 2535 certFile = rsaCertificateFile 2536 keyFile = rsaKeyFile 2537 } 2538 2539 var flags []string 2540 if hasComponent(suite.name, "PSK") { 2541 flags = append(flags, 2542 "-psk", psk, 2543 "-psk-identity", pskIdentity) 2544 } 2545 if hasComponent(suite.name, "NULL") { 2546 // NULL ciphers must be explicitly enabled. 2547 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA") 2548 } 2549 2550 var shouldServerFail, shouldClientFail bool 2551 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 { 2552 // BoringSSL clients accept ECDHE on SSLv3, but 2553 // a BoringSSL server will never select it 2554 // because the extension is missing. 2555 shouldServerFail = true 2556 } 2557 if isTLS12Only(suite.name) && ver.version < VersionTLS12 { 2558 shouldClientFail = true 2559 shouldServerFail = true 2560 } 2561 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 { 2562 shouldClientFail = true 2563 shouldServerFail = true 2564 } 2565 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 { 2566 shouldClientFail = true 2567 shouldServerFail = true 2568 } 2569 if !isDTLSCipher(suite.name) && protocol == dtls { 2570 shouldClientFail = true 2571 shouldServerFail = true 2572 } 2573 2574 var sendCipherSuite uint16 2575 var expectedServerError, expectedClientError string 2576 serverCipherSuites := []uint16{suite.id} 2577 if shouldServerFail { 2578 expectedServerError = ":NO_SHARED_CIPHER:" 2579 } 2580 if shouldClientFail { 2581 expectedClientError = ":WRONG_CIPHER_RETURNED:" 2582 // Configure the server to select ciphers as normal but 2583 // select an incompatible cipher in ServerHello. 2584 serverCipherSuites = nil 2585 sendCipherSuite = suite.id 2586 } 2587 2588 // For cipher suites and versions where exporters are defined, verify 2589 // that they interoperate. 2590 var exportKeyingMaterial int 2591 if ver.version > VersionSSL30 { 2592 exportKeyingMaterial = 1024 2593 } 2594 2595 testCases = append(testCases, testCase{ 2596 testType: serverTest, 2597 protocol: protocol, 2598 name: prefix + ver.name + "-" + suite.name + "-server", 2599 config: Config{ 2600 MinVersion: ver.version, 2601 MaxVersion: ver.version, 2602 CipherSuites: []uint16{suite.id}, 2603 Certificates: []Certificate{cert}, 2604 PreSharedKey: []byte(psk), 2605 PreSharedKeyIdentity: pskIdentity, 2606 Bugs: ProtocolBugs{ 2607 AdvertiseAllConfiguredCiphers: true, 2608 }, 2609 }, 2610 certFile: certFile, 2611 keyFile: keyFile, 2612 flags: flags, 2613 resumeSession: true, 2614 shouldFail: shouldServerFail, 2615 expectedError: expectedServerError, 2616 exportKeyingMaterial: exportKeyingMaterial, 2617 }) 2618 2619 testCases = append(testCases, testCase{ 2620 testType: clientTest, 2621 protocol: protocol, 2622 name: prefix + ver.name + "-" + suite.name + "-client", 2623 config: Config{ 2624 MinVersion: ver.version, 2625 MaxVersion: ver.version, 2626 CipherSuites: serverCipherSuites, 2627 Certificates: []Certificate{cert}, 2628 PreSharedKey: []byte(psk), 2629 PreSharedKeyIdentity: pskIdentity, 2630 Bugs: ProtocolBugs{ 2631 IgnorePeerCipherPreferences: shouldClientFail, 2632 SendCipherSuite: sendCipherSuite, 2633 }, 2634 }, 2635 flags: flags, 2636 resumeSession: true, 2637 shouldFail: shouldClientFail, 2638 expectedError: expectedClientError, 2639 exportKeyingMaterial: exportKeyingMaterial, 2640 }) 2641 2642 if shouldClientFail { 2643 return 2644 } 2645 2646 // Ensure the maximum record size is accepted. 2647 testCases = append(testCases, testCase{ 2648 protocol: protocol, 2649 name: prefix + ver.name + "-" + suite.name + "-LargeRecord", 2650 config: Config{ 2651 MinVersion: ver.version, 2652 MaxVersion: ver.version, 2653 CipherSuites: []uint16{suite.id}, 2654 Certificates: []Certificate{cert}, 2655 PreSharedKey: []byte(psk), 2656 PreSharedKeyIdentity: pskIdentity, 2657 }, 2658 flags: flags, 2659 messageLen: maxPlaintext, 2660 }) 2661 2662 // Test bad records for all ciphers. Bad records are fatal in TLS 2663 // and ignored in DTLS. 2664 var shouldFail bool 2665 var expectedError string 2666 if protocol == tls { 2667 shouldFail = true 2668 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:" 2669 } 2670 2671 testCases = append(testCases, testCase{ 2672 protocol: protocol, 2673 name: prefix + ver.name + "-" + suite.name + "-BadRecord", 2674 config: Config{ 2675 MinVersion: ver.version, 2676 MaxVersion: ver.version, 2677 CipherSuites: []uint16{suite.id}, 2678 Certificates: []Certificate{cert}, 2679 PreSharedKey: []byte(psk), 2680 PreSharedKeyIdentity: pskIdentity, 2681 }, 2682 flags: flags, 2683 damageFirstWrite: true, 2684 messageLen: maxPlaintext, 2685 shouldFail: shouldFail, 2686 expectedError: expectedError, 2687 }) 2688 } 2689 2690 func addCipherSuiteTests() { 2691 const bogusCipher = 0xfe00 2692 2693 if *includeDHE { 2694 testCipherSuites = append(testCipherSuites, []testCipherSuite{ 2695 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, 2696 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, 2697 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}, 2698 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}, 2699 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, 2700 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256}, 2701 }...) 2702 } 2703 2704 for _, suite := range testCipherSuites { 2705 for _, ver := range tlsVersions { 2706 for _, protocol := range []protocol{tls, dtls} { 2707 addTestForCipherSuite(suite, ver, protocol) 2708 } 2709 } 2710 } 2711 2712 testCases = append(testCases, testCase{ 2713 name: "NoSharedCipher", 2714 config: Config{ 2715 MaxVersion: VersionTLS12, 2716 CipherSuites: []uint16{}, 2717 }, 2718 shouldFail: true, 2719 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:", 2720 }) 2721 2722 testCases = append(testCases, testCase{ 2723 name: "NoSharedCipher-TLS13", 2724 config: Config{ 2725 MaxVersion: VersionTLS13, 2726 CipherSuites: []uint16{}, 2727 }, 2728 shouldFail: true, 2729 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:", 2730 }) 2731 2732 testCases = append(testCases, testCase{ 2733 name: "UnsupportedCipherSuite", 2734 config: Config{ 2735 MaxVersion: VersionTLS12, 2736 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, 2737 Bugs: ProtocolBugs{ 2738 IgnorePeerCipherPreferences: true, 2739 }, 2740 }, 2741 flags: []string{"-cipher", "DEFAULT:!AES"}, 2742 shouldFail: true, 2743 expectedError: ":WRONG_CIPHER_RETURNED:", 2744 }) 2745 2746 testCases = append(testCases, testCase{ 2747 name: "ServerHelloBogusCipher", 2748 config: Config{ 2749 MaxVersion: VersionTLS12, 2750 Bugs: ProtocolBugs{ 2751 SendCipherSuite: bogusCipher, 2752 }, 2753 }, 2754 shouldFail: true, 2755 expectedError: ":UNKNOWN_CIPHER_RETURNED:", 2756 }) 2757 testCases = append(testCases, testCase{ 2758 name: "ServerHelloBogusCipher-TLS13", 2759 config: Config{ 2760 MaxVersion: VersionTLS13, 2761 Bugs: ProtocolBugs{ 2762 SendCipherSuite: bogusCipher, 2763 }, 2764 }, 2765 shouldFail: true, 2766 expectedError: ":UNKNOWN_CIPHER_RETURNED:", 2767 }) 2768 2769 if *includeDHE { 2770 testCases = append(testCases, testCase{ 2771 name: "WeakDH", 2772 config: Config{ 2773 MaxVersion: VersionTLS12, 2774 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, 2775 Bugs: ProtocolBugs{ 2776 // This is a 1023-bit prime number, generated 2777 // with: 2778 // openssl gendh 1023 | openssl asn1parse -i 2779 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"), 2780 }, 2781 }, 2782 shouldFail: true, 2783 expectedError: ":BAD_DH_P_LENGTH:", 2784 }) 2785 2786 testCases = append(testCases, testCase{ 2787 name: "SillyDH", 2788 config: Config{ 2789 MaxVersion: VersionTLS12, 2790 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, 2791 Bugs: ProtocolBugs{ 2792 // This is a 4097-bit prime number, generated 2793 // with: 2794 // openssl gendh 4097 | openssl asn1parse -i 2795 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"), 2796 }, 2797 }, 2798 shouldFail: true, 2799 expectedError: ":DH_P_TOO_LONG:", 2800 }) 2801 2802 // This test ensures that Diffie-Hellman public values are padded with 2803 // zeros so that they're the same length as the prime. This is to avoid 2804 // hitting a bug in yaSSL. 2805 testCases = append(testCases, testCase{ 2806 testType: serverTest, 2807 name: "DHPublicValuePadded", 2808 config: Config{ 2809 MaxVersion: VersionTLS12, 2810 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, 2811 Bugs: ProtocolBugs{ 2812 RequireDHPublicValueLen: (1025 + 7) / 8, 2813 }, 2814 }, 2815 flags: []string{"-use-sparse-dh-prime"}, 2816 }) 2817 } 2818 2819 // The server must be tolerant to bogus ciphers. 2820 testCases = append(testCases, testCase{ 2821 testType: serverTest, 2822 name: "UnknownCipher", 2823 config: Config{ 2824 MaxVersion: VersionTLS12, 2825 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 2826 Bugs: ProtocolBugs{ 2827 AdvertiseAllConfiguredCiphers: true, 2828 }, 2829 }, 2830 }) 2831 2832 // The server must be tolerant to bogus ciphers. 2833 testCases = append(testCases, testCase{ 2834 testType: serverTest, 2835 name: "UnknownCipher-TLS13", 2836 config: Config{ 2837 MaxVersion: VersionTLS13, 2838 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256}, 2839 Bugs: ProtocolBugs{ 2840 AdvertiseAllConfiguredCiphers: true, 2841 }, 2842 }, 2843 }) 2844 2845 // Test empty ECDHE_PSK identity hints work as expected. 2846 testCases = append(testCases, testCase{ 2847 name: "EmptyECDHEPSKHint", 2848 config: Config{ 2849 MaxVersion: VersionTLS12, 2850 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA}, 2851 PreSharedKey: []byte("secret"), 2852 }, 2853 flags: []string{"-psk", "secret"}, 2854 }) 2855 2856 // Test empty PSK identity hints work as expected, even if an explicit 2857 // ServerKeyExchange is sent. 2858 testCases = append(testCases, testCase{ 2859 name: "ExplicitEmptyPSKHint", 2860 config: Config{ 2861 MaxVersion: VersionTLS12, 2862 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA}, 2863 PreSharedKey: []byte("secret"), 2864 Bugs: ProtocolBugs{ 2865 AlwaysSendPreSharedKeyIdentityHint: true, 2866 }, 2867 }, 2868 flags: []string{"-psk", "secret"}, 2869 }) 2870 } 2871 2872 func addBadECDSASignatureTests() { 2873 for badR := BadValue(1); badR < NumBadValues; badR++ { 2874 for badS := BadValue(1); badS < NumBadValues; badS++ { 2875 testCases = append(testCases, testCase{ 2876 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS), 2877 config: Config{ 2878 MaxVersion: VersionTLS12, 2879 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 2880 Certificates: []Certificate{ecdsaP256Certificate}, 2881 Bugs: ProtocolBugs{ 2882 BadECDSAR: badR, 2883 BadECDSAS: badS, 2884 }, 2885 }, 2886 shouldFail: true, 2887 expectedError: ":BAD_SIGNATURE:", 2888 }) 2889 testCases = append(testCases, testCase{ 2890 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS), 2891 config: Config{ 2892 MaxVersion: VersionTLS13, 2893 Certificates: []Certificate{ecdsaP256Certificate}, 2894 Bugs: ProtocolBugs{ 2895 BadECDSAR: badR, 2896 BadECDSAS: badS, 2897 }, 2898 }, 2899 shouldFail: true, 2900 expectedError: ":BAD_SIGNATURE:", 2901 }) 2902 } 2903 } 2904 } 2905 2906 func addCBCPaddingTests() { 2907 testCases = append(testCases, testCase{ 2908 name: "MaxCBCPadding", 2909 config: Config{ 2910 MaxVersion: VersionTLS12, 2911 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 2912 Bugs: ProtocolBugs{ 2913 MaxPadding: true, 2914 }, 2915 }, 2916 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size 2917 }) 2918 testCases = append(testCases, testCase{ 2919 name: "BadCBCPadding", 2920 config: Config{ 2921 MaxVersion: VersionTLS12, 2922 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 2923 Bugs: ProtocolBugs{ 2924 PaddingFirstByteBad: true, 2925 }, 2926 }, 2927 shouldFail: true, 2928 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 2929 }) 2930 // OpenSSL previously had an issue where the first byte of padding in 2931 // 255 bytes of padding wasn't checked. 2932 testCases = append(testCases, testCase{ 2933 name: "BadCBCPadding255", 2934 config: Config{ 2935 MaxVersion: VersionTLS12, 2936 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 2937 Bugs: ProtocolBugs{ 2938 MaxPadding: true, 2939 PaddingFirstByteBadIf255: true, 2940 }, 2941 }, 2942 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size 2943 shouldFail: true, 2944 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 2945 }) 2946 } 2947 2948 func addCBCSplittingTests() { 2949 testCases = append(testCases, testCase{ 2950 name: "CBCRecordSplitting", 2951 config: Config{ 2952 MaxVersion: VersionTLS10, 2953 MinVersion: VersionTLS10, 2954 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 2955 }, 2956 messageLen: -1, // read until EOF 2957 resumeSession: true, 2958 flags: []string{ 2959 "-async", 2960 "-write-different-record-sizes", 2961 "-cbc-record-splitting", 2962 }, 2963 }) 2964 testCases = append(testCases, testCase{ 2965 name: "CBCRecordSplittingPartialWrite", 2966 config: Config{ 2967 MaxVersion: VersionTLS10, 2968 MinVersion: VersionTLS10, 2969 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 2970 }, 2971 messageLen: -1, // read until EOF 2972 flags: []string{ 2973 "-async", 2974 "-write-different-record-sizes", 2975 "-cbc-record-splitting", 2976 "-partial-write", 2977 }, 2978 }) 2979 } 2980 2981 func addClientAuthTests() { 2982 // Add a dummy cert pool to stress certificate authority parsing. 2983 certPool := x509.NewCertPool() 2984 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} { 2985 cert, err := x509.ParseCertificate(cert.Certificate[0]) 2986 if err != nil { 2987 panic(err) 2988 } 2989 certPool.AddCert(cert) 2990 } 2991 caNames := certPool.Subjects() 2992 2993 for _, ver := range tlsVersions { 2994 testCases = append(testCases, testCase{ 2995 testType: clientTest, 2996 name: ver.name + "-Client-ClientAuth-RSA", 2997 config: Config{ 2998 MinVersion: ver.version, 2999 MaxVersion: ver.version, 3000 ClientAuth: RequireAnyClientCert, 3001 ClientCAs: certPool, 3002 }, 3003 flags: []string{ 3004 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3005 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3006 }, 3007 }) 3008 testCases = append(testCases, testCase{ 3009 testType: serverTest, 3010 name: ver.name + "-Server-ClientAuth-RSA", 3011 config: Config{ 3012 MinVersion: ver.version, 3013 MaxVersion: ver.version, 3014 Certificates: []Certificate{rsaCertificate}, 3015 }, 3016 flags: []string{"-require-any-client-certificate"}, 3017 }) 3018 if ver.version != VersionSSL30 { 3019 testCases = append(testCases, testCase{ 3020 testType: serverTest, 3021 name: ver.name + "-Server-ClientAuth-ECDSA", 3022 config: Config{ 3023 MinVersion: ver.version, 3024 MaxVersion: ver.version, 3025 Certificates: []Certificate{ecdsaP256Certificate}, 3026 }, 3027 flags: []string{"-require-any-client-certificate"}, 3028 }) 3029 testCases = append(testCases, testCase{ 3030 testType: clientTest, 3031 name: ver.name + "-Client-ClientAuth-ECDSA", 3032 config: Config{ 3033 MinVersion: ver.version, 3034 MaxVersion: ver.version, 3035 ClientAuth: RequireAnyClientCert, 3036 ClientCAs: certPool, 3037 }, 3038 flags: []string{ 3039 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 3040 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 3041 }, 3042 }) 3043 } 3044 3045 testCases = append(testCases, testCase{ 3046 name: "NoClientCertificate-" + ver.name, 3047 config: Config{ 3048 MinVersion: ver.version, 3049 MaxVersion: ver.version, 3050 ClientAuth: RequireAnyClientCert, 3051 }, 3052 shouldFail: true, 3053 expectedLocalError: "client didn't provide a certificate", 3054 }) 3055 3056 testCases = append(testCases, testCase{ 3057 // Even if not configured to expect a certificate, OpenSSL will 3058 // return X509_V_OK as the verify_result. 3059 testType: serverTest, 3060 name: "NoClientCertificateRequested-Server-" + ver.name, 3061 config: Config{ 3062 MinVersion: ver.version, 3063 MaxVersion: ver.version, 3064 }, 3065 flags: []string{ 3066 "-expect-verify-result", 3067 }, 3068 resumeSession: true, 3069 }) 3070 3071 testCases = append(testCases, testCase{ 3072 // If a client certificate is not provided, OpenSSL will still 3073 // return X509_V_OK as the verify_result. 3074 testType: serverTest, 3075 name: "NoClientCertificate-Server-" + ver.name, 3076 config: Config{ 3077 MinVersion: ver.version, 3078 MaxVersion: ver.version, 3079 }, 3080 flags: []string{ 3081 "-expect-verify-result", 3082 "-verify-peer", 3083 }, 3084 resumeSession: true, 3085 }) 3086 3087 certificateRequired := "remote error: certificate required" 3088 if ver.version < VersionTLS13 { 3089 // Prior to TLS 1.3, the generic handshake_failure alert 3090 // was used. 3091 certificateRequired = "remote error: handshake failure" 3092 } 3093 testCases = append(testCases, testCase{ 3094 testType: serverTest, 3095 name: "RequireAnyClientCertificate-" + ver.name, 3096 config: Config{ 3097 MinVersion: ver.version, 3098 MaxVersion: ver.version, 3099 }, 3100 flags: []string{"-require-any-client-certificate"}, 3101 shouldFail: true, 3102 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:", 3103 expectedLocalError: certificateRequired, 3104 }) 3105 3106 if ver.version != VersionSSL30 { 3107 testCases = append(testCases, testCase{ 3108 testType: serverTest, 3109 name: "SkipClientCertificate-" + ver.name, 3110 config: Config{ 3111 MinVersion: ver.version, 3112 MaxVersion: ver.version, 3113 Bugs: ProtocolBugs{ 3114 SkipClientCertificate: true, 3115 }, 3116 }, 3117 // Setting SSL_VERIFY_PEER allows anonymous clients. 3118 flags: []string{"-verify-peer"}, 3119 shouldFail: true, 3120 expectedError: ":UNEXPECTED_MESSAGE:", 3121 }) 3122 } 3123 3124 testCases = append(testCases, testCase{ 3125 testType: serverTest, 3126 name: ver.name + "-Server-CertReq-CA-List", 3127 config: Config{ 3128 MinVersion: ver.version, 3129 MaxVersion: ver.version, 3130 Certificates: []Certificate{rsaCertificate}, 3131 Bugs: ProtocolBugs{ 3132 ExpectCertificateReqNames: caNames, 3133 }, 3134 }, 3135 flags: []string{ 3136 "-require-any-client-certificate", 3137 "-use-client-ca-list", encodeDERValues(caNames), 3138 }, 3139 }) 3140 3141 testCases = append(testCases, testCase{ 3142 testType: clientTest, 3143 name: ver.name + "-Client-CertReq-CA-List", 3144 config: Config{ 3145 MinVersion: ver.version, 3146 MaxVersion: ver.version, 3147 Certificates: []Certificate{rsaCertificate}, 3148 ClientAuth: RequireAnyClientCert, 3149 ClientCAs: certPool, 3150 }, 3151 flags: []string{ 3152 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3153 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3154 "-expect-client-ca-list", encodeDERValues(caNames), 3155 }, 3156 }) 3157 } 3158 3159 // Client auth is only legal in certificate-based ciphers. 3160 testCases = append(testCases, testCase{ 3161 testType: clientTest, 3162 name: "ClientAuth-PSK", 3163 config: Config{ 3164 MaxVersion: VersionTLS12, 3165 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA}, 3166 PreSharedKey: []byte("secret"), 3167 ClientAuth: RequireAnyClientCert, 3168 }, 3169 flags: []string{ 3170 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3171 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3172 "-psk", "secret", 3173 }, 3174 shouldFail: true, 3175 expectedError: ":UNEXPECTED_MESSAGE:", 3176 }) 3177 testCases = append(testCases, testCase{ 3178 testType: clientTest, 3179 name: "ClientAuth-ECDHE_PSK", 3180 config: Config{ 3181 MaxVersion: VersionTLS12, 3182 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA}, 3183 PreSharedKey: []byte("secret"), 3184 ClientAuth: RequireAnyClientCert, 3185 }, 3186 flags: []string{ 3187 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3188 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3189 "-psk", "secret", 3190 }, 3191 shouldFail: true, 3192 expectedError: ":UNEXPECTED_MESSAGE:", 3193 }) 3194 3195 // Regression test for a bug where the client CA list, if explicitly 3196 // set to NULL, was mis-encoded. 3197 testCases = append(testCases, testCase{ 3198 testType: serverTest, 3199 name: "Null-Client-CA-List", 3200 config: Config{ 3201 MaxVersion: VersionTLS12, 3202 Certificates: []Certificate{rsaCertificate}, 3203 Bugs: ProtocolBugs{ 3204 ExpectCertificateReqNames: [][]byte{}, 3205 }, 3206 }, 3207 flags: []string{ 3208 "-require-any-client-certificate", 3209 "-use-client-ca-list", "<NULL>", 3210 }, 3211 }) 3212 } 3213 3214 func addExtendedMasterSecretTests() { 3215 const expectEMSFlag = "-expect-extended-master-secret" 3216 3217 for _, with := range []bool{false, true} { 3218 prefix := "No" 3219 if with { 3220 prefix = "" 3221 } 3222 3223 for _, isClient := range []bool{false, true} { 3224 suffix := "-Server" 3225 testType := serverTest 3226 if isClient { 3227 suffix = "-Client" 3228 testType = clientTest 3229 } 3230 3231 for _, ver := range tlsVersions { 3232 // In TLS 1.3, the extension is irrelevant and 3233 // always reports as enabled. 3234 var flags []string 3235 if with || ver.version >= VersionTLS13 { 3236 flags = []string{expectEMSFlag} 3237 } 3238 3239 test := testCase{ 3240 testType: testType, 3241 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix, 3242 config: Config{ 3243 MinVersion: ver.version, 3244 MaxVersion: ver.version, 3245 Bugs: ProtocolBugs{ 3246 NoExtendedMasterSecret: !with, 3247 RequireExtendedMasterSecret: with, 3248 }, 3249 }, 3250 flags: flags, 3251 shouldFail: ver.version == VersionSSL30 && with, 3252 } 3253 if test.shouldFail { 3254 test.expectedLocalError = "extended master secret required but not supported by peer" 3255 } 3256 testCases = append(testCases, test) 3257 } 3258 } 3259 } 3260 3261 for _, isClient := range []bool{false, true} { 3262 for _, supportedInFirstConnection := range []bool{false, true} { 3263 for _, supportedInResumeConnection := range []bool{false, true} { 3264 boolToWord := func(b bool) string { 3265 if b { 3266 return "Yes" 3267 } 3268 return "No" 3269 } 3270 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-" 3271 if isClient { 3272 suffix += "Client" 3273 } else { 3274 suffix += "Server" 3275 } 3276 3277 supportedConfig := Config{ 3278 MaxVersion: VersionTLS12, 3279 Bugs: ProtocolBugs{ 3280 RequireExtendedMasterSecret: true, 3281 }, 3282 } 3283 3284 noSupportConfig := Config{ 3285 MaxVersion: VersionTLS12, 3286 Bugs: ProtocolBugs{ 3287 NoExtendedMasterSecret: true, 3288 }, 3289 } 3290 3291 test := testCase{ 3292 name: "ExtendedMasterSecret-" + suffix, 3293 resumeSession: true, 3294 } 3295 3296 if !isClient { 3297 test.testType = serverTest 3298 } 3299 3300 if supportedInFirstConnection { 3301 test.config = supportedConfig 3302 } else { 3303 test.config = noSupportConfig 3304 } 3305 3306 if supportedInResumeConnection { 3307 test.resumeConfig = &supportedConfig 3308 } else { 3309 test.resumeConfig = &noSupportConfig 3310 } 3311 3312 switch suffix { 3313 case "YesToYes-Client", "YesToYes-Server": 3314 // When a session is resumed, it should 3315 // still be aware that its master 3316 // secret was generated via EMS and 3317 // thus it's safe to use tls-unique. 3318 test.flags = []string{expectEMSFlag} 3319 case "NoToYes-Server": 3320 // If an original connection did not 3321 // contain EMS, but a resumption 3322 // handshake does, then a server should 3323 // not resume the session. 3324 test.expectResumeRejected = true 3325 case "YesToNo-Server": 3326 // Resuming an EMS session without the 3327 // EMS extension should cause the 3328 // server to abort the connection. 3329 test.shouldFail = true 3330 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:" 3331 case "NoToYes-Client": 3332 // A client should abort a connection 3333 // where the server resumed a non-EMS 3334 // session but echoed the EMS 3335 // extension. 3336 test.shouldFail = true 3337 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:" 3338 case "YesToNo-Client": 3339 // A client should abort a connection 3340 // where the server didn't echo EMS 3341 // when the session used it. 3342 test.shouldFail = true 3343 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:" 3344 } 3345 3346 testCases = append(testCases, test) 3347 } 3348 } 3349 } 3350 3351 // Switching EMS on renegotiation is forbidden. 3352 testCases = append(testCases, testCase{ 3353 name: "ExtendedMasterSecret-Renego-NoEMS", 3354 config: Config{ 3355 MaxVersion: VersionTLS12, 3356 Bugs: ProtocolBugs{ 3357 NoExtendedMasterSecret: true, 3358 NoExtendedMasterSecretOnRenegotiation: true, 3359 }, 3360 }, 3361 renegotiate: 1, 3362 flags: []string{ 3363 "-renegotiate-freely", 3364 "-expect-total-renegotiations", "1", 3365 }, 3366 }) 3367 3368 testCases = append(testCases, testCase{ 3369 name: "ExtendedMasterSecret-Renego-Upgrade", 3370 config: Config{ 3371 MaxVersion: VersionTLS12, 3372 Bugs: ProtocolBugs{ 3373 NoExtendedMasterSecret: true, 3374 }, 3375 }, 3376 renegotiate: 1, 3377 flags: []string{ 3378 "-renegotiate-freely", 3379 "-expect-total-renegotiations", "1", 3380 }, 3381 shouldFail: true, 3382 expectedError: ":RENEGOTIATION_EMS_MISMATCH:", 3383 }) 3384 3385 testCases = append(testCases, testCase{ 3386 name: "ExtendedMasterSecret-Renego-Downgrade", 3387 config: Config{ 3388 MaxVersion: VersionTLS12, 3389 Bugs: ProtocolBugs{ 3390 NoExtendedMasterSecretOnRenegotiation: true, 3391 }, 3392 }, 3393 renegotiate: 1, 3394 flags: []string{ 3395 "-renegotiate-freely", 3396 "-expect-total-renegotiations", "1", 3397 }, 3398 shouldFail: true, 3399 expectedError: ":RENEGOTIATION_EMS_MISMATCH:", 3400 }) 3401 } 3402 3403 type stateMachineTestConfig struct { 3404 protocol protocol 3405 async bool 3406 splitHandshake bool 3407 packHandshakeFlight bool 3408 implicitHandshake bool 3409 } 3410 3411 // Adds tests that try to cover the range of the handshake state machine, under 3412 // various conditions. Some of these are redundant with other tests, but they 3413 // only cover the synchronous case. 3414 func addAllStateMachineCoverageTests() { 3415 for _, async := range []bool{false, true} { 3416 for _, protocol := range []protocol{tls, dtls} { 3417 addStateMachineCoverageTests(stateMachineTestConfig{ 3418 protocol: protocol, 3419 async: async, 3420 }) 3421 addStateMachineCoverageTests(stateMachineTestConfig{ 3422 protocol: protocol, 3423 async: async, 3424 implicitHandshake: true, 3425 }) 3426 addStateMachineCoverageTests(stateMachineTestConfig{ 3427 protocol: protocol, 3428 async: async, 3429 splitHandshake: true, 3430 }) 3431 if protocol == tls { 3432 addStateMachineCoverageTests(stateMachineTestConfig{ 3433 protocol: protocol, 3434 async: async, 3435 packHandshakeFlight: true, 3436 }) 3437 } 3438 } 3439 } 3440 } 3441 3442 func addStateMachineCoverageTests(config stateMachineTestConfig) { 3443 var tests []testCase 3444 3445 // Basic handshake, with resumption. Client and server, 3446 // session ID and session ticket. 3447 tests = append(tests, testCase{ 3448 name: "Basic-Client", 3449 config: Config{ 3450 MaxVersion: VersionTLS12, 3451 }, 3452 resumeSession: true, 3453 // Ensure session tickets are used, not session IDs. 3454 noSessionCache: true, 3455 }) 3456 tests = append(tests, testCase{ 3457 name: "Basic-Client-RenewTicket", 3458 config: Config{ 3459 MaxVersion: VersionTLS12, 3460 Bugs: ProtocolBugs{ 3461 RenewTicketOnResume: true, 3462 }, 3463 }, 3464 flags: []string{"-expect-ticket-renewal"}, 3465 resumeSession: true, 3466 resumeRenewedSession: true, 3467 }) 3468 tests = append(tests, testCase{ 3469 name: "Basic-Client-NoTicket", 3470 config: Config{ 3471 MaxVersion: VersionTLS12, 3472 SessionTicketsDisabled: true, 3473 }, 3474 resumeSession: true, 3475 }) 3476 tests = append(tests, testCase{ 3477 testType: serverTest, 3478 name: "Basic-Server", 3479 config: Config{ 3480 MaxVersion: VersionTLS12, 3481 Bugs: ProtocolBugs{ 3482 RequireSessionTickets: true, 3483 }, 3484 }, 3485 resumeSession: true, 3486 flags: []string{"-expect-no-session-id"}, 3487 }) 3488 tests = append(tests, testCase{ 3489 testType: serverTest, 3490 name: "Basic-Server-NoTickets", 3491 config: Config{ 3492 MaxVersion: VersionTLS12, 3493 SessionTicketsDisabled: true, 3494 }, 3495 resumeSession: true, 3496 flags: []string{"-expect-session-id"}, 3497 }) 3498 tests = append(tests, testCase{ 3499 testType: serverTest, 3500 name: "Basic-Server-EarlyCallback", 3501 config: Config{ 3502 MaxVersion: VersionTLS12, 3503 }, 3504 flags: []string{"-use-early-callback"}, 3505 resumeSession: true, 3506 }) 3507 3508 // TLS 1.3 basic handshake shapes. 3509 if config.protocol == tls { 3510 tests = append(tests, testCase{ 3511 name: "TLS13-1RTT-Client", 3512 config: Config{ 3513 MaxVersion: VersionTLS13, 3514 MinVersion: VersionTLS13, 3515 }, 3516 resumeSession: true, 3517 resumeRenewedSession: true, 3518 }) 3519 3520 tests = append(tests, testCase{ 3521 testType: serverTest, 3522 name: "TLS13-1RTT-Server", 3523 config: Config{ 3524 MaxVersion: VersionTLS13, 3525 MinVersion: VersionTLS13, 3526 }, 3527 resumeSession: true, 3528 resumeRenewedSession: true, 3529 // TLS 1.3 uses tickets, so the session should not be 3530 // cached statefully. 3531 flags: []string{"-expect-no-session-id"}, 3532 }) 3533 3534 tests = append(tests, testCase{ 3535 name: "TLS13-HelloRetryRequest-Client", 3536 config: Config{ 3537 MaxVersion: VersionTLS13, 3538 MinVersion: VersionTLS13, 3539 // P-384 requires a HelloRetryRequest against BoringSSL's default 3540 // configuration. Assert this with ExpectMissingKeyShare. 3541 CurvePreferences: []CurveID{CurveP384}, 3542 Bugs: ProtocolBugs{ 3543 ExpectMissingKeyShare: true, 3544 }, 3545 }, 3546 // Cover HelloRetryRequest during an ECDHE-PSK resumption. 3547 resumeSession: true, 3548 }) 3549 3550 tests = append(tests, testCase{ 3551 testType: serverTest, 3552 name: "TLS13-HelloRetryRequest-Server", 3553 config: Config{ 3554 MaxVersion: VersionTLS13, 3555 MinVersion: VersionTLS13, 3556 // Require a HelloRetryRequest for every curve. 3557 DefaultCurves: []CurveID{}, 3558 }, 3559 // Cover HelloRetryRequest during an ECDHE-PSK resumption. 3560 resumeSession: true, 3561 }) 3562 3563 // TODO(svaldez): Send data on early data once implemented. 3564 tests = append(tests, testCase{ 3565 testType: clientTest, 3566 name: "TLS13-EarlyData-Client", 3567 config: Config{ 3568 MaxVersion: VersionTLS13, 3569 MinVersion: VersionTLS13, 3570 MaxEarlyDataSize: 16384, 3571 }, 3572 resumeSession: true, 3573 flags: []string{ 3574 "-enable-early-data", 3575 "-expect-early-data-info", 3576 "-expect-accept-early-data", 3577 }, 3578 }) 3579 3580 tests = append(tests, testCase{ 3581 testType: serverTest, 3582 name: "TLS13-EarlyData-Server", 3583 config: Config{ 3584 MaxVersion: VersionTLS13, 3585 MinVersion: VersionTLS13, 3586 Bugs: ProtocolBugs{ 3587 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 3588 ExpectEarlyDataAccepted: true, 3589 ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}}, 3590 }, 3591 }, 3592 messageCount: 2, 3593 resumeSession: true, 3594 flags: []string{ 3595 "-enable-early-data", 3596 "-expect-accept-early-data", 3597 }, 3598 }) 3599 } 3600 3601 // TLS client auth. 3602 tests = append(tests, testCase{ 3603 testType: clientTest, 3604 name: "ClientAuth-NoCertificate-Client", 3605 config: Config{ 3606 MaxVersion: VersionTLS12, 3607 ClientAuth: RequestClientCert, 3608 }, 3609 }) 3610 tests = append(tests, testCase{ 3611 testType: serverTest, 3612 name: "ClientAuth-NoCertificate-Server", 3613 config: Config{ 3614 MaxVersion: VersionTLS12, 3615 }, 3616 // Setting SSL_VERIFY_PEER allows anonymous clients. 3617 flags: []string{"-verify-peer"}, 3618 }) 3619 if config.protocol == tls { 3620 tests = append(tests, testCase{ 3621 testType: clientTest, 3622 name: "ClientAuth-NoCertificate-Client-SSL3", 3623 config: Config{ 3624 MaxVersion: VersionSSL30, 3625 ClientAuth: RequestClientCert, 3626 }, 3627 }) 3628 tests = append(tests, testCase{ 3629 testType: serverTest, 3630 name: "ClientAuth-NoCertificate-Server-SSL3", 3631 config: Config{ 3632 MaxVersion: VersionSSL30, 3633 }, 3634 // Setting SSL_VERIFY_PEER allows anonymous clients. 3635 flags: []string{"-verify-peer"}, 3636 }) 3637 tests = append(tests, testCase{ 3638 testType: clientTest, 3639 name: "ClientAuth-NoCertificate-Client-TLS13", 3640 config: Config{ 3641 MaxVersion: VersionTLS13, 3642 ClientAuth: RequestClientCert, 3643 }, 3644 }) 3645 tests = append(tests, testCase{ 3646 testType: serverTest, 3647 name: "ClientAuth-NoCertificate-Server-TLS13", 3648 config: Config{ 3649 MaxVersion: VersionTLS13, 3650 }, 3651 // Setting SSL_VERIFY_PEER allows anonymous clients. 3652 flags: []string{"-verify-peer"}, 3653 }) 3654 } 3655 tests = append(tests, testCase{ 3656 testType: clientTest, 3657 name: "ClientAuth-RSA-Client", 3658 config: Config{ 3659 MaxVersion: VersionTLS12, 3660 ClientAuth: RequireAnyClientCert, 3661 }, 3662 flags: []string{ 3663 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3664 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3665 }, 3666 }) 3667 tests = append(tests, testCase{ 3668 testType: clientTest, 3669 name: "ClientAuth-RSA-Client-TLS13", 3670 config: Config{ 3671 MaxVersion: VersionTLS13, 3672 ClientAuth: RequireAnyClientCert, 3673 }, 3674 flags: []string{ 3675 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3676 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3677 }, 3678 }) 3679 tests = append(tests, testCase{ 3680 testType: clientTest, 3681 name: "ClientAuth-ECDSA-Client", 3682 config: Config{ 3683 MaxVersion: VersionTLS12, 3684 ClientAuth: RequireAnyClientCert, 3685 }, 3686 flags: []string{ 3687 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 3688 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 3689 }, 3690 }) 3691 tests = append(tests, testCase{ 3692 testType: clientTest, 3693 name: "ClientAuth-ECDSA-Client-TLS13", 3694 config: Config{ 3695 MaxVersion: VersionTLS13, 3696 ClientAuth: RequireAnyClientCert, 3697 }, 3698 flags: []string{ 3699 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 3700 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 3701 }, 3702 }) 3703 tests = append(tests, testCase{ 3704 testType: clientTest, 3705 name: "ClientAuth-NoCertificate-OldCallback", 3706 config: Config{ 3707 MaxVersion: VersionTLS12, 3708 ClientAuth: RequestClientCert, 3709 }, 3710 flags: []string{"-use-old-client-cert-callback"}, 3711 }) 3712 tests = append(tests, testCase{ 3713 testType: clientTest, 3714 name: "ClientAuth-NoCertificate-OldCallback-TLS13", 3715 config: Config{ 3716 MaxVersion: VersionTLS13, 3717 ClientAuth: RequestClientCert, 3718 }, 3719 flags: []string{"-use-old-client-cert-callback"}, 3720 }) 3721 tests = append(tests, testCase{ 3722 testType: clientTest, 3723 name: "ClientAuth-OldCallback", 3724 config: Config{ 3725 MaxVersion: VersionTLS12, 3726 ClientAuth: RequireAnyClientCert, 3727 }, 3728 flags: []string{ 3729 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3730 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3731 "-use-old-client-cert-callback", 3732 }, 3733 }) 3734 tests = append(tests, testCase{ 3735 testType: clientTest, 3736 name: "ClientAuth-OldCallback-TLS13", 3737 config: Config{ 3738 MaxVersion: VersionTLS13, 3739 ClientAuth: RequireAnyClientCert, 3740 }, 3741 flags: []string{ 3742 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3743 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3744 "-use-old-client-cert-callback", 3745 }, 3746 }) 3747 tests = append(tests, testCase{ 3748 testType: serverTest, 3749 name: "ClientAuth-Server", 3750 config: Config{ 3751 MaxVersion: VersionTLS12, 3752 Certificates: []Certificate{rsaCertificate}, 3753 }, 3754 flags: []string{"-require-any-client-certificate"}, 3755 }) 3756 tests = append(tests, testCase{ 3757 testType: serverTest, 3758 name: "ClientAuth-Server-TLS13", 3759 config: Config{ 3760 MaxVersion: VersionTLS13, 3761 Certificates: []Certificate{rsaCertificate}, 3762 }, 3763 flags: []string{"-require-any-client-certificate"}, 3764 }) 3765 3766 // Test each key exchange on the server side for async keys. 3767 tests = append(tests, testCase{ 3768 testType: serverTest, 3769 name: "Basic-Server-RSA", 3770 config: Config{ 3771 MaxVersion: VersionTLS12, 3772 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 3773 }, 3774 flags: []string{ 3775 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3776 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3777 }, 3778 }) 3779 tests = append(tests, testCase{ 3780 testType: serverTest, 3781 name: "Basic-Server-ECDHE-RSA", 3782 config: Config{ 3783 MaxVersion: VersionTLS12, 3784 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 3785 }, 3786 flags: []string{ 3787 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 3788 "-key-file", path.Join(*resourceDir, rsaKeyFile), 3789 }, 3790 }) 3791 tests = append(tests, testCase{ 3792 testType: serverTest, 3793 name: "Basic-Server-ECDHE-ECDSA", 3794 config: Config{ 3795 MaxVersion: VersionTLS12, 3796 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 3797 }, 3798 flags: []string{ 3799 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 3800 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 3801 }, 3802 }) 3803 3804 // No session ticket support; server doesn't send NewSessionTicket. 3805 tests = append(tests, testCase{ 3806 name: "SessionTicketsDisabled-Client", 3807 config: Config{ 3808 MaxVersion: VersionTLS12, 3809 SessionTicketsDisabled: true, 3810 }, 3811 }) 3812 tests = append(tests, testCase{ 3813 testType: serverTest, 3814 name: "SessionTicketsDisabled-Server", 3815 config: Config{ 3816 MaxVersion: VersionTLS12, 3817 SessionTicketsDisabled: true, 3818 }, 3819 }) 3820 3821 // Skip ServerKeyExchange in PSK key exchange if there's no 3822 // identity hint. 3823 tests = append(tests, testCase{ 3824 name: "EmptyPSKHint-Client", 3825 config: Config{ 3826 MaxVersion: VersionTLS12, 3827 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA}, 3828 PreSharedKey: []byte("secret"), 3829 }, 3830 flags: []string{"-psk", "secret"}, 3831 }) 3832 tests = append(tests, testCase{ 3833 testType: serverTest, 3834 name: "EmptyPSKHint-Server", 3835 config: Config{ 3836 MaxVersion: VersionTLS12, 3837 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA}, 3838 PreSharedKey: []byte("secret"), 3839 }, 3840 flags: []string{"-psk", "secret"}, 3841 }) 3842 3843 // OCSP stapling tests. 3844 tests = append(tests, testCase{ 3845 testType: clientTest, 3846 name: "OCSPStapling-Client", 3847 config: Config{ 3848 MaxVersion: VersionTLS12, 3849 }, 3850 flags: []string{ 3851 "-enable-ocsp-stapling", 3852 "-expect-ocsp-response", 3853 base64.StdEncoding.EncodeToString(testOCSPResponse), 3854 "-verify-peer", 3855 }, 3856 resumeSession: true, 3857 }) 3858 tests = append(tests, testCase{ 3859 testType: serverTest, 3860 name: "OCSPStapling-Server", 3861 config: Config{ 3862 MaxVersion: VersionTLS12, 3863 }, 3864 expectedOCSPResponse: testOCSPResponse, 3865 flags: []string{ 3866 "-ocsp-response", 3867 base64.StdEncoding.EncodeToString(testOCSPResponse), 3868 }, 3869 resumeSession: true, 3870 }) 3871 tests = append(tests, testCase{ 3872 testType: clientTest, 3873 name: "OCSPStapling-Client-TLS13", 3874 config: Config{ 3875 MaxVersion: VersionTLS13, 3876 }, 3877 flags: []string{ 3878 "-enable-ocsp-stapling", 3879 "-expect-ocsp-response", 3880 base64.StdEncoding.EncodeToString(testOCSPResponse), 3881 "-verify-peer", 3882 }, 3883 resumeSession: true, 3884 }) 3885 tests = append(tests, testCase{ 3886 testType: serverTest, 3887 name: "OCSPStapling-Server-TLS13", 3888 config: Config{ 3889 MaxVersion: VersionTLS13, 3890 }, 3891 expectedOCSPResponse: testOCSPResponse, 3892 flags: []string{ 3893 "-ocsp-response", 3894 base64.StdEncoding.EncodeToString(testOCSPResponse), 3895 }, 3896 resumeSession: true, 3897 }) 3898 3899 // Certificate verification tests. 3900 for _, vers := range tlsVersions { 3901 if config.protocol == dtls && !vers.hasDTLS { 3902 continue 3903 } 3904 for _, testType := range []testType{clientTest, serverTest} { 3905 suffix := "-Client" 3906 if testType == serverTest { 3907 suffix = "-Server" 3908 } 3909 suffix += "-" + vers.name 3910 3911 flag := "-verify-peer" 3912 if testType == serverTest { 3913 flag = "-require-any-client-certificate" 3914 } 3915 3916 tests = append(tests, testCase{ 3917 testType: testType, 3918 name: "CertificateVerificationSucceed" + suffix, 3919 config: Config{ 3920 MaxVersion: vers.version, 3921 Certificates: []Certificate{rsaCertificate}, 3922 }, 3923 flags: []string{ 3924 flag, 3925 "-expect-verify-result", 3926 }, 3927 resumeSession: true, 3928 }) 3929 tests = append(tests, testCase{ 3930 testType: testType, 3931 name: "CertificateVerificationFail" + suffix, 3932 config: Config{ 3933 MaxVersion: vers.version, 3934 Certificates: []Certificate{rsaCertificate}, 3935 }, 3936 flags: []string{ 3937 flag, 3938 "-verify-fail", 3939 }, 3940 shouldFail: true, 3941 expectedError: ":CERTIFICATE_VERIFY_FAILED:", 3942 }) 3943 } 3944 3945 // By default, the client is in a soft fail mode where the peer 3946 // certificate is verified but failures are non-fatal. 3947 tests = append(tests, testCase{ 3948 testType: clientTest, 3949 name: "CertificateVerificationSoftFail-" + vers.name, 3950 config: Config{ 3951 MaxVersion: vers.version, 3952 Certificates: []Certificate{rsaCertificate}, 3953 }, 3954 flags: []string{ 3955 "-verify-fail", 3956 "-expect-verify-result", 3957 }, 3958 resumeSession: true, 3959 }) 3960 } 3961 3962 tests = append(tests, testCase{ 3963 name: "ShimSendAlert", 3964 flags: []string{"-send-alert"}, 3965 shimWritesFirst: true, 3966 shouldFail: true, 3967 expectedLocalError: "remote error: decompression failure", 3968 }) 3969 3970 if config.protocol == tls { 3971 tests = append(tests, testCase{ 3972 name: "Renegotiate-Client", 3973 config: Config{ 3974 MaxVersion: VersionTLS12, 3975 }, 3976 renegotiate: 1, 3977 flags: []string{ 3978 "-renegotiate-freely", 3979 "-expect-total-renegotiations", "1", 3980 }, 3981 }) 3982 3983 tests = append(tests, testCase{ 3984 name: "SendHalfHelloRequest", 3985 config: Config{ 3986 MaxVersion: VersionTLS12, 3987 Bugs: ProtocolBugs{ 3988 PackHelloRequestWithFinished: config.packHandshakeFlight, 3989 }, 3990 }, 3991 sendHalfHelloRequest: true, 3992 flags: []string{"-renegotiate-ignore"}, 3993 shouldFail: true, 3994 expectedError: ":UNEXPECTED_RECORD:", 3995 }) 3996 3997 // NPN on client and server; results in post-handshake message. 3998 tests = append(tests, testCase{ 3999 name: "NPN-Client", 4000 config: Config{ 4001 MaxVersion: VersionTLS12, 4002 NextProtos: []string{"foo"}, 4003 }, 4004 flags: []string{"-select-next-proto", "foo"}, 4005 resumeSession: true, 4006 expectedNextProto: "foo", 4007 expectedNextProtoType: npn, 4008 }) 4009 tests = append(tests, testCase{ 4010 testType: serverTest, 4011 name: "NPN-Server", 4012 config: Config{ 4013 MaxVersion: VersionTLS12, 4014 NextProtos: []string{"bar"}, 4015 }, 4016 flags: []string{ 4017 "-advertise-npn", "\x03foo\x03bar\x03baz", 4018 "-expect-next-proto", "bar", 4019 }, 4020 resumeSession: true, 4021 expectedNextProto: "bar", 4022 expectedNextProtoType: npn, 4023 }) 4024 4025 // TODO(davidben): Add tests for when False Start doesn't trigger. 4026 4027 // Client does False Start and negotiates NPN. 4028 tests = append(tests, testCase{ 4029 name: "FalseStart", 4030 config: Config{ 4031 MaxVersion: VersionTLS12, 4032 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 4033 NextProtos: []string{"foo"}, 4034 Bugs: ProtocolBugs{ 4035 ExpectFalseStart: true, 4036 }, 4037 }, 4038 flags: []string{ 4039 "-false-start", 4040 "-select-next-proto", "foo", 4041 }, 4042 shimWritesFirst: true, 4043 resumeSession: true, 4044 }) 4045 4046 // Client does False Start and negotiates ALPN. 4047 tests = append(tests, testCase{ 4048 name: "FalseStart-ALPN", 4049 config: Config{ 4050 MaxVersion: VersionTLS12, 4051 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 4052 NextProtos: []string{"foo"}, 4053 Bugs: ProtocolBugs{ 4054 ExpectFalseStart: true, 4055 }, 4056 }, 4057 flags: []string{ 4058 "-false-start", 4059 "-advertise-alpn", "\x03foo", 4060 }, 4061 shimWritesFirst: true, 4062 resumeSession: true, 4063 }) 4064 4065 // False Start without session tickets. 4066 tests = append(tests, testCase{ 4067 name: "FalseStart-SessionTicketsDisabled", 4068 config: Config{ 4069 MaxVersion: VersionTLS12, 4070 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 4071 NextProtos: []string{"foo"}, 4072 SessionTicketsDisabled: true, 4073 Bugs: ProtocolBugs{ 4074 ExpectFalseStart: true, 4075 }, 4076 }, 4077 flags: []string{ 4078 "-false-start", 4079 "-select-next-proto", "foo", 4080 }, 4081 shimWritesFirst: true, 4082 }) 4083 4084 // Server parses a V2ClientHello. 4085 tests = append(tests, testCase{ 4086 testType: serverTest, 4087 name: "SendV2ClientHello", 4088 config: Config{ 4089 // Choose a cipher suite that does not involve 4090 // elliptic curves, so no extensions are 4091 // involved. 4092 MaxVersion: VersionTLS12, 4093 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 4094 Bugs: ProtocolBugs{ 4095 SendV2ClientHello: true, 4096 }, 4097 }, 4098 }) 4099 4100 // Test Channel ID 4101 for _, ver := range tlsVersions { 4102 if ver.version < VersionTLS10 { 4103 continue 4104 } 4105 // Client sends a Channel ID. 4106 tests = append(tests, testCase{ 4107 name: "ChannelID-Client-" + ver.name, 4108 config: Config{ 4109 MaxVersion: ver.version, 4110 RequestChannelID: true, 4111 }, 4112 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)}, 4113 resumeSession: true, 4114 expectChannelID: true, 4115 }) 4116 4117 // Server accepts a Channel ID. 4118 tests = append(tests, testCase{ 4119 testType: serverTest, 4120 name: "ChannelID-Server-" + ver.name, 4121 config: Config{ 4122 MaxVersion: ver.version, 4123 ChannelID: channelIDKey, 4124 }, 4125 flags: []string{ 4126 "-expect-channel-id", 4127 base64.StdEncoding.EncodeToString(channelIDBytes), 4128 }, 4129 resumeSession: true, 4130 expectChannelID: true, 4131 }) 4132 4133 tests = append(tests, testCase{ 4134 testType: serverTest, 4135 name: "InvalidChannelIDSignature-" + ver.name, 4136 config: Config{ 4137 MaxVersion: ver.version, 4138 ChannelID: channelIDKey, 4139 Bugs: ProtocolBugs{ 4140 InvalidChannelIDSignature: true, 4141 }, 4142 }, 4143 flags: []string{"-enable-channel-id"}, 4144 shouldFail: true, 4145 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:", 4146 }) 4147 } 4148 4149 // Channel ID and NPN at the same time, to ensure their relative 4150 // ordering is correct. 4151 tests = append(tests, testCase{ 4152 name: "ChannelID-NPN-Client", 4153 config: Config{ 4154 MaxVersion: VersionTLS12, 4155 RequestChannelID: true, 4156 NextProtos: []string{"foo"}, 4157 }, 4158 flags: []string{ 4159 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile), 4160 "-select-next-proto", "foo", 4161 }, 4162 resumeSession: true, 4163 expectChannelID: true, 4164 expectedNextProto: "foo", 4165 expectedNextProtoType: npn, 4166 }) 4167 tests = append(tests, testCase{ 4168 testType: serverTest, 4169 name: "ChannelID-NPN-Server", 4170 config: Config{ 4171 MaxVersion: VersionTLS12, 4172 ChannelID: channelIDKey, 4173 NextProtos: []string{"bar"}, 4174 }, 4175 flags: []string{ 4176 "-expect-channel-id", 4177 base64.StdEncoding.EncodeToString(channelIDBytes), 4178 "-advertise-npn", "\x03foo\x03bar\x03baz", 4179 "-expect-next-proto", "bar", 4180 }, 4181 resumeSession: true, 4182 expectChannelID: true, 4183 expectedNextProto: "bar", 4184 expectedNextProtoType: npn, 4185 }) 4186 4187 // Bidirectional shutdown with the runner initiating. 4188 tests = append(tests, testCase{ 4189 name: "Shutdown-Runner", 4190 config: Config{ 4191 Bugs: ProtocolBugs{ 4192 ExpectCloseNotify: true, 4193 }, 4194 }, 4195 flags: []string{"-check-close-notify"}, 4196 }) 4197 4198 if !config.implicitHandshake { 4199 // Bidirectional shutdown with the shim initiating. The runner, 4200 // in the meantime, sends garbage before the close_notify which 4201 // the shim must ignore. This test is disabled under implicit 4202 // handshake tests because the shim never reads or writes. 4203 tests = append(tests, testCase{ 4204 name: "Shutdown-Shim", 4205 config: Config{ 4206 MaxVersion: VersionTLS12, 4207 Bugs: ProtocolBugs{ 4208 ExpectCloseNotify: true, 4209 }, 4210 }, 4211 shimShutsDown: true, 4212 sendEmptyRecords: 1, 4213 sendWarningAlerts: 1, 4214 flags: []string{"-check-close-notify"}, 4215 }) 4216 } 4217 } else { 4218 // TODO(davidben): DTLS 1.3 will want a similar thing for 4219 // HelloRetryRequest. 4220 tests = append(tests, testCase{ 4221 name: "SkipHelloVerifyRequest", 4222 config: Config{ 4223 MaxVersion: VersionTLS12, 4224 Bugs: ProtocolBugs{ 4225 SkipHelloVerifyRequest: true, 4226 }, 4227 }, 4228 }) 4229 } 4230 4231 for _, test := range tests { 4232 test.protocol = config.protocol 4233 if config.protocol == dtls { 4234 test.name += "-DTLS" 4235 } 4236 if config.async { 4237 test.name += "-Async" 4238 test.flags = append(test.flags, "-async") 4239 } else { 4240 test.name += "-Sync" 4241 } 4242 if config.splitHandshake { 4243 test.name += "-SplitHandshakeRecords" 4244 test.config.Bugs.MaxHandshakeRecordLength = 1 4245 if config.protocol == dtls { 4246 test.config.Bugs.MaxPacketLength = 256 4247 test.flags = append(test.flags, "-mtu", "256") 4248 } 4249 } 4250 if config.packHandshakeFlight { 4251 test.name += "-PackHandshakeFlight" 4252 test.config.Bugs.PackHandshakeFlight = true 4253 } 4254 if config.implicitHandshake { 4255 test.name += "-ImplicitHandshake" 4256 test.flags = append(test.flags, "-implicit-handshake") 4257 } 4258 testCases = append(testCases, test) 4259 } 4260 } 4261 4262 func addDDoSCallbackTests() { 4263 // DDoS callback. 4264 for _, resume := range []bool{false, true} { 4265 suffix := "Resume" 4266 if resume { 4267 suffix = "No" + suffix 4268 } 4269 4270 testCases = append(testCases, testCase{ 4271 testType: serverTest, 4272 name: "Server-DDoS-OK-" + suffix, 4273 config: Config{ 4274 MaxVersion: VersionTLS12, 4275 }, 4276 flags: []string{"-install-ddos-callback"}, 4277 resumeSession: resume, 4278 }) 4279 testCases = append(testCases, testCase{ 4280 testType: serverTest, 4281 name: "Server-DDoS-OK-" + suffix + "-TLS13", 4282 config: Config{ 4283 MaxVersion: VersionTLS13, 4284 }, 4285 flags: []string{"-install-ddos-callback"}, 4286 resumeSession: resume, 4287 }) 4288 4289 failFlag := "-fail-ddos-callback" 4290 if resume { 4291 failFlag = "-fail-second-ddos-callback" 4292 } 4293 testCases = append(testCases, testCase{ 4294 testType: serverTest, 4295 name: "Server-DDoS-Reject-" + suffix, 4296 config: Config{ 4297 MaxVersion: VersionTLS12, 4298 }, 4299 flags: []string{"-install-ddos-callback", failFlag}, 4300 resumeSession: resume, 4301 shouldFail: true, 4302 expectedError: ":CONNECTION_REJECTED:", 4303 expectedLocalError: "remote error: internal error", 4304 }) 4305 testCases = append(testCases, testCase{ 4306 testType: serverTest, 4307 name: "Server-DDoS-Reject-" + suffix + "-TLS13", 4308 config: Config{ 4309 MaxVersion: VersionTLS13, 4310 }, 4311 flags: []string{"-install-ddos-callback", failFlag}, 4312 resumeSession: resume, 4313 shouldFail: true, 4314 expectedError: ":CONNECTION_REJECTED:", 4315 expectedLocalError: "remote error: internal error", 4316 }) 4317 } 4318 } 4319 4320 func addVersionNegotiationTests() { 4321 for i, shimVers := range tlsVersions { 4322 // Assemble flags to disable all newer versions on the shim. 4323 var flags []string 4324 for _, vers := range tlsVersions[i+1:] { 4325 flags = append(flags, vers.flag) 4326 } 4327 4328 // Test configuring the runner's maximum version. 4329 for _, runnerVers := range tlsVersions { 4330 protocols := []protocol{tls} 4331 if runnerVers.hasDTLS && shimVers.hasDTLS { 4332 protocols = append(protocols, dtls) 4333 } 4334 for _, protocol := range protocols { 4335 expectedVersion := shimVers.version 4336 if runnerVers.version < shimVers.version { 4337 expectedVersion = runnerVers.version 4338 } 4339 4340 suffix := shimVers.name + "-" + runnerVers.name 4341 if protocol == dtls { 4342 suffix += "-DTLS" 4343 } 4344 4345 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls))) 4346 4347 // Determine the expected initial record-layer versions. 4348 clientVers := shimVers.version 4349 if clientVers > VersionTLS10 { 4350 clientVers = VersionTLS10 4351 } 4352 clientVers = versionToWire(clientVers, protocol == dtls) 4353 serverVers := expectedVersion 4354 if expectedVersion >= VersionTLS13 { 4355 serverVers = VersionTLS10 4356 } 4357 serverVers = versionToWire(serverVers, protocol == dtls) 4358 4359 testCases = append(testCases, testCase{ 4360 protocol: protocol, 4361 testType: clientTest, 4362 name: "VersionNegotiation-Client-" + suffix, 4363 config: Config{ 4364 MaxVersion: runnerVers.version, 4365 Bugs: ProtocolBugs{ 4366 ExpectInitialRecordVersion: clientVers, 4367 }, 4368 }, 4369 flags: flags, 4370 expectedVersion: expectedVersion, 4371 }) 4372 testCases = append(testCases, testCase{ 4373 protocol: protocol, 4374 testType: clientTest, 4375 name: "VersionNegotiation-Client2-" + suffix, 4376 config: Config{ 4377 MaxVersion: runnerVers.version, 4378 Bugs: ProtocolBugs{ 4379 ExpectInitialRecordVersion: clientVers, 4380 }, 4381 }, 4382 flags: []string{"-max-version", shimVersFlag}, 4383 expectedVersion: expectedVersion, 4384 }) 4385 4386 testCases = append(testCases, testCase{ 4387 protocol: protocol, 4388 testType: serverTest, 4389 name: "VersionNegotiation-Server-" + suffix, 4390 config: Config{ 4391 MaxVersion: runnerVers.version, 4392 Bugs: ProtocolBugs{ 4393 ExpectInitialRecordVersion: serverVers, 4394 }, 4395 }, 4396 flags: flags, 4397 expectedVersion: expectedVersion, 4398 }) 4399 testCases = append(testCases, testCase{ 4400 protocol: protocol, 4401 testType: serverTest, 4402 name: "VersionNegotiation-Server2-" + suffix, 4403 config: Config{ 4404 MaxVersion: runnerVers.version, 4405 Bugs: ProtocolBugs{ 4406 ExpectInitialRecordVersion: serverVers, 4407 }, 4408 }, 4409 flags: []string{"-max-version", shimVersFlag}, 4410 expectedVersion: expectedVersion, 4411 }) 4412 } 4413 } 4414 } 4415 4416 // Test the version extension at all versions. 4417 for _, vers := range tlsVersions { 4418 protocols := []protocol{tls} 4419 if vers.hasDTLS { 4420 protocols = append(protocols, dtls) 4421 } 4422 for _, protocol := range protocols { 4423 suffix := vers.name 4424 if protocol == dtls { 4425 suffix += "-DTLS" 4426 } 4427 4428 wireVersion := versionToWire(vers.version, protocol == dtls) 4429 testCases = append(testCases, testCase{ 4430 protocol: protocol, 4431 testType: serverTest, 4432 name: "VersionNegotiationExtension-" + suffix, 4433 config: Config{ 4434 Bugs: ProtocolBugs{ 4435 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222}, 4436 }, 4437 }, 4438 expectedVersion: vers.version, 4439 }) 4440 } 4441 4442 } 4443 4444 // If all versions are unknown, negotiation fails. 4445 testCases = append(testCases, testCase{ 4446 testType: serverTest, 4447 name: "NoSupportedVersions", 4448 config: Config{ 4449 Bugs: ProtocolBugs{ 4450 SendSupportedVersions: []uint16{0x1111}, 4451 }, 4452 }, 4453 shouldFail: true, 4454 expectedError: ":UNSUPPORTED_PROTOCOL:", 4455 }) 4456 testCases = append(testCases, testCase{ 4457 protocol: dtls, 4458 testType: serverTest, 4459 name: "NoSupportedVersions-DTLS", 4460 config: Config{ 4461 Bugs: ProtocolBugs{ 4462 SendSupportedVersions: []uint16{0x1111}, 4463 }, 4464 }, 4465 shouldFail: true, 4466 expectedError: ":UNSUPPORTED_PROTOCOL:", 4467 }) 4468 4469 testCases = append(testCases, testCase{ 4470 testType: serverTest, 4471 name: "ClientHelloVersionTooHigh", 4472 config: Config{ 4473 MaxVersion: VersionTLS13, 4474 Bugs: ProtocolBugs{ 4475 SendClientVersion: 0x0304, 4476 OmitSupportedVersions: true, 4477 }, 4478 }, 4479 expectedVersion: VersionTLS12, 4480 }) 4481 4482 testCases = append(testCases, testCase{ 4483 testType: serverTest, 4484 name: "ConflictingVersionNegotiation", 4485 config: Config{ 4486 Bugs: ProtocolBugs{ 4487 SendClientVersion: VersionTLS12, 4488 SendSupportedVersions: []uint16{VersionTLS11}, 4489 }, 4490 }, 4491 // The extension takes precedence over the ClientHello version. 4492 expectedVersion: VersionTLS11, 4493 }) 4494 4495 testCases = append(testCases, testCase{ 4496 testType: serverTest, 4497 name: "ConflictingVersionNegotiation-2", 4498 config: Config{ 4499 Bugs: ProtocolBugs{ 4500 SendClientVersion: VersionTLS11, 4501 SendSupportedVersions: []uint16{VersionTLS12}, 4502 }, 4503 }, 4504 // The extension takes precedence over the ClientHello version. 4505 expectedVersion: VersionTLS12, 4506 }) 4507 4508 testCases = append(testCases, testCase{ 4509 testType: serverTest, 4510 name: "RejectFinalTLS13", 4511 config: Config{ 4512 Bugs: ProtocolBugs{ 4513 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12}, 4514 }, 4515 }, 4516 // We currently implement a draft TLS 1.3 version. Ensure that 4517 // the true TLS 1.3 value is ignored for now. 4518 expectedVersion: VersionTLS12, 4519 }) 4520 4521 // Test that the maximum version is selected regardless of the 4522 // client-sent order. 4523 testCases = append(testCases, testCase{ 4524 testType: serverTest, 4525 name: "IgnoreClientVersionOrder", 4526 config: Config{ 4527 Bugs: ProtocolBugs{ 4528 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion}, 4529 }, 4530 }, 4531 expectedVersion: VersionTLS13, 4532 }) 4533 4534 // Test for version tolerance. 4535 testCases = append(testCases, testCase{ 4536 testType: serverTest, 4537 name: "MinorVersionTolerance", 4538 config: Config{ 4539 Bugs: ProtocolBugs{ 4540 SendClientVersion: 0x03ff, 4541 OmitSupportedVersions: true, 4542 }, 4543 }, 4544 expectedVersion: VersionTLS12, 4545 }) 4546 testCases = append(testCases, testCase{ 4547 testType: serverTest, 4548 name: "MajorVersionTolerance", 4549 config: Config{ 4550 Bugs: ProtocolBugs{ 4551 SendClientVersion: 0x0400, 4552 OmitSupportedVersions: true, 4553 }, 4554 }, 4555 // TLS 1.3 must be negotiated with the supported_versions 4556 // extension, not ClientHello.version. 4557 expectedVersion: VersionTLS12, 4558 }) 4559 testCases = append(testCases, testCase{ 4560 testType: serverTest, 4561 name: "VersionTolerance-TLS13", 4562 config: Config{ 4563 Bugs: ProtocolBugs{ 4564 // Although TLS 1.3 does not use 4565 // ClientHello.version, it still tolerates high 4566 // values there. 4567 SendClientVersion: 0x0400, 4568 }, 4569 }, 4570 expectedVersion: VersionTLS13, 4571 }) 4572 4573 testCases = append(testCases, testCase{ 4574 protocol: dtls, 4575 testType: serverTest, 4576 name: "MinorVersionTolerance-DTLS", 4577 config: Config{ 4578 Bugs: ProtocolBugs{ 4579 SendClientVersion: 0xfe00, 4580 OmitSupportedVersions: true, 4581 }, 4582 }, 4583 expectedVersion: VersionTLS12, 4584 }) 4585 testCases = append(testCases, testCase{ 4586 protocol: dtls, 4587 testType: serverTest, 4588 name: "MajorVersionTolerance-DTLS", 4589 config: Config{ 4590 Bugs: ProtocolBugs{ 4591 SendClientVersion: 0xfdff, 4592 OmitSupportedVersions: true, 4593 }, 4594 }, 4595 expectedVersion: VersionTLS12, 4596 }) 4597 4598 // Test that versions below 3.0 are rejected. 4599 testCases = append(testCases, testCase{ 4600 testType: serverTest, 4601 name: "VersionTooLow", 4602 config: Config{ 4603 Bugs: ProtocolBugs{ 4604 SendClientVersion: 0x0200, 4605 OmitSupportedVersions: true, 4606 }, 4607 }, 4608 shouldFail: true, 4609 expectedError: ":UNSUPPORTED_PROTOCOL:", 4610 }) 4611 testCases = append(testCases, testCase{ 4612 protocol: dtls, 4613 testType: serverTest, 4614 name: "VersionTooLow-DTLS", 4615 config: Config{ 4616 Bugs: ProtocolBugs{ 4617 SendClientVersion: 0xffff, 4618 }, 4619 }, 4620 shouldFail: true, 4621 expectedError: ":UNSUPPORTED_PROTOCOL:", 4622 }) 4623 4624 testCases = append(testCases, testCase{ 4625 name: "ServerBogusVersion", 4626 config: Config{ 4627 Bugs: ProtocolBugs{ 4628 SendServerHelloVersion: 0x1234, 4629 }, 4630 }, 4631 shouldFail: true, 4632 expectedError: ":UNSUPPORTED_PROTOCOL:", 4633 }) 4634 4635 // Test TLS 1.3's downgrade signal. 4636 testCases = append(testCases, testCase{ 4637 name: "Downgrade-TLS12-Client", 4638 config: Config{ 4639 Bugs: ProtocolBugs{ 4640 NegotiateVersion: VersionTLS12, 4641 }, 4642 }, 4643 expectedVersion: VersionTLS12, 4644 // TODO(davidben): This test should fail once TLS 1.3 is final 4645 // and the fallback signal restored. 4646 }) 4647 testCases = append(testCases, testCase{ 4648 testType: serverTest, 4649 name: "Downgrade-TLS12-Server", 4650 config: Config{ 4651 Bugs: ProtocolBugs{ 4652 SendSupportedVersions: []uint16{VersionTLS12}, 4653 }, 4654 }, 4655 expectedVersion: VersionTLS12, 4656 // TODO(davidben): This test should fail once TLS 1.3 is final 4657 // and the fallback signal restored. 4658 }) 4659 } 4660 4661 func addMinimumVersionTests() { 4662 for i, shimVers := range tlsVersions { 4663 // Assemble flags to disable all older versions on the shim. 4664 var flags []string 4665 for _, vers := range tlsVersions[:i] { 4666 flags = append(flags, vers.flag) 4667 } 4668 4669 for _, runnerVers := range tlsVersions { 4670 protocols := []protocol{tls} 4671 if runnerVers.hasDTLS && shimVers.hasDTLS { 4672 protocols = append(protocols, dtls) 4673 } 4674 for _, protocol := range protocols { 4675 suffix := shimVers.name + "-" + runnerVers.name 4676 if protocol == dtls { 4677 suffix += "-DTLS" 4678 } 4679 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls))) 4680 4681 var expectedVersion uint16 4682 var shouldFail bool 4683 var expectedError, expectedLocalError string 4684 if runnerVers.version >= shimVers.version { 4685 expectedVersion = runnerVers.version 4686 } else { 4687 shouldFail = true 4688 expectedError = ":UNSUPPORTED_PROTOCOL:" 4689 expectedLocalError = "remote error: protocol version not supported" 4690 } 4691 4692 testCases = append(testCases, testCase{ 4693 protocol: protocol, 4694 testType: clientTest, 4695 name: "MinimumVersion-Client-" + suffix, 4696 config: Config{ 4697 MaxVersion: runnerVers.version, 4698 Bugs: ProtocolBugs{ 4699 // Ensure the server does not decline to 4700 // select a version (versions extension) or 4701 // cipher (some ciphers depend on versions). 4702 NegotiateVersion: runnerVers.version, 4703 IgnorePeerCipherPreferences: shouldFail, 4704 }, 4705 }, 4706 flags: flags, 4707 expectedVersion: expectedVersion, 4708 shouldFail: shouldFail, 4709 expectedError: expectedError, 4710 expectedLocalError: expectedLocalError, 4711 }) 4712 testCases = append(testCases, testCase{ 4713 protocol: protocol, 4714 testType: clientTest, 4715 name: "MinimumVersion-Client2-" + suffix, 4716 config: Config{ 4717 MaxVersion: runnerVers.version, 4718 Bugs: ProtocolBugs{ 4719 // Ensure the server does not decline to 4720 // select a version (versions extension) or 4721 // cipher (some ciphers depend on versions). 4722 NegotiateVersion: runnerVers.version, 4723 IgnorePeerCipherPreferences: shouldFail, 4724 }, 4725 }, 4726 flags: []string{"-min-version", shimVersFlag}, 4727 expectedVersion: expectedVersion, 4728 shouldFail: shouldFail, 4729 expectedError: expectedError, 4730 expectedLocalError: expectedLocalError, 4731 }) 4732 4733 testCases = append(testCases, testCase{ 4734 protocol: protocol, 4735 testType: serverTest, 4736 name: "MinimumVersion-Server-" + suffix, 4737 config: Config{ 4738 MaxVersion: runnerVers.version, 4739 }, 4740 flags: flags, 4741 expectedVersion: expectedVersion, 4742 shouldFail: shouldFail, 4743 expectedError: expectedError, 4744 expectedLocalError: expectedLocalError, 4745 }) 4746 testCases = append(testCases, testCase{ 4747 protocol: protocol, 4748 testType: serverTest, 4749 name: "MinimumVersion-Server2-" + suffix, 4750 config: Config{ 4751 MaxVersion: runnerVers.version, 4752 }, 4753 flags: []string{"-min-version", shimVersFlag}, 4754 expectedVersion: expectedVersion, 4755 shouldFail: shouldFail, 4756 expectedError: expectedError, 4757 expectedLocalError: expectedLocalError, 4758 }) 4759 } 4760 } 4761 } 4762 } 4763 4764 func addExtensionTests() { 4765 // TODO(davidben): Extensions, where applicable, all move their server 4766 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these 4767 // tests for both. Also test interaction with 0-RTT when implemented. 4768 4769 // Repeat extensions tests all versions except SSL 3.0. 4770 for _, ver := range tlsVersions { 4771 if ver.version == VersionSSL30 { 4772 continue 4773 } 4774 4775 // Test that duplicate extensions are rejected. 4776 testCases = append(testCases, testCase{ 4777 testType: clientTest, 4778 name: "DuplicateExtensionClient-" + ver.name, 4779 config: Config{ 4780 MaxVersion: ver.version, 4781 Bugs: ProtocolBugs{ 4782 DuplicateExtension: true, 4783 }, 4784 }, 4785 shouldFail: true, 4786 expectedLocalError: "remote error: error decoding message", 4787 }) 4788 testCases = append(testCases, testCase{ 4789 testType: serverTest, 4790 name: "DuplicateExtensionServer-" + ver.name, 4791 config: Config{ 4792 MaxVersion: ver.version, 4793 Bugs: ProtocolBugs{ 4794 DuplicateExtension: true, 4795 }, 4796 }, 4797 shouldFail: true, 4798 expectedLocalError: "remote error: error decoding message", 4799 }) 4800 4801 // Test SNI. 4802 testCases = append(testCases, testCase{ 4803 testType: clientTest, 4804 name: "ServerNameExtensionClient-" + ver.name, 4805 config: Config{ 4806 MaxVersion: ver.version, 4807 Bugs: ProtocolBugs{ 4808 ExpectServerName: "example.com", 4809 }, 4810 }, 4811 flags: []string{"-host-name", "example.com"}, 4812 }) 4813 testCases = append(testCases, testCase{ 4814 testType: clientTest, 4815 name: "ServerNameExtensionClientMismatch-" + ver.name, 4816 config: Config{ 4817 MaxVersion: ver.version, 4818 Bugs: ProtocolBugs{ 4819 ExpectServerName: "mismatch.com", 4820 }, 4821 }, 4822 flags: []string{"-host-name", "example.com"}, 4823 shouldFail: true, 4824 expectedLocalError: "tls: unexpected server name", 4825 }) 4826 testCases = append(testCases, testCase{ 4827 testType: clientTest, 4828 name: "ServerNameExtensionClientMissing-" + ver.name, 4829 config: Config{ 4830 MaxVersion: ver.version, 4831 Bugs: ProtocolBugs{ 4832 ExpectServerName: "missing.com", 4833 }, 4834 }, 4835 shouldFail: true, 4836 expectedLocalError: "tls: unexpected server name", 4837 }) 4838 testCases = append(testCases, testCase{ 4839 testType: clientTest, 4840 name: "TolerateServerNameAck-" + ver.name, 4841 config: Config{ 4842 MaxVersion: ver.version, 4843 Bugs: ProtocolBugs{ 4844 SendServerNameAck: true, 4845 }, 4846 }, 4847 flags: []string{"-host-name", "example.com"}, 4848 resumeSession: true, 4849 }) 4850 testCases = append(testCases, testCase{ 4851 testType: clientTest, 4852 name: "UnsolicitedServerNameAck-" + ver.name, 4853 config: Config{ 4854 MaxVersion: ver.version, 4855 Bugs: ProtocolBugs{ 4856 SendServerNameAck: true, 4857 }, 4858 }, 4859 shouldFail: true, 4860 expectedError: ":UNEXPECTED_EXTENSION:", 4861 expectedLocalError: "remote error: unsupported extension", 4862 }) 4863 testCases = append(testCases, testCase{ 4864 testType: serverTest, 4865 name: "ServerNameExtensionServer-" + ver.name, 4866 config: Config{ 4867 MaxVersion: ver.version, 4868 ServerName: "example.com", 4869 }, 4870 flags: []string{"-expect-server-name", "example.com"}, 4871 resumeSession: true, 4872 }) 4873 4874 // Test ALPN. 4875 testCases = append(testCases, testCase{ 4876 testType: clientTest, 4877 name: "ALPNClient-" + ver.name, 4878 config: Config{ 4879 MaxVersion: ver.version, 4880 NextProtos: []string{"foo"}, 4881 }, 4882 flags: []string{ 4883 "-advertise-alpn", "\x03foo\x03bar\x03baz", 4884 "-expect-alpn", "foo", 4885 }, 4886 expectedNextProto: "foo", 4887 expectedNextProtoType: alpn, 4888 resumeSession: true, 4889 }) 4890 testCases = append(testCases, testCase{ 4891 testType: clientTest, 4892 name: "ALPNClient-Mismatch-" + ver.name, 4893 config: Config{ 4894 MaxVersion: ver.version, 4895 Bugs: ProtocolBugs{ 4896 SendALPN: "baz", 4897 }, 4898 }, 4899 flags: []string{ 4900 "-advertise-alpn", "\x03foo\x03bar", 4901 }, 4902 shouldFail: true, 4903 expectedError: ":INVALID_ALPN_PROTOCOL:", 4904 expectedLocalError: "remote error: illegal parameter", 4905 }) 4906 testCases = append(testCases, testCase{ 4907 testType: serverTest, 4908 name: "ALPNServer-" + ver.name, 4909 config: Config{ 4910 MaxVersion: ver.version, 4911 NextProtos: []string{"foo", "bar", "baz"}, 4912 }, 4913 flags: []string{ 4914 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz", 4915 "-select-alpn", "foo", 4916 }, 4917 expectedNextProto: "foo", 4918 expectedNextProtoType: alpn, 4919 resumeSession: true, 4920 }) 4921 testCases = append(testCases, testCase{ 4922 testType: serverTest, 4923 name: "ALPNServer-Decline-" + ver.name, 4924 config: Config{ 4925 MaxVersion: ver.version, 4926 NextProtos: []string{"foo", "bar", "baz"}, 4927 }, 4928 flags: []string{"-decline-alpn"}, 4929 expectNoNextProto: true, 4930 resumeSession: true, 4931 }) 4932 4933 // Test ALPN in async mode as well to ensure that extensions callbacks are only 4934 // called once. 4935 testCases = append(testCases, testCase{ 4936 testType: serverTest, 4937 name: "ALPNServer-Async-" + ver.name, 4938 config: Config{ 4939 MaxVersion: ver.version, 4940 NextProtos: []string{"foo", "bar", "baz"}, 4941 // Prior to TLS 1.3, exercise the asynchronous session callback. 4942 SessionTicketsDisabled: ver.version < VersionTLS13, 4943 }, 4944 flags: []string{ 4945 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz", 4946 "-select-alpn", "foo", 4947 "-async", 4948 }, 4949 expectedNextProto: "foo", 4950 expectedNextProtoType: alpn, 4951 resumeSession: true, 4952 }) 4953 4954 var emptyString string 4955 testCases = append(testCases, testCase{ 4956 testType: clientTest, 4957 name: "ALPNClient-EmptyProtocolName-" + ver.name, 4958 config: Config{ 4959 MaxVersion: ver.version, 4960 NextProtos: []string{""}, 4961 Bugs: ProtocolBugs{ 4962 // A server returning an empty ALPN protocol 4963 // should be rejected. 4964 ALPNProtocol: &emptyString, 4965 }, 4966 }, 4967 flags: []string{ 4968 "-advertise-alpn", "\x03foo", 4969 }, 4970 shouldFail: true, 4971 expectedError: ":PARSE_TLSEXT:", 4972 }) 4973 testCases = append(testCases, testCase{ 4974 testType: serverTest, 4975 name: "ALPNServer-EmptyProtocolName-" + ver.name, 4976 config: Config{ 4977 MaxVersion: ver.version, 4978 // A ClientHello containing an empty ALPN protocol 4979 // should be rejected. 4980 NextProtos: []string{"foo", "", "baz"}, 4981 }, 4982 flags: []string{ 4983 "-select-alpn", "foo", 4984 }, 4985 shouldFail: true, 4986 expectedError: ":PARSE_TLSEXT:", 4987 }) 4988 4989 // Test NPN and the interaction with ALPN. 4990 if ver.version < VersionTLS13 { 4991 // Test that the server prefers ALPN over NPN. 4992 testCases = append(testCases, testCase{ 4993 testType: serverTest, 4994 name: "ALPNServer-Preferred-" + ver.name, 4995 config: Config{ 4996 MaxVersion: ver.version, 4997 NextProtos: []string{"foo", "bar", "baz"}, 4998 }, 4999 flags: []string{ 5000 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz", 5001 "-select-alpn", "foo", 5002 "-advertise-npn", "\x03foo\x03bar\x03baz", 5003 }, 5004 expectedNextProto: "foo", 5005 expectedNextProtoType: alpn, 5006 resumeSession: true, 5007 }) 5008 testCases = append(testCases, testCase{ 5009 testType: serverTest, 5010 name: "ALPNServer-Preferred-Swapped-" + ver.name, 5011 config: Config{ 5012 MaxVersion: ver.version, 5013 NextProtos: []string{"foo", "bar", "baz"}, 5014 Bugs: ProtocolBugs{ 5015 SwapNPNAndALPN: true, 5016 }, 5017 }, 5018 flags: []string{ 5019 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz", 5020 "-select-alpn", "foo", 5021 "-advertise-npn", "\x03foo\x03bar\x03baz", 5022 }, 5023 expectedNextProto: "foo", 5024 expectedNextProtoType: alpn, 5025 resumeSession: true, 5026 }) 5027 5028 // Test that negotiating both NPN and ALPN is forbidden. 5029 testCases = append(testCases, testCase{ 5030 name: "NegotiateALPNAndNPN-" + ver.name, 5031 config: Config{ 5032 MaxVersion: ver.version, 5033 NextProtos: []string{"foo", "bar", "baz"}, 5034 Bugs: ProtocolBugs{ 5035 NegotiateALPNAndNPN: true, 5036 }, 5037 }, 5038 flags: []string{ 5039 "-advertise-alpn", "\x03foo", 5040 "-select-next-proto", "foo", 5041 }, 5042 shouldFail: true, 5043 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:", 5044 }) 5045 testCases = append(testCases, testCase{ 5046 name: "NegotiateALPNAndNPN-Swapped-" + ver.name, 5047 config: Config{ 5048 MaxVersion: ver.version, 5049 NextProtos: []string{"foo", "bar", "baz"}, 5050 Bugs: ProtocolBugs{ 5051 NegotiateALPNAndNPN: true, 5052 SwapNPNAndALPN: true, 5053 }, 5054 }, 5055 flags: []string{ 5056 "-advertise-alpn", "\x03foo", 5057 "-select-next-proto", "foo", 5058 }, 5059 shouldFail: true, 5060 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:", 5061 }) 5062 } 5063 5064 // Test ticket behavior. 5065 5066 // Resume with a corrupt ticket. 5067 testCases = append(testCases, testCase{ 5068 testType: serverTest, 5069 name: "CorruptTicket-" + ver.name, 5070 config: Config{ 5071 MaxVersion: ver.version, 5072 Bugs: ProtocolBugs{ 5073 FilterTicket: func(in []byte) ([]byte, error) { 5074 in[len(in)-1] ^= 1 5075 return in, nil 5076 }, 5077 }, 5078 }, 5079 resumeSession: true, 5080 expectResumeRejected: true, 5081 }) 5082 // Test the ticket callback, with and without renewal. 5083 testCases = append(testCases, testCase{ 5084 testType: serverTest, 5085 name: "TicketCallback-" + ver.name, 5086 config: Config{ 5087 MaxVersion: ver.version, 5088 }, 5089 resumeSession: true, 5090 flags: []string{"-use-ticket-callback"}, 5091 }) 5092 testCases = append(testCases, testCase{ 5093 testType: serverTest, 5094 name: "TicketCallback-Renew-" + ver.name, 5095 config: Config{ 5096 MaxVersion: ver.version, 5097 Bugs: ProtocolBugs{ 5098 ExpectNewTicket: true, 5099 }, 5100 }, 5101 flags: []string{"-use-ticket-callback", "-renew-ticket"}, 5102 resumeSession: true, 5103 }) 5104 5105 // Test that the ticket callback is only called once when everything before 5106 // it in the ClientHello is asynchronous. This corrupts the ticket so 5107 // certificate selection callbacks run. 5108 testCases = append(testCases, testCase{ 5109 testType: serverTest, 5110 name: "TicketCallback-SingleCall-" + ver.name, 5111 config: Config{ 5112 MaxVersion: ver.version, 5113 Bugs: ProtocolBugs{ 5114 FilterTicket: func(in []byte) ([]byte, error) { 5115 in[len(in)-1] ^= 1 5116 return in, nil 5117 }, 5118 }, 5119 }, 5120 resumeSession: true, 5121 expectResumeRejected: true, 5122 flags: []string{ 5123 "-use-ticket-callback", 5124 "-async", 5125 }, 5126 }) 5127 5128 // Resume with various lengths of ticket session id. 5129 if ver.version < VersionTLS13 { 5130 testCases = append(testCases, testCase{ 5131 testType: serverTest, 5132 name: "TicketSessionIDLength-0-" + ver.name, 5133 config: Config{ 5134 MaxVersion: ver.version, 5135 Bugs: ProtocolBugs{ 5136 EmptyTicketSessionID: true, 5137 }, 5138 }, 5139 resumeSession: true, 5140 }) 5141 testCases = append(testCases, testCase{ 5142 testType: serverTest, 5143 name: "TicketSessionIDLength-16-" + ver.name, 5144 config: Config{ 5145 MaxVersion: ver.version, 5146 Bugs: ProtocolBugs{ 5147 TicketSessionIDLength: 16, 5148 }, 5149 }, 5150 resumeSession: true, 5151 }) 5152 testCases = append(testCases, testCase{ 5153 testType: serverTest, 5154 name: "TicketSessionIDLength-32-" + ver.name, 5155 config: Config{ 5156 MaxVersion: ver.version, 5157 Bugs: ProtocolBugs{ 5158 TicketSessionIDLength: 32, 5159 }, 5160 }, 5161 resumeSession: true, 5162 }) 5163 testCases = append(testCases, testCase{ 5164 testType: serverTest, 5165 name: "TicketSessionIDLength-33-" + ver.name, 5166 config: Config{ 5167 MaxVersion: ver.version, 5168 Bugs: ProtocolBugs{ 5169 TicketSessionIDLength: 33, 5170 }, 5171 }, 5172 resumeSession: true, 5173 shouldFail: true, 5174 // The maximum session ID length is 32. 5175 expectedError: ":DECODE_ERROR:", 5176 }) 5177 } 5178 5179 // Basic DTLS-SRTP tests. Include fake profiles to ensure they 5180 // are ignored. 5181 if ver.hasDTLS { 5182 testCases = append(testCases, testCase{ 5183 protocol: dtls, 5184 name: "SRTP-Client-" + ver.name, 5185 config: Config{ 5186 MaxVersion: ver.version, 5187 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42}, 5188 }, 5189 flags: []string{ 5190 "-srtp-profiles", 5191 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32", 5192 }, 5193 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80, 5194 }) 5195 testCases = append(testCases, testCase{ 5196 protocol: dtls, 5197 testType: serverTest, 5198 name: "SRTP-Server-" + ver.name, 5199 config: Config{ 5200 MaxVersion: ver.version, 5201 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42}, 5202 }, 5203 flags: []string{ 5204 "-srtp-profiles", 5205 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32", 5206 }, 5207 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80, 5208 }) 5209 // Test that the MKI is ignored. 5210 testCases = append(testCases, testCase{ 5211 protocol: dtls, 5212 testType: serverTest, 5213 name: "SRTP-Server-IgnoreMKI-" + ver.name, 5214 config: Config{ 5215 MaxVersion: ver.version, 5216 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80}, 5217 Bugs: ProtocolBugs{ 5218 SRTPMasterKeyIdentifer: "bogus", 5219 }, 5220 }, 5221 flags: []string{ 5222 "-srtp-profiles", 5223 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32", 5224 }, 5225 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80, 5226 }) 5227 // Test that SRTP isn't negotiated on the server if there were 5228 // no matching profiles. 5229 testCases = append(testCases, testCase{ 5230 protocol: dtls, 5231 testType: serverTest, 5232 name: "SRTP-Server-NoMatch-" + ver.name, 5233 config: Config{ 5234 MaxVersion: ver.version, 5235 SRTPProtectionProfiles: []uint16{100, 101, 102}, 5236 }, 5237 flags: []string{ 5238 "-srtp-profiles", 5239 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32", 5240 }, 5241 expectedSRTPProtectionProfile: 0, 5242 }) 5243 // Test that the server returning an invalid SRTP profile is 5244 // flagged as an error by the client. 5245 testCases = append(testCases, testCase{ 5246 protocol: dtls, 5247 name: "SRTP-Client-NoMatch-" + ver.name, 5248 config: Config{ 5249 MaxVersion: ver.version, 5250 Bugs: ProtocolBugs{ 5251 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32, 5252 }, 5253 }, 5254 flags: []string{ 5255 "-srtp-profiles", 5256 "SRTP_AES128_CM_SHA1_80", 5257 }, 5258 shouldFail: true, 5259 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:", 5260 }) 5261 } 5262 5263 // Test SCT list. 5264 testCases = append(testCases, testCase{ 5265 name: "SignedCertificateTimestampList-Client-" + ver.name, 5266 testType: clientTest, 5267 config: Config{ 5268 MaxVersion: ver.version, 5269 }, 5270 flags: []string{ 5271 "-enable-signed-cert-timestamps", 5272 "-expect-signed-cert-timestamps", 5273 base64.StdEncoding.EncodeToString(testSCTList), 5274 }, 5275 resumeSession: true, 5276 }) 5277 5278 var differentSCTList []byte 5279 differentSCTList = append(differentSCTList, testSCTList...) 5280 differentSCTList[len(differentSCTList)-1] ^= 1 5281 5282 // The SCT extension did not specify that it must only be sent on resumption as it 5283 // should have, so test that we tolerate but ignore it. 5284 testCases = append(testCases, testCase{ 5285 name: "SendSCTListOnResume-" + ver.name, 5286 config: Config{ 5287 MaxVersion: ver.version, 5288 Bugs: ProtocolBugs{ 5289 SendSCTListOnResume: differentSCTList, 5290 }, 5291 }, 5292 flags: []string{ 5293 "-enable-signed-cert-timestamps", 5294 "-expect-signed-cert-timestamps", 5295 base64.StdEncoding.EncodeToString(testSCTList), 5296 }, 5297 resumeSession: true, 5298 }) 5299 5300 testCases = append(testCases, testCase{ 5301 name: "SignedCertificateTimestampList-Server-" + ver.name, 5302 testType: serverTest, 5303 config: Config{ 5304 MaxVersion: ver.version, 5305 }, 5306 flags: []string{ 5307 "-signed-cert-timestamps", 5308 base64.StdEncoding.EncodeToString(testSCTList), 5309 }, 5310 expectedSCTList: testSCTList, 5311 resumeSession: true, 5312 }) 5313 5314 emptySCTListCert := *testCerts[0].cert 5315 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0} 5316 5317 // Test empty SCT list. 5318 testCases = append(testCases, testCase{ 5319 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name, 5320 testType: clientTest, 5321 config: Config{ 5322 MaxVersion: ver.version, 5323 Certificates: []Certificate{emptySCTListCert}, 5324 }, 5325 flags: []string{ 5326 "-enable-signed-cert-timestamps", 5327 }, 5328 shouldFail: true, 5329 expectedError: ":ERROR_PARSING_EXTENSION:", 5330 }) 5331 5332 emptySCTCert := *testCerts[0].cert 5333 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0} 5334 5335 // Test empty SCT in non-empty list. 5336 testCases = append(testCases, testCase{ 5337 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name, 5338 testType: clientTest, 5339 config: Config{ 5340 MaxVersion: ver.version, 5341 Certificates: []Certificate{emptySCTCert}, 5342 }, 5343 flags: []string{ 5344 "-enable-signed-cert-timestamps", 5345 }, 5346 shouldFail: true, 5347 expectedError: ":ERROR_PARSING_EXTENSION:", 5348 }) 5349 5350 // Test that certificate-related extensions are not sent unsolicited. 5351 testCases = append(testCases, testCase{ 5352 testType: serverTest, 5353 name: "UnsolicitedCertificateExtensions-" + ver.name, 5354 config: Config{ 5355 MaxVersion: ver.version, 5356 Bugs: ProtocolBugs{ 5357 NoOCSPStapling: true, 5358 NoSignedCertificateTimestamps: true, 5359 }, 5360 }, 5361 flags: []string{ 5362 "-ocsp-response", 5363 base64.StdEncoding.EncodeToString(testOCSPResponse), 5364 "-signed-cert-timestamps", 5365 base64.StdEncoding.EncodeToString(testSCTList), 5366 }, 5367 }) 5368 } 5369 5370 testCases = append(testCases, testCase{ 5371 testType: clientTest, 5372 name: "ClientHelloPadding", 5373 config: Config{ 5374 Bugs: ProtocolBugs{ 5375 RequireClientHelloSize: 512, 5376 }, 5377 }, 5378 // This hostname just needs to be long enough to push the 5379 // ClientHello into F5's danger zone between 256 and 511 bytes 5380 // long. 5381 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"}, 5382 }) 5383 5384 // Extensions should not function in SSL 3.0. 5385 testCases = append(testCases, testCase{ 5386 testType: serverTest, 5387 name: "SSLv3Extensions-NoALPN", 5388 config: Config{ 5389 MaxVersion: VersionSSL30, 5390 NextProtos: []string{"foo", "bar", "baz"}, 5391 }, 5392 flags: []string{ 5393 "-select-alpn", "foo", 5394 }, 5395 expectNoNextProto: true, 5396 }) 5397 5398 // Test session tickets separately as they follow a different codepath. 5399 testCases = append(testCases, testCase{ 5400 testType: serverTest, 5401 name: "SSLv3Extensions-NoTickets", 5402 config: Config{ 5403 MaxVersion: VersionSSL30, 5404 Bugs: ProtocolBugs{ 5405 // Historically, session tickets in SSL 3.0 5406 // failed in different ways depending on whether 5407 // the client supported renegotiation_info. 5408 NoRenegotiationInfo: true, 5409 }, 5410 }, 5411 resumeSession: true, 5412 }) 5413 testCases = append(testCases, testCase{ 5414 testType: serverTest, 5415 name: "SSLv3Extensions-NoTickets2", 5416 config: Config{ 5417 MaxVersion: VersionSSL30, 5418 }, 5419 resumeSession: true, 5420 }) 5421 5422 // But SSL 3.0 does send and process renegotiation_info. 5423 testCases = append(testCases, testCase{ 5424 testType: serverTest, 5425 name: "SSLv3Extensions-RenegotiationInfo", 5426 config: Config{ 5427 MaxVersion: VersionSSL30, 5428 Bugs: ProtocolBugs{ 5429 RequireRenegotiationInfo: true, 5430 }, 5431 }, 5432 flags: []string{"-expect-secure-renegotiation"}, 5433 }) 5434 testCases = append(testCases, testCase{ 5435 testType: serverTest, 5436 name: "SSLv3Extensions-RenegotiationInfo-SCSV", 5437 config: Config{ 5438 MaxVersion: VersionSSL30, 5439 Bugs: ProtocolBugs{ 5440 NoRenegotiationInfo: true, 5441 SendRenegotiationSCSV: true, 5442 RequireRenegotiationInfo: true, 5443 }, 5444 }, 5445 flags: []string{"-expect-secure-renegotiation"}, 5446 }) 5447 5448 // Test that illegal extensions in TLS 1.3 are rejected by the client if 5449 // in ServerHello. 5450 testCases = append(testCases, testCase{ 5451 name: "NPN-Forbidden-TLS13", 5452 config: Config{ 5453 MaxVersion: VersionTLS13, 5454 NextProtos: []string{"foo"}, 5455 Bugs: ProtocolBugs{ 5456 NegotiateNPNAtAllVersions: true, 5457 }, 5458 }, 5459 flags: []string{"-select-next-proto", "foo"}, 5460 shouldFail: true, 5461 expectedError: ":ERROR_PARSING_EXTENSION:", 5462 }) 5463 testCases = append(testCases, testCase{ 5464 name: "EMS-Forbidden-TLS13", 5465 config: Config{ 5466 MaxVersion: VersionTLS13, 5467 Bugs: ProtocolBugs{ 5468 NegotiateEMSAtAllVersions: true, 5469 }, 5470 }, 5471 shouldFail: true, 5472 expectedError: ":ERROR_PARSING_EXTENSION:", 5473 }) 5474 testCases = append(testCases, testCase{ 5475 name: "RenegotiationInfo-Forbidden-TLS13", 5476 config: Config{ 5477 MaxVersion: VersionTLS13, 5478 Bugs: ProtocolBugs{ 5479 NegotiateRenegotiationInfoAtAllVersions: true, 5480 }, 5481 }, 5482 shouldFail: true, 5483 expectedError: ":ERROR_PARSING_EXTENSION:", 5484 }) 5485 testCases = append(testCases, testCase{ 5486 name: "Ticket-Forbidden-TLS13", 5487 config: Config{ 5488 MaxVersion: VersionTLS12, 5489 }, 5490 resumeConfig: &Config{ 5491 MaxVersion: VersionTLS13, 5492 Bugs: ProtocolBugs{ 5493 AdvertiseTicketExtension: true, 5494 }, 5495 }, 5496 resumeSession: true, 5497 shouldFail: true, 5498 expectedError: ":ERROR_PARSING_EXTENSION:", 5499 }) 5500 5501 // Test that illegal extensions in TLS 1.3 are declined by the server if 5502 // offered in ClientHello. The runner's server will fail if this occurs, 5503 // so we exercise the offering path. (EMS and Renegotiation Info are 5504 // implicit in every test.) 5505 testCases = append(testCases, testCase{ 5506 testType: serverTest, 5507 name: "NPN-Declined-TLS13", 5508 config: Config{ 5509 MaxVersion: VersionTLS13, 5510 NextProtos: []string{"bar"}, 5511 }, 5512 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"}, 5513 }) 5514 5515 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is 5516 // tolerated. 5517 testCases = append(testCases, testCase{ 5518 name: "SendOCSPResponseOnResume-TLS12", 5519 config: Config{ 5520 MaxVersion: VersionTLS12, 5521 Bugs: ProtocolBugs{ 5522 SendOCSPResponseOnResume: []byte("bogus"), 5523 }, 5524 }, 5525 flags: []string{ 5526 "-enable-ocsp-stapling", 5527 "-expect-ocsp-response", 5528 base64.StdEncoding.EncodeToString(testOCSPResponse), 5529 }, 5530 resumeSession: true, 5531 }) 5532 5533 testCases = append(testCases, testCase{ 5534 name: "SendUnsolicitedOCSPOnCertificate-TLS13", 5535 config: Config{ 5536 MaxVersion: VersionTLS13, 5537 Bugs: ProtocolBugs{ 5538 SendExtensionOnCertificate: testOCSPExtension, 5539 }, 5540 }, 5541 shouldFail: true, 5542 expectedError: ":UNEXPECTED_EXTENSION:", 5543 }) 5544 5545 testCases = append(testCases, testCase{ 5546 name: "SendUnsolicitedSCTOnCertificate-TLS13", 5547 config: Config{ 5548 MaxVersion: VersionTLS13, 5549 Bugs: ProtocolBugs{ 5550 SendExtensionOnCertificate: testSCTExtension, 5551 }, 5552 }, 5553 shouldFail: true, 5554 expectedError: ":UNEXPECTED_EXTENSION:", 5555 }) 5556 5557 // Test that extensions on client certificates are never accepted. 5558 testCases = append(testCases, testCase{ 5559 name: "SendExtensionOnClientCertificate-TLS13", 5560 testType: serverTest, 5561 config: Config{ 5562 MaxVersion: VersionTLS13, 5563 Certificates: []Certificate{rsaCertificate}, 5564 Bugs: ProtocolBugs{ 5565 SendExtensionOnCertificate: testOCSPExtension, 5566 }, 5567 }, 5568 flags: []string{ 5569 "-enable-ocsp-stapling", 5570 "-require-any-client-certificate", 5571 }, 5572 shouldFail: true, 5573 expectedError: ":UNEXPECTED_EXTENSION:", 5574 }) 5575 5576 testCases = append(testCases, testCase{ 5577 name: "SendUnknownExtensionOnCertificate-TLS13", 5578 config: Config{ 5579 MaxVersion: VersionTLS13, 5580 Bugs: ProtocolBugs{ 5581 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0}, 5582 }, 5583 }, 5584 shouldFail: true, 5585 expectedError: ":UNEXPECTED_EXTENSION:", 5586 }) 5587 5588 var differentSCTList []byte 5589 differentSCTList = append(differentSCTList, testSCTList...) 5590 differentSCTList[len(differentSCTList)-1] ^= 1 5591 5592 // Test that extensions on intermediates are allowed but ignored. 5593 testCases = append(testCases, testCase{ 5594 name: "IgnoreExtensionsOnIntermediates-TLS13", 5595 config: Config{ 5596 MaxVersion: VersionTLS13, 5597 Certificates: []Certificate{rsaChainCertificate}, 5598 Bugs: ProtocolBugs{ 5599 // Send different values on the intermediate. This tests 5600 // the intermediate's extensions do not override the 5601 // leaf's. 5602 SendOCSPOnIntermediates: []byte{1, 3, 3, 7}, 5603 SendSCTOnIntermediates: differentSCTList, 5604 }, 5605 }, 5606 flags: []string{ 5607 "-enable-ocsp-stapling", 5608 "-expect-ocsp-response", 5609 base64.StdEncoding.EncodeToString(testOCSPResponse), 5610 "-enable-signed-cert-timestamps", 5611 "-expect-signed-cert-timestamps", 5612 base64.StdEncoding.EncodeToString(testSCTList), 5613 }, 5614 resumeSession: true, 5615 }) 5616 5617 // Test that extensions are not sent on intermediates when configured 5618 // only for a leaf. 5619 testCases = append(testCases, testCase{ 5620 testType: serverTest, 5621 name: "SendNoExtensionsOnIntermediate-TLS13", 5622 config: Config{ 5623 MaxVersion: VersionTLS13, 5624 Bugs: ProtocolBugs{ 5625 ExpectNoExtensionsOnIntermediate: true, 5626 }, 5627 }, 5628 flags: []string{ 5629 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile), 5630 "-key-file", path.Join(*resourceDir, rsaChainKeyFile), 5631 "-ocsp-response", 5632 base64.StdEncoding.EncodeToString(testOCSPResponse), 5633 "-signed-cert-timestamps", 5634 base64.StdEncoding.EncodeToString(testSCTList), 5635 }, 5636 }) 5637 5638 // Test that extensions are not sent on client certificates. 5639 testCases = append(testCases, testCase{ 5640 name: "SendNoClientCertificateExtensions-TLS13", 5641 config: Config{ 5642 MaxVersion: VersionTLS13, 5643 ClientAuth: RequireAnyClientCert, 5644 }, 5645 flags: []string{ 5646 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 5647 "-key-file", path.Join(*resourceDir, rsaKeyFile), 5648 "-ocsp-response", 5649 base64.StdEncoding.EncodeToString(testOCSPResponse), 5650 "-signed-cert-timestamps", 5651 base64.StdEncoding.EncodeToString(testSCTList), 5652 }, 5653 }) 5654 5655 testCases = append(testCases, testCase{ 5656 name: "SendDuplicateExtensionsOnCerts-TLS13", 5657 config: Config{ 5658 MaxVersion: VersionTLS13, 5659 Bugs: ProtocolBugs{ 5660 SendDuplicateCertExtensions: true, 5661 }, 5662 }, 5663 flags: []string{ 5664 "-enable-ocsp-stapling", 5665 "-enable-signed-cert-timestamps", 5666 }, 5667 resumeSession: true, 5668 shouldFail: true, 5669 expectedError: ":DUPLICATE_EXTENSION:", 5670 }) 5671 5672 testCases = append(testCases, testCase{ 5673 name: "SignedCertificateTimestampListInvalid-Server", 5674 testType: serverTest, 5675 flags: []string{ 5676 "-signed-cert-timestamps", 5677 base64.StdEncoding.EncodeToString([]byte{0, 0}), 5678 }, 5679 shouldFail: true, 5680 expectedError: ":INVALID_SCT_LIST:", 5681 }) 5682 } 5683 5684 func addResumptionVersionTests() { 5685 for _, sessionVers := range tlsVersions { 5686 for _, resumeVers := range tlsVersions { 5687 // SSL 3.0 does not have tickets and TLS 1.3 does not 5688 // have session IDs, so skip their cross-resumption 5689 // tests. 5690 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) || 5691 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) { 5692 continue 5693 } 5694 5695 protocols := []protocol{tls} 5696 if sessionVers.hasDTLS && resumeVers.hasDTLS { 5697 protocols = append(protocols, dtls) 5698 } 5699 for _, protocol := range protocols { 5700 suffix := "-" + sessionVers.name + "-" + resumeVers.name 5701 if protocol == dtls { 5702 suffix += "-DTLS" 5703 } 5704 5705 if sessionVers.version == resumeVers.version { 5706 testCases = append(testCases, testCase{ 5707 protocol: protocol, 5708 name: "Resume-Client" + suffix, 5709 resumeSession: true, 5710 config: Config{ 5711 MaxVersion: sessionVers.version, 5712 Bugs: ProtocolBugs{ 5713 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13, 5714 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13, 5715 }, 5716 }, 5717 expectedVersion: sessionVers.version, 5718 expectedResumeVersion: resumeVers.version, 5719 }) 5720 } else { 5721 error := ":OLD_SESSION_VERSION_NOT_RETURNED:" 5722 5723 // Offering a TLS 1.3 session sends an empty session ID, so 5724 // there is no way to convince a non-lookahead client the 5725 // session was resumed. It will appear to the client that a 5726 // stray ChangeCipherSpec was sent. 5727 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 { 5728 error = ":UNEXPECTED_RECORD:" 5729 } 5730 5731 testCases = append(testCases, testCase{ 5732 protocol: protocol, 5733 name: "Resume-Client-Mismatch" + suffix, 5734 resumeSession: true, 5735 config: Config{ 5736 MaxVersion: sessionVers.version, 5737 }, 5738 expectedVersion: sessionVers.version, 5739 resumeConfig: &Config{ 5740 MaxVersion: resumeVers.version, 5741 Bugs: ProtocolBugs{ 5742 AcceptAnySession: true, 5743 }, 5744 }, 5745 expectedResumeVersion: resumeVers.version, 5746 shouldFail: true, 5747 expectedError: error, 5748 }) 5749 } 5750 5751 testCases = append(testCases, testCase{ 5752 protocol: protocol, 5753 name: "Resume-Client-NoResume" + suffix, 5754 resumeSession: true, 5755 config: Config{ 5756 MaxVersion: sessionVers.version, 5757 }, 5758 expectedVersion: sessionVers.version, 5759 resumeConfig: &Config{ 5760 MaxVersion: resumeVers.version, 5761 }, 5762 newSessionsOnResume: true, 5763 expectResumeRejected: true, 5764 expectedResumeVersion: resumeVers.version, 5765 }) 5766 5767 testCases = append(testCases, testCase{ 5768 protocol: protocol, 5769 testType: serverTest, 5770 name: "Resume-Server" + suffix, 5771 resumeSession: true, 5772 config: Config{ 5773 MaxVersion: sessionVers.version, 5774 }, 5775 expectedVersion: sessionVers.version, 5776 expectResumeRejected: sessionVers.version != resumeVers.version, 5777 resumeConfig: &Config{ 5778 MaxVersion: resumeVers.version, 5779 Bugs: ProtocolBugs{ 5780 SendBothTickets: true, 5781 }, 5782 }, 5783 expectedResumeVersion: resumeVers.version, 5784 }) 5785 } 5786 } 5787 } 5788 5789 // Make sure shim ticket mutations are functional. 5790 testCases = append(testCases, testCase{ 5791 testType: serverTest, 5792 name: "ShimTicketRewritable", 5793 resumeSession: true, 5794 config: Config{ 5795 MaxVersion: VersionTLS12, 5796 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 5797 Bugs: ProtocolBugs{ 5798 FilterTicket: func(in []byte) ([]byte, error) { 5799 in, err := SetShimTicketVersion(in, VersionTLS12) 5800 if err != nil { 5801 return nil, err 5802 } 5803 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) 5804 }, 5805 }, 5806 }, 5807 flags: []string{ 5808 "-ticket-key", 5809 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5810 }, 5811 }) 5812 5813 // Resumptions are declined if the version does not match. 5814 testCases = append(testCases, testCase{ 5815 testType: serverTest, 5816 name: "Resume-Server-DeclineCrossVersion", 5817 resumeSession: true, 5818 config: Config{ 5819 MaxVersion: VersionTLS12, 5820 Bugs: ProtocolBugs{ 5821 ExpectNewTicket: true, 5822 FilterTicket: func(in []byte) ([]byte, error) { 5823 return SetShimTicketVersion(in, VersionTLS13) 5824 }, 5825 }, 5826 }, 5827 flags: []string{ 5828 "-ticket-key", 5829 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5830 }, 5831 expectResumeRejected: true, 5832 }) 5833 5834 testCases = append(testCases, testCase{ 5835 testType: serverTest, 5836 name: "Resume-Server-DeclineCrossVersion-TLS13", 5837 resumeSession: true, 5838 config: Config{ 5839 MaxVersion: VersionTLS13, 5840 Bugs: ProtocolBugs{ 5841 FilterTicket: func(in []byte) ([]byte, error) { 5842 return SetShimTicketVersion(in, VersionTLS12) 5843 }, 5844 }, 5845 }, 5846 flags: []string{ 5847 "-ticket-key", 5848 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5849 }, 5850 expectResumeRejected: true, 5851 }) 5852 5853 // Resumptions are declined if the cipher is invalid or disabled. 5854 testCases = append(testCases, testCase{ 5855 testType: serverTest, 5856 name: "Resume-Server-DeclineBadCipher", 5857 resumeSession: true, 5858 config: Config{ 5859 MaxVersion: VersionTLS12, 5860 Bugs: ProtocolBugs{ 5861 ExpectNewTicket: true, 5862 FilterTicket: func(in []byte) ([]byte, error) { 5863 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256) 5864 }, 5865 }, 5866 }, 5867 flags: []string{ 5868 "-ticket-key", 5869 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5870 }, 5871 expectResumeRejected: true, 5872 }) 5873 5874 testCases = append(testCases, testCase{ 5875 testType: serverTest, 5876 name: "Resume-Server-DeclineBadCipher-2", 5877 resumeSession: true, 5878 config: Config{ 5879 MaxVersion: VersionTLS12, 5880 Bugs: ProtocolBugs{ 5881 ExpectNewTicket: true, 5882 FilterTicket: func(in []byte) ([]byte, error) { 5883 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) 5884 }, 5885 }, 5886 }, 5887 flags: []string{ 5888 "-cipher", "AES128", 5889 "-ticket-key", 5890 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5891 }, 5892 expectResumeRejected: true, 5893 }) 5894 5895 // Sessions are not resumed if they do not use the preferred cipher. 5896 testCases = append(testCases, testCase{ 5897 testType: serverTest, 5898 name: "Resume-Server-CipherNotPreferred", 5899 resumeSession: true, 5900 config: Config{ 5901 MaxVersion: VersionTLS12, 5902 Bugs: ProtocolBugs{ 5903 ExpectNewTicket: true, 5904 FilterTicket: func(in []byte) ([]byte, error) { 5905 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) 5906 }, 5907 }, 5908 }, 5909 flags: []string{ 5910 "-ticket-key", 5911 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5912 }, 5913 shouldFail: false, 5914 expectResumeRejected: true, 5915 }) 5916 5917 // TLS 1.3 allows sessions to be resumed at a different cipher if their 5918 // PRF hashes match, but BoringSSL will always decline such resumptions. 5919 testCases = append(testCases, testCase{ 5920 testType: serverTest, 5921 name: "Resume-Server-CipherNotPreferred-TLS13", 5922 resumeSession: true, 5923 config: Config{ 5924 MaxVersion: VersionTLS13, 5925 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256}, 5926 Bugs: ProtocolBugs{ 5927 FilterTicket: func(in []byte) ([]byte, error) { 5928 // If the client (runner) offers ChaCha20-Poly1305 first, the 5929 // server (shim) always prefers it. Switch it to AES-GCM. 5930 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256) 5931 }, 5932 }, 5933 }, 5934 flags: []string{ 5935 "-ticket-key", 5936 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5937 }, 5938 shouldFail: false, 5939 expectResumeRejected: true, 5940 }) 5941 5942 // Sessions may not be resumed if they contain another version's cipher. 5943 testCases = append(testCases, testCase{ 5944 testType: serverTest, 5945 name: "Resume-Server-DeclineBadCipher-TLS13", 5946 resumeSession: true, 5947 config: Config{ 5948 MaxVersion: VersionTLS13, 5949 Bugs: ProtocolBugs{ 5950 FilterTicket: func(in []byte) ([]byte, error) { 5951 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) 5952 }, 5953 }, 5954 }, 5955 flags: []string{ 5956 "-ticket-key", 5957 base64.StdEncoding.EncodeToString(TestShimTicketKey), 5958 }, 5959 expectResumeRejected: true, 5960 }) 5961 5962 // If the client does not offer the cipher from the session, decline to 5963 // resume. Clients are forbidden from doing this, but BoringSSL selects 5964 // the cipher first, so we only decline. 5965 testCases = append(testCases, testCase{ 5966 testType: serverTest, 5967 name: "Resume-Server-UnofferedCipher", 5968 resumeSession: true, 5969 config: Config{ 5970 MaxVersion: VersionTLS12, 5971 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, 5972 }, 5973 resumeConfig: &Config{ 5974 MaxVersion: VersionTLS12, 5975 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, 5976 Bugs: ProtocolBugs{ 5977 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 5978 }, 5979 }, 5980 expectResumeRejected: true, 5981 }) 5982 5983 // In TLS 1.3, clients may advertise a cipher list which does not 5984 // include the selected cipher. Test that we tolerate this. Servers may 5985 // resume at another cipher if the PRF matches and are not doing 0-RTT, but 5986 // BoringSSL will always decline. 5987 testCases = append(testCases, testCase{ 5988 testType: serverTest, 5989 name: "Resume-Server-UnofferedCipher-TLS13", 5990 resumeSession: true, 5991 config: Config{ 5992 MaxVersion: VersionTLS13, 5993 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256}, 5994 }, 5995 resumeConfig: &Config{ 5996 MaxVersion: VersionTLS13, 5997 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256}, 5998 Bugs: ProtocolBugs{ 5999 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256}, 6000 }, 6001 }, 6002 expectResumeRejected: true, 6003 }) 6004 6005 // Sessions may not be resumed at a different cipher. 6006 testCases = append(testCases, testCase{ 6007 name: "Resume-Client-CipherMismatch", 6008 resumeSession: true, 6009 config: Config{ 6010 MaxVersion: VersionTLS12, 6011 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 6012 }, 6013 resumeConfig: &Config{ 6014 MaxVersion: VersionTLS12, 6015 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 6016 Bugs: ProtocolBugs{ 6017 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA, 6018 }, 6019 }, 6020 shouldFail: true, 6021 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:", 6022 }) 6023 6024 // Session resumption in TLS 1.3 may change the cipher suite if the PRF 6025 // matches. 6026 testCases = append(testCases, testCase{ 6027 name: "Resume-Client-CipherMismatch-TLS13", 6028 resumeSession: true, 6029 config: Config{ 6030 MaxVersion: VersionTLS13, 6031 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256}, 6032 }, 6033 resumeConfig: &Config{ 6034 MaxVersion: VersionTLS13, 6035 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256}, 6036 }, 6037 }) 6038 6039 // Session resumption in TLS 1.3 is forbidden if the PRF does not match. 6040 testCases = append(testCases, testCase{ 6041 name: "Resume-Client-PRFMismatch-TLS13", 6042 resumeSession: true, 6043 config: Config{ 6044 MaxVersion: VersionTLS13, 6045 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256}, 6046 }, 6047 resumeConfig: &Config{ 6048 MaxVersion: VersionTLS13, 6049 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256}, 6050 Bugs: ProtocolBugs{ 6051 SendCipherSuite: TLS_AES_256_GCM_SHA384, 6052 }, 6053 }, 6054 shouldFail: true, 6055 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:", 6056 }) 6057 6058 testCases = append(testCases, testCase{ 6059 testType: serverTest, 6060 name: "Resume-Server-BinderWrongLength", 6061 resumeSession: true, 6062 config: Config{ 6063 MaxVersion: VersionTLS13, 6064 Bugs: ProtocolBugs{ 6065 SendShortPSKBinder: true, 6066 }, 6067 }, 6068 shouldFail: true, 6069 expectedLocalError: "remote error: error decrypting message", 6070 expectedError: ":DIGEST_CHECK_FAILED:", 6071 }) 6072 6073 testCases = append(testCases, testCase{ 6074 testType: serverTest, 6075 name: "Resume-Server-NoPSKBinder", 6076 resumeSession: true, 6077 config: Config{ 6078 MaxVersion: VersionTLS13, 6079 Bugs: ProtocolBugs{ 6080 SendNoPSKBinder: true, 6081 }, 6082 }, 6083 shouldFail: true, 6084 expectedLocalError: "remote error: error decoding message", 6085 expectedError: ":DECODE_ERROR:", 6086 }) 6087 6088 testCases = append(testCases, testCase{ 6089 testType: serverTest, 6090 name: "Resume-Server-ExtraPSKBinder", 6091 resumeSession: true, 6092 config: Config{ 6093 MaxVersion: VersionTLS13, 6094 Bugs: ProtocolBugs{ 6095 SendExtraPSKBinder: true, 6096 }, 6097 }, 6098 shouldFail: true, 6099 expectedLocalError: "remote error: illegal parameter", 6100 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:", 6101 }) 6102 6103 testCases = append(testCases, testCase{ 6104 testType: serverTest, 6105 name: "Resume-Server-ExtraIdentityNoBinder", 6106 resumeSession: true, 6107 config: Config{ 6108 MaxVersion: VersionTLS13, 6109 Bugs: ProtocolBugs{ 6110 ExtraPSKIdentity: true, 6111 }, 6112 }, 6113 shouldFail: true, 6114 expectedLocalError: "remote error: illegal parameter", 6115 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:", 6116 }) 6117 6118 testCases = append(testCases, testCase{ 6119 testType: serverTest, 6120 name: "Resume-Server-InvalidPSKBinder", 6121 resumeSession: true, 6122 config: Config{ 6123 MaxVersion: VersionTLS13, 6124 Bugs: ProtocolBugs{ 6125 SendInvalidPSKBinder: true, 6126 }, 6127 }, 6128 shouldFail: true, 6129 expectedLocalError: "remote error: error decrypting message", 6130 expectedError: ":DIGEST_CHECK_FAILED:", 6131 }) 6132 6133 testCases = append(testCases, testCase{ 6134 testType: serverTest, 6135 name: "Resume-Server-PSKBinderFirstExtension", 6136 resumeSession: true, 6137 config: Config{ 6138 MaxVersion: VersionTLS13, 6139 Bugs: ProtocolBugs{ 6140 PSKBinderFirst: true, 6141 }, 6142 }, 6143 shouldFail: true, 6144 expectedLocalError: "remote error: illegal parameter", 6145 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:", 6146 }) 6147 } 6148 6149 func addRenegotiationTests() { 6150 // Servers cannot renegotiate. 6151 testCases = append(testCases, testCase{ 6152 testType: serverTest, 6153 name: "Renegotiate-Server-Forbidden", 6154 config: Config{ 6155 MaxVersion: VersionTLS12, 6156 }, 6157 renegotiate: 1, 6158 shouldFail: true, 6159 expectedError: ":NO_RENEGOTIATION:", 6160 expectedLocalError: "remote error: no renegotiation", 6161 }) 6162 // The server shouldn't echo the renegotiation extension unless 6163 // requested by the client. 6164 testCases = append(testCases, testCase{ 6165 testType: serverTest, 6166 name: "Renegotiate-Server-NoExt", 6167 config: Config{ 6168 MaxVersion: VersionTLS12, 6169 Bugs: ProtocolBugs{ 6170 NoRenegotiationInfo: true, 6171 RequireRenegotiationInfo: true, 6172 }, 6173 }, 6174 shouldFail: true, 6175 expectedLocalError: "renegotiation extension missing", 6176 }) 6177 // The renegotiation SCSV should be sufficient for the server to echo 6178 // the extension. 6179 testCases = append(testCases, testCase{ 6180 testType: serverTest, 6181 name: "Renegotiate-Server-NoExt-SCSV", 6182 config: Config{ 6183 MaxVersion: VersionTLS12, 6184 Bugs: ProtocolBugs{ 6185 NoRenegotiationInfo: true, 6186 SendRenegotiationSCSV: true, 6187 RequireRenegotiationInfo: true, 6188 }, 6189 }, 6190 }) 6191 testCases = append(testCases, testCase{ 6192 name: "Renegotiate-Client", 6193 config: Config{ 6194 MaxVersion: VersionTLS12, 6195 Bugs: ProtocolBugs{ 6196 FailIfResumeOnRenego: true, 6197 }, 6198 }, 6199 renegotiate: 1, 6200 flags: []string{ 6201 "-renegotiate-freely", 6202 "-expect-total-renegotiations", "1", 6203 "-expect-secure-renegotiation", 6204 }, 6205 }) 6206 testCases = append(testCases, testCase{ 6207 name: "Renegotiate-Client-EmptyExt", 6208 renegotiate: 1, 6209 config: Config{ 6210 MaxVersion: VersionTLS12, 6211 Bugs: ProtocolBugs{ 6212 EmptyRenegotiationInfo: true, 6213 }, 6214 }, 6215 flags: []string{"-renegotiate-freely"}, 6216 shouldFail: true, 6217 expectedError: ":RENEGOTIATION_MISMATCH:", 6218 }) 6219 testCases = append(testCases, testCase{ 6220 name: "Renegotiate-Client-BadExt", 6221 renegotiate: 1, 6222 config: Config{ 6223 MaxVersion: VersionTLS12, 6224 Bugs: ProtocolBugs{ 6225 BadRenegotiationInfo: true, 6226 }, 6227 }, 6228 flags: []string{"-renegotiate-freely"}, 6229 shouldFail: true, 6230 expectedError: ":RENEGOTIATION_MISMATCH:", 6231 }) 6232 testCases = append(testCases, testCase{ 6233 name: "Renegotiate-Client-Downgrade", 6234 renegotiate: 1, 6235 config: Config{ 6236 MaxVersion: VersionTLS12, 6237 Bugs: ProtocolBugs{ 6238 NoRenegotiationInfoAfterInitial: true, 6239 }, 6240 }, 6241 flags: []string{"-renegotiate-freely"}, 6242 shouldFail: true, 6243 expectedError: ":RENEGOTIATION_MISMATCH:", 6244 }) 6245 testCases = append(testCases, testCase{ 6246 name: "Renegotiate-Client-Upgrade", 6247 renegotiate: 1, 6248 config: Config{ 6249 MaxVersion: VersionTLS12, 6250 Bugs: ProtocolBugs{ 6251 NoRenegotiationInfoInInitial: true, 6252 }, 6253 }, 6254 flags: []string{"-renegotiate-freely"}, 6255 shouldFail: true, 6256 expectedError: ":RENEGOTIATION_MISMATCH:", 6257 }) 6258 testCases = append(testCases, testCase{ 6259 name: "Renegotiate-Client-NoExt-Allowed", 6260 renegotiate: 1, 6261 config: Config{ 6262 MaxVersion: VersionTLS12, 6263 Bugs: ProtocolBugs{ 6264 NoRenegotiationInfo: true, 6265 }, 6266 }, 6267 flags: []string{ 6268 "-renegotiate-freely", 6269 "-expect-total-renegotiations", "1", 6270 "-expect-no-secure-renegotiation", 6271 }, 6272 }) 6273 6274 // Test that the server may switch ciphers on renegotiation without 6275 // problems. 6276 testCases = append(testCases, testCase{ 6277 name: "Renegotiate-Client-SwitchCiphers", 6278 renegotiate: 1, 6279 config: Config{ 6280 MaxVersion: VersionTLS12, 6281 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 6282 }, 6283 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 6284 flags: []string{ 6285 "-renegotiate-freely", 6286 "-expect-total-renegotiations", "1", 6287 }, 6288 }) 6289 testCases = append(testCases, testCase{ 6290 name: "Renegotiate-Client-SwitchCiphers2", 6291 renegotiate: 1, 6292 config: Config{ 6293 MaxVersion: VersionTLS12, 6294 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 6295 }, 6296 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 6297 flags: []string{ 6298 "-renegotiate-freely", 6299 "-expect-total-renegotiations", "1", 6300 }, 6301 }) 6302 6303 // Test that the server may not switch versions on renegotiation. 6304 testCases = append(testCases, testCase{ 6305 name: "Renegotiate-Client-SwitchVersion", 6306 config: Config{ 6307 MaxVersion: VersionTLS12, 6308 // Pick a cipher which exists at both versions. 6309 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, 6310 Bugs: ProtocolBugs{ 6311 NegotiateVersionOnRenego: VersionTLS11, 6312 // Avoid failing early at the record layer. 6313 SendRecordVersion: VersionTLS12, 6314 }, 6315 }, 6316 renegotiate: 1, 6317 flags: []string{ 6318 "-renegotiate-freely", 6319 "-expect-total-renegotiations", "1", 6320 }, 6321 shouldFail: true, 6322 expectedError: ":WRONG_SSL_VERSION:", 6323 }) 6324 6325 testCases = append(testCases, testCase{ 6326 name: "Renegotiate-SameClientVersion", 6327 renegotiate: 1, 6328 config: Config{ 6329 MaxVersion: VersionTLS10, 6330 Bugs: ProtocolBugs{ 6331 RequireSameRenegoClientVersion: true, 6332 }, 6333 }, 6334 flags: []string{ 6335 "-renegotiate-freely", 6336 "-expect-total-renegotiations", "1", 6337 }, 6338 }) 6339 testCases = append(testCases, testCase{ 6340 name: "Renegotiate-FalseStart", 6341 renegotiate: 1, 6342 config: Config{ 6343 MaxVersion: VersionTLS12, 6344 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 6345 NextProtos: []string{"foo"}, 6346 }, 6347 flags: []string{ 6348 "-false-start", 6349 "-select-next-proto", "foo", 6350 "-renegotiate-freely", 6351 "-expect-total-renegotiations", "1", 6352 }, 6353 shimWritesFirst: true, 6354 }) 6355 6356 // Client-side renegotiation controls. 6357 testCases = append(testCases, testCase{ 6358 name: "Renegotiate-Client-Forbidden-1", 6359 config: Config{ 6360 MaxVersion: VersionTLS12, 6361 }, 6362 renegotiate: 1, 6363 shouldFail: true, 6364 expectedError: ":NO_RENEGOTIATION:", 6365 expectedLocalError: "remote error: no renegotiation", 6366 }) 6367 testCases = append(testCases, testCase{ 6368 name: "Renegotiate-Client-Once-1", 6369 config: Config{ 6370 MaxVersion: VersionTLS12, 6371 }, 6372 renegotiate: 1, 6373 flags: []string{ 6374 "-renegotiate-once", 6375 "-expect-total-renegotiations", "1", 6376 }, 6377 }) 6378 testCases = append(testCases, testCase{ 6379 name: "Renegotiate-Client-Freely-1", 6380 config: Config{ 6381 MaxVersion: VersionTLS12, 6382 }, 6383 renegotiate: 1, 6384 flags: []string{ 6385 "-renegotiate-freely", 6386 "-expect-total-renegotiations", "1", 6387 }, 6388 }) 6389 testCases = append(testCases, testCase{ 6390 name: "Renegotiate-Client-Once-2", 6391 config: Config{ 6392 MaxVersion: VersionTLS12, 6393 }, 6394 renegotiate: 2, 6395 flags: []string{"-renegotiate-once"}, 6396 shouldFail: true, 6397 expectedError: ":NO_RENEGOTIATION:", 6398 expectedLocalError: "remote error: no renegotiation", 6399 }) 6400 testCases = append(testCases, testCase{ 6401 name: "Renegotiate-Client-Freely-2", 6402 config: Config{ 6403 MaxVersion: VersionTLS12, 6404 }, 6405 renegotiate: 2, 6406 flags: []string{ 6407 "-renegotiate-freely", 6408 "-expect-total-renegotiations", "2", 6409 }, 6410 }) 6411 testCases = append(testCases, testCase{ 6412 name: "Renegotiate-Client-NoIgnore", 6413 config: Config{ 6414 MaxVersion: VersionTLS12, 6415 Bugs: ProtocolBugs{ 6416 SendHelloRequestBeforeEveryAppDataRecord: true, 6417 }, 6418 }, 6419 shouldFail: true, 6420 expectedError: ":NO_RENEGOTIATION:", 6421 }) 6422 testCases = append(testCases, testCase{ 6423 name: "Renegotiate-Client-Ignore", 6424 config: Config{ 6425 MaxVersion: VersionTLS12, 6426 Bugs: ProtocolBugs{ 6427 SendHelloRequestBeforeEveryAppDataRecord: true, 6428 }, 6429 }, 6430 flags: []string{ 6431 "-renegotiate-ignore", 6432 "-expect-total-renegotiations", "0", 6433 }, 6434 }) 6435 6436 // Renegotiation is not allowed at SSL 3.0. 6437 testCases = append(testCases, testCase{ 6438 name: "Renegotiate-Client-SSL3", 6439 config: Config{ 6440 MaxVersion: VersionSSL30, 6441 }, 6442 renegotiate: 1, 6443 flags: []string{ 6444 "-renegotiate-freely", 6445 "-expect-total-renegotiations", "1", 6446 }, 6447 shouldFail: true, 6448 expectedError: ":NO_RENEGOTIATION:", 6449 expectedLocalError: "remote error: no renegotiation", 6450 }) 6451 6452 // Renegotiation is not allowed when there is an unfinished write. 6453 testCases = append(testCases, testCase{ 6454 name: "Renegotiate-Client-UnfinishedWrite", 6455 config: Config{ 6456 MaxVersion: VersionTLS12, 6457 }, 6458 renegotiate: 1, 6459 flags: []string{ 6460 "-async", 6461 "-renegotiate-freely", 6462 "-read-with-unfinished-write", 6463 }, 6464 shouldFail: true, 6465 expectedError: ":NO_RENEGOTIATION:", 6466 // We do not successfully send the no_renegotiation alert in 6467 // this case. https://crbug.com/boringssl/130 6468 }) 6469 6470 // We reject stray HelloRequests during the handshake in TLS 1.2. 6471 testCases = append(testCases, testCase{ 6472 name: "StrayHelloRequest", 6473 config: Config{ 6474 MaxVersion: VersionTLS12, 6475 Bugs: ProtocolBugs{ 6476 SendHelloRequestBeforeEveryHandshakeMessage: true, 6477 }, 6478 }, 6479 shouldFail: true, 6480 expectedError: ":UNEXPECTED_MESSAGE:", 6481 }) 6482 testCases = append(testCases, testCase{ 6483 name: "StrayHelloRequest-Packed", 6484 config: Config{ 6485 MaxVersion: VersionTLS12, 6486 Bugs: ProtocolBugs{ 6487 PackHandshakeFlight: true, 6488 SendHelloRequestBeforeEveryHandshakeMessage: true, 6489 }, 6490 }, 6491 shouldFail: true, 6492 expectedError: ":UNEXPECTED_MESSAGE:", 6493 }) 6494 6495 // Test renegotiation works if HelloRequest and server Finished come in 6496 // the same record. 6497 testCases = append(testCases, testCase{ 6498 name: "Renegotiate-Client-Packed", 6499 config: Config{ 6500 MaxVersion: VersionTLS12, 6501 Bugs: ProtocolBugs{ 6502 PackHandshakeFlight: true, 6503 PackHelloRequestWithFinished: true, 6504 }, 6505 }, 6506 renegotiate: 1, 6507 flags: []string{ 6508 "-renegotiate-freely", 6509 "-expect-total-renegotiations", "1", 6510 }, 6511 }) 6512 6513 // Renegotiation is forbidden in TLS 1.3. 6514 testCases = append(testCases, testCase{ 6515 name: "Renegotiate-Client-TLS13", 6516 config: Config{ 6517 MaxVersion: VersionTLS13, 6518 Bugs: ProtocolBugs{ 6519 SendHelloRequestBeforeEveryAppDataRecord: true, 6520 }, 6521 }, 6522 flags: []string{ 6523 "-renegotiate-freely", 6524 }, 6525 shouldFail: true, 6526 expectedError: ":UNEXPECTED_MESSAGE:", 6527 }) 6528 6529 // Stray HelloRequests during the handshake are forbidden in TLS 1.3. 6530 testCases = append(testCases, testCase{ 6531 name: "StrayHelloRequest-TLS13", 6532 config: Config{ 6533 MaxVersion: VersionTLS13, 6534 Bugs: ProtocolBugs{ 6535 SendHelloRequestBeforeEveryHandshakeMessage: true, 6536 }, 6537 }, 6538 shouldFail: true, 6539 expectedError: ":UNEXPECTED_MESSAGE:", 6540 }) 6541 6542 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3 6543 // always reads as supporting it, regardless of whether it was 6544 // negotiated. 6545 testCases = append(testCases, testCase{ 6546 name: "AlwaysReportRenegotiationInfo-TLS13", 6547 config: Config{ 6548 MaxVersion: VersionTLS13, 6549 Bugs: ProtocolBugs{ 6550 NoRenegotiationInfo: true, 6551 }, 6552 }, 6553 flags: []string{ 6554 "-expect-secure-renegotiation", 6555 }, 6556 }) 6557 6558 // Certificates may not change on renegotiation. 6559 testCases = append(testCases, testCase{ 6560 name: "Renegotiation-CertificateChange", 6561 config: Config{ 6562 MaxVersion: VersionTLS12, 6563 Certificates: []Certificate{rsaCertificate}, 6564 Bugs: ProtocolBugs{ 6565 RenegotiationCertificate: &rsaChainCertificate, 6566 }, 6567 }, 6568 renegotiate: 1, 6569 flags: []string{"-renegotiate-freely"}, 6570 shouldFail: true, 6571 expectedError: ":SERVER_CERT_CHANGED:", 6572 }) 6573 testCases = append(testCases, testCase{ 6574 name: "Renegotiation-CertificateChange-2", 6575 config: Config{ 6576 MaxVersion: VersionTLS12, 6577 Certificates: []Certificate{rsaCertificate}, 6578 Bugs: ProtocolBugs{ 6579 RenegotiationCertificate: &rsa1024Certificate, 6580 }, 6581 }, 6582 renegotiate: 1, 6583 flags: []string{"-renegotiate-freely"}, 6584 shouldFail: true, 6585 expectedError: ":SERVER_CERT_CHANGED:", 6586 }) 6587 6588 // We do not negotiate ALPN after the initial handshake. This is 6589 // error-prone and only risks bugs in consumers. 6590 testCases = append(testCases, testCase{ 6591 testType: clientTest, 6592 name: "Renegotiation-ForbidALPN", 6593 config: Config{ 6594 MaxVersion: VersionTLS12, 6595 Bugs: ProtocolBugs{ 6596 // Forcibly negotiate ALPN on both initial and 6597 // renegotiation handshakes. The test stack will 6598 // internally check the client does not offer 6599 // it. 6600 SendALPN: "foo", 6601 }, 6602 }, 6603 flags: []string{ 6604 "-advertise-alpn", "\x03foo\x03bar\x03baz", 6605 "-expect-alpn", "foo", 6606 "-renegotiate-freely", 6607 }, 6608 renegotiate: 1, 6609 shouldFail: true, 6610 expectedError: ":UNEXPECTED_EXTENSION:", 6611 }) 6612 } 6613 6614 func addDTLSReplayTests() { 6615 // Test that sequence number replays are detected. 6616 testCases = append(testCases, testCase{ 6617 protocol: dtls, 6618 name: "DTLS-Replay", 6619 messageCount: 200, 6620 replayWrites: true, 6621 }) 6622 6623 // Test the incoming sequence number skipping by values larger 6624 // than the retransmit window. 6625 testCases = append(testCases, testCase{ 6626 protocol: dtls, 6627 name: "DTLS-Replay-LargeGaps", 6628 config: Config{ 6629 Bugs: ProtocolBugs{ 6630 SequenceNumberMapping: func(in uint64) uint64 { 6631 return in * 127 6632 }, 6633 }, 6634 }, 6635 messageCount: 200, 6636 replayWrites: true, 6637 }) 6638 6639 // Test the incoming sequence number changing non-monotonically. 6640 testCases = append(testCases, testCase{ 6641 protocol: dtls, 6642 name: "DTLS-Replay-NonMonotonic", 6643 config: Config{ 6644 Bugs: ProtocolBugs{ 6645 SequenceNumberMapping: func(in uint64) uint64 { 6646 return in ^ 31 6647 }, 6648 }, 6649 }, 6650 messageCount: 200, 6651 replayWrites: true, 6652 }) 6653 } 6654 6655 var testSignatureAlgorithms = []struct { 6656 name string 6657 id signatureAlgorithm 6658 cert testCert 6659 }{ 6660 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA}, 6661 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA}, 6662 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA}, 6663 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA}, 6664 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256}, 6665 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256}, 6666 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384}, 6667 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521}, 6668 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA}, 6669 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA}, 6670 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA}, 6671 // Tests for key types prior to TLS 1.2. 6672 {"RSA", 0, testCertRSA}, 6673 {"ECDSA", 0, testCertECDSAP256}, 6674 } 6675 6676 const fakeSigAlg1 signatureAlgorithm = 0x2a01 6677 const fakeSigAlg2 signatureAlgorithm = 0xff01 6678 6679 func addSignatureAlgorithmTests() { 6680 // Not all ciphers involve a signature. Advertise a list which gives all 6681 // versions a signing cipher. 6682 signingCiphers := []uint16{ 6683 TLS_AES_128_GCM_SHA256, 6684 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 6685 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 6686 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 6687 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 6688 } 6689 if *includeDHE { 6690 signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA) 6691 } 6692 6693 var allAlgorithms []signatureAlgorithm 6694 for _, alg := range testSignatureAlgorithms { 6695 if alg.id != 0 { 6696 allAlgorithms = append(allAlgorithms, alg.id) 6697 } 6698 } 6699 6700 // Make sure each signature algorithm works. Include some fake values in 6701 // the list and ensure they're ignored. 6702 for _, alg := range testSignatureAlgorithms { 6703 for _, ver := range tlsVersions { 6704 if (ver.version < VersionTLS12) != (alg.id == 0) { 6705 continue 6706 } 6707 6708 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing 6709 // or remove it in C. 6710 if ver.version == VersionSSL30 && alg.cert != testCertRSA { 6711 continue 6712 } 6713 6714 var shouldSignFail, shouldVerifyFail bool 6715 // ecdsa_sha1 does not exist in TLS 1.3. 6716 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 { 6717 shouldSignFail = true 6718 shouldVerifyFail = true 6719 } 6720 // RSA-PKCS1 does not exist in TLS 1.3. 6721 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") { 6722 shouldSignFail = true 6723 shouldVerifyFail = true 6724 } 6725 6726 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them. 6727 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 { 6728 shouldVerifyFail = true 6729 } 6730 6731 var signError, verifyError string 6732 if shouldSignFail { 6733 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:" 6734 } 6735 if shouldVerifyFail { 6736 verifyError = ":WRONG_SIGNATURE_TYPE:" 6737 } 6738 6739 suffix := "-" + alg.name + "-" + ver.name 6740 6741 testCases = append(testCases, testCase{ 6742 name: "ClientAuth-Sign" + suffix, 6743 config: Config{ 6744 MaxVersion: ver.version, 6745 ClientAuth: RequireAnyClientCert, 6746 VerifySignatureAlgorithms: []signatureAlgorithm{ 6747 fakeSigAlg1, 6748 alg.id, 6749 fakeSigAlg2, 6750 }, 6751 }, 6752 flags: []string{ 6753 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), 6754 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), 6755 "-enable-all-curves", 6756 }, 6757 shouldFail: shouldSignFail, 6758 expectedError: signError, 6759 expectedPeerSignatureAlgorithm: alg.id, 6760 }) 6761 6762 testCases = append(testCases, testCase{ 6763 testType: serverTest, 6764 name: "ClientAuth-Verify" + suffix, 6765 config: Config{ 6766 MaxVersion: ver.version, 6767 Certificates: []Certificate{getRunnerCertificate(alg.cert)}, 6768 SignSignatureAlgorithms: []signatureAlgorithm{ 6769 alg.id, 6770 }, 6771 Bugs: ProtocolBugs{ 6772 SkipECDSACurveCheck: shouldVerifyFail, 6773 IgnoreSignatureVersionChecks: shouldVerifyFail, 6774 // Some signature algorithms may not be advertised. 6775 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail, 6776 }, 6777 }, 6778 flags: []string{ 6779 "-require-any-client-certificate", 6780 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)), 6781 "-enable-all-curves", 6782 }, 6783 // Resume the session to assert the peer signature 6784 // algorithm is reported on both handshakes. 6785 resumeSession: !shouldVerifyFail, 6786 shouldFail: shouldVerifyFail, 6787 expectedError: verifyError, 6788 }) 6789 6790 // No signing cipher for SSL 3.0. 6791 if *includeDHE || ver.version > VersionSSL30 { 6792 testCases = append(testCases, testCase{ 6793 testType: serverTest, 6794 name: "ServerAuth-Sign" + suffix, 6795 config: Config{ 6796 MaxVersion: ver.version, 6797 CipherSuites: signingCiphers, 6798 VerifySignatureAlgorithms: []signatureAlgorithm{ 6799 fakeSigAlg1, 6800 alg.id, 6801 fakeSigAlg2, 6802 }, 6803 }, 6804 flags: []string{ 6805 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), 6806 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), 6807 "-enable-all-curves", 6808 }, 6809 shouldFail: shouldSignFail, 6810 expectedError: signError, 6811 expectedPeerSignatureAlgorithm: alg.id, 6812 }) 6813 } 6814 6815 testCases = append(testCases, testCase{ 6816 name: "ServerAuth-Verify" + suffix, 6817 config: Config{ 6818 MaxVersion: ver.version, 6819 Certificates: []Certificate{getRunnerCertificate(alg.cert)}, 6820 CipherSuites: signingCiphers, 6821 SignSignatureAlgorithms: []signatureAlgorithm{ 6822 alg.id, 6823 }, 6824 Bugs: ProtocolBugs{ 6825 SkipECDSACurveCheck: shouldVerifyFail, 6826 IgnoreSignatureVersionChecks: shouldVerifyFail, 6827 // Some signature algorithms may not be advertised. 6828 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail, 6829 }, 6830 }, 6831 flags: []string{ 6832 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)), 6833 "-enable-all-curves", 6834 }, 6835 // Resume the session to assert the peer signature 6836 // algorithm is reported on both handshakes. 6837 resumeSession: !shouldVerifyFail, 6838 shouldFail: shouldVerifyFail, 6839 expectedError: verifyError, 6840 }) 6841 6842 if !shouldVerifyFail { 6843 testCases = append(testCases, testCase{ 6844 testType: serverTest, 6845 name: "ClientAuth-InvalidSignature" + suffix, 6846 config: Config{ 6847 MaxVersion: ver.version, 6848 Certificates: []Certificate{getRunnerCertificate(alg.cert)}, 6849 SignSignatureAlgorithms: []signatureAlgorithm{ 6850 alg.id, 6851 }, 6852 Bugs: ProtocolBugs{ 6853 InvalidSignature: true, 6854 }, 6855 }, 6856 flags: []string{ 6857 "-require-any-client-certificate", 6858 "-enable-all-curves", 6859 }, 6860 shouldFail: true, 6861 expectedError: ":BAD_SIGNATURE:", 6862 }) 6863 6864 testCases = append(testCases, testCase{ 6865 name: "ServerAuth-InvalidSignature" + suffix, 6866 config: Config{ 6867 MaxVersion: ver.version, 6868 Certificates: []Certificate{getRunnerCertificate(alg.cert)}, 6869 CipherSuites: signingCiphers, 6870 SignSignatureAlgorithms: []signatureAlgorithm{ 6871 alg.id, 6872 }, 6873 Bugs: ProtocolBugs{ 6874 InvalidSignature: true, 6875 }, 6876 }, 6877 flags: []string{"-enable-all-curves"}, 6878 shouldFail: true, 6879 expectedError: ":BAD_SIGNATURE:", 6880 }) 6881 } 6882 6883 if ver.version >= VersionTLS12 && !shouldSignFail { 6884 testCases = append(testCases, testCase{ 6885 name: "ClientAuth-Sign-Negotiate" + suffix, 6886 config: Config{ 6887 MaxVersion: ver.version, 6888 ClientAuth: RequireAnyClientCert, 6889 VerifySignatureAlgorithms: allAlgorithms, 6890 }, 6891 flags: []string{ 6892 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), 6893 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), 6894 "-enable-all-curves", 6895 "-signing-prefs", strconv.Itoa(int(alg.id)), 6896 }, 6897 expectedPeerSignatureAlgorithm: alg.id, 6898 }) 6899 6900 testCases = append(testCases, testCase{ 6901 testType: serverTest, 6902 name: "ServerAuth-Sign-Negotiate" + suffix, 6903 config: Config{ 6904 MaxVersion: ver.version, 6905 CipherSuites: signingCiphers, 6906 VerifySignatureAlgorithms: allAlgorithms, 6907 }, 6908 flags: []string{ 6909 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), 6910 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), 6911 "-enable-all-curves", 6912 "-signing-prefs", strconv.Itoa(int(alg.id)), 6913 }, 6914 expectedPeerSignatureAlgorithm: alg.id, 6915 }) 6916 } 6917 } 6918 } 6919 6920 // Test that algorithm selection takes the key type into account. 6921 testCases = append(testCases, testCase{ 6922 name: "ClientAuth-SignatureType", 6923 config: Config{ 6924 ClientAuth: RequireAnyClientCert, 6925 MaxVersion: VersionTLS12, 6926 VerifySignatureAlgorithms: []signatureAlgorithm{ 6927 signatureECDSAWithP521AndSHA512, 6928 signatureRSAPKCS1WithSHA384, 6929 signatureECDSAWithSHA1, 6930 }, 6931 }, 6932 flags: []string{ 6933 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 6934 "-key-file", path.Join(*resourceDir, rsaKeyFile), 6935 }, 6936 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384, 6937 }) 6938 6939 testCases = append(testCases, testCase{ 6940 name: "ClientAuth-SignatureType-TLS13", 6941 config: Config{ 6942 ClientAuth: RequireAnyClientCert, 6943 MaxVersion: VersionTLS13, 6944 VerifySignatureAlgorithms: []signatureAlgorithm{ 6945 signatureECDSAWithP521AndSHA512, 6946 signatureRSAPKCS1WithSHA384, 6947 signatureRSAPSSWithSHA384, 6948 signatureECDSAWithSHA1, 6949 }, 6950 }, 6951 flags: []string{ 6952 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 6953 "-key-file", path.Join(*resourceDir, rsaKeyFile), 6954 }, 6955 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384, 6956 }) 6957 6958 testCases = append(testCases, testCase{ 6959 testType: serverTest, 6960 name: "ServerAuth-SignatureType", 6961 config: Config{ 6962 MaxVersion: VersionTLS12, 6963 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 6964 VerifySignatureAlgorithms: []signatureAlgorithm{ 6965 signatureECDSAWithP521AndSHA512, 6966 signatureRSAPKCS1WithSHA384, 6967 signatureECDSAWithSHA1, 6968 }, 6969 }, 6970 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384, 6971 }) 6972 6973 testCases = append(testCases, testCase{ 6974 testType: serverTest, 6975 name: "ServerAuth-SignatureType-TLS13", 6976 config: Config{ 6977 MaxVersion: VersionTLS13, 6978 VerifySignatureAlgorithms: []signatureAlgorithm{ 6979 signatureECDSAWithP521AndSHA512, 6980 signatureRSAPKCS1WithSHA384, 6981 signatureRSAPSSWithSHA384, 6982 signatureECDSAWithSHA1, 6983 }, 6984 }, 6985 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384, 6986 }) 6987 6988 // Test that signature verification takes the key type into account. 6989 testCases = append(testCases, testCase{ 6990 testType: serverTest, 6991 name: "Verify-ClientAuth-SignatureType", 6992 config: Config{ 6993 MaxVersion: VersionTLS12, 6994 Certificates: []Certificate{rsaCertificate}, 6995 SignSignatureAlgorithms: []signatureAlgorithm{ 6996 signatureRSAPKCS1WithSHA256, 6997 }, 6998 Bugs: ProtocolBugs{ 6999 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256, 7000 }, 7001 }, 7002 flags: []string{ 7003 "-require-any-client-certificate", 7004 }, 7005 shouldFail: true, 7006 expectedError: ":WRONG_SIGNATURE_TYPE:", 7007 }) 7008 7009 testCases = append(testCases, testCase{ 7010 testType: serverTest, 7011 name: "Verify-ClientAuth-SignatureType-TLS13", 7012 config: Config{ 7013 MaxVersion: VersionTLS13, 7014 Certificates: []Certificate{rsaCertificate}, 7015 SignSignatureAlgorithms: []signatureAlgorithm{ 7016 signatureRSAPSSWithSHA256, 7017 }, 7018 Bugs: ProtocolBugs{ 7019 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256, 7020 }, 7021 }, 7022 flags: []string{ 7023 "-require-any-client-certificate", 7024 }, 7025 shouldFail: true, 7026 expectedError: ":WRONG_SIGNATURE_TYPE:", 7027 }) 7028 7029 testCases = append(testCases, testCase{ 7030 name: "Verify-ServerAuth-SignatureType", 7031 config: Config{ 7032 MaxVersion: VersionTLS12, 7033 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 7034 SignSignatureAlgorithms: []signatureAlgorithm{ 7035 signatureRSAPKCS1WithSHA256, 7036 }, 7037 Bugs: ProtocolBugs{ 7038 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256, 7039 }, 7040 }, 7041 shouldFail: true, 7042 expectedError: ":WRONG_SIGNATURE_TYPE:", 7043 }) 7044 7045 testCases = append(testCases, testCase{ 7046 name: "Verify-ServerAuth-SignatureType-TLS13", 7047 config: Config{ 7048 MaxVersion: VersionTLS13, 7049 SignSignatureAlgorithms: []signatureAlgorithm{ 7050 signatureRSAPSSWithSHA256, 7051 }, 7052 Bugs: ProtocolBugs{ 7053 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256, 7054 }, 7055 }, 7056 shouldFail: true, 7057 expectedError: ":WRONG_SIGNATURE_TYPE:", 7058 }) 7059 7060 // Test that, if the list is missing, the peer falls back to SHA-1 in 7061 // TLS 1.2, but not TLS 1.3. 7062 testCases = append(testCases, testCase{ 7063 name: "ClientAuth-SHA1-Fallback-RSA", 7064 config: Config{ 7065 MaxVersion: VersionTLS12, 7066 ClientAuth: RequireAnyClientCert, 7067 VerifySignatureAlgorithms: []signatureAlgorithm{ 7068 signatureRSAPKCS1WithSHA1, 7069 }, 7070 Bugs: ProtocolBugs{ 7071 NoSignatureAlgorithms: true, 7072 }, 7073 }, 7074 flags: []string{ 7075 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7076 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7077 }, 7078 }) 7079 7080 testCases = append(testCases, testCase{ 7081 testType: serverTest, 7082 name: "ServerAuth-SHA1-Fallback-RSA", 7083 config: Config{ 7084 MaxVersion: VersionTLS12, 7085 VerifySignatureAlgorithms: []signatureAlgorithm{ 7086 signatureRSAPKCS1WithSHA1, 7087 }, 7088 Bugs: ProtocolBugs{ 7089 NoSignatureAlgorithms: true, 7090 }, 7091 }, 7092 flags: []string{ 7093 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7094 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7095 }, 7096 }) 7097 7098 testCases = append(testCases, testCase{ 7099 name: "ClientAuth-SHA1-Fallback-ECDSA", 7100 config: Config{ 7101 MaxVersion: VersionTLS12, 7102 ClientAuth: RequireAnyClientCert, 7103 VerifySignatureAlgorithms: []signatureAlgorithm{ 7104 signatureECDSAWithSHA1, 7105 }, 7106 Bugs: ProtocolBugs{ 7107 NoSignatureAlgorithms: true, 7108 }, 7109 }, 7110 flags: []string{ 7111 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 7112 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 7113 }, 7114 }) 7115 7116 testCases = append(testCases, testCase{ 7117 testType: serverTest, 7118 name: "ServerAuth-SHA1-Fallback-ECDSA", 7119 config: Config{ 7120 MaxVersion: VersionTLS12, 7121 VerifySignatureAlgorithms: []signatureAlgorithm{ 7122 signatureECDSAWithSHA1, 7123 }, 7124 Bugs: ProtocolBugs{ 7125 NoSignatureAlgorithms: true, 7126 }, 7127 }, 7128 flags: []string{ 7129 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 7130 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 7131 }, 7132 }) 7133 7134 testCases = append(testCases, testCase{ 7135 name: "ClientAuth-NoFallback-TLS13", 7136 config: Config{ 7137 MaxVersion: VersionTLS13, 7138 ClientAuth: RequireAnyClientCert, 7139 VerifySignatureAlgorithms: []signatureAlgorithm{ 7140 signatureRSAPKCS1WithSHA1, 7141 }, 7142 Bugs: ProtocolBugs{ 7143 NoSignatureAlgorithms: true, 7144 }, 7145 }, 7146 flags: []string{ 7147 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7148 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7149 }, 7150 shouldFail: true, 7151 // An empty CertificateRequest signature algorithm list is a 7152 // syntax error in TLS 1.3. 7153 expectedError: ":DECODE_ERROR:", 7154 expectedLocalError: "remote error: error decoding message", 7155 }) 7156 7157 testCases = append(testCases, testCase{ 7158 testType: serverTest, 7159 name: "ServerAuth-NoFallback-TLS13", 7160 config: Config{ 7161 MaxVersion: VersionTLS13, 7162 VerifySignatureAlgorithms: []signatureAlgorithm{ 7163 signatureRSAPKCS1WithSHA1, 7164 }, 7165 Bugs: ProtocolBugs{ 7166 NoSignatureAlgorithms: true, 7167 }, 7168 }, 7169 shouldFail: true, 7170 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:", 7171 }) 7172 7173 // Test that hash preferences are enforced. BoringSSL does not implement 7174 // MD5 signatures. 7175 testCases = append(testCases, testCase{ 7176 testType: serverTest, 7177 name: "ClientAuth-Enforced", 7178 config: Config{ 7179 MaxVersion: VersionTLS12, 7180 Certificates: []Certificate{rsaCertificate}, 7181 SignSignatureAlgorithms: []signatureAlgorithm{ 7182 signatureRSAPKCS1WithMD5, 7183 }, 7184 Bugs: ProtocolBugs{ 7185 IgnorePeerSignatureAlgorithmPreferences: true, 7186 }, 7187 }, 7188 flags: []string{"-require-any-client-certificate"}, 7189 shouldFail: true, 7190 expectedError: ":WRONG_SIGNATURE_TYPE:", 7191 }) 7192 7193 testCases = append(testCases, testCase{ 7194 name: "ServerAuth-Enforced", 7195 config: Config{ 7196 MaxVersion: VersionTLS12, 7197 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 7198 SignSignatureAlgorithms: []signatureAlgorithm{ 7199 signatureRSAPKCS1WithMD5, 7200 }, 7201 Bugs: ProtocolBugs{ 7202 IgnorePeerSignatureAlgorithmPreferences: true, 7203 }, 7204 }, 7205 shouldFail: true, 7206 expectedError: ":WRONG_SIGNATURE_TYPE:", 7207 }) 7208 testCases = append(testCases, testCase{ 7209 testType: serverTest, 7210 name: "ClientAuth-Enforced-TLS13", 7211 config: Config{ 7212 MaxVersion: VersionTLS13, 7213 Certificates: []Certificate{rsaCertificate}, 7214 SignSignatureAlgorithms: []signatureAlgorithm{ 7215 signatureRSAPKCS1WithMD5, 7216 }, 7217 Bugs: ProtocolBugs{ 7218 IgnorePeerSignatureAlgorithmPreferences: true, 7219 IgnoreSignatureVersionChecks: true, 7220 }, 7221 }, 7222 flags: []string{"-require-any-client-certificate"}, 7223 shouldFail: true, 7224 expectedError: ":WRONG_SIGNATURE_TYPE:", 7225 }) 7226 7227 testCases = append(testCases, testCase{ 7228 name: "ServerAuth-Enforced-TLS13", 7229 config: Config{ 7230 MaxVersion: VersionTLS13, 7231 SignSignatureAlgorithms: []signatureAlgorithm{ 7232 signatureRSAPKCS1WithMD5, 7233 }, 7234 Bugs: ProtocolBugs{ 7235 IgnorePeerSignatureAlgorithmPreferences: true, 7236 IgnoreSignatureVersionChecks: true, 7237 }, 7238 }, 7239 shouldFail: true, 7240 expectedError: ":WRONG_SIGNATURE_TYPE:", 7241 }) 7242 7243 // Test that the agreed upon digest respects the client preferences and 7244 // the server digests. 7245 testCases = append(testCases, testCase{ 7246 name: "NoCommonAlgorithms-Digests", 7247 config: Config{ 7248 MaxVersion: VersionTLS12, 7249 ClientAuth: RequireAnyClientCert, 7250 VerifySignatureAlgorithms: []signatureAlgorithm{ 7251 signatureRSAPKCS1WithSHA512, 7252 signatureRSAPKCS1WithSHA1, 7253 }, 7254 }, 7255 flags: []string{ 7256 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7257 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7258 "-digest-prefs", "SHA256", 7259 }, 7260 shouldFail: true, 7261 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:", 7262 }) 7263 testCases = append(testCases, testCase{ 7264 name: "NoCommonAlgorithms", 7265 config: Config{ 7266 MaxVersion: VersionTLS12, 7267 ClientAuth: RequireAnyClientCert, 7268 VerifySignatureAlgorithms: []signatureAlgorithm{ 7269 signatureRSAPKCS1WithSHA512, 7270 signatureRSAPKCS1WithSHA1, 7271 }, 7272 }, 7273 flags: []string{ 7274 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7275 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7276 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)), 7277 }, 7278 shouldFail: true, 7279 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:", 7280 }) 7281 testCases = append(testCases, testCase{ 7282 name: "NoCommonAlgorithms-TLS13", 7283 config: Config{ 7284 MaxVersion: VersionTLS13, 7285 ClientAuth: RequireAnyClientCert, 7286 VerifySignatureAlgorithms: []signatureAlgorithm{ 7287 signatureRSAPSSWithSHA512, 7288 signatureRSAPSSWithSHA384, 7289 }, 7290 }, 7291 flags: []string{ 7292 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7293 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7294 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)), 7295 }, 7296 shouldFail: true, 7297 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:", 7298 }) 7299 testCases = append(testCases, testCase{ 7300 name: "Agree-Digest-SHA256", 7301 config: Config{ 7302 MaxVersion: VersionTLS12, 7303 ClientAuth: RequireAnyClientCert, 7304 VerifySignatureAlgorithms: []signatureAlgorithm{ 7305 signatureRSAPKCS1WithSHA1, 7306 signatureRSAPKCS1WithSHA256, 7307 }, 7308 }, 7309 flags: []string{ 7310 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7311 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7312 "-digest-prefs", "SHA256,SHA1", 7313 }, 7314 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256, 7315 }) 7316 testCases = append(testCases, testCase{ 7317 name: "Agree-Digest-SHA1", 7318 config: Config{ 7319 MaxVersion: VersionTLS12, 7320 ClientAuth: RequireAnyClientCert, 7321 VerifySignatureAlgorithms: []signatureAlgorithm{ 7322 signatureRSAPKCS1WithSHA1, 7323 }, 7324 }, 7325 flags: []string{ 7326 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7327 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7328 "-digest-prefs", "SHA512,SHA256,SHA1", 7329 }, 7330 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1, 7331 }) 7332 testCases = append(testCases, testCase{ 7333 name: "Agree-Digest-Default", 7334 config: Config{ 7335 MaxVersion: VersionTLS12, 7336 ClientAuth: RequireAnyClientCert, 7337 VerifySignatureAlgorithms: []signatureAlgorithm{ 7338 signatureRSAPKCS1WithSHA256, 7339 signatureECDSAWithP256AndSHA256, 7340 signatureRSAPKCS1WithSHA1, 7341 signatureECDSAWithSHA1, 7342 }, 7343 }, 7344 flags: []string{ 7345 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7346 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7347 }, 7348 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256, 7349 }) 7350 7351 // Test that the signing preference list may include extra algorithms 7352 // without negotiation problems. 7353 testCases = append(testCases, testCase{ 7354 testType: serverTest, 7355 name: "FilterExtraAlgorithms", 7356 config: Config{ 7357 MaxVersion: VersionTLS12, 7358 VerifySignatureAlgorithms: []signatureAlgorithm{ 7359 signatureRSAPKCS1WithSHA256, 7360 }, 7361 }, 7362 flags: []string{ 7363 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 7364 "-key-file", path.Join(*resourceDir, rsaKeyFile), 7365 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)), 7366 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)), 7367 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)), 7368 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)), 7369 }, 7370 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256, 7371 }) 7372 7373 // In TLS 1.2 and below, ECDSA uses the curve list rather than the 7374 // signature algorithms. 7375 testCases = append(testCases, testCase{ 7376 name: "CheckLeafCurve", 7377 config: Config{ 7378 MaxVersion: VersionTLS12, 7379 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 7380 Certificates: []Certificate{ecdsaP256Certificate}, 7381 }, 7382 flags: []string{"-p384-only"}, 7383 shouldFail: true, 7384 expectedError: ":BAD_ECC_CERT:", 7385 }) 7386 7387 // In TLS 1.3, ECDSA does not use the ECDHE curve list. 7388 testCases = append(testCases, testCase{ 7389 name: "CheckLeafCurve-TLS13", 7390 config: Config{ 7391 MaxVersion: VersionTLS13, 7392 Certificates: []Certificate{ecdsaP256Certificate}, 7393 }, 7394 flags: []string{"-p384-only"}, 7395 }) 7396 7397 // In TLS 1.2, the ECDSA curve is not in the signature algorithm. 7398 testCases = append(testCases, testCase{ 7399 name: "ECDSACurveMismatch-Verify-TLS12", 7400 config: Config{ 7401 MaxVersion: VersionTLS12, 7402 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 7403 Certificates: []Certificate{ecdsaP256Certificate}, 7404 SignSignatureAlgorithms: []signatureAlgorithm{ 7405 signatureECDSAWithP384AndSHA384, 7406 }, 7407 }, 7408 }) 7409 7410 // In TLS 1.3, the ECDSA curve comes from the signature algorithm. 7411 testCases = append(testCases, testCase{ 7412 name: "ECDSACurveMismatch-Verify-TLS13", 7413 config: Config{ 7414 MaxVersion: VersionTLS13, 7415 Certificates: []Certificate{ecdsaP256Certificate}, 7416 SignSignatureAlgorithms: []signatureAlgorithm{ 7417 signatureECDSAWithP384AndSHA384, 7418 }, 7419 Bugs: ProtocolBugs{ 7420 SkipECDSACurveCheck: true, 7421 }, 7422 }, 7423 shouldFail: true, 7424 expectedError: ":WRONG_SIGNATURE_TYPE:", 7425 }) 7426 7427 // Signature algorithm selection in TLS 1.3 should take the curve into 7428 // account. 7429 testCases = append(testCases, testCase{ 7430 testType: serverTest, 7431 name: "ECDSACurveMismatch-Sign-TLS13", 7432 config: Config{ 7433 MaxVersion: VersionTLS13, 7434 VerifySignatureAlgorithms: []signatureAlgorithm{ 7435 signatureECDSAWithP384AndSHA384, 7436 signatureECDSAWithP256AndSHA256, 7437 }, 7438 }, 7439 flags: []string{ 7440 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile), 7441 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile), 7442 }, 7443 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256, 7444 }) 7445 7446 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the 7447 // server does not attempt to sign in that case. 7448 testCases = append(testCases, testCase{ 7449 testType: serverTest, 7450 name: "RSA-PSS-Large", 7451 config: Config{ 7452 MaxVersion: VersionTLS13, 7453 VerifySignatureAlgorithms: []signatureAlgorithm{ 7454 signatureRSAPSSWithSHA512, 7455 }, 7456 }, 7457 flags: []string{ 7458 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile), 7459 "-key-file", path.Join(*resourceDir, rsa1024KeyFile), 7460 }, 7461 shouldFail: true, 7462 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:", 7463 }) 7464 7465 // Test that RSA-PSS is enabled by default for TLS 1.2. 7466 testCases = append(testCases, testCase{ 7467 testType: clientTest, 7468 name: "RSA-PSS-Default-Verify", 7469 config: Config{ 7470 MaxVersion: VersionTLS12, 7471 SignSignatureAlgorithms: []signatureAlgorithm{ 7472 signatureRSAPSSWithSHA256, 7473 }, 7474 }, 7475 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)}, 7476 }) 7477 7478 testCases = append(testCases, testCase{ 7479 testType: serverTest, 7480 name: "RSA-PSS-Default-Sign", 7481 config: Config{ 7482 MaxVersion: VersionTLS12, 7483 VerifySignatureAlgorithms: []signatureAlgorithm{ 7484 signatureRSAPSSWithSHA256, 7485 }, 7486 }, 7487 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)}, 7488 }) 7489 7490 // A server certificate with a P-224 key will only work up to TLS 1.2 7491 // and we only test it with BoringSSL acting as a server because that's 7492 // all Alphabet requires with it. 7493 testCases = append(testCases, testCase{ 7494 testType: serverTest, 7495 name: "P224-Server", 7496 config: Config{ 7497 VerifySignatureAlgorithms: []signatureAlgorithm{ 7498 // TLS 1.2 does not require that the curve 7499 // match the hash, thus P-256 with SHA-256 is 7500 // the same signature algorithm value as P-224 7501 // with SHA-256. 7502 signatureECDSAWithP256AndSHA256, 7503 }, 7504 // P-256 must be offered as well because ECDHE requires 7505 // it. 7506 CurvePreferences: []CurveID{CurveP224, CurveP256}, 7507 }, 7508 flags: []string{ 7509 "-max-version", strconv.Itoa(VersionTLS12), 7510 "-cert-file", path.Join(*resourceDir, ecdsaP224CertificateFile), 7511 "-key-file", path.Join(*resourceDir, ecdsaP224KeyFile), 7512 }, 7513 }) 7514 } 7515 7516 // timeouts is the retransmit schedule for BoringSSL. It doubles and 7517 // caps at 60 seconds. On the 13th timeout, it gives up. 7518 var timeouts = []time.Duration{ 7519 1 * time.Second, 7520 2 * time.Second, 7521 4 * time.Second, 7522 8 * time.Second, 7523 16 * time.Second, 7524 32 * time.Second, 7525 60 * time.Second, 7526 60 * time.Second, 7527 60 * time.Second, 7528 60 * time.Second, 7529 60 * time.Second, 7530 60 * time.Second, 7531 60 * time.Second, 7532 } 7533 7534 // shortTimeouts is an alternate set of timeouts which would occur if the 7535 // initial timeout duration was set to 250ms. 7536 var shortTimeouts = []time.Duration{ 7537 250 * time.Millisecond, 7538 500 * time.Millisecond, 7539 1 * time.Second, 7540 2 * time.Second, 7541 4 * time.Second, 7542 8 * time.Second, 7543 16 * time.Second, 7544 32 * time.Second, 7545 60 * time.Second, 7546 60 * time.Second, 7547 60 * time.Second, 7548 60 * time.Second, 7549 60 * time.Second, 7550 } 7551 7552 func addDTLSRetransmitTests() { 7553 // These tests work by coordinating some behavior on both the shim and 7554 // the runner. 7555 // 7556 // TimeoutSchedule configures the runner to send a series of timeout 7557 // opcodes to the shim (see packetAdaptor) immediately before reading 7558 // each peer handshake flight N. The timeout opcode both simulates a 7559 // timeout in the shim and acts as a synchronization point to help the 7560 // runner bracket each handshake flight. 7561 // 7562 // We assume the shim does not read from the channel eagerly. It must 7563 // first wait until it has sent flight N and is ready to receive 7564 // handshake flight N+1. At this point, it will process the timeout 7565 // opcode. It must then immediately respond with a timeout ACK and act 7566 // as if the shim was idle for the specified amount of time. 7567 // 7568 // The runner then drops all packets received before the ACK and 7569 // continues waiting for flight N. This ordering results in one attempt 7570 // at sending flight N to be dropped. For the test to complete, the 7571 // shim must send flight N again, testing that the shim implements DTLS 7572 // retransmit on a timeout. 7573 7574 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will 7575 // likely be more epochs to cross and the final message's retransmit may 7576 // be more complex. 7577 7578 // Test that this is indeed the timeout schedule. Stress all 7579 // four patterns of handshake. 7580 for i := 1; i < len(timeouts); i++ { 7581 number := strconv.Itoa(i) 7582 testCases = append(testCases, testCase{ 7583 protocol: dtls, 7584 name: "DTLS-Retransmit-Client-" + number, 7585 config: Config{ 7586 MaxVersion: VersionTLS12, 7587 Bugs: ProtocolBugs{ 7588 TimeoutSchedule: timeouts[:i], 7589 }, 7590 }, 7591 resumeSession: true, 7592 flags: []string{"-async"}, 7593 }) 7594 testCases = append(testCases, testCase{ 7595 protocol: dtls, 7596 testType: serverTest, 7597 name: "DTLS-Retransmit-Server-" + number, 7598 config: Config{ 7599 MaxVersion: VersionTLS12, 7600 Bugs: ProtocolBugs{ 7601 TimeoutSchedule: timeouts[:i], 7602 }, 7603 }, 7604 resumeSession: true, 7605 flags: []string{"-async"}, 7606 }) 7607 } 7608 7609 // Test that exceeding the timeout schedule hits a read 7610 // timeout. 7611 testCases = append(testCases, testCase{ 7612 protocol: dtls, 7613 name: "DTLS-Retransmit-Timeout", 7614 config: Config{ 7615 MaxVersion: VersionTLS12, 7616 Bugs: ProtocolBugs{ 7617 TimeoutSchedule: timeouts, 7618 }, 7619 }, 7620 resumeSession: true, 7621 flags: []string{"-async"}, 7622 shouldFail: true, 7623 expectedError: ":READ_TIMEOUT_EXPIRED:", 7624 }) 7625 7626 // Test that timeout handling has a fudge factor, due to API 7627 // problems. 7628 testCases = append(testCases, testCase{ 7629 protocol: dtls, 7630 name: "DTLS-Retransmit-Fudge", 7631 config: Config{ 7632 MaxVersion: VersionTLS12, 7633 Bugs: ProtocolBugs{ 7634 TimeoutSchedule: []time.Duration{ 7635 timeouts[0] - 10*time.Millisecond, 7636 }, 7637 }, 7638 }, 7639 resumeSession: true, 7640 flags: []string{"-async"}, 7641 }) 7642 7643 // Test that the final Finished retransmitting isn't 7644 // duplicated if the peer badly fragments everything. 7645 testCases = append(testCases, testCase{ 7646 testType: serverTest, 7647 protocol: dtls, 7648 name: "DTLS-Retransmit-Fragmented", 7649 config: Config{ 7650 MaxVersion: VersionTLS12, 7651 Bugs: ProtocolBugs{ 7652 TimeoutSchedule: []time.Duration{timeouts[0]}, 7653 MaxHandshakeRecordLength: 2, 7654 }, 7655 }, 7656 flags: []string{"-async"}, 7657 }) 7658 7659 // Test the timeout schedule when a shorter initial timeout duration is set. 7660 testCases = append(testCases, testCase{ 7661 protocol: dtls, 7662 name: "DTLS-Retransmit-Short-Client", 7663 config: Config{ 7664 MaxVersion: VersionTLS12, 7665 Bugs: ProtocolBugs{ 7666 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1], 7667 }, 7668 }, 7669 resumeSession: true, 7670 flags: []string{ 7671 "-async", 7672 "-initial-timeout-duration-ms", "250", 7673 }, 7674 }) 7675 testCases = append(testCases, testCase{ 7676 protocol: dtls, 7677 testType: serverTest, 7678 name: "DTLS-Retransmit-Short-Server", 7679 config: Config{ 7680 MaxVersion: VersionTLS12, 7681 Bugs: ProtocolBugs{ 7682 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1], 7683 }, 7684 }, 7685 resumeSession: true, 7686 flags: []string{ 7687 "-async", 7688 "-initial-timeout-duration-ms", "250", 7689 }, 7690 }) 7691 } 7692 7693 func addExportKeyingMaterialTests() { 7694 for _, vers := range tlsVersions { 7695 if vers.version == VersionSSL30 { 7696 continue 7697 } 7698 testCases = append(testCases, testCase{ 7699 name: "ExportKeyingMaterial-" + vers.name, 7700 config: Config{ 7701 MaxVersion: vers.version, 7702 }, 7703 exportKeyingMaterial: 1024, 7704 exportLabel: "label", 7705 exportContext: "context", 7706 useExportContext: true, 7707 }) 7708 testCases = append(testCases, testCase{ 7709 name: "ExportKeyingMaterial-NoContext-" + vers.name, 7710 config: Config{ 7711 MaxVersion: vers.version, 7712 }, 7713 exportKeyingMaterial: 1024, 7714 }) 7715 testCases = append(testCases, testCase{ 7716 name: "ExportKeyingMaterial-EmptyContext-" + vers.name, 7717 config: Config{ 7718 MaxVersion: vers.version, 7719 }, 7720 exportKeyingMaterial: 1024, 7721 useExportContext: true, 7722 }) 7723 testCases = append(testCases, testCase{ 7724 name: "ExportKeyingMaterial-Small-" + vers.name, 7725 config: Config{ 7726 MaxVersion: vers.version, 7727 }, 7728 exportKeyingMaterial: 1, 7729 exportLabel: "label", 7730 exportContext: "context", 7731 useExportContext: true, 7732 }) 7733 } 7734 7735 testCases = append(testCases, testCase{ 7736 name: "ExportKeyingMaterial-SSL3", 7737 config: Config{ 7738 MaxVersion: VersionSSL30, 7739 }, 7740 exportKeyingMaterial: 1024, 7741 exportLabel: "label", 7742 exportContext: "context", 7743 useExportContext: true, 7744 shouldFail: true, 7745 expectedError: "failed to export keying material", 7746 }) 7747 7748 // Exporters work during a False Start. 7749 testCases = append(testCases, testCase{ 7750 name: "ExportKeyingMaterial-FalseStart", 7751 config: Config{ 7752 MaxVersion: VersionTLS12, 7753 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 7754 NextProtos: []string{"foo"}, 7755 Bugs: ProtocolBugs{ 7756 ExpectFalseStart: true, 7757 }, 7758 }, 7759 flags: []string{ 7760 "-false-start", 7761 "-advertise-alpn", "\x03foo", 7762 }, 7763 shimWritesFirst: true, 7764 exportKeyingMaterial: 1024, 7765 exportLabel: "label", 7766 exportContext: "context", 7767 useExportContext: true, 7768 }) 7769 7770 // Exporters do not work in the middle of a renegotiation. Test this by 7771 // triggering the exporter after every SSL_read call and configuring the 7772 // shim to run asynchronously. 7773 testCases = append(testCases, testCase{ 7774 name: "ExportKeyingMaterial-Renegotiate", 7775 config: Config{ 7776 MaxVersion: VersionTLS12, 7777 }, 7778 renegotiate: 1, 7779 flags: []string{ 7780 "-async", 7781 "-use-exporter-between-reads", 7782 "-renegotiate-freely", 7783 "-expect-total-renegotiations", "1", 7784 }, 7785 shouldFail: true, 7786 expectedError: "failed to export keying material", 7787 }) 7788 } 7789 7790 func addTLSUniqueTests() { 7791 for _, isClient := range []bool{false, true} { 7792 for _, isResumption := range []bool{false, true} { 7793 for _, hasEMS := range []bool{false, true} { 7794 var suffix string 7795 if isResumption { 7796 suffix = "Resume-" 7797 } else { 7798 suffix = "Full-" 7799 } 7800 7801 if hasEMS { 7802 suffix += "EMS-" 7803 } else { 7804 suffix += "NoEMS-" 7805 } 7806 7807 if isClient { 7808 suffix += "Client" 7809 } else { 7810 suffix += "Server" 7811 } 7812 7813 test := testCase{ 7814 name: "TLSUnique-" + suffix, 7815 testTLSUnique: true, 7816 config: Config{ 7817 MaxVersion: VersionTLS12, 7818 Bugs: ProtocolBugs{ 7819 NoExtendedMasterSecret: !hasEMS, 7820 }, 7821 }, 7822 } 7823 7824 if isResumption { 7825 test.resumeSession = true 7826 test.resumeConfig = &Config{ 7827 MaxVersion: VersionTLS12, 7828 Bugs: ProtocolBugs{ 7829 NoExtendedMasterSecret: !hasEMS, 7830 }, 7831 } 7832 } 7833 7834 if isResumption && !hasEMS { 7835 test.shouldFail = true 7836 test.expectedError = "failed to get tls-unique" 7837 } 7838 7839 testCases = append(testCases, test) 7840 } 7841 } 7842 } 7843 } 7844 7845 func addCustomExtensionTests() { 7846 expectedContents := "custom extension" 7847 emptyString := "" 7848 7849 for _, isClient := range []bool{false, true} { 7850 suffix := "Server" 7851 flag := "-enable-server-custom-extension" 7852 testType := serverTest 7853 if isClient { 7854 suffix = "Client" 7855 flag = "-enable-client-custom-extension" 7856 testType = clientTest 7857 } 7858 7859 testCases = append(testCases, testCase{ 7860 testType: testType, 7861 name: "CustomExtensions-" + suffix, 7862 config: Config{ 7863 MaxVersion: VersionTLS12, 7864 Bugs: ProtocolBugs{ 7865 CustomExtension: expectedContents, 7866 ExpectedCustomExtension: &expectedContents, 7867 }, 7868 }, 7869 flags: []string{flag}, 7870 }) 7871 testCases = append(testCases, testCase{ 7872 testType: testType, 7873 name: "CustomExtensions-" + suffix + "-TLS13", 7874 config: Config{ 7875 MaxVersion: VersionTLS13, 7876 Bugs: ProtocolBugs{ 7877 CustomExtension: expectedContents, 7878 ExpectedCustomExtension: &expectedContents, 7879 }, 7880 }, 7881 flags: []string{flag}, 7882 }) 7883 7884 // 0-RTT is not currently supported with Custom Extensions. 7885 testCases = append(testCases, testCase{ 7886 testType: testType, 7887 name: "CustomExtensions-" + suffix + "-EarlyData", 7888 config: Config{ 7889 MaxVersion: VersionTLS13, 7890 Bugs: ProtocolBugs{ 7891 CustomExtension: expectedContents, 7892 ExpectedCustomExtension: &expectedContents, 7893 }, 7894 }, 7895 shouldFail: true, 7896 expectedError: ":CUSTOM_EXTENSION_ERROR:", 7897 flags: []string{flag, "-enable-early-data"}, 7898 }) 7899 7900 // If the parse callback fails, the handshake should also fail. 7901 testCases = append(testCases, testCase{ 7902 testType: testType, 7903 name: "CustomExtensions-ParseError-" + suffix, 7904 config: Config{ 7905 MaxVersion: VersionTLS12, 7906 Bugs: ProtocolBugs{ 7907 CustomExtension: expectedContents + "foo", 7908 ExpectedCustomExtension: &expectedContents, 7909 }, 7910 }, 7911 flags: []string{flag}, 7912 shouldFail: true, 7913 expectedError: ":CUSTOM_EXTENSION_ERROR:", 7914 }) 7915 testCases = append(testCases, testCase{ 7916 testType: testType, 7917 name: "CustomExtensions-ParseError-" + suffix + "-TLS13", 7918 config: Config{ 7919 MaxVersion: VersionTLS13, 7920 Bugs: ProtocolBugs{ 7921 CustomExtension: expectedContents + "foo", 7922 ExpectedCustomExtension: &expectedContents, 7923 }, 7924 }, 7925 flags: []string{flag}, 7926 shouldFail: true, 7927 expectedError: ":CUSTOM_EXTENSION_ERROR:", 7928 }) 7929 7930 // If the add callback fails, the handshake should also fail. 7931 testCases = append(testCases, testCase{ 7932 testType: testType, 7933 name: "CustomExtensions-FailAdd-" + suffix, 7934 config: Config{ 7935 MaxVersion: VersionTLS12, 7936 Bugs: ProtocolBugs{ 7937 CustomExtension: expectedContents, 7938 ExpectedCustomExtension: &expectedContents, 7939 }, 7940 }, 7941 flags: []string{flag, "-custom-extension-fail-add"}, 7942 shouldFail: true, 7943 expectedError: ":CUSTOM_EXTENSION_ERROR:", 7944 }) 7945 testCases = append(testCases, testCase{ 7946 testType: testType, 7947 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13", 7948 config: Config{ 7949 MaxVersion: VersionTLS13, 7950 Bugs: ProtocolBugs{ 7951 CustomExtension: expectedContents, 7952 ExpectedCustomExtension: &expectedContents, 7953 }, 7954 }, 7955 flags: []string{flag, "-custom-extension-fail-add"}, 7956 shouldFail: true, 7957 expectedError: ":CUSTOM_EXTENSION_ERROR:", 7958 }) 7959 7960 // If the add callback returns zero, no extension should be 7961 // added. 7962 skipCustomExtension := expectedContents 7963 if isClient { 7964 // For the case where the client skips sending the 7965 // custom extension, the server must not echo it. 7966 skipCustomExtension = "" 7967 } 7968 testCases = append(testCases, testCase{ 7969 testType: testType, 7970 name: "CustomExtensions-Skip-" + suffix, 7971 config: Config{ 7972 MaxVersion: VersionTLS12, 7973 Bugs: ProtocolBugs{ 7974 CustomExtension: skipCustomExtension, 7975 ExpectedCustomExtension: &emptyString, 7976 }, 7977 }, 7978 flags: []string{flag, "-custom-extension-skip"}, 7979 }) 7980 testCases = append(testCases, testCase{ 7981 testType: testType, 7982 name: "CustomExtensions-Skip-" + suffix + "-TLS13", 7983 config: Config{ 7984 MaxVersion: VersionTLS13, 7985 Bugs: ProtocolBugs{ 7986 CustomExtension: skipCustomExtension, 7987 ExpectedCustomExtension: &emptyString, 7988 }, 7989 }, 7990 flags: []string{flag, "-custom-extension-skip"}, 7991 }) 7992 } 7993 7994 // The custom extension add callback should not be called if the client 7995 // doesn't send the extension. 7996 testCases = append(testCases, testCase{ 7997 testType: serverTest, 7998 name: "CustomExtensions-NotCalled-Server", 7999 config: Config{ 8000 MaxVersion: VersionTLS12, 8001 Bugs: ProtocolBugs{ 8002 ExpectedCustomExtension: &emptyString, 8003 }, 8004 }, 8005 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"}, 8006 }) 8007 8008 testCases = append(testCases, testCase{ 8009 testType: serverTest, 8010 name: "CustomExtensions-NotCalled-Server-TLS13", 8011 config: Config{ 8012 MaxVersion: VersionTLS13, 8013 Bugs: ProtocolBugs{ 8014 ExpectedCustomExtension: &emptyString, 8015 }, 8016 }, 8017 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"}, 8018 }) 8019 8020 // Test an unknown extension from the server. 8021 testCases = append(testCases, testCase{ 8022 testType: clientTest, 8023 name: "UnknownExtension-Client", 8024 config: Config{ 8025 MaxVersion: VersionTLS12, 8026 Bugs: ProtocolBugs{ 8027 CustomExtension: expectedContents, 8028 }, 8029 }, 8030 shouldFail: true, 8031 expectedError: ":UNEXPECTED_EXTENSION:", 8032 expectedLocalError: "remote error: unsupported extension", 8033 }) 8034 testCases = append(testCases, testCase{ 8035 testType: clientTest, 8036 name: "UnknownExtension-Client-TLS13", 8037 config: Config{ 8038 MaxVersion: VersionTLS13, 8039 Bugs: ProtocolBugs{ 8040 CustomExtension: expectedContents, 8041 }, 8042 }, 8043 shouldFail: true, 8044 expectedError: ":UNEXPECTED_EXTENSION:", 8045 expectedLocalError: "remote error: unsupported extension", 8046 }) 8047 testCases = append(testCases, testCase{ 8048 testType: clientTest, 8049 name: "UnknownUnencryptedExtension-Client-TLS13", 8050 config: Config{ 8051 MaxVersion: VersionTLS13, 8052 Bugs: ProtocolBugs{ 8053 CustomUnencryptedExtension: expectedContents, 8054 }, 8055 }, 8056 shouldFail: true, 8057 expectedError: ":UNEXPECTED_EXTENSION:", 8058 // The shim must send an alert, but alerts at this point do not 8059 // get successfully decrypted by the runner. 8060 expectedLocalError: "local error: bad record MAC", 8061 }) 8062 testCases = append(testCases, testCase{ 8063 testType: clientTest, 8064 name: "UnexpectedUnencryptedExtension-Client-TLS13", 8065 config: Config{ 8066 MaxVersion: VersionTLS13, 8067 Bugs: ProtocolBugs{ 8068 SendUnencryptedALPN: "foo", 8069 }, 8070 }, 8071 flags: []string{ 8072 "-advertise-alpn", "\x03foo\x03bar", 8073 }, 8074 shouldFail: true, 8075 expectedError: ":UNEXPECTED_EXTENSION:", 8076 // The shim must send an alert, but alerts at this point do not 8077 // get successfully decrypted by the runner. 8078 expectedLocalError: "local error: bad record MAC", 8079 }) 8080 8081 // Test a known but unoffered extension from the server. 8082 testCases = append(testCases, testCase{ 8083 testType: clientTest, 8084 name: "UnofferedExtension-Client", 8085 config: Config{ 8086 MaxVersion: VersionTLS12, 8087 Bugs: ProtocolBugs{ 8088 SendALPN: "alpn", 8089 }, 8090 }, 8091 shouldFail: true, 8092 expectedError: ":UNEXPECTED_EXTENSION:", 8093 expectedLocalError: "remote error: unsupported extension", 8094 }) 8095 testCases = append(testCases, testCase{ 8096 testType: clientTest, 8097 name: "UnofferedExtension-Client-TLS13", 8098 config: Config{ 8099 MaxVersion: VersionTLS13, 8100 Bugs: ProtocolBugs{ 8101 SendALPN: "alpn", 8102 }, 8103 }, 8104 shouldFail: true, 8105 expectedError: ":UNEXPECTED_EXTENSION:", 8106 expectedLocalError: "remote error: unsupported extension", 8107 }) 8108 } 8109 8110 func addRSAClientKeyExchangeTests() { 8111 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ { 8112 testCases = append(testCases, testCase{ 8113 testType: serverTest, 8114 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad), 8115 config: Config{ 8116 // Ensure the ClientHello version and final 8117 // version are different, to detect if the 8118 // server uses the wrong one. 8119 MaxVersion: VersionTLS11, 8120 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA}, 8121 Bugs: ProtocolBugs{ 8122 BadRSAClientKeyExchange: bad, 8123 }, 8124 }, 8125 shouldFail: true, 8126 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 8127 }) 8128 } 8129 8130 // The server must compare whatever was in ClientHello.version for the 8131 // RSA premaster. 8132 testCases = append(testCases, testCase{ 8133 testType: serverTest, 8134 name: "SendClientVersion-RSA", 8135 config: Config{ 8136 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 8137 Bugs: ProtocolBugs{ 8138 SendClientVersion: 0x1234, 8139 }, 8140 }, 8141 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)}, 8142 }) 8143 } 8144 8145 var testCurves = []struct { 8146 name string 8147 id CurveID 8148 }{ 8149 {"P-256", CurveP256}, 8150 {"P-384", CurveP384}, 8151 {"P-521", CurveP521}, 8152 {"X25519", CurveX25519}, 8153 } 8154 8155 const bogusCurve = 0x1234 8156 8157 func addCurveTests() { 8158 for _, curve := range testCurves { 8159 testCases = append(testCases, testCase{ 8160 name: "CurveTest-Client-" + curve.name, 8161 config: Config{ 8162 MaxVersion: VersionTLS12, 8163 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8164 CurvePreferences: []CurveID{curve.id}, 8165 }, 8166 flags: []string{ 8167 "-enable-all-curves", 8168 "-expect-curve-id", strconv.Itoa(int(curve.id)), 8169 }, 8170 expectedCurveID: curve.id, 8171 }) 8172 testCases = append(testCases, testCase{ 8173 name: "CurveTest-Client-" + curve.name + "-TLS13", 8174 config: Config{ 8175 MaxVersion: VersionTLS13, 8176 CurvePreferences: []CurveID{curve.id}, 8177 }, 8178 flags: []string{ 8179 "-enable-all-curves", 8180 "-expect-curve-id", strconv.Itoa(int(curve.id)), 8181 }, 8182 expectedCurveID: curve.id, 8183 }) 8184 testCases = append(testCases, testCase{ 8185 testType: serverTest, 8186 name: "CurveTest-Server-" + curve.name, 8187 config: Config{ 8188 MaxVersion: VersionTLS12, 8189 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8190 CurvePreferences: []CurveID{curve.id}, 8191 }, 8192 flags: []string{ 8193 "-enable-all-curves", 8194 "-expect-curve-id", strconv.Itoa(int(curve.id)), 8195 }, 8196 expectedCurveID: curve.id, 8197 }) 8198 testCases = append(testCases, testCase{ 8199 testType: serverTest, 8200 name: "CurveTest-Server-" + curve.name + "-TLS13", 8201 config: Config{ 8202 MaxVersion: VersionTLS13, 8203 CurvePreferences: []CurveID{curve.id}, 8204 }, 8205 flags: []string{ 8206 "-enable-all-curves", 8207 "-expect-curve-id", strconv.Itoa(int(curve.id)), 8208 }, 8209 expectedCurveID: curve.id, 8210 }) 8211 } 8212 8213 // The server must be tolerant to bogus curves. 8214 testCases = append(testCases, testCase{ 8215 testType: serverTest, 8216 name: "UnknownCurve", 8217 config: Config{ 8218 MaxVersion: VersionTLS12, 8219 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8220 CurvePreferences: []CurveID{bogusCurve, CurveP256}, 8221 }, 8222 }) 8223 8224 // The server must be tolerant to bogus curves. 8225 testCases = append(testCases, testCase{ 8226 testType: serverTest, 8227 name: "UnknownCurve-TLS13", 8228 config: Config{ 8229 MaxVersion: VersionTLS13, 8230 CurvePreferences: []CurveID{bogusCurve, CurveP256}, 8231 }, 8232 }) 8233 8234 // The server must not consider ECDHE ciphers when there are no 8235 // supported curves. 8236 testCases = append(testCases, testCase{ 8237 testType: serverTest, 8238 name: "NoSupportedCurves", 8239 config: Config{ 8240 MaxVersion: VersionTLS12, 8241 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8242 Bugs: ProtocolBugs{ 8243 NoSupportedCurves: true, 8244 }, 8245 }, 8246 shouldFail: true, 8247 expectedError: ":NO_SHARED_CIPHER:", 8248 }) 8249 testCases = append(testCases, testCase{ 8250 testType: serverTest, 8251 name: "NoSupportedCurves-TLS13", 8252 config: Config{ 8253 MaxVersion: VersionTLS13, 8254 Bugs: ProtocolBugs{ 8255 NoSupportedCurves: true, 8256 }, 8257 }, 8258 shouldFail: true, 8259 expectedError: ":NO_SHARED_GROUP:", 8260 }) 8261 8262 // The server must fall back to another cipher when there are no 8263 // supported curves. 8264 testCases = append(testCases, testCase{ 8265 testType: serverTest, 8266 name: "NoCommonCurves", 8267 config: Config{ 8268 MaxVersion: VersionTLS12, 8269 CipherSuites: []uint16{ 8270 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 8271 TLS_RSA_WITH_AES_128_GCM_SHA256, 8272 }, 8273 CurvePreferences: []CurveID{CurveP224}, 8274 }, 8275 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256, 8276 }) 8277 8278 // The client must reject bogus curves and disabled curves. 8279 testCases = append(testCases, testCase{ 8280 name: "BadECDHECurve", 8281 config: Config{ 8282 MaxVersion: VersionTLS12, 8283 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8284 Bugs: ProtocolBugs{ 8285 SendCurve: bogusCurve, 8286 }, 8287 }, 8288 shouldFail: true, 8289 expectedError: ":WRONG_CURVE:", 8290 }) 8291 testCases = append(testCases, testCase{ 8292 name: "BadECDHECurve-TLS13", 8293 config: Config{ 8294 MaxVersion: VersionTLS13, 8295 Bugs: ProtocolBugs{ 8296 SendCurve: bogusCurve, 8297 }, 8298 }, 8299 shouldFail: true, 8300 expectedError: ":WRONG_CURVE:", 8301 }) 8302 8303 testCases = append(testCases, testCase{ 8304 name: "UnsupportedCurve", 8305 config: Config{ 8306 MaxVersion: VersionTLS12, 8307 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8308 CurvePreferences: []CurveID{CurveP256}, 8309 Bugs: ProtocolBugs{ 8310 IgnorePeerCurvePreferences: true, 8311 }, 8312 }, 8313 flags: []string{"-p384-only"}, 8314 shouldFail: true, 8315 expectedError: ":WRONG_CURVE:", 8316 }) 8317 8318 testCases = append(testCases, testCase{ 8319 // TODO(davidben): Add a TLS 1.3 version where 8320 // HelloRetryRequest requests an unsupported curve. 8321 name: "UnsupportedCurve-ServerHello-TLS13", 8322 config: Config{ 8323 MaxVersion: VersionTLS13, 8324 CurvePreferences: []CurveID{CurveP384}, 8325 Bugs: ProtocolBugs{ 8326 SendCurve: CurveP256, 8327 }, 8328 }, 8329 flags: []string{"-p384-only"}, 8330 shouldFail: true, 8331 expectedError: ":WRONG_CURVE:", 8332 }) 8333 8334 // Test invalid curve points. 8335 testCases = append(testCases, testCase{ 8336 name: "InvalidECDHPoint-Client", 8337 config: Config{ 8338 MaxVersion: VersionTLS12, 8339 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8340 CurvePreferences: []CurveID{CurveP256}, 8341 Bugs: ProtocolBugs{ 8342 InvalidECDHPoint: true, 8343 }, 8344 }, 8345 shouldFail: true, 8346 expectedError: ":INVALID_ENCODING:", 8347 }) 8348 testCases = append(testCases, testCase{ 8349 name: "InvalidECDHPoint-Client-TLS13", 8350 config: Config{ 8351 MaxVersion: VersionTLS13, 8352 CurvePreferences: []CurveID{CurveP256}, 8353 Bugs: ProtocolBugs{ 8354 InvalidECDHPoint: true, 8355 }, 8356 }, 8357 shouldFail: true, 8358 expectedError: ":INVALID_ENCODING:", 8359 }) 8360 testCases = append(testCases, testCase{ 8361 testType: serverTest, 8362 name: "InvalidECDHPoint-Server", 8363 config: Config{ 8364 MaxVersion: VersionTLS12, 8365 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8366 CurvePreferences: []CurveID{CurveP256}, 8367 Bugs: ProtocolBugs{ 8368 InvalidECDHPoint: true, 8369 }, 8370 }, 8371 shouldFail: true, 8372 expectedError: ":INVALID_ENCODING:", 8373 }) 8374 testCases = append(testCases, testCase{ 8375 testType: serverTest, 8376 name: "InvalidECDHPoint-Server-TLS13", 8377 config: Config{ 8378 MaxVersion: VersionTLS13, 8379 CurvePreferences: []CurveID{CurveP256}, 8380 Bugs: ProtocolBugs{ 8381 InvalidECDHPoint: true, 8382 }, 8383 }, 8384 shouldFail: true, 8385 expectedError: ":INVALID_ENCODING:", 8386 }) 8387 8388 // The previous curve ID should be reported on TLS 1.2 resumption. 8389 testCases = append(testCases, testCase{ 8390 name: "CurveID-Resume-Client", 8391 config: Config{ 8392 MaxVersion: VersionTLS12, 8393 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8394 CurvePreferences: []CurveID{CurveX25519}, 8395 }, 8396 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))}, 8397 resumeSession: true, 8398 }) 8399 testCases = append(testCases, testCase{ 8400 testType: serverTest, 8401 name: "CurveID-Resume-Server", 8402 config: Config{ 8403 MaxVersion: VersionTLS12, 8404 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 8405 CurvePreferences: []CurveID{CurveX25519}, 8406 }, 8407 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))}, 8408 resumeSession: true, 8409 }) 8410 8411 // TLS 1.3 allows resuming at a differet curve. If this happens, the new 8412 // one should be reported. 8413 testCases = append(testCases, testCase{ 8414 name: "CurveID-Resume-Client-TLS13", 8415 config: Config{ 8416 MaxVersion: VersionTLS13, 8417 CurvePreferences: []CurveID{CurveX25519}, 8418 }, 8419 resumeConfig: &Config{ 8420 MaxVersion: VersionTLS13, 8421 CurvePreferences: []CurveID{CurveP256}, 8422 }, 8423 flags: []string{ 8424 "-expect-curve-id", strconv.Itoa(int(CurveX25519)), 8425 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)), 8426 }, 8427 resumeSession: true, 8428 }) 8429 testCases = append(testCases, testCase{ 8430 testType: serverTest, 8431 name: "CurveID-Resume-Server-TLS13", 8432 config: Config{ 8433 MaxVersion: VersionTLS13, 8434 CurvePreferences: []CurveID{CurveX25519}, 8435 }, 8436 resumeConfig: &Config{ 8437 MaxVersion: VersionTLS13, 8438 CurvePreferences: []CurveID{CurveP256}, 8439 }, 8440 flags: []string{ 8441 "-expect-curve-id", strconv.Itoa(int(CurveX25519)), 8442 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)), 8443 }, 8444 resumeSession: true, 8445 }) 8446 8447 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3. 8448 testCases = append(testCases, testCase{ 8449 name: "PointFormat-ServerHello-TLS12", 8450 config: Config{ 8451 MaxVersion: VersionTLS12, 8452 Bugs: ProtocolBugs{ 8453 SendSupportedPointFormats: []byte{pointFormatUncompressed}, 8454 }, 8455 }, 8456 }) 8457 testCases = append(testCases, testCase{ 8458 name: "PointFormat-EncryptedExtensions-TLS13", 8459 config: Config{ 8460 MaxVersion: VersionTLS13, 8461 Bugs: ProtocolBugs{ 8462 SendSupportedPointFormats: []byte{pointFormatUncompressed}, 8463 }, 8464 }, 8465 shouldFail: true, 8466 expectedError: ":ERROR_PARSING_EXTENSION:", 8467 }) 8468 8469 // Test that we tolerate unknown point formats, as long as 8470 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to 8471 // check they are still functional. 8472 testCases = append(testCases, testCase{ 8473 name: "PointFormat-Client-Tolerance", 8474 config: Config{ 8475 MaxVersion: VersionTLS12, 8476 Bugs: ProtocolBugs{ 8477 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime}, 8478 }, 8479 }, 8480 }) 8481 testCases = append(testCases, testCase{ 8482 testType: serverTest, 8483 name: "PointFormat-Server-Tolerance", 8484 config: Config{ 8485 MaxVersion: VersionTLS12, 8486 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, 8487 Bugs: ProtocolBugs{ 8488 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime}, 8489 }, 8490 }, 8491 }) 8492 8493 // Test TLS 1.2 does not require the point format extension to be 8494 // present. 8495 testCases = append(testCases, testCase{ 8496 name: "PointFormat-Client-Missing", 8497 config: Config{ 8498 MaxVersion: VersionTLS12, 8499 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, 8500 Bugs: ProtocolBugs{ 8501 SendSupportedPointFormats: []byte{}, 8502 }, 8503 }, 8504 }) 8505 testCases = append(testCases, testCase{ 8506 testType: serverTest, 8507 name: "PointFormat-Server-Missing", 8508 config: Config{ 8509 MaxVersion: VersionTLS12, 8510 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, 8511 Bugs: ProtocolBugs{ 8512 SendSupportedPointFormats: []byte{}, 8513 }, 8514 }, 8515 }) 8516 8517 // If the point format extension is present, uncompressed points must be 8518 // offered. BoringSSL requires this whether or not ECDHE is used. 8519 testCases = append(testCases, testCase{ 8520 name: "PointFormat-Client-MissingUncompressed", 8521 config: Config{ 8522 MaxVersion: VersionTLS12, 8523 Bugs: ProtocolBugs{ 8524 SendSupportedPointFormats: []byte{pointFormatCompressedPrime}, 8525 }, 8526 }, 8527 shouldFail: true, 8528 expectedError: ":ERROR_PARSING_EXTENSION:", 8529 }) 8530 testCases = append(testCases, testCase{ 8531 testType: serverTest, 8532 name: "PointFormat-Server-MissingUncompressed", 8533 config: Config{ 8534 MaxVersion: VersionTLS12, 8535 Bugs: ProtocolBugs{ 8536 SendSupportedPointFormats: []byte{pointFormatCompressedPrime}, 8537 }, 8538 }, 8539 shouldFail: true, 8540 expectedError: ":ERROR_PARSING_EXTENSION:", 8541 }) 8542 } 8543 8544 func addTLS13RecordTests() { 8545 testCases = append(testCases, testCase{ 8546 name: "TLS13-RecordPadding", 8547 config: Config{ 8548 MaxVersion: VersionTLS13, 8549 MinVersion: VersionTLS13, 8550 Bugs: ProtocolBugs{ 8551 RecordPadding: 10, 8552 }, 8553 }, 8554 }) 8555 8556 testCases = append(testCases, testCase{ 8557 name: "TLS13-EmptyRecords", 8558 config: Config{ 8559 MaxVersion: VersionTLS13, 8560 MinVersion: VersionTLS13, 8561 Bugs: ProtocolBugs{ 8562 OmitRecordContents: true, 8563 }, 8564 }, 8565 shouldFail: true, 8566 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 8567 }) 8568 8569 testCases = append(testCases, testCase{ 8570 name: "TLS13-OnlyPadding", 8571 config: Config{ 8572 MaxVersion: VersionTLS13, 8573 MinVersion: VersionTLS13, 8574 Bugs: ProtocolBugs{ 8575 OmitRecordContents: true, 8576 RecordPadding: 10, 8577 }, 8578 }, 8579 shouldFail: true, 8580 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 8581 }) 8582 8583 testCases = append(testCases, testCase{ 8584 name: "TLS13-WrongOuterRecord", 8585 config: Config{ 8586 MaxVersion: VersionTLS13, 8587 MinVersion: VersionTLS13, 8588 Bugs: ProtocolBugs{ 8589 OuterRecordType: recordTypeHandshake, 8590 }, 8591 }, 8592 shouldFail: true, 8593 expectedError: ":INVALID_OUTER_RECORD_TYPE:", 8594 }) 8595 } 8596 8597 func addSessionTicketTests() { 8598 testCases = append(testCases, testCase{ 8599 // In TLS 1.2 and below, empty NewSessionTicket messages 8600 // mean the server changed its mind on sending a ticket. 8601 name: "SendEmptySessionTicket", 8602 config: Config{ 8603 MaxVersion: VersionTLS12, 8604 Bugs: ProtocolBugs{ 8605 SendEmptySessionTicket: true, 8606 }, 8607 }, 8608 flags: []string{"-expect-no-session"}, 8609 }) 8610 8611 // Test that the server ignores unknown PSK modes. 8612 testCases = append(testCases, testCase{ 8613 testType: serverTest, 8614 name: "TLS13-SendUnknownModeSessionTicket-Server", 8615 config: Config{ 8616 MaxVersion: VersionTLS13, 8617 Bugs: ProtocolBugs{ 8618 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a}, 8619 }, 8620 }, 8621 resumeSession: true, 8622 expectedResumeVersion: VersionTLS13, 8623 }) 8624 8625 // Test that the server does not send session tickets with no matching key exchange mode. 8626 testCases = append(testCases, testCase{ 8627 testType: serverTest, 8628 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server", 8629 config: Config{ 8630 MaxVersion: VersionTLS13, 8631 Bugs: ProtocolBugs{ 8632 SendPSKKeyExchangeModes: []byte{0x1a}, 8633 ExpectNoNewSessionTicket: true, 8634 }, 8635 }, 8636 }) 8637 8638 // Test that the server does not accept a session with no matching key exchange mode. 8639 testCases = append(testCases, testCase{ 8640 testType: serverTest, 8641 name: "TLS13-SendBadKEModeSessionTicket-Server", 8642 config: Config{ 8643 MaxVersion: VersionTLS13, 8644 }, 8645 resumeConfig: &Config{ 8646 MaxVersion: VersionTLS13, 8647 Bugs: ProtocolBugs{ 8648 SendPSKKeyExchangeModes: []byte{0x1a}, 8649 }, 8650 }, 8651 resumeSession: true, 8652 expectResumeRejected: true, 8653 }) 8654 8655 // Test that the client ticket age is sent correctly. 8656 testCases = append(testCases, testCase{ 8657 testType: clientTest, 8658 name: "TLS13-TestValidTicketAge-Client", 8659 config: Config{ 8660 MaxVersion: VersionTLS13, 8661 Bugs: ProtocolBugs{ 8662 ExpectTicketAge: 10 * time.Second, 8663 }, 8664 }, 8665 resumeSession: true, 8666 flags: []string{ 8667 "-resumption-delay", "10", 8668 }, 8669 }) 8670 8671 // Test that the client ticket age is enforced. 8672 testCases = append(testCases, testCase{ 8673 testType: clientTest, 8674 name: "TLS13-TestBadTicketAge-Client", 8675 config: Config{ 8676 MaxVersion: VersionTLS13, 8677 Bugs: ProtocolBugs{ 8678 ExpectTicketAge: 1000 * time.Second, 8679 }, 8680 }, 8681 resumeSession: true, 8682 shouldFail: true, 8683 expectedLocalError: "tls: invalid ticket age", 8684 }) 8685 8686 // Test that the server's ticket age skew reporting works. 8687 testCases = append(testCases, testCase{ 8688 testType: serverTest, 8689 name: "TLS13-TicketAgeSkew-Forward", 8690 config: Config{ 8691 MaxVersion: VersionTLS13, 8692 Bugs: ProtocolBugs{ 8693 SendTicketAge: 15 * time.Second, 8694 }, 8695 }, 8696 resumeSession: true, 8697 resumeRenewedSession: true, 8698 flags: []string{ 8699 "-resumption-delay", "10", 8700 "-expect-ticket-age-skew", "5", 8701 }, 8702 }) 8703 testCases = append(testCases, testCase{ 8704 testType: serverTest, 8705 name: "TLS13-TicketAgeSkew-Backward", 8706 config: Config{ 8707 MaxVersion: VersionTLS13, 8708 Bugs: ProtocolBugs{ 8709 SendTicketAge: 5 * time.Second, 8710 }, 8711 }, 8712 resumeSession: true, 8713 resumeRenewedSession: true, 8714 flags: []string{ 8715 "-resumption-delay", "10", 8716 "-expect-ticket-age-skew", "-5", 8717 }, 8718 }) 8719 8720 testCases = append(testCases, testCase{ 8721 testType: clientTest, 8722 name: "TLS13-SendTicketEarlyDataInfo", 8723 config: Config{ 8724 MaxVersion: VersionTLS13, 8725 MaxEarlyDataSize: 16384, 8726 }, 8727 flags: []string{ 8728 "-enable-early-data", 8729 "-expect-early-data-info", 8730 }, 8731 }) 8732 8733 // Test that 0-RTT tickets are ignored in clients unless opted in. 8734 testCases = append(testCases, testCase{ 8735 testType: clientTest, 8736 name: "TLS13-SendTicketEarlyDataInfo-Disabled", 8737 config: Config{ 8738 MaxVersion: VersionTLS13, 8739 MaxEarlyDataSize: 16384, 8740 }, 8741 }) 8742 8743 testCases = append(testCases, testCase{ 8744 testType: clientTest, 8745 name: "TLS13-DuplicateTicketEarlyDataInfo", 8746 config: Config{ 8747 MaxVersion: VersionTLS13, 8748 MaxEarlyDataSize: 16384, 8749 Bugs: ProtocolBugs{ 8750 DuplicateTicketEarlyDataInfo: true, 8751 }, 8752 }, 8753 shouldFail: true, 8754 expectedError: ":DUPLICATE_EXTENSION:", 8755 expectedLocalError: "remote error: illegal parameter", 8756 }) 8757 8758 testCases = append(testCases, testCase{ 8759 testType: serverTest, 8760 name: "TLS13-ExpectTicketEarlyDataInfo", 8761 config: Config{ 8762 MaxVersion: VersionTLS13, 8763 Bugs: ProtocolBugs{ 8764 ExpectTicketEarlyDataInfo: true, 8765 }, 8766 }, 8767 flags: []string{ 8768 "-enable-early-data", 8769 }, 8770 }) 8771 8772 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime 8773 // is honored. 8774 testCases = append(testCases, testCase{ 8775 testType: clientTest, 8776 name: "TLS13-HonorServerSessionTicketLifetime", 8777 config: Config{ 8778 MaxVersion: VersionTLS13, 8779 Bugs: ProtocolBugs{ 8780 SendTicketLifetime: 20 * time.Second, 8781 }, 8782 }, 8783 flags: []string{ 8784 "-resumption-delay", "19", 8785 }, 8786 resumeSession: true, 8787 }) 8788 testCases = append(testCases, testCase{ 8789 testType: clientTest, 8790 name: "TLS13-HonorServerSessionTicketLifetime-2", 8791 config: Config{ 8792 MaxVersion: VersionTLS13, 8793 Bugs: ProtocolBugs{ 8794 SendTicketLifetime: 20 * time.Second, 8795 // The client should not offer the expired session. 8796 ExpectNoTLS13PSK: true, 8797 }, 8798 }, 8799 flags: []string{ 8800 "-resumption-delay", "21", 8801 }, 8802 resumeSession: true, 8803 expectResumeRejected: true, 8804 }) 8805 } 8806 8807 func addChangeCipherSpecTests() { 8808 // Test missing ChangeCipherSpecs. 8809 testCases = append(testCases, testCase{ 8810 name: "SkipChangeCipherSpec-Client", 8811 config: Config{ 8812 MaxVersion: VersionTLS12, 8813 Bugs: ProtocolBugs{ 8814 SkipChangeCipherSpec: true, 8815 }, 8816 }, 8817 shouldFail: true, 8818 expectedError: ":UNEXPECTED_RECORD:", 8819 }) 8820 testCases = append(testCases, testCase{ 8821 testType: serverTest, 8822 name: "SkipChangeCipherSpec-Server", 8823 config: Config{ 8824 MaxVersion: VersionTLS12, 8825 Bugs: ProtocolBugs{ 8826 SkipChangeCipherSpec: true, 8827 }, 8828 }, 8829 shouldFail: true, 8830 expectedError: ":UNEXPECTED_RECORD:", 8831 }) 8832 testCases = append(testCases, testCase{ 8833 testType: serverTest, 8834 name: "SkipChangeCipherSpec-Server-NPN", 8835 config: Config{ 8836 MaxVersion: VersionTLS12, 8837 NextProtos: []string{"bar"}, 8838 Bugs: ProtocolBugs{ 8839 SkipChangeCipherSpec: true, 8840 }, 8841 }, 8842 flags: []string{ 8843 "-advertise-npn", "\x03foo\x03bar\x03baz", 8844 }, 8845 shouldFail: true, 8846 expectedError: ":UNEXPECTED_RECORD:", 8847 }) 8848 8849 // Test synchronization between the handshake and ChangeCipherSpec. 8850 // Partial post-CCS handshake messages before ChangeCipherSpec should be 8851 // rejected. Test both with and without handshake packing to handle both 8852 // when the partial post-CCS message is in its own record and when it is 8853 // attached to the pre-CCS message. 8854 for _, packed := range []bool{false, true} { 8855 var suffix string 8856 if packed { 8857 suffix = "-Packed" 8858 } 8859 8860 testCases = append(testCases, testCase{ 8861 name: "FragmentAcrossChangeCipherSpec-Client" + suffix, 8862 config: Config{ 8863 MaxVersion: VersionTLS12, 8864 Bugs: ProtocolBugs{ 8865 FragmentAcrossChangeCipherSpec: true, 8866 PackHandshakeFlight: packed, 8867 }, 8868 }, 8869 shouldFail: true, 8870 expectedError: ":UNEXPECTED_RECORD:", 8871 }) 8872 testCases = append(testCases, testCase{ 8873 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix, 8874 config: Config{ 8875 MaxVersion: VersionTLS12, 8876 }, 8877 resumeSession: true, 8878 resumeConfig: &Config{ 8879 MaxVersion: VersionTLS12, 8880 Bugs: ProtocolBugs{ 8881 FragmentAcrossChangeCipherSpec: true, 8882 PackHandshakeFlight: packed, 8883 }, 8884 }, 8885 shouldFail: true, 8886 expectedError: ":UNEXPECTED_RECORD:", 8887 }) 8888 testCases = append(testCases, testCase{ 8889 testType: serverTest, 8890 name: "FragmentAcrossChangeCipherSpec-Server" + suffix, 8891 config: Config{ 8892 MaxVersion: VersionTLS12, 8893 Bugs: ProtocolBugs{ 8894 FragmentAcrossChangeCipherSpec: true, 8895 PackHandshakeFlight: packed, 8896 }, 8897 }, 8898 shouldFail: true, 8899 expectedError: ":UNEXPECTED_RECORD:", 8900 }) 8901 testCases = append(testCases, testCase{ 8902 testType: serverTest, 8903 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix, 8904 config: Config{ 8905 MaxVersion: VersionTLS12, 8906 }, 8907 resumeSession: true, 8908 resumeConfig: &Config{ 8909 MaxVersion: VersionTLS12, 8910 Bugs: ProtocolBugs{ 8911 FragmentAcrossChangeCipherSpec: true, 8912 PackHandshakeFlight: packed, 8913 }, 8914 }, 8915 shouldFail: true, 8916 expectedError: ":UNEXPECTED_RECORD:", 8917 }) 8918 testCases = append(testCases, testCase{ 8919 testType: serverTest, 8920 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix, 8921 config: Config{ 8922 MaxVersion: VersionTLS12, 8923 NextProtos: []string{"bar"}, 8924 Bugs: ProtocolBugs{ 8925 FragmentAcrossChangeCipherSpec: true, 8926 PackHandshakeFlight: packed, 8927 }, 8928 }, 8929 flags: []string{ 8930 "-advertise-npn", "\x03foo\x03bar\x03baz", 8931 }, 8932 shouldFail: true, 8933 expectedError: ":UNEXPECTED_RECORD:", 8934 }) 8935 } 8936 8937 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are 8938 // messages in the handshake queue. Do this by testing the server 8939 // reading the client Finished, reversing the flight so Finished comes 8940 // first. 8941 testCases = append(testCases, testCase{ 8942 protocol: dtls, 8943 testType: serverTest, 8944 name: "SendUnencryptedFinished-DTLS", 8945 config: Config{ 8946 MaxVersion: VersionTLS12, 8947 Bugs: ProtocolBugs{ 8948 SendUnencryptedFinished: true, 8949 ReverseHandshakeFragments: true, 8950 }, 8951 }, 8952 shouldFail: true, 8953 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:", 8954 }) 8955 8956 // Test synchronization between encryption changes and the handshake in 8957 // TLS 1.3, where ChangeCipherSpec is implicit. 8958 testCases = append(testCases, testCase{ 8959 name: "PartialEncryptedExtensionsWithServerHello", 8960 config: Config{ 8961 MaxVersion: VersionTLS13, 8962 Bugs: ProtocolBugs{ 8963 PartialEncryptedExtensionsWithServerHello: true, 8964 }, 8965 }, 8966 shouldFail: true, 8967 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:", 8968 }) 8969 testCases = append(testCases, testCase{ 8970 testType: serverTest, 8971 name: "PartialClientFinishedWithClientHello", 8972 config: Config{ 8973 MaxVersion: VersionTLS13, 8974 Bugs: ProtocolBugs{ 8975 PartialClientFinishedWithClientHello: true, 8976 }, 8977 }, 8978 shouldFail: true, 8979 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:", 8980 }) 8981 8982 // Test that early ChangeCipherSpecs are handled correctly. 8983 testCases = append(testCases, testCase{ 8984 testType: serverTest, 8985 name: "EarlyChangeCipherSpec-server-1", 8986 config: Config{ 8987 MaxVersion: VersionTLS12, 8988 Bugs: ProtocolBugs{ 8989 EarlyChangeCipherSpec: 1, 8990 }, 8991 }, 8992 shouldFail: true, 8993 expectedError: ":UNEXPECTED_RECORD:", 8994 }) 8995 testCases = append(testCases, testCase{ 8996 testType: serverTest, 8997 name: "EarlyChangeCipherSpec-server-2", 8998 config: Config{ 8999 MaxVersion: VersionTLS12, 9000 Bugs: ProtocolBugs{ 9001 EarlyChangeCipherSpec: 2, 9002 }, 9003 }, 9004 shouldFail: true, 9005 expectedError: ":UNEXPECTED_RECORD:", 9006 }) 9007 testCases = append(testCases, testCase{ 9008 protocol: dtls, 9009 name: "StrayChangeCipherSpec", 9010 config: Config{ 9011 // TODO(davidben): Once DTLS 1.3 exists, test 9012 // that stray ChangeCipherSpec messages are 9013 // rejected. 9014 MaxVersion: VersionTLS12, 9015 Bugs: ProtocolBugs{ 9016 StrayChangeCipherSpec: true, 9017 }, 9018 }, 9019 }) 9020 9021 // Test that the contents of ChangeCipherSpec are checked. 9022 testCases = append(testCases, testCase{ 9023 name: "BadChangeCipherSpec-1", 9024 config: Config{ 9025 MaxVersion: VersionTLS12, 9026 Bugs: ProtocolBugs{ 9027 BadChangeCipherSpec: []byte{2}, 9028 }, 9029 }, 9030 shouldFail: true, 9031 expectedError: ":BAD_CHANGE_CIPHER_SPEC:", 9032 }) 9033 testCases = append(testCases, testCase{ 9034 name: "BadChangeCipherSpec-2", 9035 config: Config{ 9036 MaxVersion: VersionTLS12, 9037 Bugs: ProtocolBugs{ 9038 BadChangeCipherSpec: []byte{1, 1}, 9039 }, 9040 }, 9041 shouldFail: true, 9042 expectedError: ":BAD_CHANGE_CIPHER_SPEC:", 9043 }) 9044 testCases = append(testCases, testCase{ 9045 protocol: dtls, 9046 name: "BadChangeCipherSpec-DTLS-1", 9047 config: Config{ 9048 MaxVersion: VersionTLS12, 9049 Bugs: ProtocolBugs{ 9050 BadChangeCipherSpec: []byte{2}, 9051 }, 9052 }, 9053 shouldFail: true, 9054 expectedError: ":BAD_CHANGE_CIPHER_SPEC:", 9055 }) 9056 testCases = append(testCases, testCase{ 9057 protocol: dtls, 9058 name: "BadChangeCipherSpec-DTLS-2", 9059 config: Config{ 9060 MaxVersion: VersionTLS12, 9061 Bugs: ProtocolBugs{ 9062 BadChangeCipherSpec: []byte{1, 1}, 9063 }, 9064 }, 9065 shouldFail: true, 9066 expectedError: ":BAD_CHANGE_CIPHER_SPEC:", 9067 }) 9068 } 9069 9070 type perMessageTest struct { 9071 messageType uint8 9072 test testCase 9073 } 9074 9075 // makePerMessageTests returns a series of test templates which cover each 9076 // message in the TLS handshake. These may be used with bugs like 9077 // WrongMessageType to fully test a per-message bug. 9078 func makePerMessageTests() []perMessageTest { 9079 var ret []perMessageTest 9080 for _, protocol := range []protocol{tls, dtls} { 9081 var suffix string 9082 if protocol == dtls { 9083 suffix = "-DTLS" 9084 } 9085 9086 ret = append(ret, perMessageTest{ 9087 messageType: typeClientHello, 9088 test: testCase{ 9089 protocol: protocol, 9090 testType: serverTest, 9091 name: "ClientHello" + suffix, 9092 config: Config{ 9093 MaxVersion: VersionTLS12, 9094 }, 9095 }, 9096 }) 9097 9098 if protocol == dtls { 9099 ret = append(ret, perMessageTest{ 9100 messageType: typeHelloVerifyRequest, 9101 test: testCase{ 9102 protocol: protocol, 9103 name: "HelloVerifyRequest" + suffix, 9104 config: Config{ 9105 MaxVersion: VersionTLS12, 9106 }, 9107 }, 9108 }) 9109 } 9110 9111 ret = append(ret, perMessageTest{ 9112 messageType: typeServerHello, 9113 test: testCase{ 9114 protocol: protocol, 9115 name: "ServerHello" + suffix, 9116 config: Config{ 9117 MaxVersion: VersionTLS12, 9118 }, 9119 }, 9120 }) 9121 9122 ret = append(ret, perMessageTest{ 9123 messageType: typeCertificate, 9124 test: testCase{ 9125 protocol: protocol, 9126 name: "ServerCertificate" + suffix, 9127 config: Config{ 9128 MaxVersion: VersionTLS12, 9129 }, 9130 }, 9131 }) 9132 9133 ret = append(ret, perMessageTest{ 9134 messageType: typeCertificateStatus, 9135 test: testCase{ 9136 protocol: protocol, 9137 name: "CertificateStatus" + suffix, 9138 config: Config{ 9139 MaxVersion: VersionTLS12, 9140 }, 9141 flags: []string{"-enable-ocsp-stapling"}, 9142 }, 9143 }) 9144 9145 ret = append(ret, perMessageTest{ 9146 messageType: typeServerKeyExchange, 9147 test: testCase{ 9148 protocol: protocol, 9149 name: "ServerKeyExchange" + suffix, 9150 config: Config{ 9151 MaxVersion: VersionTLS12, 9152 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, 9153 }, 9154 }, 9155 }) 9156 9157 ret = append(ret, perMessageTest{ 9158 messageType: typeCertificateRequest, 9159 test: testCase{ 9160 protocol: protocol, 9161 name: "CertificateRequest" + suffix, 9162 config: Config{ 9163 MaxVersion: VersionTLS12, 9164 ClientAuth: RequireAnyClientCert, 9165 }, 9166 }, 9167 }) 9168 9169 ret = append(ret, perMessageTest{ 9170 messageType: typeServerHelloDone, 9171 test: testCase{ 9172 protocol: protocol, 9173 name: "ServerHelloDone" + suffix, 9174 config: Config{ 9175 MaxVersion: VersionTLS12, 9176 }, 9177 }, 9178 }) 9179 9180 ret = append(ret, perMessageTest{ 9181 messageType: typeCertificate, 9182 test: testCase{ 9183 testType: serverTest, 9184 protocol: protocol, 9185 name: "ClientCertificate" + suffix, 9186 config: Config{ 9187 Certificates: []Certificate{rsaCertificate}, 9188 MaxVersion: VersionTLS12, 9189 }, 9190 flags: []string{"-require-any-client-certificate"}, 9191 }, 9192 }) 9193 9194 ret = append(ret, perMessageTest{ 9195 messageType: typeCertificateVerify, 9196 test: testCase{ 9197 testType: serverTest, 9198 protocol: protocol, 9199 name: "CertificateVerify" + suffix, 9200 config: Config{ 9201 Certificates: []Certificate{rsaCertificate}, 9202 MaxVersion: VersionTLS12, 9203 }, 9204 flags: []string{"-require-any-client-certificate"}, 9205 }, 9206 }) 9207 9208 ret = append(ret, perMessageTest{ 9209 messageType: typeClientKeyExchange, 9210 test: testCase{ 9211 testType: serverTest, 9212 protocol: protocol, 9213 name: "ClientKeyExchange" + suffix, 9214 config: Config{ 9215 MaxVersion: VersionTLS12, 9216 }, 9217 }, 9218 }) 9219 9220 if protocol != dtls { 9221 ret = append(ret, perMessageTest{ 9222 messageType: typeNextProtocol, 9223 test: testCase{ 9224 testType: serverTest, 9225 protocol: protocol, 9226 name: "NextProtocol" + suffix, 9227 config: Config{ 9228 MaxVersion: VersionTLS12, 9229 NextProtos: []string{"bar"}, 9230 }, 9231 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"}, 9232 }, 9233 }) 9234 9235 ret = append(ret, perMessageTest{ 9236 messageType: typeChannelID, 9237 test: testCase{ 9238 testType: serverTest, 9239 protocol: protocol, 9240 name: "ChannelID" + suffix, 9241 config: Config{ 9242 MaxVersion: VersionTLS12, 9243 ChannelID: channelIDKey, 9244 }, 9245 flags: []string{ 9246 "-expect-channel-id", 9247 base64.StdEncoding.EncodeToString(channelIDBytes), 9248 }, 9249 }, 9250 }) 9251 } 9252 9253 ret = append(ret, perMessageTest{ 9254 messageType: typeFinished, 9255 test: testCase{ 9256 testType: serverTest, 9257 protocol: protocol, 9258 name: "ClientFinished" + suffix, 9259 config: Config{ 9260 MaxVersion: VersionTLS12, 9261 }, 9262 }, 9263 }) 9264 9265 ret = append(ret, perMessageTest{ 9266 messageType: typeNewSessionTicket, 9267 test: testCase{ 9268 protocol: protocol, 9269 name: "NewSessionTicket" + suffix, 9270 config: Config{ 9271 MaxVersion: VersionTLS12, 9272 }, 9273 }, 9274 }) 9275 9276 ret = append(ret, perMessageTest{ 9277 messageType: typeFinished, 9278 test: testCase{ 9279 protocol: protocol, 9280 name: "ServerFinished" + suffix, 9281 config: Config{ 9282 MaxVersion: VersionTLS12, 9283 }, 9284 }, 9285 }) 9286 9287 } 9288 9289 ret = append(ret, perMessageTest{ 9290 messageType: typeClientHello, 9291 test: testCase{ 9292 testType: serverTest, 9293 name: "TLS13-ClientHello", 9294 config: Config{ 9295 MaxVersion: VersionTLS13, 9296 }, 9297 }, 9298 }) 9299 9300 ret = append(ret, perMessageTest{ 9301 messageType: typeServerHello, 9302 test: testCase{ 9303 name: "TLS13-ServerHello", 9304 config: Config{ 9305 MaxVersion: VersionTLS13, 9306 }, 9307 }, 9308 }) 9309 9310 ret = append(ret, perMessageTest{ 9311 messageType: typeEncryptedExtensions, 9312 test: testCase{ 9313 name: "TLS13-EncryptedExtensions", 9314 config: Config{ 9315 MaxVersion: VersionTLS13, 9316 }, 9317 }, 9318 }) 9319 9320 ret = append(ret, perMessageTest{ 9321 messageType: typeCertificateRequest, 9322 test: testCase{ 9323 name: "TLS13-CertificateRequest", 9324 config: Config{ 9325 MaxVersion: VersionTLS13, 9326 ClientAuth: RequireAnyClientCert, 9327 }, 9328 }, 9329 }) 9330 9331 ret = append(ret, perMessageTest{ 9332 messageType: typeCertificate, 9333 test: testCase{ 9334 name: "TLS13-ServerCertificate", 9335 config: Config{ 9336 MaxVersion: VersionTLS13, 9337 }, 9338 }, 9339 }) 9340 9341 ret = append(ret, perMessageTest{ 9342 messageType: typeCertificateVerify, 9343 test: testCase{ 9344 name: "TLS13-ServerCertificateVerify", 9345 config: Config{ 9346 MaxVersion: VersionTLS13, 9347 }, 9348 }, 9349 }) 9350 9351 ret = append(ret, perMessageTest{ 9352 messageType: typeFinished, 9353 test: testCase{ 9354 name: "TLS13-ServerFinished", 9355 config: Config{ 9356 MaxVersion: VersionTLS13, 9357 }, 9358 }, 9359 }) 9360 9361 ret = append(ret, perMessageTest{ 9362 messageType: typeCertificate, 9363 test: testCase{ 9364 testType: serverTest, 9365 name: "TLS13-ClientCertificate", 9366 config: Config{ 9367 Certificates: []Certificate{rsaCertificate}, 9368 MaxVersion: VersionTLS13, 9369 }, 9370 flags: []string{"-require-any-client-certificate"}, 9371 }, 9372 }) 9373 9374 ret = append(ret, perMessageTest{ 9375 messageType: typeCertificateVerify, 9376 test: testCase{ 9377 testType: serverTest, 9378 name: "TLS13-ClientCertificateVerify", 9379 config: Config{ 9380 Certificates: []Certificate{rsaCertificate}, 9381 MaxVersion: VersionTLS13, 9382 }, 9383 flags: []string{"-require-any-client-certificate"}, 9384 }, 9385 }) 9386 9387 ret = append(ret, perMessageTest{ 9388 messageType: typeFinished, 9389 test: testCase{ 9390 testType: serverTest, 9391 name: "TLS13-ClientFinished", 9392 config: Config{ 9393 MaxVersion: VersionTLS13, 9394 }, 9395 }, 9396 }) 9397 9398 return ret 9399 } 9400 9401 func addWrongMessageTypeTests() { 9402 for _, t := range makePerMessageTests() { 9403 t.test.name = "WrongMessageType-" + t.test.name 9404 t.test.config.Bugs.SendWrongMessageType = t.messageType 9405 t.test.shouldFail = true 9406 t.test.expectedError = ":UNEXPECTED_MESSAGE:" 9407 t.test.expectedLocalError = "remote error: unexpected message" 9408 9409 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello { 9410 // In TLS 1.3, a bad ServerHello means the client sends 9411 // an unencrypted alert while the server expects 9412 // encryption, so the alert is not readable by runner. 9413 t.test.expectedLocalError = "local error: bad record MAC" 9414 } 9415 9416 testCases = append(testCases, t.test) 9417 } 9418 } 9419 9420 func addTrailingMessageDataTests() { 9421 for _, t := range makePerMessageTests() { 9422 t.test.name = "TrailingMessageData-" + t.test.name 9423 t.test.config.Bugs.SendTrailingMessageData = t.messageType 9424 t.test.shouldFail = true 9425 t.test.expectedError = ":DECODE_ERROR:" 9426 t.test.expectedLocalError = "remote error: error decoding message" 9427 9428 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello { 9429 // In TLS 1.3, a bad ServerHello means the client sends 9430 // an unencrypted alert while the server expects 9431 // encryption, so the alert is not readable by runner. 9432 t.test.expectedLocalError = "local error: bad record MAC" 9433 } 9434 9435 if t.messageType == typeFinished { 9436 // Bad Finished messages read as the verify data having 9437 // the wrong length. 9438 t.test.expectedError = ":DIGEST_CHECK_FAILED:" 9439 t.test.expectedLocalError = "remote error: error decrypting message" 9440 } 9441 9442 testCases = append(testCases, t.test) 9443 } 9444 } 9445 9446 func addTLS13HandshakeTests() { 9447 testCases = append(testCases, testCase{ 9448 testType: clientTest, 9449 name: "NegotiatePSKResumption-TLS13", 9450 config: Config{ 9451 MaxVersion: VersionTLS13, 9452 Bugs: ProtocolBugs{ 9453 NegotiatePSKResumption: true, 9454 }, 9455 }, 9456 resumeSession: true, 9457 shouldFail: true, 9458 expectedError: ":MISSING_KEY_SHARE:", 9459 }) 9460 9461 testCases = append(testCases, testCase{ 9462 testType: clientTest, 9463 name: "MissingKeyShare-Client", 9464 config: Config{ 9465 MaxVersion: VersionTLS13, 9466 Bugs: ProtocolBugs{ 9467 MissingKeyShare: true, 9468 }, 9469 }, 9470 shouldFail: true, 9471 expectedError: ":MISSING_KEY_SHARE:", 9472 }) 9473 9474 testCases = append(testCases, testCase{ 9475 testType: serverTest, 9476 name: "MissingKeyShare-Server", 9477 config: Config{ 9478 MaxVersion: VersionTLS13, 9479 Bugs: ProtocolBugs{ 9480 MissingKeyShare: true, 9481 }, 9482 }, 9483 shouldFail: true, 9484 expectedError: ":MISSING_KEY_SHARE:", 9485 }) 9486 9487 testCases = append(testCases, testCase{ 9488 testType: serverTest, 9489 name: "DuplicateKeyShares", 9490 config: Config{ 9491 MaxVersion: VersionTLS13, 9492 Bugs: ProtocolBugs{ 9493 DuplicateKeyShares: true, 9494 }, 9495 }, 9496 shouldFail: true, 9497 expectedError: ":DUPLICATE_KEY_SHARE:", 9498 }) 9499 9500 testCases = append(testCases, testCase{ 9501 testType: serverTest, 9502 name: "SkipEarlyData", 9503 config: Config{ 9504 MaxVersion: VersionTLS13, 9505 Bugs: ProtocolBugs{ 9506 SendFakeEarlyDataLength: 4, 9507 }, 9508 }, 9509 }) 9510 9511 testCases = append(testCases, testCase{ 9512 testType: serverTest, 9513 name: "SkipEarlyData-OmitEarlyDataExtension", 9514 config: Config{ 9515 MaxVersion: VersionTLS13, 9516 Bugs: ProtocolBugs{ 9517 SendFakeEarlyDataLength: 4, 9518 OmitEarlyDataExtension: true, 9519 }, 9520 }, 9521 shouldFail: true, 9522 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 9523 }) 9524 9525 testCases = append(testCases, testCase{ 9526 testType: serverTest, 9527 name: "SkipEarlyData-TooMuchData", 9528 config: Config{ 9529 MaxVersion: VersionTLS13, 9530 Bugs: ProtocolBugs{ 9531 SendFakeEarlyDataLength: 16384 + 1, 9532 }, 9533 }, 9534 shouldFail: true, 9535 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:", 9536 }) 9537 9538 testCases = append(testCases, testCase{ 9539 testType: serverTest, 9540 name: "SkipEarlyData-Interleaved", 9541 config: Config{ 9542 MaxVersion: VersionTLS13, 9543 Bugs: ProtocolBugs{ 9544 SendFakeEarlyDataLength: 4, 9545 InterleaveEarlyData: true, 9546 }, 9547 }, 9548 shouldFail: true, 9549 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", 9550 }) 9551 9552 testCases = append(testCases, testCase{ 9553 testType: serverTest, 9554 name: "SkipEarlyData-EarlyDataInTLS12", 9555 config: Config{ 9556 MaxVersion: VersionTLS13, 9557 Bugs: ProtocolBugs{ 9558 SendFakeEarlyDataLength: 4, 9559 }, 9560 }, 9561 shouldFail: true, 9562 expectedError: ":UNEXPECTED_RECORD:", 9563 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)}, 9564 }) 9565 9566 testCases = append(testCases, testCase{ 9567 testType: serverTest, 9568 name: "SkipEarlyData-HRR", 9569 config: Config{ 9570 MaxVersion: VersionTLS13, 9571 Bugs: ProtocolBugs{ 9572 SendFakeEarlyDataLength: 4, 9573 }, 9574 DefaultCurves: []CurveID{}, 9575 }, 9576 }) 9577 9578 testCases = append(testCases, testCase{ 9579 testType: serverTest, 9580 name: "SkipEarlyData-HRR-Interleaved", 9581 config: Config{ 9582 MaxVersion: VersionTLS13, 9583 Bugs: ProtocolBugs{ 9584 SendFakeEarlyDataLength: 4, 9585 InterleaveEarlyData: true, 9586 }, 9587 DefaultCurves: []CurveID{}, 9588 }, 9589 shouldFail: true, 9590 expectedError: ":UNEXPECTED_RECORD:", 9591 }) 9592 9593 testCases = append(testCases, testCase{ 9594 testType: serverTest, 9595 name: "SkipEarlyData-HRR-TooMuchData", 9596 config: Config{ 9597 MaxVersion: VersionTLS13, 9598 Bugs: ProtocolBugs{ 9599 SendFakeEarlyDataLength: 16384 + 1, 9600 }, 9601 DefaultCurves: []CurveID{}, 9602 }, 9603 shouldFail: true, 9604 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:", 9605 }) 9606 9607 // Test that skipping early data looking for cleartext correctly 9608 // processes an alert record. 9609 testCases = append(testCases, testCase{ 9610 testType: serverTest, 9611 name: "SkipEarlyData-HRR-FatalAlert", 9612 config: Config{ 9613 MaxVersion: VersionTLS13, 9614 Bugs: ProtocolBugs{ 9615 SendEarlyAlert: true, 9616 SendFakeEarlyDataLength: 4, 9617 }, 9618 DefaultCurves: []CurveID{}, 9619 }, 9620 shouldFail: true, 9621 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:", 9622 }) 9623 9624 testCases = append(testCases, testCase{ 9625 testType: serverTest, 9626 name: "SkipEarlyData-SecondClientHelloEarlyData", 9627 config: Config{ 9628 MaxVersion: VersionTLS13, 9629 Bugs: ProtocolBugs{ 9630 SendEarlyDataOnSecondClientHello: true, 9631 }, 9632 DefaultCurves: []CurveID{}, 9633 }, 9634 shouldFail: true, 9635 expectedLocalError: "remote error: bad record MAC", 9636 }) 9637 9638 testCases = append(testCases, testCase{ 9639 testType: clientTest, 9640 name: "EmptyEncryptedExtensions", 9641 config: Config{ 9642 MaxVersion: VersionTLS13, 9643 Bugs: ProtocolBugs{ 9644 EmptyEncryptedExtensions: true, 9645 }, 9646 }, 9647 shouldFail: true, 9648 expectedLocalError: "remote error: error decoding message", 9649 }) 9650 9651 testCases = append(testCases, testCase{ 9652 testType: clientTest, 9653 name: "EncryptedExtensionsWithKeyShare", 9654 config: Config{ 9655 MaxVersion: VersionTLS13, 9656 Bugs: ProtocolBugs{ 9657 EncryptedExtensionsWithKeyShare: true, 9658 }, 9659 }, 9660 shouldFail: true, 9661 expectedLocalError: "remote error: unsupported extension", 9662 }) 9663 9664 testCases = append(testCases, testCase{ 9665 testType: serverTest, 9666 name: "SendHelloRetryRequest", 9667 config: Config{ 9668 MaxVersion: VersionTLS13, 9669 // Require a HelloRetryRequest for every curve. 9670 DefaultCurves: []CurveID{}, 9671 }, 9672 expectedCurveID: CurveX25519, 9673 }) 9674 9675 testCases = append(testCases, testCase{ 9676 testType: serverTest, 9677 name: "SendHelloRetryRequest-2", 9678 config: Config{ 9679 MaxVersion: VersionTLS13, 9680 DefaultCurves: []CurveID{CurveP384}, 9681 }, 9682 // Although the ClientHello did not predict our preferred curve, 9683 // we always select it whether it is predicted or not. 9684 expectedCurveID: CurveX25519, 9685 }) 9686 9687 testCases = append(testCases, testCase{ 9688 name: "UnknownCurve-HelloRetryRequest", 9689 config: Config{ 9690 MaxVersion: VersionTLS13, 9691 // P-384 requires HelloRetryRequest in BoringSSL. 9692 CurvePreferences: []CurveID{CurveP384}, 9693 Bugs: ProtocolBugs{ 9694 SendHelloRetryRequestCurve: bogusCurve, 9695 }, 9696 }, 9697 shouldFail: true, 9698 expectedError: ":WRONG_CURVE:", 9699 }) 9700 9701 testCases = append(testCases, testCase{ 9702 name: "DisabledCurve-HelloRetryRequest", 9703 config: Config{ 9704 MaxVersion: VersionTLS13, 9705 CurvePreferences: []CurveID{CurveP256}, 9706 Bugs: ProtocolBugs{ 9707 IgnorePeerCurvePreferences: true, 9708 }, 9709 }, 9710 flags: []string{"-p384-only"}, 9711 shouldFail: true, 9712 expectedError: ":WRONG_CURVE:", 9713 }) 9714 9715 testCases = append(testCases, testCase{ 9716 name: "UnnecessaryHelloRetryRequest", 9717 config: Config{ 9718 MaxVersion: VersionTLS13, 9719 CurvePreferences: []CurveID{CurveX25519}, 9720 Bugs: ProtocolBugs{ 9721 SendHelloRetryRequestCurve: CurveX25519, 9722 }, 9723 }, 9724 shouldFail: true, 9725 expectedError: ":WRONG_CURVE:", 9726 }) 9727 9728 testCases = append(testCases, testCase{ 9729 name: "SecondHelloRetryRequest", 9730 config: Config{ 9731 MaxVersion: VersionTLS13, 9732 // P-384 requires HelloRetryRequest in BoringSSL. 9733 CurvePreferences: []CurveID{CurveP384}, 9734 Bugs: ProtocolBugs{ 9735 SecondHelloRetryRequest: true, 9736 }, 9737 }, 9738 shouldFail: true, 9739 expectedError: ":UNEXPECTED_MESSAGE:", 9740 }) 9741 9742 testCases = append(testCases, testCase{ 9743 name: "HelloRetryRequest-Empty", 9744 config: Config{ 9745 MaxVersion: VersionTLS13, 9746 Bugs: ProtocolBugs{ 9747 AlwaysSendHelloRetryRequest: true, 9748 }, 9749 }, 9750 shouldFail: true, 9751 expectedError: ":DECODE_ERROR:", 9752 }) 9753 9754 testCases = append(testCases, testCase{ 9755 name: "HelloRetryRequest-DuplicateCurve", 9756 config: Config{ 9757 MaxVersion: VersionTLS13, 9758 // P-384 requires a HelloRetryRequest against BoringSSL's default 9759 // configuration. Assert this ExpectMissingKeyShare. 9760 CurvePreferences: []CurveID{CurveP384}, 9761 Bugs: ProtocolBugs{ 9762 ExpectMissingKeyShare: true, 9763 DuplicateHelloRetryRequestExtensions: true, 9764 }, 9765 }, 9766 shouldFail: true, 9767 expectedError: ":DUPLICATE_EXTENSION:", 9768 expectedLocalError: "remote error: illegal parameter", 9769 }) 9770 9771 testCases = append(testCases, testCase{ 9772 name: "HelloRetryRequest-Cookie", 9773 config: Config{ 9774 MaxVersion: VersionTLS13, 9775 Bugs: ProtocolBugs{ 9776 SendHelloRetryRequestCookie: []byte("cookie"), 9777 }, 9778 }, 9779 }) 9780 9781 testCases = append(testCases, testCase{ 9782 name: "HelloRetryRequest-DuplicateCookie", 9783 config: Config{ 9784 MaxVersion: VersionTLS13, 9785 Bugs: ProtocolBugs{ 9786 SendHelloRetryRequestCookie: []byte("cookie"), 9787 DuplicateHelloRetryRequestExtensions: true, 9788 }, 9789 }, 9790 shouldFail: true, 9791 expectedError: ":DUPLICATE_EXTENSION:", 9792 expectedLocalError: "remote error: illegal parameter", 9793 }) 9794 9795 testCases = append(testCases, testCase{ 9796 name: "HelloRetryRequest-EmptyCookie", 9797 config: Config{ 9798 MaxVersion: VersionTLS13, 9799 Bugs: ProtocolBugs{ 9800 SendHelloRetryRequestCookie: []byte{}, 9801 }, 9802 }, 9803 shouldFail: true, 9804 expectedError: ":DECODE_ERROR:", 9805 }) 9806 9807 testCases = append(testCases, testCase{ 9808 name: "HelloRetryRequest-Cookie-Curve", 9809 config: Config{ 9810 MaxVersion: VersionTLS13, 9811 // P-384 requires HelloRetryRequest in BoringSSL. 9812 CurvePreferences: []CurveID{CurveP384}, 9813 Bugs: ProtocolBugs{ 9814 SendHelloRetryRequestCookie: []byte("cookie"), 9815 ExpectMissingKeyShare: true, 9816 }, 9817 }, 9818 }) 9819 9820 testCases = append(testCases, testCase{ 9821 name: "HelloRetryRequest-Unknown", 9822 config: Config{ 9823 MaxVersion: VersionTLS13, 9824 Bugs: ProtocolBugs{ 9825 CustomHelloRetryRequestExtension: "extension", 9826 }, 9827 }, 9828 shouldFail: true, 9829 expectedError: ":UNEXPECTED_EXTENSION:", 9830 expectedLocalError: "remote error: unsupported extension", 9831 }) 9832 9833 testCases = append(testCases, testCase{ 9834 testType: serverTest, 9835 name: "SecondClientHelloMissingKeyShare", 9836 config: Config{ 9837 MaxVersion: VersionTLS13, 9838 DefaultCurves: []CurveID{}, 9839 Bugs: ProtocolBugs{ 9840 SecondClientHelloMissingKeyShare: true, 9841 }, 9842 }, 9843 shouldFail: true, 9844 expectedError: ":MISSING_KEY_SHARE:", 9845 }) 9846 9847 testCases = append(testCases, testCase{ 9848 testType: serverTest, 9849 name: "SecondClientHelloWrongCurve", 9850 config: Config{ 9851 MaxVersion: VersionTLS13, 9852 DefaultCurves: []CurveID{}, 9853 Bugs: ProtocolBugs{ 9854 MisinterpretHelloRetryRequestCurve: CurveP521, 9855 }, 9856 }, 9857 shouldFail: true, 9858 expectedError: ":WRONG_CURVE:", 9859 }) 9860 9861 testCases = append(testCases, testCase{ 9862 name: "HelloRetryRequestVersionMismatch", 9863 config: Config{ 9864 MaxVersion: VersionTLS13, 9865 // P-384 requires HelloRetryRequest in BoringSSL. 9866 CurvePreferences: []CurveID{CurveP384}, 9867 Bugs: ProtocolBugs{ 9868 SendServerHelloVersion: 0x0305, 9869 }, 9870 }, 9871 shouldFail: true, 9872 expectedError: ":WRONG_VERSION_NUMBER:", 9873 }) 9874 9875 testCases = append(testCases, testCase{ 9876 name: "HelloRetryRequestCurveMismatch", 9877 config: Config{ 9878 MaxVersion: VersionTLS13, 9879 // P-384 requires HelloRetryRequest in BoringSSL. 9880 CurvePreferences: []CurveID{CurveP384}, 9881 Bugs: ProtocolBugs{ 9882 // Send P-384 (correct) in the HelloRetryRequest. 9883 SendHelloRetryRequestCurve: CurveP384, 9884 // But send P-256 in the ServerHello. 9885 SendCurve: CurveP256, 9886 }, 9887 }, 9888 shouldFail: true, 9889 expectedError: ":WRONG_CURVE:", 9890 }) 9891 9892 // Test the server selecting a curve that requires a HelloRetryRequest 9893 // without sending it. 9894 testCases = append(testCases, testCase{ 9895 name: "SkipHelloRetryRequest", 9896 config: Config{ 9897 MaxVersion: VersionTLS13, 9898 // P-384 requires HelloRetryRequest in BoringSSL. 9899 CurvePreferences: []CurveID{CurveP384}, 9900 Bugs: ProtocolBugs{ 9901 SkipHelloRetryRequest: true, 9902 }, 9903 }, 9904 shouldFail: true, 9905 expectedError: ":WRONG_CURVE:", 9906 }) 9907 9908 testCases = append(testCases, testCase{ 9909 name: "TLS13-RequestContextInHandshake", 9910 config: Config{ 9911 MaxVersion: VersionTLS13, 9912 MinVersion: VersionTLS13, 9913 ClientAuth: RequireAnyClientCert, 9914 Bugs: ProtocolBugs{ 9915 SendRequestContext: []byte("request context"), 9916 }, 9917 }, 9918 flags: []string{ 9919 "-cert-file", path.Join(*resourceDir, rsaCertificateFile), 9920 "-key-file", path.Join(*resourceDir, rsaKeyFile), 9921 }, 9922 shouldFail: true, 9923 expectedError: ":DECODE_ERROR:", 9924 }) 9925 9926 testCases = append(testCases, testCase{ 9927 testType: serverTest, 9928 name: "TLS13-TrailingKeyShareData", 9929 config: Config{ 9930 MaxVersion: VersionTLS13, 9931 Bugs: ProtocolBugs{ 9932 TrailingKeyShareData: true, 9933 }, 9934 }, 9935 shouldFail: true, 9936 expectedError: ":DECODE_ERROR:", 9937 }) 9938 9939 testCases = append(testCases, testCase{ 9940 name: "TLS13-AlwaysSelectPSKIdentity", 9941 config: Config{ 9942 MaxVersion: VersionTLS13, 9943 Bugs: ProtocolBugs{ 9944 AlwaysSelectPSKIdentity: true, 9945 }, 9946 }, 9947 shouldFail: true, 9948 expectedError: ":UNEXPECTED_EXTENSION:", 9949 }) 9950 9951 testCases = append(testCases, testCase{ 9952 name: "TLS13-InvalidPSKIdentity", 9953 config: Config{ 9954 MaxVersion: VersionTLS13, 9955 Bugs: ProtocolBugs{ 9956 SelectPSKIdentityOnResume: 1, 9957 }, 9958 }, 9959 resumeSession: true, 9960 shouldFail: true, 9961 expectedError: ":PSK_IDENTITY_NOT_FOUND:", 9962 }) 9963 9964 testCases = append(testCases, testCase{ 9965 testType: serverTest, 9966 name: "TLS13-ExtraPSKIdentity", 9967 config: Config{ 9968 MaxVersion: VersionTLS13, 9969 Bugs: ProtocolBugs{ 9970 ExtraPSKIdentity: true, 9971 SendExtraPSKBinder: true, 9972 }, 9973 }, 9974 resumeSession: true, 9975 }) 9976 9977 // Test that unknown NewSessionTicket extensions are tolerated. 9978 testCases = append(testCases, testCase{ 9979 name: "TLS13-CustomTicketExtension", 9980 config: Config{ 9981 MaxVersion: VersionTLS13, 9982 Bugs: ProtocolBugs{ 9983 CustomTicketExtension: "1234", 9984 }, 9985 }, 9986 }) 9987 9988 testCases = append(testCases, testCase{ 9989 testType: clientTest, 9990 name: "TLS13-DataLessEarlyData-Reject-Client", 9991 config: Config{ 9992 MaxVersion: VersionTLS13, 9993 MaxEarlyDataSize: 16384, 9994 }, 9995 resumeConfig: &Config{ 9996 MaxVersion: VersionTLS13, 9997 MaxEarlyDataSize: 16384, 9998 Bugs: ProtocolBugs{ 9999 AlwaysRejectEarlyData: true, 10000 }, 10001 }, 10002 resumeSession: true, 10003 flags: []string{ 10004 "-enable-early-data", 10005 "-expect-early-data-info", 10006 "-expect-reject-early-data", 10007 }, 10008 }) 10009 10010 testCases = append(testCases, testCase{ 10011 testType: clientTest, 10012 name: "TLS13-DataLessEarlyData-HRR-Client", 10013 config: Config{ 10014 MaxVersion: VersionTLS13, 10015 MaxEarlyDataSize: 16384, 10016 }, 10017 resumeConfig: &Config{ 10018 MaxVersion: VersionTLS13, 10019 MaxEarlyDataSize: 16384, 10020 Bugs: ProtocolBugs{ 10021 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4}, 10022 }, 10023 }, 10024 resumeSession: true, 10025 flags: []string{ 10026 "-enable-early-data", 10027 "-expect-early-data-info", 10028 "-expect-reject-early-data", 10029 }, 10030 }) 10031 10032 // The client must check the server does not send the early_data 10033 // extension while rejecting the session. 10034 testCases = append(testCases, testCase{ 10035 testType: clientTest, 10036 name: "TLS13-EarlyDataWithoutResume-Client", 10037 config: Config{ 10038 MaxVersion: VersionTLS13, 10039 MaxEarlyDataSize: 16384, 10040 }, 10041 resumeConfig: &Config{ 10042 MaxVersion: VersionTLS13, 10043 SessionTicketsDisabled: true, 10044 Bugs: ProtocolBugs{ 10045 SendEarlyDataExtension: true, 10046 }, 10047 }, 10048 resumeSession: true, 10049 flags: []string{ 10050 "-enable-early-data", 10051 "-expect-early-data-info", 10052 }, 10053 shouldFail: true, 10054 expectedError: ":UNEXPECTED_EXTENSION:", 10055 }) 10056 10057 // The client must fail with a dedicated error code if the server 10058 // responds with TLS 1.2 when offering 0-RTT. 10059 testCases = append(testCases, testCase{ 10060 testType: clientTest, 10061 name: "TLS13-EarlyDataVersionDowngrade-Client", 10062 config: Config{ 10063 MaxVersion: VersionTLS13, 10064 MaxEarlyDataSize: 16384, 10065 }, 10066 resumeConfig: &Config{ 10067 MaxVersion: VersionTLS12, 10068 }, 10069 resumeSession: true, 10070 flags: []string{ 10071 "-enable-early-data", 10072 "-expect-early-data-info", 10073 }, 10074 shouldFail: true, 10075 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:", 10076 }) 10077 10078 // Test that the client rejects an (unsolicited) early_data extension if 10079 // the server sent an HRR. 10080 testCases = append(testCases, testCase{ 10081 testType: clientTest, 10082 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client", 10083 config: Config{ 10084 MaxVersion: VersionTLS13, 10085 MaxEarlyDataSize: 16384, 10086 }, 10087 resumeConfig: &Config{ 10088 MaxVersion: VersionTLS13, 10089 MaxEarlyDataSize: 16384, 10090 Bugs: ProtocolBugs{ 10091 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4}, 10092 SendEarlyDataExtension: true, 10093 }, 10094 }, 10095 resumeSession: true, 10096 flags: []string{ 10097 "-enable-early-data", 10098 "-expect-early-data-info", 10099 }, 10100 shouldFail: true, 10101 expectedError: ":UNEXPECTED_EXTENSION:", 10102 }) 10103 10104 fooString := "foo" 10105 barString := "bar" 10106 10107 // Test that the client reports the correct ALPN after a 0-RTT reject 10108 // that changed it. 10109 testCases = append(testCases, testCase{ 10110 testType: clientTest, 10111 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client", 10112 config: Config{ 10113 MaxVersion: VersionTLS13, 10114 MaxEarlyDataSize: 16384, 10115 Bugs: ProtocolBugs{ 10116 ALPNProtocol: &fooString, 10117 }, 10118 }, 10119 resumeConfig: &Config{ 10120 MaxVersion: VersionTLS13, 10121 MaxEarlyDataSize: 16384, 10122 Bugs: ProtocolBugs{ 10123 ALPNProtocol: &barString, 10124 }, 10125 }, 10126 resumeSession: true, 10127 flags: []string{ 10128 "-advertise-alpn", "\x03foo\x03bar", 10129 "-enable-early-data", 10130 "-expect-early-data-info", 10131 "-expect-reject-early-data", 10132 "-expect-alpn", "foo", 10133 "-expect-resume-alpn", "bar", 10134 }, 10135 }) 10136 10137 // Test that the client reports the correct ALPN after a 0-RTT reject if 10138 // ALPN was omitted from the first connection. 10139 testCases = append(testCases, testCase{ 10140 testType: clientTest, 10141 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client", 10142 config: Config{ 10143 MaxVersion: VersionTLS13, 10144 MaxEarlyDataSize: 16384, 10145 }, 10146 resumeConfig: &Config{ 10147 MaxVersion: VersionTLS13, 10148 MaxEarlyDataSize: 16384, 10149 NextProtos: []string{"foo"}, 10150 }, 10151 resumeSession: true, 10152 flags: []string{ 10153 "-advertise-alpn", "\x03foo\x03bar", 10154 "-enable-early-data", 10155 "-expect-early-data-info", 10156 "-expect-reject-early-data", 10157 "-expect-no-alpn", 10158 "-expect-resume-alpn", "foo", 10159 }, 10160 }) 10161 10162 // Test that the client reports the correct ALPN after a 0-RTT reject if 10163 // ALPN was omitted from the second connection. 10164 testCases = append(testCases, testCase{ 10165 testType: clientTest, 10166 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client", 10167 config: Config{ 10168 MaxVersion: VersionTLS13, 10169 MaxEarlyDataSize: 16384, 10170 NextProtos: []string{"foo"}, 10171 }, 10172 resumeConfig: &Config{ 10173 MaxVersion: VersionTLS13, 10174 MaxEarlyDataSize: 16384, 10175 }, 10176 resumeSession: true, 10177 flags: []string{ 10178 "-advertise-alpn", "\x03foo\x03bar", 10179 "-enable-early-data", 10180 "-expect-early-data-info", 10181 "-expect-reject-early-data", 10182 "-expect-alpn", "foo", 10183 "-expect-no-resume-alpn", 10184 }, 10185 }) 10186 10187 // Test that the client enforces ALPN match on 0-RTT accept. 10188 testCases = append(testCases, testCase{ 10189 testType: clientTest, 10190 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client", 10191 config: Config{ 10192 MaxVersion: VersionTLS13, 10193 MaxEarlyDataSize: 16384, 10194 Bugs: ProtocolBugs{ 10195 ALPNProtocol: &fooString, 10196 }, 10197 }, 10198 resumeConfig: &Config{ 10199 MaxVersion: VersionTLS13, 10200 MaxEarlyDataSize: 16384, 10201 Bugs: ProtocolBugs{ 10202 AlwaysAcceptEarlyData: true, 10203 ALPNProtocol: &barString, 10204 }, 10205 }, 10206 resumeSession: true, 10207 flags: []string{ 10208 "-advertise-alpn", "\x03foo\x03bar", 10209 "-enable-early-data", 10210 "-expect-early-data-info", 10211 }, 10212 shouldFail: true, 10213 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:", 10214 }) 10215 10216 // Test that the server correctly rejects 0-RTT when the previous 10217 // session did not allow early data on resumption. 10218 testCases = append(testCases, testCase{ 10219 testType: serverTest, 10220 name: "TLS13-EarlyData-NonZeroRTTSession-Server", 10221 config: Config{ 10222 MaxVersion: VersionTLS13, 10223 }, 10224 resumeConfig: &Config{ 10225 MaxVersion: VersionTLS13, 10226 Bugs: ProtocolBugs{ 10227 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 10228 ExpectEarlyDataAccepted: false, 10229 }, 10230 }, 10231 resumeSession: true, 10232 flags: []string{ 10233 "-enable-resume-early-data", 10234 "-expect-reject-early-data", 10235 }, 10236 }) 10237 10238 // Test that we reject early data where ALPN is omitted from the first 10239 // connection. 10240 testCases = append(testCases, testCase{ 10241 testType: serverTest, 10242 name: "TLS13-EarlyData-ALPNOmitted1-Server", 10243 config: Config{ 10244 MaxVersion: VersionTLS13, 10245 NextProtos: []string{}, 10246 }, 10247 resumeConfig: &Config{ 10248 MaxVersion: VersionTLS13, 10249 NextProtos: []string{"foo"}, 10250 Bugs: ProtocolBugs{ 10251 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 10252 ExpectEarlyDataAccepted: false, 10253 }, 10254 }, 10255 resumeSession: true, 10256 flags: []string{ 10257 "-enable-early-data", 10258 "-select-alpn", "", 10259 "-select-resume-alpn", "foo", 10260 }, 10261 }) 10262 10263 // Test that we reject early data where ALPN is omitted from the second 10264 // connection. 10265 testCases = append(testCases, testCase{ 10266 testType: serverTest, 10267 name: "TLS13-EarlyData-ALPNOmitted2-Server", 10268 config: Config{ 10269 MaxVersion: VersionTLS13, 10270 NextProtos: []string{"foo"}, 10271 }, 10272 resumeConfig: &Config{ 10273 MaxVersion: VersionTLS13, 10274 NextProtos: []string{}, 10275 Bugs: ProtocolBugs{ 10276 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 10277 ExpectEarlyDataAccepted: false, 10278 }, 10279 }, 10280 resumeSession: true, 10281 flags: []string{ 10282 "-enable-early-data", 10283 "-select-alpn", "foo", 10284 "-select-resume-alpn", "", 10285 }, 10286 }) 10287 10288 // Test that we reject early data with mismatched ALPN. 10289 testCases = append(testCases, testCase{ 10290 testType: serverTest, 10291 name: "TLS13-EarlyData-ALPNMismatch-Server", 10292 config: Config{ 10293 MaxVersion: VersionTLS13, 10294 NextProtos: []string{"foo"}, 10295 }, 10296 resumeConfig: &Config{ 10297 MaxVersion: VersionTLS13, 10298 NextProtos: []string{"bar"}, 10299 Bugs: ProtocolBugs{ 10300 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 10301 ExpectEarlyDataAccepted: false, 10302 }, 10303 }, 10304 resumeSession: true, 10305 flags: []string{ 10306 "-enable-early-data", 10307 "-select-alpn", "foo", 10308 "-select-resume-alpn", "bar", 10309 }, 10310 }) 10311 10312 // Test that we fail on early data with Channel ID. 10313 testCases = append(testCases, testCase{ 10314 testType: clientTest, 10315 name: "TLS13-EarlyData-ChannelID-Client", 10316 config: Config{ 10317 MaxVersion: VersionTLS13, 10318 MaxEarlyDataSize: 16384, 10319 RequestChannelID: true, 10320 }, 10321 resumeSession: true, 10322 expectChannelID: true, 10323 shouldFail: true, 10324 expectedError: ":CHANNEL_ID_ON_EARLY_DATA:", 10325 flags: []string{ 10326 "-enable-early-data", 10327 "-expect-early-data-info", 10328 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile), 10329 }, 10330 }) 10331 10332 testCases = append(testCases, testCase{ 10333 testType: serverTest, 10334 name: "TLS13-EarlyData-ChannelID-Server", 10335 config: Config{ 10336 MaxVersion: VersionTLS13, 10337 ChannelID: channelIDKey, 10338 Bugs: ProtocolBugs{ 10339 SendEarlyData: [][]byte{{}}, 10340 ExpectEarlyDataAccepted: false, 10341 }, 10342 }, 10343 resumeSession: true, 10344 expectChannelID: true, 10345 flags: []string{ 10346 "-enable-early-data", 10347 "-expect-reject-early-data", 10348 "-expect-channel-id", 10349 base64.StdEncoding.EncodeToString(channelIDBytes), 10350 }, 10351 }) 10352 10353 // Test that the server rejects 0-RTT streams without end_of_early_data. 10354 // The subsequent records should fail to decrypt. 10355 testCases = append(testCases, testCase{ 10356 testType: serverTest, 10357 name: "TLS13-EarlyData-SkipEndOfEarlyData", 10358 config: Config{ 10359 MaxVersion: VersionTLS13, 10360 Bugs: ProtocolBugs{ 10361 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 10362 ExpectEarlyDataAccepted: true, 10363 SkipEndOfEarlyData: true, 10364 }, 10365 }, 10366 resumeSession: true, 10367 flags: []string{"-enable-early-data"}, 10368 shouldFail: true, 10369 expectedLocalError: "remote error: bad record MAC", 10370 expectedError: ":BAD_DECRYPT:", 10371 }) 10372 10373 testCases = append(testCases, testCase{ 10374 testType: serverTest, 10375 name: "TLS13-EarlyData-UnexpectedHandshake-Server", 10376 config: Config{ 10377 MaxVersion: VersionTLS13, 10378 }, 10379 resumeConfig: &Config{ 10380 MaxVersion: VersionTLS13, 10381 Bugs: ProtocolBugs{ 10382 SendEarlyData: [][]byte{{1, 2, 3, 4}}, 10383 SendStrayEarlyHandshake: true, 10384 ExpectEarlyDataAccepted: true}, 10385 }, 10386 resumeSession: true, 10387 shouldFail: true, 10388 expectedError: ":UNEXPECTED_RECORD:", 10389 expectedLocalError: "remote error: unexpected message", 10390 flags: []string{ 10391 "-enable-early-data", 10392 }, 10393 }) 10394 } 10395 10396 func addTLS13CipherPreferenceTests() { 10397 // Test that client preference is honored if the shim has AES hardware 10398 // and ChaCha20-Poly1305 is preferred otherwise. 10399 testCases = append(testCases, testCase{ 10400 testType: serverTest, 10401 name: "TLS13-CipherPreference-Server-ChaCha20-AES", 10402 config: Config{ 10403 MaxVersion: VersionTLS13, 10404 CipherSuites: []uint16{ 10405 TLS_CHACHA20_POLY1305_SHA256, 10406 TLS_AES_128_GCM_SHA256, 10407 }, 10408 }, 10409 flags: []string{ 10410 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)), 10411 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)), 10412 }, 10413 }) 10414 10415 testCases = append(testCases, testCase{ 10416 testType: serverTest, 10417 name: "TLS13-CipherPreference-Server-AES-ChaCha20", 10418 config: Config{ 10419 MaxVersion: VersionTLS13, 10420 CipherSuites: []uint16{ 10421 TLS_AES_128_GCM_SHA256, 10422 TLS_CHACHA20_POLY1305_SHA256, 10423 }, 10424 }, 10425 flags: []string{ 10426 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)), 10427 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)), 10428 }, 10429 }) 10430 10431 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on 10432 // whether it has AES hardware. 10433 testCases = append(testCases, testCase{ 10434 name: "TLS13-CipherPreference-Client", 10435 config: Config{ 10436 MaxVersion: VersionTLS13, 10437 // Use the client cipher order. (This is the default but 10438 // is listed to be explicit.) 10439 PreferServerCipherSuites: false, 10440 }, 10441 flags: []string{ 10442 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)), 10443 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)), 10444 }, 10445 }) 10446 } 10447 10448 func addPeekTests() { 10449 // Test SSL_peek works, including on empty records. 10450 testCases = append(testCases, testCase{ 10451 name: "Peek-Basic", 10452 sendEmptyRecords: 1, 10453 flags: []string{"-peek-then-read"}, 10454 }) 10455 10456 // Test SSL_peek can drive the initial handshake. 10457 testCases = append(testCases, testCase{ 10458 name: "Peek-ImplicitHandshake", 10459 flags: []string{ 10460 "-peek-then-read", 10461 "-implicit-handshake", 10462 }, 10463 }) 10464 10465 // Test SSL_peek can discover and drive a renegotiation. 10466 testCases = append(testCases, testCase{ 10467 name: "Peek-Renegotiate", 10468 config: Config{ 10469 MaxVersion: VersionTLS12, 10470 }, 10471 renegotiate: 1, 10472 flags: []string{ 10473 "-peek-then-read", 10474 "-renegotiate-freely", 10475 "-expect-total-renegotiations", "1", 10476 }, 10477 }) 10478 10479 // Test SSL_peek can discover a close_notify. 10480 testCases = append(testCases, testCase{ 10481 name: "Peek-Shutdown", 10482 config: Config{ 10483 Bugs: ProtocolBugs{ 10484 ExpectCloseNotify: true, 10485 }, 10486 }, 10487 flags: []string{ 10488 "-peek-then-read", 10489 "-check-close-notify", 10490 }, 10491 }) 10492 10493 // Test SSL_peek can discover an alert. 10494 testCases = append(testCases, testCase{ 10495 name: "Peek-Alert", 10496 config: Config{ 10497 Bugs: ProtocolBugs{ 10498 SendSpuriousAlert: alertRecordOverflow, 10499 }, 10500 }, 10501 flags: []string{"-peek-then-read"}, 10502 shouldFail: true, 10503 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:", 10504 }) 10505 10506 // Test SSL_peek can handle KeyUpdate. 10507 testCases = append(testCases, testCase{ 10508 name: "Peek-KeyUpdate", 10509 config: Config{ 10510 MaxVersion: VersionTLS13, 10511 }, 10512 sendKeyUpdates: 1, 10513 keyUpdateRequest: keyUpdateNotRequested, 10514 flags: []string{"-peek-then-read"}, 10515 }) 10516 } 10517 10518 func addRecordVersionTests() { 10519 for _, ver := range tlsVersions { 10520 // Test that the record version is enforced. 10521 testCases = append(testCases, testCase{ 10522 name: "CheckRecordVersion-" + ver.name, 10523 config: Config{ 10524 MinVersion: ver.version, 10525 MaxVersion: ver.version, 10526 Bugs: ProtocolBugs{ 10527 SendRecordVersion: 0x03ff, 10528 }, 10529 }, 10530 shouldFail: true, 10531 expectedError: ":WRONG_VERSION_NUMBER:", 10532 }) 10533 10534 // Test that the ClientHello may use any record version, for 10535 // compatibility reasons. 10536 testCases = append(testCases, testCase{ 10537 testType: serverTest, 10538 name: "LooseInitialRecordVersion-" + ver.name, 10539 config: Config{ 10540 MinVersion: ver.version, 10541 MaxVersion: ver.version, 10542 Bugs: ProtocolBugs{ 10543 SendInitialRecordVersion: 0x03ff, 10544 }, 10545 }, 10546 }) 10547 10548 // Test that garbage ClientHello record versions are rejected. 10549 testCases = append(testCases, testCase{ 10550 testType: serverTest, 10551 name: "GarbageInitialRecordVersion-" + ver.name, 10552 config: Config{ 10553 MinVersion: ver.version, 10554 MaxVersion: ver.version, 10555 Bugs: ProtocolBugs{ 10556 SendInitialRecordVersion: 0xffff, 10557 }, 10558 }, 10559 shouldFail: true, 10560 expectedError: ":WRONG_VERSION_NUMBER:", 10561 }) 10562 } 10563 } 10564 10565 func addCertificateTests() { 10566 // Test that a certificate chain with intermediate may be sent and 10567 // received as both client and server. 10568 for _, ver := range tlsVersions { 10569 testCases = append(testCases, testCase{ 10570 testType: clientTest, 10571 name: "SendReceiveIntermediate-Client-" + ver.name, 10572 config: Config{ 10573 MinVersion: ver.version, 10574 MaxVersion: ver.version, 10575 Certificates: []Certificate{rsaChainCertificate}, 10576 ClientAuth: RequireAnyClientCert, 10577 }, 10578 expectPeerCertificate: &rsaChainCertificate, 10579 flags: []string{ 10580 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile), 10581 "-key-file", path.Join(*resourceDir, rsaChainKeyFile), 10582 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile), 10583 }, 10584 }) 10585 10586 testCases = append(testCases, testCase{ 10587 testType: serverTest, 10588 name: "SendReceiveIntermediate-Server-" + ver.name, 10589 config: Config{ 10590 MinVersion: ver.version, 10591 MaxVersion: ver.version, 10592 Certificates: []Certificate{rsaChainCertificate}, 10593 }, 10594 expectPeerCertificate: &rsaChainCertificate, 10595 flags: []string{ 10596 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile), 10597 "-key-file", path.Join(*resourceDir, rsaChainKeyFile), 10598 "-require-any-client-certificate", 10599 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile), 10600 }, 10601 }) 10602 } 10603 } 10604 10605 func addRetainOnlySHA256ClientCertTests() { 10606 for _, ver := range tlsVersions { 10607 // Test that enabling 10608 // SSL_CTX_set_retain_only_sha256_of_client_certs without 10609 // actually requesting a client certificate is a no-op. 10610 testCases = append(testCases, testCase{ 10611 testType: serverTest, 10612 name: "RetainOnlySHA256-NoCert-" + ver.name, 10613 config: Config{ 10614 MinVersion: ver.version, 10615 MaxVersion: ver.version, 10616 }, 10617 flags: []string{ 10618 "-retain-only-sha256-client-cert-initial", 10619 "-retain-only-sha256-client-cert-resume", 10620 }, 10621 resumeSession: true, 10622 }) 10623 10624 // Test that when retaining only a SHA-256 certificate is 10625 // enabled, the hash appears as expected. 10626 testCases = append(testCases, testCase{ 10627 testType: serverTest, 10628 name: "RetainOnlySHA256-Cert-" + ver.name, 10629 config: Config{ 10630 MinVersion: ver.version, 10631 MaxVersion: ver.version, 10632 Certificates: []Certificate{rsaCertificate}, 10633 }, 10634 flags: []string{ 10635 "-verify-peer", 10636 "-retain-only-sha256-client-cert-initial", 10637 "-retain-only-sha256-client-cert-resume", 10638 "-expect-sha256-client-cert-initial", 10639 "-expect-sha256-client-cert-resume", 10640 }, 10641 resumeSession: true, 10642 }) 10643 10644 // Test that when the config changes from on to off, a 10645 // resumption is rejected because the server now wants the full 10646 // certificate chain. 10647 testCases = append(testCases, testCase{ 10648 testType: serverTest, 10649 name: "RetainOnlySHA256-OnOff-" + ver.name, 10650 config: Config{ 10651 MinVersion: ver.version, 10652 MaxVersion: ver.version, 10653 Certificates: []Certificate{rsaCertificate}, 10654 }, 10655 flags: []string{ 10656 "-verify-peer", 10657 "-retain-only-sha256-client-cert-initial", 10658 "-expect-sha256-client-cert-initial", 10659 }, 10660 resumeSession: true, 10661 expectResumeRejected: true, 10662 }) 10663 10664 // Test that when the config changes from off to on, a 10665 // resumption is rejected because the server now wants just the 10666 // hash. 10667 testCases = append(testCases, testCase{ 10668 testType: serverTest, 10669 name: "RetainOnlySHA256-OffOn-" + ver.name, 10670 config: Config{ 10671 MinVersion: ver.version, 10672 MaxVersion: ver.version, 10673 Certificates: []Certificate{rsaCertificate}, 10674 }, 10675 flags: []string{ 10676 "-verify-peer", 10677 "-retain-only-sha256-client-cert-resume", 10678 "-expect-sha256-client-cert-resume", 10679 }, 10680 resumeSession: true, 10681 expectResumeRejected: true, 10682 }) 10683 } 10684 } 10685 10686 func addECDSAKeyUsageTests() { 10687 p256 := elliptic.P256() 10688 priv, err := ecdsa.GenerateKey(p256, rand.Reader) 10689 if err != nil { 10690 panic(err) 10691 } 10692 10693 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) 10694 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) 10695 if err != nil { 10696 panic(err) 10697 } 10698 10699 template := x509.Certificate{ 10700 SerialNumber: serialNumber, 10701 Subject: pkix.Name{ 10702 Organization: []string{"Acme Co"}, 10703 }, 10704 NotBefore: time.Now(), 10705 NotAfter: time.Now(), 10706 10707 // An ECC certificate with only the keyAgreement key usgae may 10708 // be used with ECDH, but not ECDSA. 10709 KeyUsage: x509.KeyUsageKeyAgreement, 10710 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, 10711 BasicConstraintsValid: true, 10712 } 10713 10714 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) 10715 if err != nil { 10716 panic(err) 10717 } 10718 10719 cert := Certificate{ 10720 Certificate: [][]byte{derBytes}, 10721 PrivateKey: priv, 10722 } 10723 10724 for _, ver := range tlsVersions { 10725 if ver.version < VersionTLS12 { 10726 continue 10727 } 10728 10729 testCases = append(testCases, testCase{ 10730 testType: clientTest, 10731 name: "ECDSAKeyUsage-" + ver.name, 10732 config: Config{ 10733 MinVersion: ver.version, 10734 MaxVersion: ver.version, 10735 Certificates: []Certificate{cert}, 10736 }, 10737 shouldFail: true, 10738 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:", 10739 }) 10740 } 10741 } 10742 10743 func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) { 10744 defer wg.Done() 10745 10746 for test := range c { 10747 var err error 10748 10749 if *mallocTest >= 0 { 10750 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ { 10751 statusChan <- statusMsg{test: test, started: true} 10752 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs { 10753 if err != nil { 10754 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err) 10755 } 10756 break 10757 } 10758 } 10759 } else if *repeatUntilFailure { 10760 for err == nil { 10761 statusChan <- statusMsg{test: test, started: true} 10762 err = runTest(test, shimPath, -1) 10763 } 10764 } else { 10765 statusChan <- statusMsg{test: test, started: true} 10766 err = runTest(test, shimPath, -1) 10767 } 10768 statusChan <- statusMsg{test: test, err: err} 10769 } 10770 } 10771 10772 type statusMsg struct { 10773 test *testCase 10774 started bool 10775 err error 10776 } 10777 10778 func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) { 10779 var started, done, failed, unimplemented, lineLen int 10780 10781 testOutput := newTestOutput() 10782 for msg := range statusChan { 10783 if !*pipe { 10784 // Erase the previous status line. 10785 var erase string 10786 for i := 0; i < lineLen; i++ { 10787 erase += "\b \b" 10788 } 10789 fmt.Print(erase) 10790 } 10791 10792 if msg.started { 10793 started++ 10794 } else { 10795 done++ 10796 10797 if msg.err != nil { 10798 if msg.err == errUnimplemented { 10799 if *pipe { 10800 // Print each test instead of a status line. 10801 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name) 10802 } 10803 unimplemented++ 10804 testOutput.addResult(msg.test.name, "UNIMPLEMENTED") 10805 } else { 10806 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err) 10807 failed++ 10808 testOutput.addResult(msg.test.name, "FAIL") 10809 } 10810 } else { 10811 if *pipe { 10812 // Print each test instead of a status line. 10813 fmt.Printf("PASSED (%s)\n", msg.test.name) 10814 } 10815 testOutput.addResult(msg.test.name, "PASS") 10816 } 10817 } 10818 10819 if !*pipe { 10820 // Print a new status line. 10821 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total) 10822 lineLen = len(line) 10823 os.Stdout.WriteString(line) 10824 } 10825 } 10826 10827 doneChan <- testOutput 10828 } 10829 10830 func main() { 10831 flag.Parse() 10832 *resourceDir = path.Clean(*resourceDir) 10833 initCertificates() 10834 10835 addBasicTests() 10836 addCipherSuiteTests() 10837 addBadECDSASignatureTests() 10838 addCBCPaddingTests() 10839 addCBCSplittingTests() 10840 addClientAuthTests() 10841 addDDoSCallbackTests() 10842 addVersionNegotiationTests() 10843 addMinimumVersionTests() 10844 addExtensionTests() 10845 addResumptionVersionTests() 10846 addExtendedMasterSecretTests() 10847 addRenegotiationTests() 10848 addDTLSReplayTests() 10849 addSignatureAlgorithmTests() 10850 addDTLSRetransmitTests() 10851 addExportKeyingMaterialTests() 10852 addTLSUniqueTests() 10853 addCustomExtensionTests() 10854 addRSAClientKeyExchangeTests() 10855 addCurveTests() 10856 addSessionTicketTests() 10857 addTLS13RecordTests() 10858 addAllStateMachineCoverageTests() 10859 addChangeCipherSpecTests() 10860 addWrongMessageTypeTests() 10861 addTrailingMessageDataTests() 10862 addTLS13HandshakeTests() 10863 addTLS13CipherPreferenceTests() 10864 addPeekTests() 10865 addRecordVersionTests() 10866 addCertificateTests() 10867 addRetainOnlySHA256ClientCertTests() 10868 addECDSAKeyUsageTests() 10869 10870 var wg sync.WaitGroup 10871 10872 statusChan := make(chan statusMsg, *numWorkers) 10873 testChan := make(chan *testCase, *numWorkers) 10874 doneChan := make(chan *testOutput) 10875 10876 if len(*shimConfigFile) != 0 { 10877 encoded, err := ioutil.ReadFile(*shimConfigFile) 10878 if err != nil { 10879 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err) 10880 os.Exit(1) 10881 } 10882 10883 if err := json.Unmarshal(encoded, &shimConfig); err != nil { 10884 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err) 10885 os.Exit(1) 10886 } 10887 } 10888 10889 go statusPrinter(doneChan, statusChan, len(testCases)) 10890 10891 for i := 0; i < *numWorkers; i++ { 10892 wg.Add(1) 10893 go worker(statusChan, testChan, *shimPath, &wg) 10894 } 10895 10896 var foundTest bool 10897 for i := range testCases { 10898 matched := true 10899 if len(*testToRun) != 0 { 10900 var err error 10901 matched, err = filepath.Match(*testToRun, testCases[i].name) 10902 if err != nil { 10903 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err) 10904 os.Exit(1) 10905 } 10906 } 10907 10908 if !*includeDisabled { 10909 for pattern := range shimConfig.DisabledTests { 10910 isDisabled, err := filepath.Match(pattern, testCases[i].name) 10911 if err != nil { 10912 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err) 10913 os.Exit(1) 10914 } 10915 10916 if isDisabled { 10917 matched = false 10918 break 10919 } 10920 } 10921 } 10922 10923 if matched { 10924 foundTest = true 10925 testChan <- &testCases[i] 10926 10927 // Only run one test if repeating until failure. 10928 if *repeatUntilFailure { 10929 break 10930 } 10931 } 10932 } 10933 10934 if !foundTest { 10935 fmt.Fprintf(os.Stderr, "No tests run\n") 10936 os.Exit(1) 10937 } 10938 10939 close(testChan) 10940 wg.Wait() 10941 close(statusChan) 10942 testOutput := <-doneChan 10943 10944 fmt.Printf("\n") 10945 10946 if *jsonOutput != "" { 10947 if err := testOutput.writeTo(*jsonOutput); err != nil { 10948 fmt.Fprintf(os.Stderr, "Error: %s\n", err) 10949 } 10950 } 10951 10952 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 { 10953 os.Exit(1) 10954 } 10955 10956 if !testOutput.noneFailed { 10957 os.Exit(1) 10958 } 10959 } 10960
