• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15package runner
16
17import (
18	"bytes"
19	"crypto"
20	"crypto/ecdsa"
21	"crypto/elliptic"
22	"crypto/rand"
23	"crypto/rsa"
24	"crypto/x509"
25	"crypto/x509/pkix"
26	"encoding/base64"
27	"encoding/binary"
28	"encoding/hex"
29	"encoding/json"
30	"encoding/pem"
31	"errors"
32	"flag"
33	"fmt"
34	"io"
35	"io/ioutil"
36	"math/big"
37	"net"
38	"os"
39	"os/exec"
40	"path"
41	"path/filepath"
42	"runtime"
43	"strconv"
44	"strings"
45	"sync"
46	"syscall"
47	"time"
48
49	"boringssl.googlesource.com/boringssl/util/testresult"
50)
51
52var (
53	useValgrind        = flag.Bool("valgrind", false, "If true, run code under valgrind")
54	useGDB             = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
55	useLLDB            = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
56	flagDebug          = flag.Bool("debug", false, "Hexdump the contents of the connection")
57	mallocTest         = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
58	mallocTestDebug    = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
59	jsonOutput         = flag.String("json-output", "", "The file to output JSON results to.")
60	pipe               = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
61	testToRun          = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
62	numWorkers         = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
63	shimPath           = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
64	handshakerPath     = flag.String("handshaker-path", "../../../build/ssl/test/handshaker", "The location of the handshaker binary.")
65	resourceDir        = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
66	fuzzer             = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
67	transcriptDir      = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
68	idleTimeout        = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
69	deterministic      = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
70	allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
71	looseErrors        = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
72	shimConfigFile     = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
73	includeDisabled    = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
74	repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
75)
76
77// ShimConfigurations is used with the “json” package and represents a shim
78// config file.
79type ShimConfiguration struct {
80	// DisabledTests maps from a glob-based pattern to a freeform string.
81	// The glob pattern is used to exclude tests from being run and the
82	// freeform string is unparsed but expected to explain why the test is
83	// disabled.
84	DisabledTests map[string]string
85
86	// ErrorMap maps from expected error strings to the correct error
87	// string for the shim in question. For example, it might map
88	// “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
89	// like “SSL_ERROR_NO_CYPHER_OVERLAP”.
90	ErrorMap map[string]string
91
92	// HalfRTTTickets is the number of half-RTT tickets the client should
93	// expect before half-RTT data when testing 0-RTT.
94	HalfRTTTickets int
95}
96
97// Setup shimConfig defaults aligning with BoringSSL.
98var shimConfig ShimConfiguration = ShimConfiguration{
99	HalfRTTTickets: 2,
100}
101
102type testCert int
103
104const (
105	testCertRSA testCert = iota
106	testCertRSA1024
107	testCertRSAChain
108	testCertECDSAP224
109	testCertECDSAP256
110	testCertECDSAP384
111	testCertECDSAP521
112	testCertEd25519
113)
114
115const (
116	rsaCertificateFile       = "cert.pem"
117	rsa1024CertificateFile   = "rsa_1024_cert.pem"
118	rsaChainCertificateFile  = "rsa_chain_cert.pem"
119	ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
120	ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
121	ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
122	ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
123	ed25519CertificateFile   = "ed25519_cert.pem"
124)
125
126const (
127	rsaKeyFile       = "key.pem"
128	rsa1024KeyFile   = "rsa_1024_key.pem"
129	rsaChainKeyFile  = "rsa_chain_key.pem"
130	ecdsaP224KeyFile = "ecdsa_p224_key.pem"
131	ecdsaP256KeyFile = "ecdsa_p256_key.pem"
132	ecdsaP384KeyFile = "ecdsa_p384_key.pem"
133	ecdsaP521KeyFile = "ecdsa_p521_key.pem"
134	ed25519KeyFile   = "ed25519_key.pem"
135	channelIDKeyFile = "channel_id_key.pem"
136)
137
138var (
139	rsaCertificate       Certificate
140	rsa1024Certificate   Certificate
141	rsaChainCertificate  Certificate
142	ecdsaP224Certificate Certificate
143	ecdsaP256Certificate Certificate
144	ecdsaP384Certificate Certificate
145	ecdsaP521Certificate Certificate
146	ed25519Certificate   Certificate
147	garbageCertificate   Certificate
148)
149
150var testCerts = []struct {
151	id                testCert
152	certFile, keyFile string
153	cert              *Certificate
154}{
155	{
156		id:       testCertRSA,
157		certFile: rsaCertificateFile,
158		keyFile:  rsaKeyFile,
159		cert:     &rsaCertificate,
160	},
161	{
162		id:       testCertRSA1024,
163		certFile: rsa1024CertificateFile,
164		keyFile:  rsa1024KeyFile,
165		cert:     &rsa1024Certificate,
166	},
167	{
168		id:       testCertRSAChain,
169		certFile: rsaChainCertificateFile,
170		keyFile:  rsaChainKeyFile,
171		cert:     &rsaChainCertificate,
172	},
173	{
174		id:       testCertECDSAP224,
175		certFile: ecdsaP224CertificateFile,
176		keyFile:  ecdsaP224KeyFile,
177		cert:     &ecdsaP224Certificate,
178	},
179	{
180		id:       testCertECDSAP256,
181		certFile: ecdsaP256CertificateFile,
182		keyFile:  ecdsaP256KeyFile,
183		cert:     &ecdsaP256Certificate,
184	},
185	{
186		id:       testCertECDSAP384,
187		certFile: ecdsaP384CertificateFile,
188		keyFile:  ecdsaP384KeyFile,
189		cert:     &ecdsaP384Certificate,
190	},
191	{
192		id:       testCertECDSAP521,
193		certFile: ecdsaP521CertificateFile,
194		keyFile:  ecdsaP521KeyFile,
195		cert:     &ecdsaP521Certificate,
196	},
197	{
198		id:       testCertEd25519,
199		certFile: ed25519CertificateFile,
200		keyFile:  ed25519KeyFile,
201		cert:     &ed25519Certificate,
202	},
203}
204
205var channelIDKey *ecdsa.PrivateKey
206var channelIDBytes []byte
207
208var testOCSPResponse = []byte{1, 2, 3, 4}
209var testOCSPResponse2 = []byte{5, 6, 7, 8}
210var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
211var testSCTList2 = []byte{0, 6, 0, 4, 1, 2, 3, 4}
212
213var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
214var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
215
216func initCertificates() {
217	for i := range testCerts {
218		cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
219		if err != nil {
220			panic(err)
221		}
222		cert.OCSPStaple = testOCSPResponse
223		cert.SignedCertificateTimestampList = testSCTList
224		*testCerts[i].cert = cert
225	}
226
227	channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
228	if err != nil {
229		panic(err)
230	}
231	channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
232	if channelIDDERBlock.Type != "EC PRIVATE KEY" {
233		panic("bad key type")
234	}
235	channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
236	if err != nil {
237		panic(err)
238	}
239	if channelIDKey.Curve != elliptic.P256() {
240		panic("bad curve")
241	}
242
243	channelIDBytes = make([]byte, 64)
244	writeIntPadded(channelIDBytes[:32], channelIDKey.X)
245	writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
246
247	garbageCertificate.Certificate = [][]byte{[]byte("GARBAGE")}
248	garbageCertificate.PrivateKey = rsaCertificate.PrivateKey
249}
250
251// delegatedCredentialConfig specifies the shape of a delegated credential, not
252// including the keys themselves.
253type delegatedCredentialConfig struct {
254	// lifetime is the amount of time, from the notBefore of the parent
255	// certificate, that the delegated credential is valid for. If zero, then 24
256	// hours is assumed.
257	lifetime time.Duration
258	// expectedAlgo is the signature scheme that should be used with this
259	// delegated credential. If zero, ECDSA with P-256 is assumed.
260	expectedAlgo signatureAlgorithm
261	// tlsVersion is the version of TLS that should be used with this delegated
262	// credential. If zero, TLS 1.3 is assumed.
263	tlsVersion uint16
264	// algo is the signature algorithm that the delegated credential itself is
265	// signed with. Cannot be zero.
266	algo signatureAlgorithm
267}
268
269func loadRSAPrivateKey(filename string) (priv *rsa.PrivateKey, privPKCS8 []byte, err error) {
270	pemPath := path.Join(*resourceDir, filename)
271	pemBytes, err := ioutil.ReadFile(pemPath)
272	if err != nil {
273		return nil, nil, err
274	}
275
276	block, _ := pem.Decode(pemBytes)
277	if block == nil {
278		return nil, nil, fmt.Errorf("no PEM block found in %q", pemPath)
279	}
280	privPKCS8 = block.Bytes
281
282	parsed, err := x509.ParsePKCS8PrivateKey(privPKCS8)
283	if err != nil {
284		return nil, nil, fmt.Errorf("failed to parse PKCS#8 key from %q", pemPath)
285	}
286
287	priv, ok := parsed.(*rsa.PrivateKey)
288	if !ok {
289		return nil, nil, fmt.Errorf("found %T in %q rather than an RSA private key", parsed, pemPath)
290	}
291
292	return priv, privPKCS8, nil
293}
294
295func createDelegatedCredential(config delegatedCredentialConfig, parentDER []byte, parentPriv crypto.PrivateKey) (dc, privPKCS8 []uint8, err error) {
296	expectedAlgo := config.expectedAlgo
297	if expectedAlgo == signatureAlgorithm(0) {
298		expectedAlgo = signatureECDSAWithP256AndSHA256
299	}
300
301	var pub crypto.PublicKey
302
303	switch expectedAlgo {
304	case signatureRSAPKCS1WithMD5, signatureRSAPKCS1WithSHA1, signatureRSAPKCS1WithSHA256, signatureRSAPKCS1WithSHA384, signatureRSAPKCS1WithSHA512, signatureRSAPSSWithSHA256, signatureRSAPSSWithSHA384, signatureRSAPSSWithSHA512:
305		// RSA keys are expensive to generate so load from disk instead.
306		var priv *rsa.PrivateKey
307		if priv, privPKCS8, err = loadRSAPrivateKey(rsaKeyFile); err != nil {
308			return nil, nil, err
309		}
310
311		pub = &priv.PublicKey
312
313	case signatureECDSAWithSHA1, signatureECDSAWithP256AndSHA256, signatureECDSAWithP384AndSHA384, signatureECDSAWithP521AndSHA512:
314		var curve elliptic.Curve
315		switch expectedAlgo {
316		case signatureECDSAWithSHA1, signatureECDSAWithP256AndSHA256:
317			curve = elliptic.P256()
318		case signatureECDSAWithP384AndSHA384:
319			curve = elliptic.P384()
320		case signatureECDSAWithP521AndSHA512:
321			curve = elliptic.P521()
322		default:
323			panic("internal error")
324		}
325
326		priv, err := ecdsa.GenerateKey(curve, rand.Reader)
327		if err != nil {
328			return nil, nil, err
329		}
330
331		if privPKCS8, err = x509.MarshalPKCS8PrivateKey(priv); err != nil {
332			return nil, nil, err
333		}
334
335		pub = &priv.PublicKey
336
337	default:
338		return nil, nil, fmt.Errorf("unsupported expected signature algorithm: %x", expectedAlgo)
339	}
340
341	lifetime := config.lifetime
342	if lifetime == 0 {
343		lifetime = 24 * time.Hour
344	}
345	lifetimeSecs := int64(lifetime.Seconds())
346	if lifetimeSecs > 1<<32 {
347		return nil, nil, fmt.Errorf("lifetime %s is too long to be expressed", lifetime)
348	}
349	tlsVersion := config.tlsVersion
350	if tlsVersion == 0 {
351		tlsVersion = VersionTLS13
352	}
353
354	if tlsVersion < VersionTLS13 {
355		return nil, nil, fmt.Errorf("delegated credentials require TLS 1.3")
356	}
357
358	// https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3
359	dc = append(dc, byte(lifetimeSecs>>24), byte(lifetimeSecs>>16), byte(lifetimeSecs>>8), byte(lifetimeSecs))
360	dc = append(dc, byte(expectedAlgo>>8), byte(expectedAlgo))
361
362	pubBytes, err := x509.MarshalPKIXPublicKey(pub)
363	if err != nil {
364		return nil, nil, err
365	}
366
367	dc = append(dc, byte(len(pubBytes)>>16), byte(len(pubBytes)>>8), byte(len(pubBytes)))
368	dc = append(dc, pubBytes...)
369
370	var dummyConfig Config
371	parentSigner, err := getSigner(tlsVersion, parentPriv, &dummyConfig, config.algo, false /* not for verification */)
372	if err != nil {
373		return nil, nil, err
374	}
375
376	parentSignature, err := parentSigner.signMessage(parentPriv, &dummyConfig, delegatedCredentialSignedMessage(dc, config.algo, parentDER))
377	if err != nil {
378		return nil, nil, err
379	}
380
381	dc = append(dc, byte(config.algo>>8), byte(config.algo))
382	dc = append(dc, byte(len(parentSignature)>>8), byte(len(parentSignature)))
383	dc = append(dc, parentSignature...)
384
385	return dc, privPKCS8, nil
386}
387
388func getRunnerCertificate(t testCert) Certificate {
389	for _, cert := range testCerts {
390		if cert.id == t {
391			return *cert.cert
392		}
393	}
394	panic("Unknown test certificate")
395}
396
397func getShimCertificate(t testCert) string {
398	for _, cert := range testCerts {
399		if cert.id == t {
400			return cert.certFile
401		}
402	}
403	panic("Unknown test certificate")
404}
405
406func getShimKey(t testCert) string {
407	for _, cert := range testCerts {
408		if cert.id == t {
409			return cert.keyFile
410		}
411	}
412	panic("Unknown test certificate")
413}
414
415// recordVersionToWire maps a record-layer protocol version to its wire
416// representation.
417func recordVersionToWire(vers uint16, protocol protocol) uint16 {
418	if protocol == dtls {
419		switch vers {
420		case VersionTLS12:
421			return VersionDTLS12
422		case VersionTLS10:
423			return VersionDTLS10
424		}
425	} else {
426		switch vers {
427		case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
428			return vers
429		}
430	}
431
432	panic("unknown version")
433}
434
435// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
436func encodeDERValues(values [][]byte) string {
437	var ret string
438	for i, v := range values {
439		if i > 0 {
440			ret += ","
441		}
442		ret += hex.EncodeToString(v)
443	}
444
445	return ret
446}
447
448func decodeHexOrPanic(in string) []byte {
449	ret, err := hex.DecodeString(in)
450	if err != nil {
451		panic(err)
452	}
453	return ret
454}
455
456type testType int
457
458const (
459	clientTest testType = iota
460	serverTest
461)
462
463type protocol int
464
465const (
466	tls protocol = iota
467	dtls
468)
469
470const (
471	alpn = 1
472	npn  = 2
473)
474
475type testCase struct {
476	testType      testType
477	protocol      protocol
478	name          string
479	config        Config
480	shouldFail    bool
481	expectedError string
482	// expectedLocalError, if not empty, contains a substring that must be
483	// found in the local error.
484	expectedLocalError string
485	// expectedVersion, if non-zero, specifies the TLS version that must be
486	// negotiated.
487	expectedVersion uint16
488	// expectedResumeVersion, if non-zero, specifies the TLS version that
489	// must be negotiated on resumption. If zero, expectedVersion is used.
490	expectedResumeVersion uint16
491	// expectedCipher, if non-zero, specifies the TLS cipher suite that
492	// should be negotiated.
493	expectedCipher uint16
494	// expectChannelID controls whether the connection should have
495	// negotiated a Channel ID with channelIDKey.
496	expectChannelID bool
497	// expectTokenBinding controls whether the connection should have
498	// negotiated Token Binding.
499	expectTokenBinding bool
500	// expectedTokenBindingParam is the Token Binding parameter that should
501	// have been negotiated (if expectTokenBinding is true).
502	expectedTokenBindingParam uint8
503	// expectedNextProto controls whether the connection should
504	// negotiate a next protocol via NPN or ALPN.
505	expectedNextProto string
506	// expectNoNextProto, if true, means that no next protocol should be
507	// negotiated.
508	expectNoNextProto bool
509	// expectedNextProtoType, if non-zero, is the expected next
510	// protocol negotiation mechanism.
511	expectedNextProtoType int
512	// expectedSRTPProtectionProfile is the DTLS-SRTP profile that
513	// should be negotiated. If zero, none should be negotiated.
514	expectedSRTPProtectionProfile uint16
515	// expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
516	expectedOCSPResponse []uint8
517	// expectedSCTList, if not nil, is the expected SCT list to be received.
518	expectedSCTList []uint8
519	// expectedPeerSignatureAlgorithm, if not zero, is the signature
520	// algorithm that the peer should have used in the handshake.
521	expectedPeerSignatureAlgorithm signatureAlgorithm
522	// expectedCurveID, if not zero, is the curve that the handshake should
523	// have used.
524	expectedCurveID CurveID
525	// messageLen is the length, in bytes, of the test message that will be
526	// sent.
527	messageLen int
528	// messageCount is the number of test messages that will be sent.
529	messageCount int
530	// certFile is the path to the certificate to use for the server.
531	certFile string
532	// keyFile is the path to the private key to use for the server.
533	keyFile string
534	// resumeSession controls whether a second connection should be tested
535	// which attempts to resume the first session.
536	resumeSession bool
537	// resumeRenewedSession controls whether a third connection should be
538	// tested which attempts to resume the second connection's session.
539	resumeRenewedSession bool
540	// expectResumeRejected, if true, specifies that the attempted
541	// resumption must be rejected by the client. This is only valid for a
542	// serverTest.
543	expectResumeRejected bool
544	// resumeConfig, if not nil, points to a Config to be used on
545	// resumption. Unless newSessionsOnResume is set,
546	// SessionTicketKey, ServerSessionCache, and
547	// ClientSessionCache are copied from the initial connection's
548	// config. If nil, the initial connection's config is used.
549	resumeConfig *Config
550	// newSessionsOnResume, if true, will cause resumeConfig to
551	// use a different session resumption context.
552	newSessionsOnResume bool
553	// noSessionCache, if true, will cause the server to run without a
554	// session cache.
555	noSessionCache bool
556	// sendPrefix sends a prefix on the socket before actually performing a
557	// handshake.
558	sendPrefix string
559	// shimWritesFirst controls whether the shim sends an initial "hello"
560	// message before doing a roundtrip with the runner.
561	shimWritesFirst bool
562	// readWithUnfinishedWrite behaves like shimWritesFirst, but the shim
563	// does not complete the write until responding to the first runner
564	// message.
565	readWithUnfinishedWrite bool
566	// shimShutsDown, if true, runs a test where the shim shuts down the
567	// connection immediately after the handshake rather than echoing
568	// messages from the runner. The runner will default to not sending
569	// application data.
570	shimShutsDown bool
571	// renegotiate indicates the number of times the connection should be
572	// renegotiated during the exchange.
573	renegotiate int
574	// sendHalfHelloRequest, if true, causes the server to send half a
575	// HelloRequest when the handshake completes.
576	sendHalfHelloRequest bool
577	// renegotiateCiphers is a list of ciphersuite ids that will be
578	// switched in just before renegotiation.
579	renegotiateCiphers []uint16
580	// replayWrites, if true, configures the underlying transport
581	// to replay every write it makes in DTLS tests.
582	replayWrites bool
583	// damageFirstWrite, if true, configures the underlying transport to
584	// damage the final byte of the first application data write.
585	damageFirstWrite bool
586	// exportKeyingMaterial, if non-zero, configures the test to exchange
587	// keying material and verify they match.
588	exportKeyingMaterial int
589	exportLabel          string
590	exportContext        string
591	useExportContext     bool
592	// exportEarlyKeyingMaterial, if non-zero, behaves like
593	// exportKeyingMaterial, but for the early exporter.
594	exportEarlyKeyingMaterial int
595	// flags, if not empty, contains a list of command-line flags that will
596	// be passed to the shim program.
597	flags []string
598	// testTLSUnique, if true, causes the shim to send the tls-unique value
599	// which will be compared against the expected value.
600	testTLSUnique bool
601	// sendEmptyRecords is the number of consecutive empty records to send
602	// before each test message.
603	sendEmptyRecords int
604	// sendWarningAlerts is the number of consecutive warning alerts to send
605	// before each test message.
606	sendWarningAlerts int
607	// sendBogusAlertType, if true, causes a bogus alert of invalid type to
608	// be sent before each test message.
609	sendBogusAlertType bool
610	// sendKeyUpdates is the number of consecutive key updates to send
611	// before and after the test message.
612	sendKeyUpdates int
613	// keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
614	keyUpdateRequest byte
615	// expectUnsolicitedKeyUpdate makes the test expect a one or more KeyUpdate
616	// messages while reading data from the shim. Don't use this in combination
617	// with any of the fields that send a KeyUpdate otherwise any received
618	// KeyUpdate might not be as unsolicited as expected.
619	expectUnsolicitedKeyUpdate bool
620	// expectMessageDropped, if true, means the test message is expected to
621	// be dropped by the client rather than echoed back.
622	expectMessageDropped bool
623	// expectPeerCertificate, if not nil, is the certificate chain the peer
624	// is expected to send.
625	expectPeerCertificate *Certificate
626	// shimPrefix is the prefix that the shim will send to the server.
627	shimPrefix string
628	// resumeShimPrefix is the prefix that the shim will send to the server on a
629	// resumption.
630	resumeShimPrefix string
631	// expectedQUICTransportParams contains the QUIC transport
632	// parameters that are expected to be sent by the peer.
633	expectedQUICTransportParams []byte
634	// exportTrafficSecrets, if true, configures the test to export the TLS 1.3
635	// traffic secrets and confirms that they match.
636	exportTrafficSecrets bool
637}
638
639var testCases []testCase
640
641func appendTranscript(path string, data []byte) error {
642	if len(data) == 0 {
643		return nil
644	}
645
646	settings, err := ioutil.ReadFile(path)
647	if err != nil {
648		if !os.IsNotExist(err) {
649			return err
650		}
651		// If the shim aborted before writing a file, use a default
652		// settings block, so the transcript is still somewhat valid.
653		settings = []byte{0, 0} // kDataTag
654	}
655
656	settings = append(settings, data...)
657	return ioutil.WriteFile(path, settings, 0644)
658}
659
660// A timeoutConn implements an idle timeout on each Read and Write operation.
661type timeoutConn struct {
662	net.Conn
663	timeout time.Duration
664}
665
666func (t *timeoutConn) Read(b []byte) (int, error) {
667	if !*useGDB {
668		if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
669			return 0, err
670		}
671	}
672	return t.Conn.Read(b)
673}
674
675func (t *timeoutConn) Write(b []byte) (int, error) {
676	if !*useGDB {
677		if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
678			return 0, err
679		}
680	}
681	return t.Conn.Write(b)
682}
683
684func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, transcripts *[][]byte, num int) error {
685	if !test.noSessionCache {
686		if config.ClientSessionCache == nil {
687			config.ClientSessionCache = NewLRUClientSessionCache(1)
688		}
689		if config.ServerSessionCache == nil {
690			config.ServerSessionCache = NewLRUServerSessionCache(1)
691		}
692	}
693	if test.testType == clientTest {
694		if len(config.Certificates) == 0 {
695			config.Certificates = []Certificate{rsaCertificate}
696		}
697	} else {
698		// Supply a ServerName to ensure a constant session cache key,
699		// rather than falling back to net.Conn.RemoteAddr.
700		if len(config.ServerName) == 0 {
701			config.ServerName = "test"
702		}
703	}
704	if *fuzzer {
705		config.Bugs.NullAllCiphers = true
706	}
707	if *deterministic {
708		config.Time = func() time.Time { return time.Unix(1234, 1234) }
709	}
710
711	conn = &timeoutConn{conn, *idleTimeout}
712
713	if test.protocol == dtls {
714		config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
715		conn = config.Bugs.PacketAdaptor
716	}
717
718	if *flagDebug || len(*transcriptDir) != 0 {
719		local, peer := "client", "server"
720		if test.testType == clientTest {
721			local, peer = peer, local
722		}
723		connDebug := &recordingConn{
724			Conn:       conn,
725			isDatagram: test.protocol == dtls,
726			local:      local,
727			peer:       peer,
728		}
729		conn = connDebug
730		if *flagDebug {
731			defer connDebug.WriteTo(os.Stdout)
732		}
733		if len(*transcriptDir) != 0 {
734			defer func() {
735				if num == len(*transcripts) {
736					*transcripts = append(*transcripts, connDebug.Transcript())
737				} else {
738					panic("transcripts are out of sync")
739				}
740			}()
741		}
742
743		if config.Bugs.PacketAdaptor != nil {
744			config.Bugs.PacketAdaptor.debug = connDebug
745		}
746	}
747
748	if test.replayWrites {
749		conn = newReplayAdaptor(conn)
750	}
751
752	var connDamage *damageAdaptor
753	if test.damageFirstWrite {
754		connDamage = newDamageAdaptor(conn)
755		conn = connDamage
756	}
757
758	if test.sendPrefix != "" {
759		if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
760			return err
761		}
762	}
763
764	var tlsConn *Conn
765	if test.testType == clientTest {
766		if test.protocol == dtls {
767			tlsConn = DTLSServer(conn, config)
768		} else {
769			tlsConn = Server(conn, config)
770		}
771	} else {
772		config.InsecureSkipVerify = true
773		if test.protocol == dtls {
774			tlsConn = DTLSClient(conn, config)
775		} else {
776			tlsConn = Client(conn, config)
777		}
778	}
779	defer tlsConn.Close()
780
781	if err := tlsConn.Handshake(); err != nil {
782		return err
783	}
784
785	// TODO(davidben): move all per-connection expectations into a dedicated
786	// expectations struct that can be specified separately for the two
787	// legs.
788	expectedVersion := test.expectedVersion
789	if isResume && test.expectedResumeVersion != 0 {
790		expectedVersion = test.expectedResumeVersion
791	}
792	connState := tlsConn.ConnectionState()
793	if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
794		return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
795	}
796
797	if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
798		return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
799	}
800	if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
801		return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
802	}
803
804	if test.expectChannelID {
805		channelID := connState.ChannelID
806		if channelID == nil {
807			return fmt.Errorf("no channel ID negotiated")
808		}
809		if channelID.Curve != channelIDKey.Curve ||
810			channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
811			channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
812			return fmt.Errorf("incorrect channel ID")
813		}
814	} else if connState.ChannelID != nil {
815		return fmt.Errorf("channel ID unexpectedly negotiated")
816	}
817
818	if test.expectTokenBinding {
819		if !connState.TokenBindingNegotiated {
820			return errors.New("no Token Binding negotiated")
821		}
822		if connState.TokenBindingParam != test.expectedTokenBindingParam {
823			return fmt.Errorf("expected param %02x, but got %02x", test.expectedTokenBindingParam, connState.TokenBindingParam)
824		}
825	} else if connState.TokenBindingNegotiated {
826		return errors.New("Token Binding unexpectedly negotiated")
827	}
828
829	if expected := test.expectedNextProto; expected != "" {
830		if actual := connState.NegotiatedProtocol; actual != expected {
831			return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
832		}
833	}
834
835	if test.expectNoNextProto {
836		if actual := connState.NegotiatedProtocol; actual != "" {
837			return fmt.Errorf("got unexpected next proto %s", actual)
838		}
839	}
840
841	if test.expectedNextProtoType != 0 {
842		if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
843			return fmt.Errorf("next proto type mismatch")
844		}
845	}
846
847	if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
848		return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
849	}
850
851	if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
852		return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
853	}
854
855	if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
856		return fmt.Errorf("SCT list mismatch")
857	}
858
859	if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
860		return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
861	}
862
863	if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
864		return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
865	}
866
867	if test.expectPeerCertificate != nil {
868		if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
869			return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
870		}
871		for i, cert := range connState.PeerCertificates {
872			if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
873				return fmt.Errorf("peer certificate %d did not match", i+1)
874			}
875		}
876	}
877
878	if len(test.expectedQUICTransportParams) > 0 {
879		if !bytes.Equal(test.expectedQUICTransportParams, connState.QUICTransportParams) {
880			return errors.New("Peer did not send expected QUIC transport params")
881		}
882	}
883
884	if isResume && test.exportEarlyKeyingMaterial > 0 {
885		actual := make([]byte, test.exportEarlyKeyingMaterial)
886		if _, err := io.ReadFull(tlsConn, actual); err != nil {
887			return err
888		}
889		expected, err := tlsConn.ExportEarlyKeyingMaterial(test.exportEarlyKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext))
890		if err != nil {
891			return err
892		}
893		if !bytes.Equal(actual, expected) {
894			return fmt.Errorf("early keying material mismatch; got %x, wanted %x", actual, expected)
895		}
896	}
897
898	if test.exportKeyingMaterial > 0 {
899		actual := make([]byte, test.exportKeyingMaterial)
900		if _, err := io.ReadFull(tlsConn, actual); err != nil {
901			return err
902		}
903		expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
904		if err != nil {
905			return err
906		}
907		if !bytes.Equal(actual, expected) {
908			return fmt.Errorf("keying material mismatch; got %x, wanted %x", actual, expected)
909		}
910	}
911
912	if test.exportTrafficSecrets {
913		secretLenBytes := make([]byte, 2)
914		if _, err := io.ReadFull(tlsConn, secretLenBytes); err != nil {
915			return err
916		}
917		secretLen := binary.LittleEndian.Uint16(secretLenBytes)
918
919		theirReadSecret := make([]byte, secretLen)
920		theirWriteSecret := make([]byte, secretLen)
921		if _, err := io.ReadFull(tlsConn, theirReadSecret); err != nil {
922			return err
923		}
924		if _, err := io.ReadFull(tlsConn, theirWriteSecret); err != nil {
925			return err
926		}
927
928		myReadSecret := tlsConn.in.trafficSecret
929		myWriteSecret := tlsConn.out.trafficSecret
930		if !bytes.Equal(myWriteSecret, theirReadSecret) {
931			return fmt.Errorf("read traffic-secret mismatch; got %x, wanted %x", theirReadSecret, myWriteSecret)
932		}
933		if !bytes.Equal(myReadSecret, theirWriteSecret) {
934			return fmt.Errorf("write traffic-secret mismatch; got %x, wanted %x", theirWriteSecret, myReadSecret)
935		}
936	}
937
938	if test.testTLSUnique {
939		var peersValue [12]byte
940		if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
941			return err
942		}
943		expected := tlsConn.ConnectionState().TLSUnique
944		if !bytes.Equal(peersValue[:], expected) {
945			return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
946		}
947	}
948
949	if test.sendHalfHelloRequest {
950		tlsConn.SendHalfHelloRequest()
951	}
952
953	shimPrefix := test.shimPrefix
954	if isResume {
955		shimPrefix = test.resumeShimPrefix
956	}
957	if test.shimWritesFirst || test.readWithUnfinishedWrite {
958		shimPrefix = "hello"
959	}
960	if test.renegotiate > 0 {
961		// If readWithUnfinishedWrite is set, the shim prefix will be
962		// available later.
963		if shimPrefix != "" && !test.readWithUnfinishedWrite {
964			var buf = make([]byte, len(shimPrefix))
965			_, err := io.ReadFull(tlsConn, buf)
966			if err != nil {
967				return err
968			}
969			if string(buf) != shimPrefix {
970				return fmt.Errorf("bad initial message %v vs %v", string(buf), shimPrefix)
971			}
972			shimPrefix = ""
973		}
974
975		if test.renegotiateCiphers != nil {
976			config.CipherSuites = test.renegotiateCiphers
977		}
978		for i := 0; i < test.renegotiate; i++ {
979			if err := tlsConn.Renegotiate(); err != nil {
980				return err
981			}
982		}
983	} else if test.renegotiateCiphers != nil {
984		panic("renegotiateCiphers without renegotiate")
985	}
986
987	if test.damageFirstWrite {
988		connDamage.setDamage(true)
989		tlsConn.Write([]byte("DAMAGED WRITE"))
990		connDamage.setDamage(false)
991	}
992
993	messageLen := test.messageLen
994	if messageLen < 0 {
995		if test.protocol == dtls {
996			return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
997		}
998		// Read until EOF.
999		_, err := io.Copy(ioutil.Discard, tlsConn)
1000		return err
1001	}
1002	if messageLen == 0 {
1003		messageLen = 32
1004	}
1005
1006	messageCount := test.messageCount
1007	// shimShutsDown sets the default message count to zero.
1008	if messageCount == 0 && !test.shimShutsDown {
1009		messageCount = 1
1010	}
1011
1012	for j := 0; j < messageCount; j++ {
1013		for i := 0; i < test.sendKeyUpdates; i++ {
1014			tlsConn.SendKeyUpdate(test.keyUpdateRequest)
1015		}
1016
1017		for i := 0; i < test.sendEmptyRecords; i++ {
1018			tlsConn.Write(nil)
1019		}
1020
1021		for i := 0; i < test.sendWarningAlerts; i++ {
1022			tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
1023		}
1024
1025		if test.sendBogusAlertType {
1026			tlsConn.SendAlert(0x42, alertUnexpectedMessage)
1027		}
1028
1029		testMessage := make([]byte, messageLen)
1030		for i := range testMessage {
1031			testMessage[i] = 0x42 ^ byte(j)
1032		}
1033		tlsConn.Write(testMessage)
1034
1035		// Consume the shim prefix if needed.
1036		if shimPrefix != "" {
1037			var buf = make([]byte, len(shimPrefix))
1038			_, err := io.ReadFull(tlsConn, buf)
1039			if err != nil {
1040				return err
1041			}
1042			if string(buf) != shimPrefix {
1043				return fmt.Errorf("bad initial message %v vs %v", string(buf), shimPrefix)
1044			}
1045			shimPrefix = ""
1046		}
1047
1048		if test.shimShutsDown || test.expectMessageDropped {
1049			// The shim will not respond.
1050			continue
1051		}
1052
1053		// Process the KeyUpdate ACK. However many KeyUpdates the runner
1054		// sends, the shim should respond only once.
1055		if test.sendKeyUpdates > 0 && test.keyUpdateRequest == keyUpdateRequested {
1056			if err := tlsConn.ReadKeyUpdateACK(); err != nil {
1057				return err
1058			}
1059		}
1060
1061		buf := make([]byte, len(testMessage))
1062		if test.protocol == dtls {
1063			bufTmp := make([]byte, len(buf)+1)
1064			n, err := tlsConn.Read(bufTmp)
1065			if err != nil {
1066				return err
1067			}
1068			if config.Bugs.SplitAndPackAppData {
1069				m, err := tlsConn.Read(bufTmp[n:])
1070				if err != nil {
1071					return err
1072				}
1073				n += m
1074			}
1075			if n != len(buf) {
1076				return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
1077			}
1078			copy(buf, bufTmp)
1079		} else {
1080			_, err := io.ReadFull(tlsConn, buf)
1081			if err != nil {
1082				return err
1083			}
1084		}
1085
1086		for i, v := range buf {
1087			if v != testMessage[i]^0xff {
1088				return fmt.Errorf("bad reply contents at byte %d; got %q and wanted %q", i, buf, testMessage)
1089			}
1090		}
1091
1092		if seen := tlsConn.keyUpdateSeen; seen != test.expectUnsolicitedKeyUpdate {
1093			return fmt.Errorf("keyUpdateSeen (%t) != expectUnsolicitedKeyUpdate", seen)
1094		}
1095	}
1096
1097	return nil
1098}
1099
1100const xtermSize = "140x50"
1101
1102func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
1103	valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
1104	if dbAttach {
1105		valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -geometry "+xtermSize+" -e gdb -nw %f %p")
1106	}
1107	valgrindArgs = append(valgrindArgs, path)
1108	valgrindArgs = append(valgrindArgs, args...)
1109
1110	return exec.Command("valgrind", valgrindArgs...)
1111}
1112
1113func gdbOf(path string, args ...string) *exec.Cmd {
1114	xtermArgs := []string{"-geometry", xtermSize, "-e", "gdb", "--args"}
1115	xtermArgs = append(xtermArgs, path)
1116	xtermArgs = append(xtermArgs, args...)
1117
1118	return exec.Command("xterm", xtermArgs...)
1119}
1120
1121func lldbOf(path string, args ...string) *exec.Cmd {
1122	xtermArgs := []string{"-geometry", xtermSize, "-e", "lldb", "--"}
1123	xtermArgs = append(xtermArgs, path)
1124	xtermArgs = append(xtermArgs, args...)
1125
1126	return exec.Command("xterm", xtermArgs...)
1127}
1128
1129func removeFirstLineIfSuffix(s, suffix string) string {
1130	idx := strings.IndexByte(s, '\n')
1131	if idx < 0 {
1132		return s
1133	}
1134	if strings.HasSuffix(s[:idx], suffix) {
1135		return s[idx+1:]
1136	}
1137	return s
1138}
1139
1140var (
1141	errMoreMallocs   = errors.New("child process did not exhaust all allocation calls")
1142	errUnimplemented = errors.New("child process does not implement needed flags")
1143)
1144
1145// accept accepts a connection from listener, unless waitChan signals a process
1146// exit first.
1147func acceptOrWait(listener *net.TCPListener, waitChan chan error) (net.Conn, error) {
1148	type connOrError struct {
1149		conn net.Conn
1150		err  error
1151	}
1152	connChan := make(chan connOrError, 1)
1153	go func() {
1154		if !*useGDB {
1155			listener.SetDeadline(time.Now().Add(*idleTimeout))
1156		}
1157		conn, err := listener.Accept()
1158		connChan <- connOrError{conn, err}
1159		close(connChan)
1160	}()
1161	select {
1162	case result := <-connChan:
1163		return result.conn, result.err
1164	case childErr := <-waitChan:
1165		waitChan <- childErr
1166		return nil, fmt.Errorf("child exited early: %s", childErr)
1167	}
1168}
1169
1170func translateExpectedError(errorStr string) string {
1171	if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
1172		return translated
1173	}
1174
1175	if *looseErrors {
1176		return ""
1177	}
1178
1179	return errorStr
1180}
1181
1182func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
1183	// Help debugging panics on the Go side.
1184	defer func() {
1185		if r := recover(); r != nil {
1186			fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
1187			panic(r)
1188		}
1189	}()
1190
1191	if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
1192		panic("Error expected without shouldFail in " + test.name)
1193	}
1194
1195	if test.expectResumeRejected && !test.resumeSession {
1196		panic("expectResumeRejected without resumeSession in " + test.name)
1197	}
1198
1199	for _, ver := range tlsVersions {
1200		if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
1201			continue
1202		}
1203
1204		if test.config.MaxVersion == 0 && test.config.MinVersion == 0 && test.expectedVersion == 0 {
1205			panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
1206		}
1207	}
1208
1209	listener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv6loopback})
1210	if err != nil {
1211		listener, err = net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
1212	}
1213	if err != nil {
1214		panic(err)
1215	}
1216	defer func() {
1217		if listener != nil {
1218			listener.Close()
1219		}
1220	}()
1221
1222	flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
1223	if test.testType == serverTest {
1224		flags = append(flags, "-server")
1225
1226		flags = append(flags, "-key-file")
1227		if test.keyFile == "" {
1228			flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
1229		} else {
1230			flags = append(flags, path.Join(*resourceDir, test.keyFile))
1231		}
1232
1233		flags = append(flags, "-cert-file")
1234		if test.certFile == "" {
1235			flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
1236		} else {
1237			flags = append(flags, path.Join(*resourceDir, test.certFile))
1238		}
1239	}
1240
1241	if test.protocol == dtls {
1242		flags = append(flags, "-dtls")
1243	}
1244
1245	var resumeCount int
1246	if test.resumeSession {
1247		resumeCount++
1248		if test.resumeRenewedSession {
1249			resumeCount++
1250		}
1251	}
1252
1253	if resumeCount > 0 {
1254		flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
1255	}
1256
1257	if test.shimWritesFirst {
1258		flags = append(flags, "-shim-writes-first")
1259	}
1260
1261	if test.readWithUnfinishedWrite {
1262		flags = append(flags, "-read-with-unfinished-write")
1263	}
1264
1265	if test.shimShutsDown {
1266		flags = append(flags, "-shim-shuts-down")
1267	}
1268
1269	if test.exportKeyingMaterial > 0 {
1270		flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
1271		if test.useExportContext {
1272			flags = append(flags, "-use-export-context")
1273		}
1274	}
1275	if test.exportEarlyKeyingMaterial > 0 {
1276		flags = append(flags, "-on-resume-export-early-keying-material", strconv.Itoa(test.exportEarlyKeyingMaterial))
1277	}
1278	if test.exportKeyingMaterial > 0 || test.exportEarlyKeyingMaterial > 0 {
1279		flags = append(flags, "-export-label", test.exportLabel)
1280		flags = append(flags, "-export-context", test.exportContext)
1281	}
1282
1283	if test.exportTrafficSecrets {
1284		flags = append(flags, "-export-traffic-secrets")
1285	}
1286
1287	if test.expectResumeRejected {
1288		flags = append(flags, "-expect-session-miss")
1289	}
1290
1291	if test.testTLSUnique {
1292		flags = append(flags, "-tls-unique")
1293	}
1294
1295	flags = append(flags, "-handshaker-path", *handshakerPath)
1296
1297	var transcriptPrefix string
1298	var transcripts [][]byte
1299	if len(*transcriptDir) != 0 {
1300		protocol := "tls"
1301		if test.protocol == dtls {
1302			protocol = "dtls"
1303		}
1304
1305		side := "client"
1306		if test.testType == serverTest {
1307			side = "server"
1308		}
1309
1310		dir := filepath.Join(*transcriptDir, protocol, side)
1311		if err := os.MkdirAll(dir, 0755); err != nil {
1312			return err
1313		}
1314		transcriptPrefix = filepath.Join(dir, test.name+"-")
1315		flags = append(flags, "-write-settings", transcriptPrefix)
1316	}
1317
1318	flags = append(flags, test.flags...)
1319
1320	var shim *exec.Cmd
1321	if *useValgrind {
1322		shim = valgrindOf(false, shimPath, flags...)
1323	} else if *useGDB {
1324		shim = gdbOf(shimPath, flags...)
1325	} else if *useLLDB {
1326		shim = lldbOf(shimPath, flags...)
1327	} else {
1328		shim = exec.Command(shimPath, flags...)
1329	}
1330	shim.Stdin = os.Stdin
1331	var stdoutBuf, stderrBuf bytes.Buffer
1332	shim.Stdout = &stdoutBuf
1333	shim.Stderr = &stderrBuf
1334	if mallocNumToFail >= 0 {
1335		shim.Env = os.Environ()
1336		shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
1337		if *mallocTestDebug {
1338			shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
1339		}
1340		shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
1341	}
1342
1343	if err := shim.Start(); err != nil {
1344		panic(err)
1345	}
1346	waitChan := make(chan error, 1)
1347	go func() { waitChan <- shim.Wait() }()
1348
1349	config := test.config
1350
1351	if *deterministic {
1352		config.Rand = &deterministicRand{}
1353	}
1354
1355	conn, err := acceptOrWait(listener, waitChan)
1356	if err == nil {
1357		err = doExchange(test, &config, conn, false /* not a resumption */, &transcripts, 0)
1358		conn.Close()
1359	}
1360
1361	for i := 0; err == nil && i < resumeCount; i++ {
1362		var resumeConfig Config
1363		if test.resumeConfig != nil {
1364			resumeConfig = *test.resumeConfig
1365			if !test.newSessionsOnResume {
1366				resumeConfig.SessionTicketKey = config.SessionTicketKey
1367				resumeConfig.ClientSessionCache = config.ClientSessionCache
1368				resumeConfig.ServerSessionCache = config.ServerSessionCache
1369			}
1370			resumeConfig.Rand = config.Rand
1371		} else {
1372			resumeConfig = config
1373		}
1374		var connResume net.Conn
1375		connResume, err = acceptOrWait(listener, waitChan)
1376		if err == nil {
1377			err = doExchange(test, &resumeConfig, connResume, true /* resumption */, &transcripts, i+1)
1378			connResume.Close()
1379		}
1380	}
1381
1382	// Close the listener now. This is to avoid hangs should the shim try to
1383	// open more connections than expected.
1384	listener.Close()
1385	listener = nil
1386
1387	var childErr error
1388	if *useGDB {
1389		childErr = <-waitChan
1390	} else {
1391		waitTimeout := time.AfterFunc(*idleTimeout, func() {
1392			shim.Process.Kill()
1393		})
1394		childErr = <-waitChan
1395		waitTimeout.Stop()
1396	}
1397
1398	// Now that the shim has exitted, all the settings files have been
1399	// written. Append the saved transcripts.
1400	for i, transcript := range transcripts {
1401		if err := appendTranscript(transcriptPrefix+strconv.Itoa(i), transcript); err != nil {
1402			return err
1403		}
1404	}
1405
1406	var isValgrindError, mustFail bool
1407	if exitError, ok := childErr.(*exec.ExitError); ok {
1408		switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1409		case 88:
1410			return errMoreMallocs
1411		case 89:
1412			return errUnimplemented
1413		case 90:
1414			mustFail = true
1415		case 99:
1416			isValgrindError = true
1417		}
1418	}
1419
1420	// Account for Windows line endings.
1421	stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1422	stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
1423
1424	// Work around an NDK / Android bug. The NDK r16 sometimes generates
1425	// binaries with the DF_1_PIE, which the runtime linker on Android N
1426	// complains about. The next NDK revision should work around this but,
1427	// in the meantime, strip its error out.
1428	//
1429	// https://github.com/android-ndk/ndk/issues/602
1430	// https://android-review.googlesource.com/c/platform/bionic/+/259790
1431	// https://android-review.googlesource.com/c/toolchain/binutils/+/571550
1432	//
1433	// Remove this after switching to the r17 NDK.
1434	stderr = removeFirstLineIfSuffix(stderr, ": unsupported flags DT_FLAGS_1=0x8000001")
1435
1436	// Separate the errors from the shim and those from tools like
1437	// AddressSanitizer.
1438	var extraStderr string
1439	if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1440		stderr = stderrParts[0]
1441		extraStderr = stderrParts[1]
1442	}
1443
1444	failed := err != nil || childErr != nil
1445	expectedError := translateExpectedError(test.expectedError)
1446	correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
1447
1448	localError := "none"
1449	if err != nil {
1450		localError = err.Error()
1451	}
1452	if len(test.expectedLocalError) != 0 {
1453		correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1454	}
1455
1456	if failed != test.shouldFail || failed && !correctFailure || mustFail {
1457		childError := "none"
1458		if childErr != nil {
1459			childError = childErr.Error()
1460		}
1461
1462		var msg string
1463		switch {
1464		case failed && !test.shouldFail:
1465			msg = "unexpected failure"
1466		case !failed && test.shouldFail:
1467			msg = "unexpected success"
1468		case failed && !correctFailure:
1469			msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
1470		case mustFail:
1471			msg = "test failure"
1472		default:
1473			panic("internal error")
1474		}
1475
1476		return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
1477	}
1478
1479	if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
1480		return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
1481	}
1482
1483	if *useValgrind && isValgrindError {
1484		return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1485	}
1486
1487	return nil
1488}
1489
1490type tlsVersion struct {
1491	name string
1492	// version is the protocol version.
1493	version uint16
1494	// excludeFlag is the legacy shim flag to disable the version.
1495	excludeFlag string
1496	hasDTLS     bool
1497	// versionDTLS, if non-zero, is the DTLS-specific representation of the version.
1498	versionDTLS uint16
1499	// versionWire, if non-zero, is the wire representation of the
1500	// version. Otherwise the wire version is the protocol version or
1501	// versionDTLS.
1502	versionWire uint16
1503}
1504
1505func (vers tlsVersion) shimFlag(protocol protocol) string {
1506	// The shim uses the protocol version in its public API, but uses the
1507	// DTLS-specific version if it exists.
1508	if protocol == dtls && vers.versionDTLS != 0 {
1509		return strconv.Itoa(int(vers.versionDTLS))
1510	}
1511	return strconv.Itoa(int(vers.version))
1512}
1513
1514func (vers tlsVersion) wire(protocol protocol) uint16 {
1515	if protocol == dtls && vers.versionDTLS != 0 {
1516		return vers.versionDTLS
1517	}
1518	if vers.versionWire != 0 {
1519		return vers.versionWire
1520	}
1521	return vers.version
1522}
1523
1524var tlsVersions = []tlsVersion{
1525	{
1526		name:        "TLS1",
1527		version:     VersionTLS10,
1528		excludeFlag: "-no-tls1",
1529		hasDTLS:     true,
1530		versionDTLS: VersionDTLS10,
1531	},
1532	{
1533		name:        "TLS11",
1534		version:     VersionTLS11,
1535		excludeFlag: "-no-tls11",
1536	},
1537	{
1538		name:        "TLS12",
1539		version:     VersionTLS12,
1540		excludeFlag: "-no-tls12",
1541		hasDTLS:     true,
1542		versionDTLS: VersionDTLS12,
1543	},
1544	{
1545		name:        "TLS13",
1546		version:     VersionTLS13,
1547		excludeFlag: "-no-tls13",
1548		versionWire: VersionTLS13,
1549	},
1550}
1551
1552func allVersions(protocol protocol) []tlsVersion {
1553	if protocol == tls {
1554		return tlsVersions
1555	}
1556
1557	var ret []tlsVersion
1558	for _, vers := range tlsVersions {
1559		if vers.hasDTLS {
1560			ret = append(ret, vers)
1561		}
1562	}
1563	return ret
1564}
1565
1566type testCipherSuite struct {
1567	name string
1568	id   uint16
1569}
1570
1571var testCipherSuites = []testCipherSuite{
1572	{"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
1573	{"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
1574	{"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
1575	{"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
1576	{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
1577	{"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1578	{"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
1579	{"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
1580	{"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
1581	{"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
1582	{"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1583	{"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1584	{"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
1585	{"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
1586	{"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
1587	{"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1588	{"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
1589	{"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1590	{"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
1591	{"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
1592	{"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1593	{"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1594	{"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
1595	{"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
1596}
1597
1598func hasComponent(suiteName, component string) bool {
1599	return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1600}
1601
1602func isTLS12Only(suiteName string) bool {
1603	return hasComponent(suiteName, "GCM") ||
1604		hasComponent(suiteName, "SHA256") ||
1605		hasComponent(suiteName, "SHA384") ||
1606		hasComponent(suiteName, "POLY1305")
1607}
1608
1609func isTLS13Suite(suiteName string) bool {
1610	return strings.HasPrefix(suiteName, "AEAD-")
1611}
1612
1613func bigFromHex(hex string) *big.Int {
1614	ret, ok := new(big.Int).SetString(hex, 16)
1615	if !ok {
1616		panic("failed to parse hex number 0x" + hex)
1617	}
1618	return ret
1619}
1620
1621func convertToSplitHandshakeTests(tests []testCase) (splitHandshakeTests []testCase) {
1622	var stdout bytes.Buffer
1623	shim := exec.Command(*shimPath, "-is-handshaker-supported")
1624	shim.Stdout = &stdout
1625	if err := shim.Run(); err != nil {
1626		panic(err)
1627	}
1628
1629	switch strings.TrimSpace(string(stdout.Bytes())) {
1630	case "No":
1631		return
1632	case "Yes":
1633		break
1634	default:
1635		panic("Unknown output from shim: 0x" + hex.EncodeToString(stdout.Bytes()))
1636	}
1637
1638NextTest:
1639	for _, test := range tests {
1640		if test.protocol != tls ||
1641			test.testType != serverTest ||
1642			test.config.MaxVersion >= VersionTLS13 ||
1643			test.config.MaxVersion < VersionTLS10 ||
1644			(test.resumeConfig != nil && (test.resumeConfig.MaxVersion < VersionTLS10 || test.resumeConfig.MaxVersion >= VersionTLS13)) ||
1645			strings.HasPrefix(test.name, "VersionNegotiation-") {
1646			continue
1647		}
1648
1649		for _, flag := range test.flags {
1650			if flag == "-implicit-handshake" {
1651				continue NextTest
1652			}
1653		}
1654
1655		shTest := test
1656		shTest.name += "-Split"
1657		shTest.flags = make([]string, len(test.flags), len(test.flags)+1)
1658		copy(shTest.flags, test.flags)
1659		shTest.flags = append(shTest.flags, "-handoff")
1660
1661		splitHandshakeTests = append(splitHandshakeTests, shTest)
1662	}
1663
1664	return splitHandshakeTests
1665}
1666
1667func addBasicTests() {
1668	basicTests := []testCase{
1669		{
1670			name: "NoFallbackSCSV",
1671			config: Config{
1672				Bugs: ProtocolBugs{
1673					FailIfNotFallbackSCSV: true,
1674				},
1675			},
1676			shouldFail:         true,
1677			expectedLocalError: "no fallback SCSV found",
1678		},
1679		{
1680			name: "SendFallbackSCSV",
1681			config: Config{
1682				Bugs: ProtocolBugs{
1683					FailIfNotFallbackSCSV: true,
1684				},
1685			},
1686			flags: []string{"-fallback-scsv"},
1687		},
1688		{
1689			name: "ClientCertificateTypes",
1690			config: Config{
1691				MaxVersion: VersionTLS12,
1692				ClientAuth: RequestClientCert,
1693				ClientCertificateTypes: []byte{
1694					CertTypeDSSSign,
1695					CertTypeRSASign,
1696					CertTypeECDSASign,
1697				},
1698			},
1699			flags: []string{
1700				"-expect-certificate-types",
1701				base64.StdEncoding.EncodeToString([]byte{
1702					CertTypeDSSSign,
1703					CertTypeRSASign,
1704					CertTypeECDSASign,
1705				}),
1706			},
1707		},
1708		{
1709			name: "UnauthenticatedECDH",
1710			config: Config{
1711				MaxVersion:   VersionTLS12,
1712				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1713				Bugs: ProtocolBugs{
1714					UnauthenticatedECDH: true,
1715				},
1716			},
1717			shouldFail:    true,
1718			expectedError: ":UNEXPECTED_MESSAGE:",
1719		},
1720		{
1721			name: "SkipCertificateStatus",
1722			config: Config{
1723				MaxVersion:   VersionTLS12,
1724				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1725				Bugs: ProtocolBugs{
1726					SkipCertificateStatus: true,
1727				},
1728			},
1729			flags: []string{
1730				"-enable-ocsp-stapling",
1731				// This test involves an optional message. Test the message callback
1732				// trace to ensure we do not miss or double-report any.
1733				"-expect-msg-callback",
1734				`write hs 1
1735read hs 2
1736read hs 11
1737read hs 12
1738read hs 14
1739write hs 16
1740write ccs
1741write hs 20
1742read hs 4
1743read ccs
1744read hs 20
1745read alert 1 0
1746`,
1747			},
1748		},
1749		{
1750			protocol: dtls,
1751			name:     "SkipCertificateStatus-DTLS",
1752			config: Config{
1753				MaxVersion:   VersionTLS12,
1754				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1755				Bugs: ProtocolBugs{
1756					SkipCertificateStatus: true,
1757				},
1758			},
1759			flags: []string{
1760				"-enable-ocsp-stapling",
1761				// This test involves an optional message. Test the message callback
1762				// trace to ensure we do not miss or double-report any.
1763				"-expect-msg-callback",
1764				`write hs 1
1765read hs 3
1766write hs 1
1767read hs 2
1768read hs 11
1769read hs 12
1770read hs 14
1771write hs 16
1772write ccs
1773write hs 20
1774read hs 4
1775read ccs
1776read hs 20
1777read alert 1 0
1778`,
1779			},
1780		},
1781		{
1782			name: "SkipServerKeyExchange",
1783			config: Config{
1784				MaxVersion:   VersionTLS12,
1785				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1786				Bugs: ProtocolBugs{
1787					SkipServerKeyExchange: true,
1788				},
1789			},
1790			shouldFail:    true,
1791			expectedError: ":UNEXPECTED_MESSAGE:",
1792		},
1793		{
1794			testType: serverTest,
1795			name:     "ServerSkipCertificateVerify",
1796			config: Config{
1797				MaxVersion:   VersionTLS12,
1798				Certificates: []Certificate{rsaChainCertificate},
1799				Bugs: ProtocolBugs{
1800					SkipCertificateVerify: true,
1801				},
1802			},
1803			expectPeerCertificate: &rsaChainCertificate,
1804			flags: []string{
1805				"-require-any-client-certificate",
1806			},
1807			shouldFail:         true,
1808			expectedError:      ":UNEXPECTED_RECORD:",
1809			expectedLocalError: "remote error: unexpected message",
1810		},
1811		{
1812			testType: serverTest,
1813			name:     "Alert",
1814			config: Config{
1815				Bugs: ProtocolBugs{
1816					SendSpuriousAlert: alertRecordOverflow,
1817				},
1818			},
1819			shouldFail:    true,
1820			expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1821		},
1822		{
1823			protocol: dtls,
1824			testType: serverTest,
1825			name:     "Alert-DTLS",
1826			config: Config{
1827				Bugs: ProtocolBugs{
1828					SendSpuriousAlert: alertRecordOverflow,
1829				},
1830			},
1831			shouldFail:    true,
1832			expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1833		},
1834		{
1835			testType: serverTest,
1836			name:     "FragmentAlert",
1837			config: Config{
1838				Bugs: ProtocolBugs{
1839					FragmentAlert:     true,
1840					SendSpuriousAlert: alertRecordOverflow,
1841				},
1842			},
1843			shouldFail:    true,
1844			expectedError: ":BAD_ALERT:",
1845		},
1846		{
1847			protocol: dtls,
1848			testType: serverTest,
1849			name:     "FragmentAlert-DTLS",
1850			config: Config{
1851				Bugs: ProtocolBugs{
1852					FragmentAlert:     true,
1853					SendSpuriousAlert: alertRecordOverflow,
1854				},
1855			},
1856			shouldFail:    true,
1857			expectedError: ":BAD_ALERT:",
1858		},
1859		{
1860			testType: serverTest,
1861			name:     "DoubleAlert",
1862			config: Config{
1863				Bugs: ProtocolBugs{
1864					DoubleAlert:       true,
1865					SendSpuriousAlert: alertRecordOverflow,
1866				},
1867			},
1868			shouldFail:    true,
1869			expectedError: ":BAD_ALERT:",
1870		},
1871		{
1872			protocol: dtls,
1873			testType: serverTest,
1874			name:     "DoubleAlert-DTLS",
1875			config: Config{
1876				Bugs: ProtocolBugs{
1877					DoubleAlert:       true,
1878					SendSpuriousAlert: alertRecordOverflow,
1879				},
1880			},
1881			shouldFail:    true,
1882			expectedError: ":BAD_ALERT:",
1883		},
1884		{
1885			name: "SkipNewSessionTicket",
1886			config: Config{
1887				MaxVersion: VersionTLS12,
1888				Bugs: ProtocolBugs{
1889					SkipNewSessionTicket: true,
1890				},
1891			},
1892			shouldFail:    true,
1893			expectedError: ":UNEXPECTED_RECORD:",
1894		},
1895		{
1896			testType: serverTest,
1897			name:     "FallbackSCSV",
1898			config: Config{
1899				MaxVersion: VersionTLS11,
1900				Bugs: ProtocolBugs{
1901					SendFallbackSCSV: true,
1902				},
1903			},
1904			shouldFail:         true,
1905			expectedError:      ":INAPPROPRIATE_FALLBACK:",
1906			expectedLocalError: "remote error: inappropriate fallback",
1907		},
1908		{
1909			testType: serverTest,
1910			name:     "FallbackSCSV-VersionMatch-TLS13",
1911			config: Config{
1912				MaxVersion: VersionTLS13,
1913				Bugs: ProtocolBugs{
1914					SendFallbackSCSV: true,
1915				},
1916			},
1917		},
1918		{
1919			testType: serverTest,
1920			name:     "FallbackSCSV-VersionMatch-TLS12",
1921			config: Config{
1922				MaxVersion: VersionTLS12,
1923				Bugs: ProtocolBugs{
1924					SendFallbackSCSV: true,
1925				},
1926			},
1927			flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1928		},
1929		{
1930			testType: serverTest,
1931			name:     "FragmentedClientVersion",
1932			config: Config{
1933				Bugs: ProtocolBugs{
1934					MaxHandshakeRecordLength: 1,
1935					FragmentClientVersion:    true,
1936				},
1937			},
1938			expectedVersion: VersionTLS13,
1939		},
1940		{
1941			testType:      serverTest,
1942			name:          "HttpGET",
1943			sendPrefix:    "GET / HTTP/1.0\n",
1944			shouldFail:    true,
1945			expectedError: ":HTTP_REQUEST:",
1946		},
1947		{
1948			testType:      serverTest,
1949			name:          "HttpPOST",
1950			sendPrefix:    "POST / HTTP/1.0\n",
1951			shouldFail:    true,
1952			expectedError: ":HTTP_REQUEST:",
1953		},
1954		{
1955			testType:      serverTest,
1956			name:          "HttpHEAD",
1957			sendPrefix:    "HEAD / HTTP/1.0\n",
1958			shouldFail:    true,
1959			expectedError: ":HTTP_REQUEST:",
1960		},
1961		{
1962			testType:      serverTest,
1963			name:          "HttpPUT",
1964			sendPrefix:    "PUT / HTTP/1.0\n",
1965			shouldFail:    true,
1966			expectedError: ":HTTP_REQUEST:",
1967		},
1968		{
1969			testType:      serverTest,
1970			name:          "HttpCONNECT",
1971			sendPrefix:    "CONNECT www.google.com:443 HTTP/1.0\n",
1972			shouldFail:    true,
1973			expectedError: ":HTTPS_PROXY_REQUEST:",
1974		},
1975		{
1976			testType:      serverTest,
1977			name:          "Garbage",
1978			sendPrefix:    "blah",
1979			shouldFail:    true,
1980			expectedError: ":WRONG_VERSION_NUMBER:",
1981		},
1982		{
1983			name: "RSAEphemeralKey",
1984			config: Config{
1985				MaxVersion:   VersionTLS12,
1986				CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1987				Bugs: ProtocolBugs{
1988					RSAEphemeralKey: true,
1989				},
1990			},
1991			shouldFail:    true,
1992			expectedError: ":UNEXPECTED_MESSAGE:",
1993		},
1994		{
1995			name:          "DisableEverything",
1996			flags:         []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1"},
1997			shouldFail:    true,
1998			expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
1999		},
2000		{
2001			protocol:      dtls,
2002			name:          "DisableEverything-DTLS",
2003			flags:         []string{"-no-tls12", "-no-tls1"},
2004			shouldFail:    true,
2005			expectedError: ":NO_SUPPORTED_VERSIONS_ENABLED:",
2006		},
2007		{
2008			protocol: dtls,
2009			testType: serverTest,
2010			name:     "MTU",
2011			config: Config{
2012				Bugs: ProtocolBugs{
2013					MaxPacketLength: 256,
2014				},
2015			},
2016			flags: []string{"-mtu", "256"},
2017		},
2018		{
2019			protocol: dtls,
2020			testType: serverTest,
2021			name:     "MTUExceeded",
2022			config: Config{
2023				Bugs: ProtocolBugs{
2024					MaxPacketLength: 255,
2025				},
2026			},
2027			flags:              []string{"-mtu", "256"},
2028			shouldFail:         true,
2029			expectedLocalError: "dtls: exceeded maximum packet length",
2030		},
2031		{
2032			name: "EmptyCertificateList",
2033			config: Config{
2034				MaxVersion: VersionTLS12,
2035				Bugs: ProtocolBugs{
2036					EmptyCertificateList: true,
2037				},
2038			},
2039			shouldFail:    true,
2040			expectedError: ":DECODE_ERROR:",
2041		},
2042		{
2043			name: "EmptyCertificateList-TLS13",
2044			config: Config{
2045				MaxVersion: VersionTLS13,
2046				Bugs: ProtocolBugs{
2047					EmptyCertificateList: true,
2048				},
2049			},
2050			shouldFail:    true,
2051			expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
2052		},
2053		{
2054			name:             "TLSFatalBadPackets",
2055			damageFirstWrite: true,
2056			shouldFail:       true,
2057			expectedError:    ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
2058		},
2059		{
2060			protocol:         dtls,
2061			name:             "DTLSIgnoreBadPackets",
2062			damageFirstWrite: true,
2063		},
2064		{
2065			protocol:         dtls,
2066			name:             "DTLSIgnoreBadPackets-Async",
2067			damageFirstWrite: true,
2068			flags:            []string{"-async"},
2069		},
2070		{
2071			name: "AppDataBeforeHandshake",
2072			config: Config{
2073				Bugs: ProtocolBugs{
2074					AppDataBeforeHandshake: []byte("TEST MESSAGE"),
2075				},
2076			},
2077			shouldFail:    true,
2078			expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
2079		},
2080		{
2081			name: "AppDataBeforeHandshake-Empty",
2082			config: Config{
2083				Bugs: ProtocolBugs{
2084					AppDataBeforeHandshake: []byte{},
2085				},
2086			},
2087			shouldFail:    true,
2088			expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
2089		},
2090		{
2091			protocol: dtls,
2092			name:     "AppDataBeforeHandshake-DTLS",
2093			config: Config{
2094				Bugs: ProtocolBugs{
2095					AppDataBeforeHandshake: []byte("TEST MESSAGE"),
2096				},
2097			},
2098			shouldFail:    true,
2099			expectedError: ":UNEXPECTED_RECORD:",
2100		},
2101		{
2102			protocol: dtls,
2103			name:     "AppDataBeforeHandshake-DTLS-Empty",
2104			config: Config{
2105				Bugs: ProtocolBugs{
2106					AppDataBeforeHandshake: []byte{},
2107				},
2108			},
2109			shouldFail:    true,
2110			expectedError: ":UNEXPECTED_RECORD:",
2111		},
2112		{
2113			name: "AppDataAfterChangeCipherSpec",
2114			config: Config{
2115				MaxVersion: VersionTLS12,
2116				Bugs: ProtocolBugs{
2117					AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
2118				},
2119			},
2120			shouldFail:    true,
2121			expectedError: ":UNEXPECTED_RECORD:",
2122		},
2123		{
2124			name: "AppDataAfterChangeCipherSpec-Empty",
2125			config: Config{
2126				MaxVersion: VersionTLS12,
2127				Bugs: ProtocolBugs{
2128					AppDataAfterChangeCipherSpec: []byte{},
2129				},
2130			},
2131			shouldFail:    true,
2132			expectedError: ":UNEXPECTED_RECORD:",
2133		},
2134		{
2135			protocol: dtls,
2136			name:     "AppDataAfterChangeCipherSpec-DTLS",
2137			config: Config{
2138				MaxVersion: VersionTLS12,
2139				Bugs: ProtocolBugs{
2140					AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
2141				},
2142			},
2143			// BoringSSL's DTLS implementation will drop the out-of-order
2144			// application data.
2145		},
2146		{
2147			protocol: dtls,
2148			name:     "AppDataAfterChangeCipherSpec-DTLS-Empty",
2149			config: Config{
2150				MaxVersion: VersionTLS12,
2151				Bugs: ProtocolBugs{
2152					AppDataAfterChangeCipherSpec: []byte{},
2153				},
2154			},
2155			// BoringSSL's DTLS implementation will drop the out-of-order
2156			// application data.
2157		},
2158		{
2159			name: "AlertAfterChangeCipherSpec",
2160			config: Config{
2161				MaxVersion: VersionTLS12,
2162				Bugs: ProtocolBugs{
2163					AlertAfterChangeCipherSpec: alertRecordOverflow,
2164				},
2165			},
2166			shouldFail:    true,
2167			expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
2168		},
2169		{
2170			protocol: dtls,
2171			name:     "AlertAfterChangeCipherSpec-DTLS",
2172			config: Config{
2173				MaxVersion: VersionTLS12,
2174				Bugs: ProtocolBugs{
2175					AlertAfterChangeCipherSpec: alertRecordOverflow,
2176				},
2177			},
2178			shouldFail:    true,
2179			expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
2180		},
2181		{
2182			protocol: dtls,
2183			name:     "ReorderHandshakeFragments-Small-DTLS",
2184			config: Config{
2185				Bugs: ProtocolBugs{
2186					ReorderHandshakeFragments: true,
2187					// Small enough that every handshake message is
2188					// fragmented.
2189					MaxHandshakeRecordLength: 2,
2190				},
2191			},
2192		},
2193		{
2194			protocol: dtls,
2195			name:     "ReorderHandshakeFragments-Large-DTLS",
2196			config: Config{
2197				Bugs: ProtocolBugs{
2198					ReorderHandshakeFragments: true,
2199					// Large enough that no handshake message is
2200					// fragmented.
2201					MaxHandshakeRecordLength: 2048,
2202				},
2203			},
2204		},
2205		{
2206			protocol: dtls,
2207			name:     "MixCompleteMessageWithFragments-DTLS",
2208			config: Config{
2209				Bugs: ProtocolBugs{
2210					ReorderHandshakeFragments:       true,
2211					MixCompleteMessageWithFragments: true,
2212					MaxHandshakeRecordLength:        2,
2213				},
2214			},
2215		},
2216		{
2217			name: "SendInvalidRecordType",
2218			config: Config{
2219				Bugs: ProtocolBugs{
2220					SendInvalidRecordType: true,
2221				},
2222			},
2223			shouldFail:    true,
2224			expectedError: ":UNEXPECTED_RECORD:",
2225		},
2226		{
2227			protocol: dtls,
2228			name:     "SendInvalidRecordType-DTLS",
2229			config: Config{
2230				Bugs: ProtocolBugs{
2231					SendInvalidRecordType: true,
2232				},
2233			},
2234			shouldFail:    true,
2235			expectedError: ":UNEXPECTED_RECORD:",
2236		},
2237		{
2238			name: "FalseStart-SkipServerSecondLeg",
2239			config: Config{
2240				MaxVersion:   VersionTLS12,
2241				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2242				NextProtos:   []string{"foo"},
2243				Bugs: ProtocolBugs{
2244					SkipNewSessionTicket: true,
2245					SkipChangeCipherSpec: true,
2246					SkipFinished:         true,
2247					ExpectFalseStart:     true,
2248				},
2249			},
2250			flags: []string{
2251				"-false-start",
2252				"-handshake-never-done",
2253				"-advertise-alpn", "\x03foo",
2254				"-expect-alpn", "foo",
2255			},
2256			shimWritesFirst: true,
2257			shouldFail:      true,
2258			expectedError:   ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
2259		},
2260		{
2261			name: "FalseStart-SkipServerSecondLeg-Implicit",
2262			config: Config{
2263				MaxVersion:   VersionTLS12,
2264				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2265				NextProtos:   []string{"foo"},
2266				Bugs: ProtocolBugs{
2267					SkipNewSessionTicket: true,
2268					SkipChangeCipherSpec: true,
2269					SkipFinished:         true,
2270				},
2271			},
2272			flags: []string{
2273				"-implicit-handshake",
2274				"-false-start",
2275				"-handshake-never-done",
2276				"-advertise-alpn", "\x03foo",
2277			},
2278			shouldFail:    true,
2279			expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
2280		},
2281		{
2282			testType:           serverTest,
2283			name:               "FailEarlyCallback",
2284			flags:              []string{"-fail-early-callback"},
2285			shouldFail:         true,
2286			expectedError:      ":CONNECTION_REJECTED:",
2287			expectedLocalError: "remote error: handshake failure",
2288		},
2289		{
2290			name: "FailCertCallback-Client-TLS12",
2291			config: Config{
2292				MaxVersion: VersionTLS12,
2293				ClientAuth: RequestClientCert,
2294			},
2295			flags:              []string{"-fail-cert-callback"},
2296			shouldFail:         true,
2297			expectedError:      ":CERT_CB_ERROR:",
2298			expectedLocalError: "remote error: internal error",
2299		},
2300		{
2301			testType: serverTest,
2302			name:     "FailCertCallback-Server-TLS12",
2303			config: Config{
2304				MaxVersion: VersionTLS12,
2305			},
2306			flags:              []string{"-fail-cert-callback"},
2307			shouldFail:         true,
2308			expectedError:      ":CERT_CB_ERROR:",
2309			expectedLocalError: "remote error: internal error",
2310		},
2311		{
2312			name: "FailCertCallback-Client-TLS13",
2313			config: Config{
2314				MaxVersion: VersionTLS13,
2315				ClientAuth: RequestClientCert,
2316			},
2317			flags:              []string{"-fail-cert-callback"},
2318			shouldFail:         true,
2319			expectedError:      ":CERT_CB_ERROR:",
2320			expectedLocalError: "remote error: internal error",
2321		},
2322		{
2323			testType: serverTest,
2324			name:     "FailCertCallback-Server-TLS13",
2325			config: Config{
2326				MaxVersion: VersionTLS13,
2327			},
2328			flags:              []string{"-fail-cert-callback"},
2329			shouldFail:         true,
2330			expectedError:      ":CERT_CB_ERROR:",
2331			expectedLocalError: "remote error: internal error",
2332		},
2333		{
2334			protocol: dtls,
2335			name:     "FragmentMessageTypeMismatch-DTLS",
2336			config: Config{
2337				Bugs: ProtocolBugs{
2338					MaxHandshakeRecordLength:    2,
2339					FragmentMessageTypeMismatch: true,
2340				},
2341			},
2342			shouldFail:    true,
2343			expectedError: ":FRAGMENT_MISMATCH:",
2344		},
2345		{
2346			protocol: dtls,
2347			name:     "FragmentMessageLengthMismatch-DTLS",
2348			config: Config{
2349				Bugs: ProtocolBugs{
2350					MaxHandshakeRecordLength:      2,
2351					FragmentMessageLengthMismatch: true,
2352				},
2353			},
2354			shouldFail:    true,
2355			expectedError: ":FRAGMENT_MISMATCH:",
2356		},
2357		{
2358			protocol: dtls,
2359			name:     "SplitFragments-Header-DTLS",
2360			config: Config{
2361				Bugs: ProtocolBugs{
2362					SplitFragments: 2,
2363				},
2364			},
2365			shouldFail:    true,
2366			expectedError: ":BAD_HANDSHAKE_RECORD:",
2367		},
2368		{
2369			protocol: dtls,
2370			name:     "SplitFragments-Boundary-DTLS",
2371			config: Config{
2372				Bugs: ProtocolBugs{
2373					SplitFragments: dtlsRecordHeaderLen,
2374				},
2375			},
2376			shouldFail:    true,
2377			expectedError: ":BAD_HANDSHAKE_RECORD:",
2378		},
2379		{
2380			protocol: dtls,
2381			name:     "SplitFragments-Body-DTLS",
2382			config: Config{
2383				Bugs: ProtocolBugs{
2384					SplitFragments: dtlsRecordHeaderLen + 1,
2385				},
2386			},
2387			shouldFail:    true,
2388			expectedError: ":BAD_HANDSHAKE_RECORD:",
2389		},
2390		{
2391			protocol: dtls,
2392			name:     "SendEmptyFragments-DTLS",
2393			config: Config{
2394				Bugs: ProtocolBugs{
2395					SendEmptyFragments: true,
2396				},
2397			},
2398		},
2399		{
2400			testType: serverTest,
2401			protocol: dtls,
2402			name:     "SendEmptyFragments-Padded-DTLS",
2403			config: Config{
2404				Bugs: ProtocolBugs{
2405					// Test empty fragments for a message with a
2406					// nice power-of-two length.
2407					PadClientHello:     64,
2408					SendEmptyFragments: true,
2409				},
2410			},
2411		},
2412		{
2413			name: "BadFinished-Client",
2414			config: Config{
2415				MaxVersion: VersionTLS12,
2416				Bugs: ProtocolBugs{
2417					BadFinished: true,
2418				},
2419			},
2420			shouldFail:    true,
2421			expectedError: ":DIGEST_CHECK_FAILED:",
2422		},
2423		{
2424			name: "BadFinished-Client-TLS13",
2425			config: Config{
2426				MaxVersion: VersionTLS13,
2427				Bugs: ProtocolBugs{
2428					BadFinished: true,
2429				},
2430			},
2431			shouldFail:    true,
2432			expectedError: ":DIGEST_CHECK_FAILED:",
2433		},
2434		{
2435			testType: serverTest,
2436			name:     "BadFinished-Server",
2437			config: Config{
2438				MaxVersion: VersionTLS12,
2439				Bugs: ProtocolBugs{
2440					BadFinished: true,
2441				},
2442			},
2443			shouldFail:    true,
2444			expectedError: ":DIGEST_CHECK_FAILED:",
2445		},
2446		{
2447			testType: serverTest,
2448			name:     "BadFinished-Server-TLS13",
2449			config: Config{
2450				MaxVersion: VersionTLS13,
2451				Bugs: ProtocolBugs{
2452					BadFinished: true,
2453				},
2454			},
2455			shouldFail:    true,
2456			expectedError: ":DIGEST_CHECK_FAILED:",
2457		},
2458		{
2459			name: "FalseStart-BadFinished",
2460			config: Config{
2461				MaxVersion:   VersionTLS12,
2462				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2463				NextProtos:   []string{"foo"},
2464				Bugs: ProtocolBugs{
2465					BadFinished:      true,
2466					ExpectFalseStart: true,
2467				},
2468			},
2469			flags: []string{
2470				"-false-start",
2471				"-handshake-never-done",
2472				"-advertise-alpn", "\x03foo",
2473				"-expect-alpn", "foo",
2474			},
2475			shimWritesFirst: true,
2476			shouldFail:      true,
2477			expectedError:   ":DIGEST_CHECK_FAILED:",
2478		},
2479		{
2480			name: "NoFalseStart-NoALPN",
2481			config: Config{
2482				MaxVersion:   VersionTLS12,
2483				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2484				Bugs: ProtocolBugs{
2485					ExpectFalseStart:          true,
2486					AlertBeforeFalseStartTest: alertAccessDenied,
2487				},
2488			},
2489			flags: []string{
2490				"-false-start",
2491			},
2492			shimWritesFirst:    true,
2493			shouldFail:         true,
2494			expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
2495			expectedLocalError: "tls: peer did not false start: EOF",
2496		},
2497		{
2498			name: "FalseStart-NoALPNAllowed",
2499			config: Config{
2500				MaxVersion:   VersionTLS12,
2501				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
2502				Bugs: ProtocolBugs{
2503					ExpectFalseStart: true,
2504				},
2505			},
2506			flags: []string{
2507				"-false-start",
2508				"-allow-false-start-without-alpn",
2509			},
2510			shimWritesFirst: true,
2511		},
2512		{
2513			name: "NoFalseStart-NoAEAD",
2514			config: Config{
2515				MaxVersion:   VersionTLS12,
2516				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2517				NextProtos:   []string{"foo"},
2518				Bugs: ProtocolBugs{
2519					ExpectFalseStart:          true,
2520					AlertBeforeFalseStartTest: alertAccessDenied,
2521				},
2522			},
2523			flags: []string{
2524				"-false-start",
2525				"-advertise-alpn", "\x03foo",
2526			},
2527			shimWritesFirst:    true,
2528			shouldFail:         true,
2529			expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
2530			expectedLocalError: "tls: peer did not false start: EOF",
2531		},
2532		{
2533			name: "NoFalseStart-RSA",
2534			config: Config{
2535				MaxVersion:   VersionTLS12,
2536				CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
2537				NextProtos:   []string{"foo"},
2538				Bugs: ProtocolBugs{
2539					ExpectFalseStart:          true,
2540					AlertBeforeFalseStartTest: alertAccessDenied,
2541				},
2542			},
2543			flags: []string{
2544				"-false-start",
2545				"-advertise-alpn", "\x03foo",
2546			},
2547			shimWritesFirst:    true,
2548			shouldFail:         true,
2549			expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
2550			expectedLocalError: "tls: peer did not false start: EOF",
2551		},
2552		{
2553			protocol: dtls,
2554			name:     "SendSplitAlert-Sync",
2555			config: Config{
2556				Bugs: ProtocolBugs{
2557					SendSplitAlert: true,
2558				},
2559			},
2560		},
2561		{
2562			protocol: dtls,
2563			name:     "SendSplitAlert-Async",
2564			config: Config{
2565				Bugs: ProtocolBugs{
2566					SendSplitAlert: true,
2567				},
2568			},
2569			flags: []string{"-async"},
2570		},
2571		{
2572			name:             "SendEmptyRecords-Pass",
2573			sendEmptyRecords: 32,
2574		},
2575		{
2576			name:             "SendEmptyRecords",
2577			sendEmptyRecords: 33,
2578			shouldFail:       true,
2579			expectedError:    ":TOO_MANY_EMPTY_FRAGMENTS:",
2580		},
2581		{
2582			name:             "SendEmptyRecords-Async",
2583			sendEmptyRecords: 33,
2584			flags:            []string{"-async"},
2585			shouldFail:       true,
2586			expectedError:    ":TOO_MANY_EMPTY_FRAGMENTS:",
2587		},
2588		{
2589			name: "SendWarningAlerts-Pass",
2590			config: Config{
2591				MaxVersion: VersionTLS12,
2592			},
2593			sendWarningAlerts: 4,
2594		},
2595		{
2596			protocol: dtls,
2597			name:     "SendWarningAlerts-DTLS-Pass",
2598			config: Config{
2599				MaxVersion: VersionTLS12,
2600			},
2601			sendWarningAlerts: 4,
2602		},
2603		{
2604			name: "SendWarningAlerts-TLS13",
2605			config: Config{
2606				MaxVersion: VersionTLS13,
2607			},
2608			sendWarningAlerts:  4,
2609			shouldFail:         true,
2610			expectedError:      ":BAD_ALERT:",
2611			expectedLocalError: "remote error: error decoding message",
2612		},
2613		{
2614			name: "SendWarningAlerts",
2615			config: Config{
2616				MaxVersion: VersionTLS12,
2617			},
2618			sendWarningAlerts: 5,
2619			shouldFail:        true,
2620			expectedError:     ":TOO_MANY_WARNING_ALERTS:",
2621		},
2622		{
2623			name: "SendWarningAlerts-Async",
2624			config: Config{
2625				MaxVersion: VersionTLS12,
2626			},
2627			sendWarningAlerts: 5,
2628			flags:             []string{"-async"},
2629			shouldFail:        true,
2630			expectedError:     ":TOO_MANY_WARNING_ALERTS:",
2631		},
2632		{
2633			name:               "SendBogusAlertType",
2634			sendBogusAlertType: true,
2635			shouldFail:         true,
2636			expectedError:      ":UNKNOWN_ALERT_TYPE:",
2637			expectedLocalError: "remote error: illegal parameter",
2638		},
2639		{
2640			protocol:           dtls,
2641			name:               "SendBogusAlertType-DTLS",
2642			sendBogusAlertType: true,
2643			shouldFail:         true,
2644			expectedError:      ":UNKNOWN_ALERT_TYPE:",
2645			expectedLocalError: "remote error: illegal parameter",
2646		},
2647		{
2648			name: "TooManyKeyUpdates",
2649			config: Config{
2650				MaxVersion: VersionTLS13,
2651			},
2652			sendKeyUpdates:   33,
2653			keyUpdateRequest: keyUpdateNotRequested,
2654			shouldFail:       true,
2655			expectedError:    ":TOO_MANY_KEY_UPDATES:",
2656		},
2657		{
2658			name: "EmptySessionID",
2659			config: Config{
2660				MaxVersion:             VersionTLS12,
2661				SessionTicketsDisabled: true,
2662			},
2663			noSessionCache: true,
2664			flags:          []string{"-expect-no-session"},
2665		},
2666		{
2667			name: "Unclean-Shutdown",
2668			config: Config{
2669				Bugs: ProtocolBugs{
2670					NoCloseNotify:     true,
2671					ExpectCloseNotify: true,
2672				},
2673			},
2674			shimShutsDown: true,
2675			flags:         []string{"-check-close-notify"},
2676			shouldFail:    true,
2677			expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2678		},
2679		{
2680			name: "Unclean-Shutdown-Ignored",
2681			config: Config{
2682				Bugs: ProtocolBugs{
2683					NoCloseNotify: true,
2684				},
2685			},
2686			shimShutsDown: true,
2687		},
2688		{
2689			name: "Unclean-Shutdown-Alert",
2690			config: Config{
2691				Bugs: ProtocolBugs{
2692					SendAlertOnShutdown: alertDecompressionFailure,
2693					ExpectCloseNotify:   true,
2694				},
2695			},
2696			shimShutsDown: true,
2697			flags:         []string{"-check-close-notify"},
2698			shouldFail:    true,
2699			expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2700		},
2701		{
2702			name: "LargePlaintext",
2703			config: Config{
2704				Bugs: ProtocolBugs{
2705					SendLargeRecords: true,
2706				},
2707			},
2708			messageLen:         maxPlaintext + 1,
2709			shouldFail:         true,
2710			expectedError:      ":DATA_LENGTH_TOO_LONG:",
2711			expectedLocalError: "remote error: record overflow",
2712		},
2713		{
2714			protocol: dtls,
2715			name:     "LargePlaintext-DTLS",
2716			config: Config{
2717				Bugs: ProtocolBugs{
2718					SendLargeRecords: true,
2719				},
2720			},
2721			messageLen:         maxPlaintext + 1,
2722			shouldFail:         true,
2723			expectedError:      ":DATA_LENGTH_TOO_LONG:",
2724			expectedLocalError: "remote error: record overflow",
2725		},
2726		{
2727			name: "LargePlaintext-TLS13-Padded-8192-8192",
2728			config: Config{
2729				MinVersion: VersionTLS13,
2730				MaxVersion: VersionTLS13,
2731				Bugs: ProtocolBugs{
2732					RecordPadding:    8192,
2733					SendLargeRecords: true,
2734				},
2735			},
2736			messageLen: 8192,
2737		},
2738		{
2739			name: "LargePlaintext-TLS13-Padded-8193-8192",
2740			config: Config{
2741				MinVersion: VersionTLS13,
2742				MaxVersion: VersionTLS13,
2743				Bugs: ProtocolBugs{
2744					RecordPadding:    8193,
2745					SendLargeRecords: true,
2746				},
2747			},
2748			messageLen:         8192,
2749			shouldFail:         true,
2750			expectedError:      ":DATA_LENGTH_TOO_LONG:",
2751			expectedLocalError: "remote error: record overflow",
2752		},
2753		{
2754			name: "LargePlaintext-TLS13-Padded-16383-1",
2755			config: Config{
2756				MinVersion: VersionTLS13,
2757				MaxVersion: VersionTLS13,
2758				Bugs: ProtocolBugs{
2759					RecordPadding:    1,
2760					SendLargeRecords: true,
2761				},
2762			},
2763			messageLen: 16383,
2764		},
2765		{
2766			name: "LargePlaintext-TLS13-Padded-16384-1",
2767			config: Config{
2768				MinVersion: VersionTLS13,
2769				MaxVersion: VersionTLS13,
2770				Bugs: ProtocolBugs{
2771					RecordPadding:    1,
2772					SendLargeRecords: true,
2773				},
2774			},
2775			messageLen:         16384,
2776			shouldFail:         true,
2777			expectedError:      ":DATA_LENGTH_TOO_LONG:",
2778			expectedLocalError: "remote error: record overflow",
2779		},
2780		{
2781			name: "LargeCiphertext",
2782			config: Config{
2783				Bugs: ProtocolBugs{
2784					SendLargeRecords: true,
2785				},
2786			},
2787			messageLen:    maxPlaintext * 2,
2788			shouldFail:    true,
2789			expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2790		},
2791		{
2792			protocol: dtls,
2793			name:     "LargeCiphertext-DTLS",
2794			config: Config{
2795				Bugs: ProtocolBugs{
2796					SendLargeRecords: true,
2797				},
2798			},
2799			messageLen: maxPlaintext * 2,
2800			// Unlike the other four cases, DTLS drops records which
2801			// are invalid before authentication, so the connection
2802			// does not fail.
2803			expectMessageDropped: true,
2804		},
2805		{
2806			name:        "BadHelloRequest-1",
2807			renegotiate: 1,
2808			config: Config{
2809				MaxVersion: VersionTLS12,
2810				Bugs: ProtocolBugs{
2811					BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2812				},
2813			},
2814			flags: []string{
2815				"-renegotiate-freely",
2816				"-expect-total-renegotiations", "1",
2817			},
2818			shouldFail:    true,
2819			expectedError: ":BAD_HELLO_REQUEST:",
2820		},
2821		{
2822			name:        "BadHelloRequest-2",
2823			renegotiate: 1,
2824			config: Config{
2825				MaxVersion: VersionTLS12,
2826				Bugs: ProtocolBugs{
2827					BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2828				},
2829			},
2830			flags: []string{
2831				"-renegotiate-freely",
2832				"-expect-total-renegotiations", "1",
2833			},
2834			shouldFail:    true,
2835			expectedError: ":BAD_HELLO_REQUEST:",
2836		},
2837		{
2838			testType: serverTest,
2839			name:     "SupportTicketsWithSessionID",
2840			config: Config{
2841				MaxVersion:             VersionTLS12,
2842				SessionTicketsDisabled: true,
2843			},
2844			resumeConfig: &Config{
2845				MaxVersion: VersionTLS12,
2846			},
2847			resumeSession: true,
2848		},
2849		{
2850			protocol: dtls,
2851			name:     "DTLS-SendExtraFinished",
2852			config: Config{
2853				Bugs: ProtocolBugs{
2854					SendExtraFinished: true,
2855				},
2856			},
2857			shouldFail:    true,
2858			expectedError: ":UNEXPECTED_RECORD:",
2859		},
2860		{
2861			protocol: dtls,
2862			name:     "DTLS-SendExtraFinished-Reordered",
2863			config: Config{
2864				Bugs: ProtocolBugs{
2865					MaxHandshakeRecordLength:  2,
2866					ReorderHandshakeFragments: true,
2867					SendExtraFinished:         true,
2868				},
2869			},
2870			shouldFail:    true,
2871			expectedError: ":UNEXPECTED_RECORD:",
2872		},
2873		{
2874			testType: serverTest,
2875			name:     "V2ClientHello-EmptyRecordPrefix",
2876			config: Config{
2877				// Choose a cipher suite that does not involve
2878				// elliptic curves, so no extensions are
2879				// involved.
2880				MaxVersion:   VersionTLS12,
2881				CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
2882				Bugs: ProtocolBugs{
2883					SendV2ClientHello: true,
2884				},
2885			},
2886			sendPrefix: string([]byte{
2887				byte(recordTypeHandshake),
2888				3, 1, // version
2889				0, 0, // length
2890			}),
2891			// A no-op empty record may not be sent before V2ClientHello.
2892			shouldFail:    true,
2893			expectedError: ":WRONG_VERSION_NUMBER:",
2894		},
2895		{
2896			testType: serverTest,
2897			name:     "V2ClientHello-WarningAlertPrefix",
2898			config: Config{
2899				// Choose a cipher suite that does not involve
2900				// elliptic curves, so no extensions are
2901				// involved.
2902				MaxVersion:   VersionTLS12,
2903				CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
2904				Bugs: ProtocolBugs{
2905					SendV2ClientHello: true,
2906				},
2907			},
2908			sendPrefix: string([]byte{
2909				byte(recordTypeAlert),
2910				3, 1, // version
2911				0, 2, // length
2912				alertLevelWarning, byte(alertDecompressionFailure),
2913			}),
2914			// A no-op warning alert may not be sent before V2ClientHello.
2915			shouldFail:    true,
2916			expectedError: ":WRONG_VERSION_NUMBER:",
2917		},
2918		{
2919			name: "KeyUpdate-ToClient",
2920			config: Config{
2921				MaxVersion: VersionTLS13,
2922			},
2923			sendKeyUpdates:   1,
2924			keyUpdateRequest: keyUpdateNotRequested,
2925		},
2926		{
2927			testType: serverTest,
2928			name:     "KeyUpdate-ToServer",
2929			config: Config{
2930				MaxVersion: VersionTLS13,
2931			},
2932			sendKeyUpdates:   1,
2933			keyUpdateRequest: keyUpdateNotRequested,
2934		},
2935		{
2936			name: "KeyUpdate-FromClient",
2937			config: Config{
2938				MaxVersion: VersionTLS13,
2939			},
2940			expectUnsolicitedKeyUpdate: true,
2941			flags:                      []string{"-key-update"},
2942		},
2943		{
2944			testType: serverTest,
2945			name:     "KeyUpdate-FromServer",
2946			config: Config{
2947				MaxVersion: VersionTLS13,
2948			},
2949			expectUnsolicitedKeyUpdate: true,
2950			flags:                      []string{"-key-update"},
2951		},
2952		{
2953			name: "KeyUpdate-InvalidRequestMode",
2954			config: Config{
2955				MaxVersion: VersionTLS13,
2956			},
2957			sendKeyUpdates:   1,
2958			keyUpdateRequest: 42,
2959			shouldFail:       true,
2960			expectedError:    ":DECODE_ERROR:",
2961		},
2962		{
2963			// Test that KeyUpdates are acknowledged properly.
2964			name: "KeyUpdate-RequestACK",
2965			config: Config{
2966				MaxVersion: VersionTLS13,
2967				Bugs: ProtocolBugs{
2968					RejectUnsolicitedKeyUpdate: true,
2969				},
2970			},
2971			// Test the shim receiving many KeyUpdates in a row.
2972			sendKeyUpdates:   5,
2973			messageCount:     5,
2974			keyUpdateRequest: keyUpdateRequested,
2975		},
2976		{
2977			// Test that KeyUpdates are acknowledged properly if the
2978			// peer's KeyUpdate is discovered while a write is
2979			// pending.
2980			name: "KeyUpdate-RequestACK-UnfinishedWrite",
2981			config: Config{
2982				MaxVersion: VersionTLS13,
2983				Bugs: ProtocolBugs{
2984					RejectUnsolicitedKeyUpdate: true,
2985				},
2986			},
2987			// Test the shim receiving many KeyUpdates in a row.
2988			sendKeyUpdates:          5,
2989			messageCount:            5,
2990			keyUpdateRequest:        keyUpdateRequested,
2991			readWithUnfinishedWrite: true,
2992			flags:                   []string{"-async"},
2993		},
2994		{
2995			name: "SendSNIWarningAlert",
2996			config: Config{
2997				MaxVersion: VersionTLS12,
2998				Bugs: ProtocolBugs{
2999					SendSNIWarningAlert: true,
3000				},
3001			},
3002		},
3003		{
3004			testType: serverTest,
3005			name:     "ExtraCompressionMethods-TLS12",
3006			config: Config{
3007				MaxVersion: VersionTLS12,
3008				Bugs: ProtocolBugs{
3009					SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
3010				},
3011			},
3012		},
3013		{
3014			testType: serverTest,
3015			name:     "ExtraCompressionMethods-TLS13",
3016			config: Config{
3017				MaxVersion: VersionTLS13,
3018				Bugs: ProtocolBugs{
3019					SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
3020				},
3021			},
3022			shouldFail:         true,
3023			expectedError:      ":INVALID_COMPRESSION_LIST:",
3024			expectedLocalError: "remote error: illegal parameter",
3025		},
3026		{
3027			testType: serverTest,
3028			name:     "NoNullCompression-TLS12",
3029			config: Config{
3030				MaxVersion: VersionTLS12,
3031				Bugs: ProtocolBugs{
3032					SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
3033				},
3034			},
3035			shouldFail:         true,
3036			expectedError:      ":INVALID_COMPRESSION_LIST:",
3037			expectedLocalError: "remote error: illegal parameter",
3038		},
3039		{
3040			testType: serverTest,
3041			name:     "NoNullCompression-TLS13",
3042			config: Config{
3043				MaxVersion: VersionTLS13,
3044				Bugs: ProtocolBugs{
3045					SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
3046				},
3047			},
3048			shouldFail:         true,
3049			expectedError:      ":INVALID_COMPRESSION_LIST:",
3050			expectedLocalError: "remote error: illegal parameter",
3051		},
3052		// Test that the client rejects invalid compression methods
3053		// from the server.
3054		{
3055			testType: clientTest,
3056			name:     "InvalidCompressionMethod",
3057			config: Config{
3058				MaxVersion: VersionTLS12,
3059				Bugs: ProtocolBugs{
3060					SendCompressionMethod: 1,
3061				},
3062			},
3063			shouldFail:         true,
3064			expectedError:      ":UNSUPPORTED_COMPRESSION_ALGORITHM:",
3065			expectedLocalError: "remote error: illegal parameter",
3066		},
3067		{
3068			testType: clientTest,
3069			name:     "TLS13-InvalidCompressionMethod",
3070			config: Config{
3071				MaxVersion: VersionTLS13,
3072				Bugs: ProtocolBugs{
3073					SendCompressionMethod: 1,
3074				},
3075			},
3076			shouldFail:    true,
3077			expectedError: ":DECODE_ERROR:",
3078		},
3079		{
3080			testType: clientTest,
3081			name:     "TLS13-HRR-InvalidCompressionMethod",
3082			config: Config{
3083				MaxVersion:       VersionTLS13,
3084				CurvePreferences: []CurveID{CurveP384},
3085				Bugs: ProtocolBugs{
3086					SendCompressionMethod: 1,
3087				},
3088			},
3089			shouldFail:         true,
3090			expectedError:      ":DECODE_ERROR:",
3091			expectedLocalError: "remote error: error decoding message",
3092		},
3093		{
3094			name: "GREASE-Client-TLS12",
3095			config: Config{
3096				MaxVersion: VersionTLS12,
3097				Bugs: ProtocolBugs{
3098					ExpectGREASE: true,
3099				},
3100			},
3101			flags: []string{"-enable-grease"},
3102		},
3103		{
3104			name: "GREASE-Client-TLS13",
3105			config: Config{
3106				MaxVersion: VersionTLS13,
3107				Bugs: ProtocolBugs{
3108					ExpectGREASE: true,
3109				},
3110			},
3111			flags: []string{"-enable-grease"},
3112		},
3113		{
3114			testType: serverTest,
3115			name:     "GREASE-Server-TLS13",
3116			config: Config{
3117				MaxVersion: VersionTLS13,
3118				Bugs: ProtocolBugs{
3119					// TLS 1.3 servers are expected to
3120					// always enable GREASE. TLS 1.3 is new,
3121					// so there is no existing ecosystem to
3122					// worry about.
3123					ExpectGREASE: true,
3124				},
3125			},
3126		},
3127		{
3128			// Test the TLS 1.2 server so there is a large
3129			// unencrypted certificate as well as application data.
3130			testType: serverTest,
3131			name:     "MaxSendFragment-TLS12",
3132			config: Config{
3133				MaxVersion: VersionTLS12,
3134				Bugs: ProtocolBugs{
3135					MaxReceivePlaintext: 512,
3136				},
3137			},
3138			messageLen: 1024,
3139			flags: []string{
3140				"-max-send-fragment", "512",
3141				"-read-size", "1024",
3142			},
3143		},
3144		{
3145			// Test the TLS 1.2 server so there is a large
3146			// unencrypted certificate as well as application data.
3147			testType: serverTest,
3148			name:     "MaxSendFragment-TLS12-TooLarge",
3149			config: Config{
3150				MaxVersion: VersionTLS12,
3151				Bugs: ProtocolBugs{
3152					// Ensure that some of the records are
3153					// 512.
3154					MaxReceivePlaintext: 511,
3155				},
3156			},
3157			messageLen: 1024,
3158			flags: []string{
3159				"-max-send-fragment", "512",
3160				"-read-size", "1024",
3161			},
3162			shouldFail:         true,
3163			expectedLocalError: "local error: record overflow",
3164		},
3165		{
3166			// Test the TLS 1.3 server so there is a large encrypted
3167			// certificate as well as application data.
3168			testType: serverTest,
3169			name:     "MaxSendFragment-TLS13",
3170			config: Config{
3171				MaxVersion: VersionTLS13,
3172				Bugs: ProtocolBugs{
3173					MaxReceivePlaintext:            512,
3174					ExpectPackedEncryptedHandshake: 512,
3175				},
3176			},
3177			messageLen: 1024,
3178			flags: []string{
3179				"-max-send-fragment", "512",
3180				"-read-size", "1024",
3181			},
3182		},
3183		{
3184			// Test the TLS 1.3 server so there is a large encrypted
3185			// certificate as well as application data.
3186			testType: serverTest,
3187			name:     "MaxSendFragment-TLS13-TooLarge",
3188			config: Config{
3189				MaxVersion: VersionTLS13,
3190				Bugs: ProtocolBugs{
3191					// Ensure that some of the records are
3192					// 512.
3193					MaxReceivePlaintext: 511,
3194				},
3195			},
3196			messageLen: 1024,
3197			flags: []string{
3198				"-max-send-fragment", "512",
3199				"-read-size", "1024",
3200			},
3201			shouldFail:         true,
3202			expectedLocalError: "local error: record overflow",
3203		},
3204		{
3205			// Test that handshake data is tightly packed in TLS 1.3.
3206			testType: serverTest,
3207			name:     "PackedEncryptedHandshake-TLS13",
3208			config: Config{
3209				MaxVersion: VersionTLS13,
3210				Bugs: ProtocolBugs{
3211					ExpectPackedEncryptedHandshake: 16384,
3212				},
3213			},
3214		},
3215		{
3216			// Test that DTLS can handle multiple application data
3217			// records in a single packet.
3218			protocol: dtls,
3219			name:     "SplitAndPackAppData-DTLS",
3220			config: Config{
3221				Bugs: ProtocolBugs{
3222					SplitAndPackAppData: true,
3223				},
3224			},
3225		},
3226		{
3227			protocol: dtls,
3228			name:     "SplitAndPackAppData-DTLS-Async",
3229			config: Config{
3230				Bugs: ProtocolBugs{
3231					SplitAndPackAppData: true,
3232				},
3233			},
3234			flags: []string{"-async"},
3235		},
3236	}
3237	testCases = append(testCases, basicTests...)
3238
3239	// Test that very large messages can be received.
3240	cert := rsaCertificate
3241	for i := 0; i < 50; i++ {
3242		cert.Certificate = append(cert.Certificate, cert.Certificate[0])
3243	}
3244	testCases = append(testCases, testCase{
3245		name: "LargeMessage",
3246		config: Config{
3247			Certificates: []Certificate{cert},
3248		},
3249	})
3250	testCases = append(testCases, testCase{
3251		protocol: dtls,
3252		name:     "LargeMessage-DTLS",
3253		config: Config{
3254			Certificates: []Certificate{cert},
3255		},
3256	})
3257
3258	// They are rejected if the maximum certificate chain length is capped.
3259	testCases = append(testCases, testCase{
3260		name: "LargeMessage-Reject",
3261		config: Config{
3262			Certificates: []Certificate{cert},
3263		},
3264		flags:         []string{"-max-cert-list", "16384"},
3265		shouldFail:    true,
3266		expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
3267	})
3268	testCases = append(testCases, testCase{
3269		protocol: dtls,
3270		name:     "LargeMessage-Reject-DTLS",
3271		config: Config{
3272			Certificates: []Certificate{cert},
3273		},
3274		flags:         []string{"-max-cert-list", "16384"},
3275		shouldFail:    true,
3276		expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
3277	})
3278
3279	// Servers echoing the TLS 1.3 compatibility mode session ID should be
3280	// rejected.
3281	testCases = append(testCases, testCase{
3282		name: "EchoTLS13CompatibilitySessionID",
3283		config: Config{
3284			MaxVersion: VersionTLS12,
3285			Bugs: ProtocolBugs{
3286				EchoSessionIDInFullHandshake: true,
3287			},
3288		},
3289		shouldFail:         true,
3290		expectedError:      ":SERVER_ECHOED_INVALID_SESSION_ID:",
3291		expectedLocalError: "remote error: illegal parameter",
3292	})
3293}
3294
3295func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
3296	const psk = "12345"
3297	const pskIdentity = "luggage combo"
3298
3299	var prefix string
3300	if protocol == dtls {
3301		if !ver.hasDTLS {
3302			return
3303		}
3304		prefix = "D"
3305	}
3306
3307	var cert Certificate
3308	var certFile string
3309	var keyFile string
3310	if hasComponent(suite.name, "ECDSA") {
3311		cert = ecdsaP256Certificate
3312		certFile = ecdsaP256CertificateFile
3313		keyFile = ecdsaP256KeyFile
3314	} else {
3315		cert = rsaCertificate
3316		certFile = rsaCertificateFile
3317		keyFile = rsaKeyFile
3318	}
3319
3320	var flags []string
3321	if hasComponent(suite.name, "PSK") {
3322		flags = append(flags,
3323			"-psk", psk,
3324			"-psk-identity", pskIdentity)
3325	}
3326	if hasComponent(suite.name, "NULL") {
3327		// NULL ciphers must be explicitly enabled.
3328		flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
3329	}
3330
3331	var shouldFail bool
3332	if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
3333		shouldFail = true
3334	}
3335	if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
3336		shouldFail = true
3337	}
3338	if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
3339		shouldFail = true
3340	}
3341
3342	var sendCipherSuite uint16
3343	var expectedServerError, expectedClientError string
3344	serverCipherSuites := []uint16{suite.id}
3345	if shouldFail {
3346		expectedServerError = ":NO_SHARED_CIPHER:"
3347		expectedClientError = ":WRONG_CIPHER_RETURNED:"
3348		// Configure the server to select ciphers as normal but
3349		// select an incompatible cipher in ServerHello.
3350		serverCipherSuites = nil
3351		sendCipherSuite = suite.id
3352	}
3353
3354	// Verify exporters interoperate.
3355	exportKeyingMaterial := 1024
3356
3357	testCases = append(testCases, testCase{
3358		testType: serverTest,
3359		protocol: protocol,
3360		name:     prefix + ver.name + "-" + suite.name + "-server",
3361		config: Config{
3362			MinVersion:           ver.version,
3363			MaxVersion:           ver.version,
3364			CipherSuites:         []uint16{suite.id},
3365			Certificates:         []Certificate{cert},
3366			PreSharedKey:         []byte(psk),
3367			PreSharedKeyIdentity: pskIdentity,
3368			Bugs: ProtocolBugs{
3369				AdvertiseAllConfiguredCiphers: true,
3370			},
3371		},
3372		certFile:             certFile,
3373		keyFile:              keyFile,
3374		flags:                flags,
3375		resumeSession:        true,
3376		shouldFail:           shouldFail,
3377		expectedError:        expectedServerError,
3378		exportKeyingMaterial: exportKeyingMaterial,
3379	})
3380
3381	testCases = append(testCases, testCase{
3382		testType: clientTest,
3383		protocol: protocol,
3384		name:     prefix + ver.name + "-" + suite.name + "-client",
3385		config: Config{
3386			MinVersion:           ver.version,
3387			MaxVersion:           ver.version,
3388			CipherSuites:         serverCipherSuites,
3389			Certificates:         []Certificate{cert},
3390			PreSharedKey:         []byte(psk),
3391			PreSharedKeyIdentity: pskIdentity,
3392			Bugs: ProtocolBugs{
3393				IgnorePeerCipherPreferences: shouldFail,
3394				SendCipherSuite:             sendCipherSuite,
3395			},
3396		},
3397		flags:                flags,
3398		resumeSession:        true,
3399		shouldFail:           shouldFail,
3400		expectedError:        expectedClientError,
3401		exportKeyingMaterial: exportKeyingMaterial,
3402	})
3403
3404	if shouldFail {
3405		return
3406	}
3407
3408	// Ensure the maximum record size is accepted.
3409	testCases = append(testCases, testCase{
3410		protocol: protocol,
3411		name:     prefix + ver.name + "-" + suite.name + "-LargeRecord",
3412		config: Config{
3413			MinVersion:           ver.version,
3414			MaxVersion:           ver.version,
3415			CipherSuites:         []uint16{suite.id},
3416			Certificates:         []Certificate{cert},
3417			PreSharedKey:         []byte(psk),
3418			PreSharedKeyIdentity: pskIdentity,
3419		},
3420		flags:      flags,
3421		messageLen: maxPlaintext,
3422	})
3423
3424	// Test bad records for all ciphers. Bad records are fatal in TLS
3425	// and ignored in DTLS.
3426	shouldFail = protocol == tls
3427	var expectedError string
3428	if shouldFail {
3429		expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
3430	}
3431
3432	testCases = append(testCases, testCase{
3433		protocol: protocol,
3434		name:     prefix + ver.name + "-" + suite.name + "-BadRecord",
3435		config: Config{
3436			MinVersion:           ver.version,
3437			MaxVersion:           ver.version,
3438			CipherSuites:         []uint16{suite.id},
3439			Certificates:         []Certificate{cert},
3440			PreSharedKey:         []byte(psk),
3441			PreSharedKeyIdentity: pskIdentity,
3442		},
3443		flags:            flags,
3444		damageFirstWrite: true,
3445		messageLen:       maxPlaintext,
3446		shouldFail:       shouldFail,
3447		expectedError:    expectedError,
3448	})
3449}
3450
3451func addCipherSuiteTests() {
3452	const bogusCipher = 0xfe00
3453
3454	for _, suite := range testCipherSuites {
3455		for _, ver := range tlsVersions {
3456			for _, protocol := range []protocol{tls, dtls} {
3457				addTestForCipherSuite(suite, ver, protocol)
3458			}
3459		}
3460	}
3461
3462	testCases = append(testCases, testCase{
3463		name: "NoSharedCipher",
3464		config: Config{
3465			MaxVersion:   VersionTLS12,
3466			CipherSuites: []uint16{},
3467		},
3468		shouldFail:    true,
3469		expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
3470	})
3471
3472	testCases = append(testCases, testCase{
3473		name: "NoSharedCipher-TLS13",
3474		config: Config{
3475			MaxVersion:   VersionTLS13,
3476			CipherSuites: []uint16{},
3477		},
3478		shouldFail:    true,
3479		expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
3480	})
3481
3482	testCases = append(testCases, testCase{
3483		name: "UnsupportedCipherSuite",
3484		config: Config{
3485			MaxVersion:   VersionTLS12,
3486			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
3487			Bugs: ProtocolBugs{
3488				IgnorePeerCipherPreferences: true,
3489			},
3490		},
3491		flags:         []string{"-cipher", "DEFAULT:!AES"},
3492		shouldFail:    true,
3493		expectedError: ":WRONG_CIPHER_RETURNED:",
3494	})
3495
3496	testCases = append(testCases, testCase{
3497		name: "ServerHelloBogusCipher",
3498		config: Config{
3499			MaxVersion: VersionTLS12,
3500			Bugs: ProtocolBugs{
3501				SendCipherSuite: bogusCipher,
3502			},
3503		},
3504		shouldFail:    true,
3505		expectedError: ":UNKNOWN_CIPHER_RETURNED:",
3506	})
3507	testCases = append(testCases, testCase{
3508		name: "ServerHelloBogusCipher-TLS13",
3509		config: Config{
3510			MaxVersion: VersionTLS13,
3511			Bugs: ProtocolBugs{
3512				SendCipherSuite: bogusCipher,
3513			},
3514		},
3515		shouldFail:    true,
3516		expectedError: ":WRONG_CIPHER_RETURNED:",
3517	})
3518
3519	// The server must be tolerant to bogus ciphers.
3520	testCases = append(testCases, testCase{
3521		testType: serverTest,
3522		name:     "UnknownCipher",
3523		config: Config{
3524			MaxVersion:   VersionTLS12,
3525			CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3526			Bugs: ProtocolBugs{
3527				AdvertiseAllConfiguredCiphers: true,
3528			},
3529		},
3530	})
3531
3532	// The server must be tolerant to bogus ciphers.
3533	testCases = append(testCases, testCase{
3534		testType: serverTest,
3535		name:     "UnknownCipher-TLS13",
3536		config: Config{
3537			MaxVersion:   VersionTLS13,
3538			CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
3539			Bugs: ProtocolBugs{
3540				AdvertiseAllConfiguredCiphers: true,
3541			},
3542		},
3543	})
3544
3545	// Test empty ECDHE_PSK identity hints work as expected.
3546	testCases = append(testCases, testCase{
3547		name: "EmptyECDHEPSKHint",
3548		config: Config{
3549			MaxVersion:   VersionTLS12,
3550			CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3551			PreSharedKey: []byte("secret"),
3552		},
3553		flags: []string{"-psk", "secret"},
3554	})
3555
3556	// Test empty PSK identity hints work as expected, even if an explicit
3557	// ServerKeyExchange is sent.
3558	testCases = append(testCases, testCase{
3559		name: "ExplicitEmptyPSKHint",
3560		config: Config{
3561			MaxVersion:   VersionTLS12,
3562			CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3563			PreSharedKey: []byte("secret"),
3564			Bugs: ProtocolBugs{
3565				AlwaysSendPreSharedKeyIdentityHint: true,
3566			},
3567		},
3568		flags: []string{"-psk", "secret"},
3569	})
3570
3571	// Test that clients enforce that the server-sent certificate and cipher
3572	// suite match in TLS 1.2.
3573	testCases = append(testCases, testCase{
3574		name: "CertificateCipherMismatch-RSA",
3575		config: Config{
3576			MaxVersion:   VersionTLS12,
3577			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3578			Certificates: []Certificate{rsaCertificate},
3579			Bugs: ProtocolBugs{
3580				SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
3581			},
3582		},
3583		shouldFail:    true,
3584		expectedError: ":WRONG_CERTIFICATE_TYPE:",
3585	})
3586	testCases = append(testCases, testCase{
3587		name: "CertificateCipherMismatch-ECDSA",
3588		config: Config{
3589			MaxVersion:   VersionTLS12,
3590			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3591			Certificates: []Certificate{ecdsaP256Certificate},
3592			Bugs: ProtocolBugs{
3593				SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3594			},
3595		},
3596		shouldFail:    true,
3597		expectedError: ":WRONG_CERTIFICATE_TYPE:",
3598	})
3599	testCases = append(testCases, testCase{
3600		name: "CertificateCipherMismatch-Ed25519",
3601		config: Config{
3602			MaxVersion:   VersionTLS12,
3603			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3604			Certificates: []Certificate{ed25519Certificate},
3605			Bugs: ProtocolBugs{
3606				SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3607			},
3608		},
3609		shouldFail:    true,
3610		expectedError: ":WRONG_CERTIFICATE_TYPE:",
3611	})
3612
3613	// Test that servers decline to select a cipher suite which is
3614	// inconsistent with their configured certificate.
3615	testCases = append(testCases, testCase{
3616		testType: serverTest,
3617		name:     "ServerCipherFilter-RSA",
3618		config: Config{
3619			MaxVersion:   VersionTLS12,
3620			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3621		},
3622		flags: []string{
3623			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3624			"-key-file", path.Join(*resourceDir, rsaKeyFile),
3625		},
3626		shouldFail:    true,
3627		expectedError: ":NO_SHARED_CIPHER:",
3628	})
3629	testCases = append(testCases, testCase{
3630		testType: serverTest,
3631		name:     "ServerCipherFilter-ECDSA",
3632		config: Config{
3633			MaxVersion:   VersionTLS12,
3634			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3635		},
3636		flags: []string{
3637			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3638			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3639		},
3640		shouldFail:    true,
3641		expectedError: ":NO_SHARED_CIPHER:",
3642	})
3643	testCases = append(testCases, testCase{
3644		testType: serverTest,
3645		name:     "ServerCipherFilter-Ed25519",
3646		config: Config{
3647			MaxVersion:   VersionTLS12,
3648			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3649		},
3650		flags: []string{
3651			"-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
3652			"-key-file", path.Join(*resourceDir, ed25519KeyFile),
3653		},
3654		shouldFail:    true,
3655		expectedError: ":NO_SHARED_CIPHER:",
3656	})
3657
3658	// Test cipher suite negotiation works as expected. Configure a
3659	// complicated cipher suite configuration.
3660	const negotiationTestCiphers = "" +
3661		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:" +
3662		"[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]:" +
3663		"TLS_RSA_WITH_AES_128_GCM_SHA256:" +
3664		"TLS_RSA_WITH_AES_128_CBC_SHA:" +
3665		"[TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA]"
3666	negotiationTests := []struct {
3667		ciphers  []uint16
3668		expected uint16
3669	}{
3670		// Server preferences are honored, including when
3671		// equipreference groups are involved.
3672		{
3673			[]uint16{
3674				TLS_RSA_WITH_AES_256_GCM_SHA384,
3675				TLS_RSA_WITH_AES_128_CBC_SHA,
3676				TLS_RSA_WITH_AES_128_GCM_SHA256,
3677				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3678				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3679			},
3680			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
3681		},
3682		{
3683			[]uint16{
3684				TLS_RSA_WITH_AES_256_GCM_SHA384,
3685				TLS_RSA_WITH_AES_128_CBC_SHA,
3686				TLS_RSA_WITH_AES_128_GCM_SHA256,
3687				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3688			},
3689			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3690		},
3691		{
3692			[]uint16{
3693				TLS_RSA_WITH_AES_256_GCM_SHA384,
3694				TLS_RSA_WITH_AES_128_CBC_SHA,
3695				TLS_RSA_WITH_AES_128_GCM_SHA256,
3696			},
3697			TLS_RSA_WITH_AES_128_GCM_SHA256,
3698		},
3699		{
3700			[]uint16{
3701				TLS_RSA_WITH_AES_256_GCM_SHA384,
3702				TLS_RSA_WITH_AES_128_CBC_SHA,
3703			},
3704			TLS_RSA_WITH_AES_128_CBC_SHA,
3705		},
3706		// Equipreference groups use the client preference.
3707		{
3708			[]uint16{
3709				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3710				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3711				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3712			},
3713			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
3714		},
3715		{
3716			[]uint16{
3717				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3718				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3719			},
3720			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3721		},
3722		{
3723			[]uint16{
3724				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3725				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3726			},
3727			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3728		},
3729		{
3730			[]uint16{
3731				TLS_RSA_WITH_AES_256_GCM_SHA384,
3732				TLS_RSA_WITH_AES_256_CBC_SHA,
3733			},
3734			TLS_RSA_WITH_AES_256_GCM_SHA384,
3735		},
3736		{
3737			[]uint16{
3738				TLS_RSA_WITH_AES_256_CBC_SHA,
3739				TLS_RSA_WITH_AES_256_GCM_SHA384,
3740			},
3741			TLS_RSA_WITH_AES_256_CBC_SHA,
3742		},
3743		// If there are two equipreference groups, the preferred one
3744		// takes precedence.
3745		{
3746			[]uint16{
3747				TLS_RSA_WITH_AES_256_GCM_SHA384,
3748				TLS_RSA_WITH_AES_256_CBC_SHA,
3749				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3750				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
3751			},
3752			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
3753		},
3754	}
3755	for i, t := range negotiationTests {
3756		testCases = append(testCases, testCase{
3757			testType: serverTest,
3758			name:     "CipherNegotiation-" + strconv.Itoa(i),
3759			config: Config{
3760				MaxVersion:   VersionTLS12,
3761				CipherSuites: t.ciphers,
3762			},
3763			flags:          []string{"-cipher", negotiationTestCiphers},
3764			expectedCipher: t.expected,
3765		})
3766	}
3767}
3768
3769func addBadECDSASignatureTests() {
3770	for badR := BadValue(1); badR < NumBadValues; badR++ {
3771		for badS := BadValue(1); badS < NumBadValues; badS++ {
3772			testCases = append(testCases, testCase{
3773				name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
3774				config: Config{
3775					MaxVersion:   VersionTLS12,
3776					CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3777					Certificates: []Certificate{ecdsaP256Certificate},
3778					Bugs: ProtocolBugs{
3779						BadECDSAR: badR,
3780						BadECDSAS: badS,
3781					},
3782				},
3783				shouldFail:    true,
3784				expectedError: ":BAD_SIGNATURE:",
3785			})
3786			testCases = append(testCases, testCase{
3787				name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
3788				config: Config{
3789					MaxVersion:   VersionTLS13,
3790					Certificates: []Certificate{ecdsaP256Certificate},
3791					Bugs: ProtocolBugs{
3792						BadECDSAR: badR,
3793						BadECDSAS: badS,
3794					},
3795				},
3796				shouldFail:    true,
3797				expectedError: ":BAD_SIGNATURE:",
3798			})
3799		}
3800	}
3801}
3802
3803func addCBCPaddingTests() {
3804	testCases = append(testCases, testCase{
3805		name: "MaxCBCPadding",
3806		config: Config{
3807			MaxVersion:   VersionTLS12,
3808			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3809			Bugs: ProtocolBugs{
3810				MaxPadding: true,
3811			},
3812		},
3813		messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
3814	})
3815	testCases = append(testCases, testCase{
3816		name: "BadCBCPadding",
3817		config: Config{
3818			MaxVersion:   VersionTLS12,
3819			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3820			Bugs: ProtocolBugs{
3821				PaddingFirstByteBad: true,
3822			},
3823		},
3824		shouldFail:    true,
3825		expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
3826	})
3827	// OpenSSL previously had an issue where the first byte of padding in
3828	// 255 bytes of padding wasn't checked.
3829	testCases = append(testCases, testCase{
3830		name: "BadCBCPadding255",
3831		config: Config{
3832			MaxVersion:   VersionTLS12,
3833			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3834			Bugs: ProtocolBugs{
3835				MaxPadding:               true,
3836				PaddingFirstByteBadIf255: true,
3837			},
3838		},
3839		messageLen:    12, // 20 bytes of SHA-1 + 12 == 0 % block size
3840		shouldFail:    true,
3841		expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
3842	})
3843}
3844
3845func addCBCSplittingTests() {
3846	var cbcCiphers = []struct {
3847		name   string
3848		cipher uint16
3849	}{
3850		{"3DES", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
3851		{"AES128", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
3852		{"AES256", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
3853	}
3854	for _, t := range cbcCiphers {
3855		testCases = append(testCases, testCase{
3856			name: "CBCRecordSplitting-" + t.name,
3857			config: Config{
3858				MaxVersion:   VersionTLS10,
3859				MinVersion:   VersionTLS10,
3860				CipherSuites: []uint16{t.cipher},
3861				Bugs: ProtocolBugs{
3862					ExpectRecordSplitting: true,
3863				},
3864			},
3865			messageLen:    -1, // read until EOF
3866			resumeSession: true,
3867			flags: []string{
3868				"-async",
3869				"-write-different-record-sizes",
3870				"-cbc-record-splitting",
3871			},
3872		})
3873		testCases = append(testCases, testCase{
3874			name: "CBCRecordSplittingPartialWrite-" + t.name,
3875			config: Config{
3876				MaxVersion:   VersionTLS10,
3877				MinVersion:   VersionTLS10,
3878				CipherSuites: []uint16{t.cipher},
3879				Bugs: ProtocolBugs{
3880					ExpectRecordSplitting: true,
3881				},
3882			},
3883			messageLen: -1, // read until EOF
3884			flags: []string{
3885				"-async",
3886				"-write-different-record-sizes",
3887				"-cbc-record-splitting",
3888				"-partial-write",
3889			},
3890		})
3891	}
3892}
3893
3894func addClientAuthTests() {
3895	// Add a dummy cert pool to stress certificate authority parsing.
3896	certPool := x509.NewCertPool()
3897	for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
3898		cert, err := x509.ParseCertificate(cert.Certificate[0])
3899		if err != nil {
3900			panic(err)
3901		}
3902		certPool.AddCert(cert)
3903	}
3904	caNames := certPool.Subjects()
3905
3906	for _, ver := range tlsVersions {
3907		testCases = append(testCases, testCase{
3908			testType: clientTest,
3909			name:     ver.name + "-Client-ClientAuth-RSA",
3910			config: Config{
3911				MinVersion: ver.version,
3912				MaxVersion: ver.version,
3913				ClientAuth: RequireAnyClientCert,
3914				ClientCAs:  certPool,
3915			},
3916			flags: []string{
3917				"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3918				"-key-file", path.Join(*resourceDir, rsaKeyFile),
3919			},
3920		})
3921		testCases = append(testCases, testCase{
3922			testType: serverTest,
3923			name:     ver.name + "-Server-ClientAuth-RSA",
3924			config: Config{
3925				MinVersion:   ver.version,
3926				MaxVersion:   ver.version,
3927				Certificates: []Certificate{rsaCertificate},
3928			},
3929			flags: []string{"-require-any-client-certificate"},
3930		})
3931		testCases = append(testCases, testCase{
3932			testType: serverTest,
3933			name:     ver.name + "-Server-ClientAuth-ECDSA",
3934			config: Config{
3935				MinVersion:   ver.version,
3936				MaxVersion:   ver.version,
3937				Certificates: []Certificate{ecdsaP256Certificate},
3938			},
3939			flags: []string{"-require-any-client-certificate"},
3940		})
3941		testCases = append(testCases, testCase{
3942			testType: clientTest,
3943			name:     ver.name + "-Client-ClientAuth-ECDSA",
3944			config: Config{
3945				MinVersion: ver.version,
3946				MaxVersion: ver.version,
3947				ClientAuth: RequireAnyClientCert,
3948				ClientCAs:  certPool,
3949			},
3950			flags: []string{
3951				"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3952				"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3953			},
3954		})
3955
3956		testCases = append(testCases, testCase{
3957			name: "NoClientCertificate-" + ver.name,
3958			config: Config{
3959				MinVersion: ver.version,
3960				MaxVersion: ver.version,
3961				ClientAuth: RequireAnyClientCert,
3962			},
3963			shouldFail:         true,
3964			expectedLocalError: "client didn't provide a certificate",
3965		})
3966
3967		testCases = append(testCases, testCase{
3968			// Even if not configured to expect a certificate, OpenSSL will
3969			// return X509_V_OK as the verify_result.
3970			testType: serverTest,
3971			name:     "NoClientCertificateRequested-Server-" + ver.name,
3972			config: Config{
3973				MinVersion: ver.version,
3974				MaxVersion: ver.version,
3975			},
3976			flags: []string{
3977				"-expect-verify-result",
3978			},
3979			resumeSession: true,
3980		})
3981
3982		testCases = append(testCases, testCase{
3983			// If a client certificate is not provided, OpenSSL will still
3984			// return X509_V_OK as the verify_result.
3985			testType: serverTest,
3986			name:     "NoClientCertificate-Server-" + ver.name,
3987			config: Config{
3988				MinVersion: ver.version,
3989				MaxVersion: ver.version,
3990			},
3991			flags: []string{
3992				"-expect-verify-result",
3993				"-verify-peer",
3994			},
3995			resumeSession: true,
3996		})
3997
3998		certificateRequired := "remote error: certificate required"
3999		if ver.version < VersionTLS13 {
4000			// Prior to TLS 1.3, the generic handshake_failure alert
4001			// was used.
4002			certificateRequired = "remote error: handshake failure"
4003		}
4004		testCases = append(testCases, testCase{
4005			testType: serverTest,
4006			name:     "RequireAnyClientCertificate-" + ver.name,
4007			config: Config{
4008				MinVersion: ver.version,
4009				MaxVersion: ver.version,
4010			},
4011			flags:              []string{"-require-any-client-certificate"},
4012			shouldFail:         true,
4013			expectedError:      ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
4014			expectedLocalError: certificateRequired,
4015		})
4016
4017		testCases = append(testCases, testCase{
4018			testType: serverTest,
4019			name:     "SkipClientCertificate-" + ver.name,
4020			config: Config{
4021				MinVersion: ver.version,
4022				MaxVersion: ver.version,
4023				Bugs: ProtocolBugs{
4024					SkipClientCertificate: true,
4025				},
4026			},
4027			// Setting SSL_VERIFY_PEER allows anonymous clients.
4028			flags:         []string{"-verify-peer"},
4029			shouldFail:    true,
4030			expectedError: ":UNEXPECTED_MESSAGE:",
4031		})
4032
4033		testCases = append(testCases, testCase{
4034			testType: serverTest,
4035			name:     "VerifyPeerIfNoOBC-NoChannelID-" + ver.name,
4036			config: Config{
4037				MinVersion: ver.version,
4038				MaxVersion: ver.version,
4039			},
4040			flags: []string{
4041				"-enable-channel-id",
4042				"-verify-peer-if-no-obc",
4043			},
4044			shouldFail:         true,
4045			expectedError:      ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
4046			expectedLocalError: certificateRequired,
4047		})
4048
4049		testCases = append(testCases, testCase{
4050			testType: serverTest,
4051			name:     "VerifyPeerIfNoOBC-ChannelID-" + ver.name,
4052			config: Config{
4053				MinVersion: ver.version,
4054				MaxVersion: ver.version,
4055				ChannelID:  channelIDKey,
4056			},
4057			expectChannelID: true,
4058			flags: []string{
4059				"-enable-channel-id",
4060				"-verify-peer-if-no-obc",
4061			},
4062		})
4063
4064		testCases = append(testCases, testCase{
4065			testType: serverTest,
4066			name:     ver.name + "-Server-CertReq-CA-List",
4067			config: Config{
4068				MinVersion:   ver.version,
4069				MaxVersion:   ver.version,
4070				Certificates: []Certificate{rsaCertificate},
4071				Bugs: ProtocolBugs{
4072					ExpectCertificateReqNames: caNames,
4073				},
4074			},
4075			flags: []string{
4076				"-require-any-client-certificate",
4077				"-use-client-ca-list", encodeDERValues(caNames),
4078			},
4079		})
4080
4081		testCases = append(testCases, testCase{
4082			testType: clientTest,
4083			name:     ver.name + "-Client-CertReq-CA-List",
4084			config: Config{
4085				MinVersion:   ver.version,
4086				MaxVersion:   ver.version,
4087				Certificates: []Certificate{rsaCertificate},
4088				ClientAuth:   RequireAnyClientCert,
4089				ClientCAs:    certPool,
4090			},
4091			flags: []string{
4092				"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4093				"-key-file", path.Join(*resourceDir, rsaKeyFile),
4094				"-expect-client-ca-list", encodeDERValues(caNames),
4095			},
4096		})
4097	}
4098
4099	// Client auth is only legal in certificate-based ciphers.
4100	testCases = append(testCases, testCase{
4101		testType: clientTest,
4102		name:     "ClientAuth-PSK",
4103		config: Config{
4104			MaxVersion:   VersionTLS12,
4105			CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4106			PreSharedKey: []byte("secret"),
4107			ClientAuth:   RequireAnyClientCert,
4108		},
4109		flags: []string{
4110			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4111			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4112			"-psk", "secret",
4113		},
4114		shouldFail:    true,
4115		expectedError: ":UNEXPECTED_MESSAGE:",
4116	})
4117	testCases = append(testCases, testCase{
4118		testType: clientTest,
4119		name:     "ClientAuth-ECDHE_PSK",
4120		config: Config{
4121			MaxVersion:   VersionTLS12,
4122			CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
4123			PreSharedKey: []byte("secret"),
4124			ClientAuth:   RequireAnyClientCert,
4125		},
4126		flags: []string{
4127			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4128			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4129			"-psk", "secret",
4130		},
4131		shouldFail:    true,
4132		expectedError: ":UNEXPECTED_MESSAGE:",
4133	})
4134
4135	// Regression test for a bug where the client CA list, if explicitly
4136	// set to NULL, was mis-encoded.
4137	testCases = append(testCases, testCase{
4138		testType: serverTest,
4139		name:     "Null-Client-CA-List",
4140		config: Config{
4141			MaxVersion:   VersionTLS12,
4142			Certificates: []Certificate{rsaCertificate},
4143			Bugs: ProtocolBugs{
4144				ExpectCertificateReqNames: [][]byte{},
4145			},
4146		},
4147		flags: []string{
4148			"-require-any-client-certificate",
4149			"-use-client-ca-list", "<NULL>",
4150		},
4151	})
4152
4153	// Test that an empty client CA list doesn't send a CA extension.
4154	testCases = append(testCases, testCase{
4155		testType: serverTest,
4156		name:     "TLS13-Empty-Client-CA-List",
4157		config: Config{
4158			MaxVersion:   VersionTLS13,
4159			Certificates: []Certificate{rsaCertificate},
4160			Bugs: ProtocolBugs{
4161				ExpectNoCertificateAuthoritiesExtension: true,
4162			},
4163		},
4164		flags: []string{
4165			"-require-any-client-certificate",
4166			"-use-client-ca-list", "<EMPTY>",
4167		},
4168	})
4169
4170}
4171
4172func addExtendedMasterSecretTests() {
4173	const expectEMSFlag = "-expect-extended-master-secret"
4174
4175	for _, with := range []bool{false, true} {
4176		prefix := "No"
4177		if with {
4178			prefix = ""
4179		}
4180
4181		for _, isClient := range []bool{false, true} {
4182			suffix := "-Server"
4183			testType := serverTest
4184			if isClient {
4185				suffix = "-Client"
4186				testType = clientTest
4187			}
4188
4189			for _, ver := range tlsVersions {
4190				// In TLS 1.3, the extension is irrelevant and
4191				// always reports as enabled.
4192				var flags []string
4193				if with || ver.version >= VersionTLS13 {
4194					flags = []string{expectEMSFlag}
4195				}
4196
4197				testCases = append(testCases, testCase{
4198					testType: testType,
4199					name:     prefix + "ExtendedMasterSecret-" + ver.name + suffix,
4200					config: Config{
4201						MinVersion: ver.version,
4202						MaxVersion: ver.version,
4203						Bugs: ProtocolBugs{
4204							NoExtendedMasterSecret:      !with,
4205							RequireExtendedMasterSecret: with,
4206						},
4207					},
4208					flags: flags,
4209				})
4210			}
4211		}
4212	}
4213
4214	for _, isClient := range []bool{false, true} {
4215		for _, supportedInFirstConnection := range []bool{false, true} {
4216			for _, supportedInResumeConnection := range []bool{false, true} {
4217				boolToWord := func(b bool) string {
4218					if b {
4219						return "Yes"
4220					}
4221					return "No"
4222				}
4223				suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
4224				if isClient {
4225					suffix += "Client"
4226				} else {
4227					suffix += "Server"
4228				}
4229
4230				supportedConfig := Config{
4231					MaxVersion: VersionTLS12,
4232					Bugs: ProtocolBugs{
4233						RequireExtendedMasterSecret: true,
4234					},
4235				}
4236
4237				noSupportConfig := Config{
4238					MaxVersion: VersionTLS12,
4239					Bugs: ProtocolBugs{
4240						NoExtendedMasterSecret: true,
4241					},
4242				}
4243
4244				test := testCase{
4245					name:          "ExtendedMasterSecret-" + suffix,
4246					resumeSession: true,
4247				}
4248
4249				if !isClient {
4250					test.testType = serverTest
4251				}
4252
4253				if supportedInFirstConnection {
4254					test.config = supportedConfig
4255				} else {
4256					test.config = noSupportConfig
4257				}
4258
4259				if supportedInResumeConnection {
4260					test.resumeConfig = &supportedConfig
4261				} else {
4262					test.resumeConfig = &noSupportConfig
4263				}
4264
4265				switch suffix {
4266				case "YesToYes-Client", "YesToYes-Server":
4267					// When a session is resumed, it should
4268					// still be aware that its master
4269					// secret was generated via EMS and
4270					// thus it's safe to use tls-unique.
4271					test.flags = []string{expectEMSFlag}
4272				case "NoToYes-Server":
4273					// If an original connection did not
4274					// contain EMS, but a resumption
4275					// handshake does, then a server should
4276					// not resume the session.
4277					test.expectResumeRejected = true
4278				case "YesToNo-Server":
4279					// Resuming an EMS session without the
4280					// EMS extension should cause the
4281					// server to abort the connection.
4282					test.shouldFail = true
4283					test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
4284				case "NoToYes-Client":
4285					// A client should abort a connection
4286					// where the server resumed a non-EMS
4287					// session but echoed the EMS
4288					// extension.
4289					test.shouldFail = true
4290					test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
4291				case "YesToNo-Client":
4292					// A client should abort a connection
4293					// where the server didn't echo EMS
4294					// when the session used it.
4295					test.shouldFail = true
4296					test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
4297				}
4298
4299				testCases = append(testCases, test)
4300			}
4301		}
4302	}
4303
4304	// Switching EMS on renegotiation is forbidden.
4305	testCases = append(testCases, testCase{
4306		name: "ExtendedMasterSecret-Renego-NoEMS",
4307		config: Config{
4308			MaxVersion: VersionTLS12,
4309			Bugs: ProtocolBugs{
4310				NoExtendedMasterSecret:                true,
4311				NoExtendedMasterSecretOnRenegotiation: true,
4312			},
4313		},
4314		renegotiate: 1,
4315		flags: []string{
4316			"-renegotiate-freely",
4317			"-expect-total-renegotiations", "1",
4318		},
4319	})
4320
4321	testCases = append(testCases, testCase{
4322		name: "ExtendedMasterSecret-Renego-Upgrade",
4323		config: Config{
4324			MaxVersion: VersionTLS12,
4325			Bugs: ProtocolBugs{
4326				NoExtendedMasterSecret: true,
4327			},
4328		},
4329		renegotiate: 1,
4330		flags: []string{
4331			"-renegotiate-freely",
4332			"-expect-total-renegotiations", "1",
4333		},
4334		shouldFail:    true,
4335		expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
4336	})
4337
4338	testCases = append(testCases, testCase{
4339		name: "ExtendedMasterSecret-Renego-Downgrade",
4340		config: Config{
4341			MaxVersion: VersionTLS12,
4342			Bugs: ProtocolBugs{
4343				NoExtendedMasterSecretOnRenegotiation: true,
4344			},
4345		},
4346		renegotiate: 1,
4347		flags: []string{
4348			"-renegotiate-freely",
4349			"-expect-total-renegotiations", "1",
4350		},
4351		shouldFail:    true,
4352		expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
4353	})
4354}
4355
4356type stateMachineTestConfig struct {
4357	protocol          protocol
4358	async             bool
4359	splitHandshake    bool
4360	packHandshake     bool
4361	implicitHandshake bool
4362}
4363
4364// Adds tests that try to cover the range of the handshake state machine, under
4365// various conditions. Some of these are redundant with other tests, but they
4366// only cover the synchronous case.
4367func addAllStateMachineCoverageTests() {
4368	for _, async := range []bool{false, true} {
4369		for _, protocol := range []protocol{tls, dtls} {
4370			addStateMachineCoverageTests(stateMachineTestConfig{
4371				protocol: protocol,
4372				async:    async,
4373			})
4374			addStateMachineCoverageTests(stateMachineTestConfig{
4375				protocol:          protocol,
4376				async:             async,
4377				implicitHandshake: true,
4378			})
4379			addStateMachineCoverageTests(stateMachineTestConfig{
4380				protocol:       protocol,
4381				async:          async,
4382				splitHandshake: true,
4383			})
4384			addStateMachineCoverageTests(stateMachineTestConfig{
4385				protocol:      protocol,
4386				async:         async,
4387				packHandshake: true,
4388			})
4389		}
4390	}
4391}
4392
4393func addStateMachineCoverageTests(config stateMachineTestConfig) {
4394	var tests []testCase
4395
4396	// Basic handshake, with resumption. Client and server,
4397	// session ID and session ticket.
4398	tests = append(tests, testCase{
4399		name: "Basic-Client",
4400		config: Config{
4401			MaxVersion: VersionTLS12,
4402		},
4403		resumeSession: true,
4404		// Ensure session tickets are used, not session IDs.
4405		noSessionCache: true,
4406	})
4407	tests = append(tests, testCase{
4408		name: "Basic-Client-RenewTicket",
4409		config: Config{
4410			MaxVersion: VersionTLS12,
4411			Bugs: ProtocolBugs{
4412				RenewTicketOnResume: true,
4413			},
4414		},
4415		flags:                []string{"-expect-ticket-renewal"},
4416		resumeSession:        true,
4417		resumeRenewedSession: true,
4418	})
4419	tests = append(tests, testCase{
4420		name: "Basic-Client-NoTicket",
4421		config: Config{
4422			MaxVersion:             VersionTLS12,
4423			SessionTicketsDisabled: true,
4424		},
4425		resumeSession: true,
4426	})
4427	tests = append(tests, testCase{
4428		testType: serverTest,
4429		name:     "Basic-Server",
4430		config: Config{
4431			MaxVersion: VersionTLS12,
4432			Bugs: ProtocolBugs{
4433				RequireSessionTickets: true,
4434			},
4435		},
4436		resumeSession: true,
4437		flags:         []string{"-expect-no-session-id"},
4438	})
4439	tests = append(tests, testCase{
4440		testType: serverTest,
4441		name:     "Basic-Server-NoTickets",
4442		config: Config{
4443			MaxVersion:             VersionTLS12,
4444			SessionTicketsDisabled: true,
4445		},
4446		resumeSession: true,
4447		flags:         []string{"-expect-session-id"},
4448	})
4449	tests = append(tests, testCase{
4450		testType: serverTest,
4451		name:     "Basic-Server-EarlyCallback",
4452		config: Config{
4453			MaxVersion: VersionTLS12,
4454		},
4455		flags:         []string{"-use-early-callback"},
4456		resumeSession: true,
4457	})
4458
4459	// TLS 1.3 basic handshake shapes.
4460	if config.protocol == tls {
4461		tests = append(tests, testCase{
4462			name: "TLS13-1RTT-Client",
4463			config: Config{
4464				MaxVersion: VersionTLS13,
4465				MinVersion: VersionTLS13,
4466			},
4467			resumeSession:        true,
4468			resumeRenewedSession: true,
4469		})
4470
4471		tests = append(tests, testCase{
4472			testType: serverTest,
4473			name:     "TLS13-1RTT-Server",
4474			config: Config{
4475				MaxVersion: VersionTLS13,
4476				MinVersion: VersionTLS13,
4477			},
4478			resumeSession:        true,
4479			resumeRenewedSession: true,
4480			// TLS 1.3 uses tickets, so the session should not be
4481			// cached statefully.
4482			flags: []string{"-expect-no-session-id"},
4483		})
4484
4485		tests = append(tests, testCase{
4486			name: "TLS13-HelloRetryRequest-Client",
4487			config: Config{
4488				MaxVersion: VersionTLS13,
4489				MinVersion: VersionTLS13,
4490				// P-384 requires a HelloRetryRequest against BoringSSL's default
4491				// configuration. Assert this with ExpectMissingKeyShare.
4492				CurvePreferences: []CurveID{CurveP384},
4493				Bugs: ProtocolBugs{
4494					ExpectMissingKeyShare: true,
4495				},
4496			},
4497			// Cover HelloRetryRequest during an ECDHE-PSK resumption.
4498			resumeSession: true,
4499		})
4500
4501		tests = append(tests, testCase{
4502			testType: serverTest,
4503			name:     "TLS13-HelloRetryRequest-Server",
4504			config: Config{
4505				MaxVersion: VersionTLS13,
4506				MinVersion: VersionTLS13,
4507				// Require a HelloRetryRequest for every curve.
4508				DefaultCurves: []CurveID{},
4509			},
4510			// Cover HelloRetryRequest during an ECDHE-PSK resumption.
4511			resumeSession: true,
4512		})
4513
4514		tests = append(tests, testCase{
4515			testType: clientTest,
4516			name:     "TLS13-EarlyData-TooMuchData-Client",
4517			config: Config{
4518				MaxVersion:       VersionTLS13,
4519				MinVersion:       VersionTLS13,
4520				MaxEarlyDataSize: 2,
4521			},
4522			resumeConfig: &Config{
4523				MaxVersion:       VersionTLS13,
4524				MinVersion:       VersionTLS13,
4525				MaxEarlyDataSize: 2,
4526				Bugs: ProtocolBugs{
4527					ExpectEarlyData: [][]byte{{'h', 'e'}},
4528				},
4529			},
4530			resumeShimPrefix: "llo",
4531			resumeSession:    true,
4532			flags: []string{
4533				"-enable-early-data",
4534				"-expect-ticket-supports-early-data",
4535				"-expect-accept-early-data",
4536				"-on-resume-shim-writes-first",
4537			},
4538		})
4539
4540		// Unfinished writes can only be tested when operations are async. EarlyData
4541		// can't be tested as part of an ImplicitHandshake in this case since
4542		// otherwise the early data will be sent as normal data.
4543		if config.async && !config.implicitHandshake {
4544			tests = append(tests, testCase{
4545				testType: clientTest,
4546				name:     "TLS13-EarlyData-UnfinishedWrite-Client",
4547				config: Config{
4548					MaxVersion:       VersionTLS13,
4549					MinVersion:       VersionTLS13,
4550					MaxEarlyDataSize: 16384,
4551				},
4552				resumeConfig: &Config{
4553					MaxVersion:       VersionTLS13,
4554					MinVersion:       VersionTLS13,
4555					MaxEarlyDataSize: 16384,
4556					Bugs: ProtocolBugs{
4557						ExpectLateEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
4558					},
4559				},
4560				resumeSession: true,
4561				flags: []string{
4562					"-enable-early-data",
4563					"-expect-ticket-supports-early-data",
4564					"-expect-accept-early-data",
4565					"-on-resume-read-with-unfinished-write",
4566					"-on-resume-shim-writes-first",
4567				},
4568			})
4569
4570			// Rejected unfinished writes are discarded (from the
4571			// perspective of the calling application) on 0-RTT
4572			// reject.
4573			tests = append(tests, testCase{
4574				testType: clientTest,
4575				name:     "TLS13-EarlyData-RejectUnfinishedWrite-Client",
4576				config: Config{
4577					MaxVersion:       VersionTLS13,
4578					MinVersion:       VersionTLS13,
4579					MaxEarlyDataSize: 16384,
4580				},
4581				resumeConfig: &Config{
4582					MaxVersion:       VersionTLS13,
4583					MinVersion:       VersionTLS13,
4584					MaxEarlyDataSize: 16384,
4585					Bugs: ProtocolBugs{
4586						AlwaysRejectEarlyData: true,
4587					},
4588				},
4589				resumeSession: true,
4590				flags: []string{
4591					"-enable-early-data",
4592					"-expect-ticket-supports-early-data",
4593					"-expect-reject-early-data",
4594					"-on-resume-read-with-unfinished-write",
4595					"-on-resume-shim-writes-first",
4596				},
4597			})
4598		}
4599
4600		tests = append(tests, testCase{
4601			testType: serverTest,
4602			name:     "TLS13-MaxEarlyData-Server",
4603			config: Config{
4604				MaxVersion: VersionTLS13,
4605				MinVersion: VersionTLS13,
4606				Bugs: ProtocolBugs{
4607					SendEarlyData:           [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
4608					ExpectEarlyDataAccepted: true,
4609				},
4610			},
4611			messageCount:  2,
4612			resumeSession: true,
4613			flags: []string{
4614				"-enable-early-data",
4615				"-expect-accept-early-data",
4616			},
4617			shouldFail:    true,
4618			expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
4619		})
4620	}
4621
4622	// TLS client auth.
4623	tests = append(tests, testCase{
4624		testType: clientTest,
4625		name:     "ClientAuth-NoCertificate-Client",
4626		config: Config{
4627			MaxVersion: VersionTLS12,
4628			ClientAuth: RequestClientCert,
4629		},
4630	})
4631	tests = append(tests, testCase{
4632		testType: serverTest,
4633		name:     "ClientAuth-NoCertificate-Server",
4634		config: Config{
4635			MaxVersion: VersionTLS12,
4636		},
4637		// Setting SSL_VERIFY_PEER allows anonymous clients.
4638		flags: []string{"-verify-peer"},
4639	})
4640	if config.protocol == tls {
4641		tests = append(tests, testCase{
4642			testType: clientTest,
4643			name:     "ClientAuth-NoCertificate-Client-TLS13",
4644			config: Config{
4645				MaxVersion: VersionTLS13,
4646				ClientAuth: RequestClientCert,
4647			},
4648		})
4649		tests = append(tests, testCase{
4650			testType: serverTest,
4651			name:     "ClientAuth-NoCertificate-Server-TLS13",
4652			config: Config{
4653				MaxVersion: VersionTLS13,
4654			},
4655			// Setting SSL_VERIFY_PEER allows anonymous clients.
4656			flags: []string{"-verify-peer"},
4657		})
4658	}
4659	tests = append(tests, testCase{
4660		testType: clientTest,
4661		name:     "ClientAuth-RSA-Client",
4662		config: Config{
4663			MaxVersion: VersionTLS12,
4664			ClientAuth: RequireAnyClientCert,
4665		},
4666		flags: []string{
4667			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4668			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4669		},
4670	})
4671	tests = append(tests, testCase{
4672		testType: clientTest,
4673		name:     "ClientAuth-RSA-Client-TLS13",
4674		config: Config{
4675			MaxVersion: VersionTLS13,
4676			ClientAuth: RequireAnyClientCert,
4677		},
4678		flags: []string{
4679			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4680			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4681		},
4682	})
4683	tests = append(tests, testCase{
4684		testType: clientTest,
4685		name:     "ClientAuth-ECDSA-Client",
4686		config: Config{
4687			MaxVersion: VersionTLS12,
4688			ClientAuth: RequireAnyClientCert,
4689		},
4690		flags: []string{
4691			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4692			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
4693		},
4694	})
4695	tests = append(tests, testCase{
4696		testType: clientTest,
4697		name:     "ClientAuth-ECDSA-Client-TLS13",
4698		config: Config{
4699			MaxVersion: VersionTLS13,
4700			ClientAuth: RequireAnyClientCert,
4701		},
4702		flags: []string{
4703			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4704			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
4705		},
4706	})
4707	tests = append(tests, testCase{
4708		testType: clientTest,
4709		name:     "ClientAuth-NoCertificate-OldCallback",
4710		config: Config{
4711			MaxVersion: VersionTLS12,
4712			ClientAuth: RequestClientCert,
4713		},
4714		flags: []string{"-use-old-client-cert-callback"},
4715	})
4716	tests = append(tests, testCase{
4717		testType: clientTest,
4718		name:     "ClientAuth-NoCertificate-OldCallback-TLS13",
4719		config: Config{
4720			MaxVersion: VersionTLS13,
4721			ClientAuth: RequestClientCert,
4722		},
4723		flags: []string{"-use-old-client-cert-callback"},
4724	})
4725	tests = append(tests, testCase{
4726		testType: clientTest,
4727		name:     "ClientAuth-OldCallback",
4728		config: Config{
4729			MaxVersion: VersionTLS12,
4730			ClientAuth: RequireAnyClientCert,
4731		},
4732		flags: []string{
4733			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4734			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4735			"-use-old-client-cert-callback",
4736		},
4737	})
4738	tests = append(tests, testCase{
4739		testType: clientTest,
4740		name:     "ClientAuth-OldCallback-TLS13",
4741		config: Config{
4742			MaxVersion: VersionTLS13,
4743			ClientAuth: RequireAnyClientCert,
4744		},
4745		flags: []string{
4746			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4747			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4748			"-use-old-client-cert-callback",
4749		},
4750	})
4751	tests = append(tests, testCase{
4752		testType: serverTest,
4753		name:     "ClientAuth-Server",
4754		config: Config{
4755			MaxVersion:   VersionTLS12,
4756			Certificates: []Certificate{rsaCertificate},
4757		},
4758		flags: []string{"-require-any-client-certificate"},
4759	})
4760	tests = append(tests, testCase{
4761		testType: serverTest,
4762		name:     "ClientAuth-Server-TLS13",
4763		config: Config{
4764			MaxVersion:   VersionTLS13,
4765			Certificates: []Certificate{rsaCertificate},
4766		},
4767		flags: []string{"-require-any-client-certificate"},
4768	})
4769
4770	// Test each key exchange on the server side for async keys.
4771	tests = append(tests, testCase{
4772		testType: serverTest,
4773		name:     "Basic-Server-RSA",
4774		config: Config{
4775			MaxVersion:   VersionTLS12,
4776			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
4777		},
4778		flags: []string{
4779			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4780			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4781		},
4782	})
4783	tests = append(tests, testCase{
4784		testType: serverTest,
4785		name:     "Basic-Server-ECDHE-RSA",
4786		config: Config{
4787			MaxVersion:   VersionTLS12,
4788			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4789		},
4790		flags: []string{
4791			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
4792			"-key-file", path.Join(*resourceDir, rsaKeyFile),
4793		},
4794	})
4795	tests = append(tests, testCase{
4796		testType: serverTest,
4797		name:     "Basic-Server-ECDHE-ECDSA",
4798		config: Config{
4799			MaxVersion:   VersionTLS12,
4800			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
4801		},
4802		flags: []string{
4803			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
4804			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
4805		},
4806	})
4807	tests = append(tests, testCase{
4808		testType: serverTest,
4809		name:     "Basic-Server-Ed25519",
4810		config: Config{
4811			MaxVersion:   VersionTLS12,
4812			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
4813		},
4814		flags: []string{
4815			"-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
4816			"-key-file", path.Join(*resourceDir, ed25519KeyFile),
4817			"-enable-ed25519",
4818		},
4819	})
4820
4821	// No session ticket support; server doesn't send NewSessionTicket.
4822	tests = append(tests, testCase{
4823		name: "SessionTicketsDisabled-Client",
4824		config: Config{
4825			MaxVersion:             VersionTLS12,
4826			SessionTicketsDisabled: true,
4827		},
4828	})
4829	tests = append(tests, testCase{
4830		testType: serverTest,
4831		name:     "SessionTicketsDisabled-Server",
4832		config: Config{
4833			MaxVersion:             VersionTLS12,
4834			SessionTicketsDisabled: true,
4835		},
4836	})
4837
4838	// Skip ServerKeyExchange in PSK key exchange if there's no
4839	// identity hint.
4840	tests = append(tests, testCase{
4841		name: "EmptyPSKHint-Client",
4842		config: Config{
4843			MaxVersion:   VersionTLS12,
4844			CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4845			PreSharedKey: []byte("secret"),
4846		},
4847		flags: []string{"-psk", "secret"},
4848	})
4849	tests = append(tests, testCase{
4850		testType: serverTest,
4851		name:     "EmptyPSKHint-Server",
4852		config: Config{
4853			MaxVersion:   VersionTLS12,
4854			CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
4855			PreSharedKey: []byte("secret"),
4856		},
4857		flags: []string{"-psk", "secret"},
4858	})
4859
4860	// OCSP stapling tests.
4861	for _, vers := range tlsVersions {
4862		if config.protocol == dtls && !vers.hasDTLS {
4863			continue
4864		}
4865		tests = append(tests, testCase{
4866			testType: clientTest,
4867			name:     "OCSPStapling-Client-" + vers.name,
4868			config: Config{
4869				MaxVersion: vers.version,
4870			},
4871			flags: []string{
4872				"-enable-ocsp-stapling",
4873				"-expect-ocsp-response",
4874				base64.StdEncoding.EncodeToString(testOCSPResponse),
4875				"-verify-peer",
4876			},
4877			resumeSession: true,
4878		})
4879		tests = append(tests, testCase{
4880			testType: serverTest,
4881			name:     "OCSPStapling-Server-" + vers.name,
4882			config: Config{
4883				MaxVersion: vers.version,
4884			},
4885			expectedOCSPResponse: testOCSPResponse,
4886			flags: []string{
4887				"-ocsp-response",
4888				base64.StdEncoding.EncodeToString(testOCSPResponse),
4889			},
4890			resumeSession: true,
4891		})
4892
4893		// The client OCSP callback is an alternate certificate
4894		// verification callback.
4895		tests = append(tests, testCase{
4896			testType: clientTest,
4897			name:     "ClientOCSPCallback-Pass-" + vers.name,
4898			config: Config{
4899				MaxVersion:   vers.version,
4900				Certificates: []Certificate{rsaCertificate},
4901			},
4902			flags: []string{
4903				"-enable-ocsp-stapling",
4904				"-use-ocsp-callback",
4905			},
4906		})
4907		var expectedLocalError string
4908		if !config.async {
4909			// TODO(davidben): Asynchronous fatal alerts are never
4910			// sent. https://crbug.com/boringssl/130.
4911			expectedLocalError = "remote error: bad certificate status response"
4912		}
4913		tests = append(tests, testCase{
4914			testType: clientTest,
4915			name:     "ClientOCSPCallback-Fail-" + vers.name,
4916			config: Config{
4917				MaxVersion:   vers.version,
4918				Certificates: []Certificate{rsaCertificate},
4919			},
4920			flags: []string{
4921				"-enable-ocsp-stapling",
4922				"-use-ocsp-callback",
4923				"-fail-ocsp-callback",
4924			},
4925			shouldFail:         true,
4926			expectedLocalError: expectedLocalError,
4927			expectedError:      ":OCSP_CB_ERROR:",
4928		})
4929		// The callback still runs if the server does not send an OCSP
4930		// response.
4931		certNoStaple := rsaCertificate
4932		certNoStaple.OCSPStaple = nil
4933		tests = append(tests, testCase{
4934			testType: clientTest,
4935			name:     "ClientOCSPCallback-FailNoStaple-" + vers.name,
4936			config: Config{
4937				MaxVersion:   vers.version,
4938				Certificates: []Certificate{certNoStaple},
4939			},
4940			flags: []string{
4941				"-enable-ocsp-stapling",
4942				"-use-ocsp-callback",
4943				"-fail-ocsp-callback",
4944			},
4945			shouldFail:         true,
4946			expectedLocalError: expectedLocalError,
4947			expectedError:      ":OCSP_CB_ERROR:",
4948		})
4949
4950		// The server OCSP callback is a legacy mechanism for
4951		// configuring OCSP, used by unreliable server software.
4952		tests = append(tests, testCase{
4953			testType: serverTest,
4954			name:     "ServerOCSPCallback-SetInCallback-" + vers.name,
4955			config: Config{
4956				MaxVersion: vers.version,
4957			},
4958			expectedOCSPResponse: testOCSPResponse,
4959			flags: []string{
4960				"-use-ocsp-callback",
4961				"-set-ocsp-in-callback",
4962				"-ocsp-response",
4963				base64.StdEncoding.EncodeToString(testOCSPResponse),
4964			},
4965			resumeSession: true,
4966		})
4967
4968		// The callback may decline OCSP, in which case  we act as if
4969		// the client did not support it, even if a response was
4970		// configured.
4971		tests = append(tests, testCase{
4972			testType: serverTest,
4973			name:     "ServerOCSPCallback-Decline-" + vers.name,
4974			config: Config{
4975				MaxVersion: vers.version,
4976			},
4977			expectedOCSPResponse: []byte{},
4978			flags: []string{
4979				"-use-ocsp-callback",
4980				"-decline-ocsp-callback",
4981				"-ocsp-response",
4982				base64.StdEncoding.EncodeToString(testOCSPResponse),
4983			},
4984			resumeSession: true,
4985		})
4986
4987		// The callback may also signal an internal error.
4988		tests = append(tests, testCase{
4989			testType: serverTest,
4990			name:     "ServerOCSPCallback-Fail-" + vers.name,
4991			config: Config{
4992				MaxVersion: vers.version,
4993			},
4994			flags: []string{
4995				"-use-ocsp-callback",
4996				"-fail-ocsp-callback",
4997				"-ocsp-response",
4998				base64.StdEncoding.EncodeToString(testOCSPResponse),
4999			},
5000			shouldFail:    true,
5001			expectedError: ":OCSP_CB_ERROR:",
5002		})
5003	}
5004
5005	// Certificate verification tests.
5006	for _, vers := range tlsVersions {
5007		if config.protocol == dtls && !vers.hasDTLS {
5008			continue
5009		}
5010		for _, useCustomCallback := range []bool{false, true} {
5011			for _, testType := range []testType{clientTest, serverTest} {
5012				suffix := "-Client"
5013				if testType == serverTest {
5014					suffix = "-Server"
5015				}
5016				suffix += "-" + vers.name
5017				if useCustomCallback {
5018					suffix += "-CustomCallback"
5019				}
5020
5021				flags := []string{"-verify-peer"}
5022				if testType == serverTest {
5023					flags = append(flags, "-require-any-client-certificate")
5024				}
5025				if useCustomCallback {
5026					flags = append(flags, "-use-custom-verify-callback")
5027				}
5028
5029				tests = append(tests, testCase{
5030					testType: testType,
5031					name:     "CertificateVerificationSucceed" + suffix,
5032					config: Config{
5033						MaxVersion:   vers.version,
5034						Certificates: []Certificate{rsaCertificate},
5035					},
5036					flags:         append([]string{"-expect-verify-result"}, flags...),
5037					resumeSession: true,
5038				})
5039				tests = append(tests, testCase{
5040					testType: testType,
5041					name:     "CertificateVerificationFail" + suffix,
5042					config: Config{
5043						MaxVersion:   vers.version,
5044						Certificates: []Certificate{rsaCertificate},
5045					},
5046					flags:         append([]string{"-verify-fail"}, flags...),
5047					shouldFail:    true,
5048					expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5049				})
5050				// Tests that although the verify callback fails on resumption, by default we don't call it.
5051				tests = append(tests, testCase{
5052					testType: testType,
5053					name:     "CertificateVerificationDoesNotFailOnResume" + suffix,
5054					config: Config{
5055						MaxVersion:   vers.version,
5056						Certificates: []Certificate{rsaCertificate},
5057					},
5058					flags:         append([]string{"-on-resume-verify-fail"}, flags...),
5059					resumeSession: true,
5060				})
5061				if testType == clientTest && useCustomCallback {
5062					tests = append(tests, testCase{
5063						testType: testType,
5064						name:     "CertificateVerificationFailsOnResume" + suffix,
5065						config: Config{
5066							MaxVersion:   vers.version,
5067							Certificates: []Certificate{rsaCertificate},
5068						},
5069						flags: append([]string{
5070							"-on-resume-verify-fail",
5071							"-reverify-on-resume",
5072						}, flags...),
5073						resumeSession: true,
5074						shouldFail:    true,
5075						expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5076					})
5077					tests = append(tests, testCase{
5078						testType: testType,
5079						name:     "CertificateVerificationPassesOnResume" + suffix,
5080						config: Config{
5081							MaxVersion:   vers.version,
5082							Certificates: []Certificate{rsaCertificate},
5083						},
5084						flags: append([]string{
5085							"-reverify-on-resume",
5086						}, flags...),
5087						resumeSession: true,
5088					})
5089					if vers.version >= VersionTLS13 {
5090						tests = append(tests, testCase{
5091							testType: testType,
5092							name:     "EarlyData-RejectTicket-Client-Reverify" + suffix,
5093							config: Config{
5094								MaxVersion:       vers.version,
5095								MaxEarlyDataSize: 16384,
5096							},
5097							resumeConfig: &Config{
5098								MaxVersion:             vers.version,
5099								MaxEarlyDataSize:       16384,
5100								SessionTicketsDisabled: true,
5101							},
5102							resumeSession:        true,
5103							expectResumeRejected: true,
5104							flags: append([]string{
5105								"-enable-early-data",
5106								"-expect-ticket-supports-early-data",
5107								"-reverify-on-resume",
5108								"-on-resume-shim-writes-first",
5109								// Session tickets are disabled, so the runner will not send a ticket.
5110								"-on-retry-expect-no-session",
5111								"-expect-reject-early-data",
5112							}, flags...),
5113						})
5114						tests = append(tests, testCase{
5115							testType: testType,
5116							name:     "EarlyData-Reject0RTT-Client-Reverify" + suffix,
5117							config: Config{
5118								MaxVersion:       vers.version,
5119								MaxEarlyDataSize: 16384,
5120							},
5121							resumeConfig: &Config{
5122								MaxVersion:       vers.version,
5123								MaxEarlyDataSize: 16384,
5124								Bugs: ProtocolBugs{
5125									AlwaysRejectEarlyData: true,
5126								},
5127							},
5128							resumeSession:        true,
5129							expectResumeRejected: false,
5130							flags: append([]string{
5131								"-enable-early-data",
5132								"-expect-reject-early-data",
5133								"-expect-ticket-supports-early-data",
5134								"-reverify-on-resume",
5135								"-on-resume-shim-writes-first",
5136							}, flags...),
5137						})
5138						tests = append(tests, testCase{
5139							testType: testType,
5140							name:     "EarlyData-RejectTicket-Client-ReverifyFails" + suffix,
5141							config: Config{
5142								MaxVersion:       vers.version,
5143								MaxEarlyDataSize: 16384,
5144							},
5145							resumeConfig: &Config{
5146								MaxVersion:             vers.version,
5147								MaxEarlyDataSize:       16384,
5148								SessionTicketsDisabled: true,
5149							},
5150							resumeSession:        true,
5151							expectResumeRejected: true,
5152							shouldFail:           true,
5153							expectedError:        ":CERTIFICATE_VERIFY_FAILED:",
5154							flags: append([]string{
5155								"-enable-early-data",
5156								"-expect-ticket-supports-early-data",
5157								"-reverify-on-resume",
5158								"-on-resume-shim-writes-first",
5159								// Session tickets are disabled, so the runner will not send a ticket.
5160								"-on-retry-expect-no-session",
5161								"-on-retry-verify-fail",
5162								"-expect-reject-early-data",
5163							}, flags...),
5164						})
5165						tests = append(tests, testCase{
5166							testType: testType,
5167							name:     "EarlyData-Reject0RTT-Client-ReverifyFails" + suffix,
5168							config: Config{
5169								MaxVersion:       vers.version,
5170								MaxEarlyDataSize: 16384,
5171							},
5172							resumeConfig: &Config{
5173								MaxVersion:       vers.version,
5174								MaxEarlyDataSize: 16384,
5175								Bugs: ProtocolBugs{
5176									AlwaysRejectEarlyData: true,
5177								},
5178							},
5179							resumeSession:        true,
5180							expectResumeRejected: false,
5181							shouldFail:           true,
5182							expectedError:        ":CERTIFICATE_VERIFY_FAILED:",
5183							flags: append([]string{
5184								"-enable-early-data",
5185								"-expect-reject-early-data",
5186								"-expect-ticket-supports-early-data",
5187								"-reverify-on-resume",
5188								"-on-resume-shim-writes-first",
5189								"-on-retry-verify-fail",
5190							}, flags...),
5191						})
5192						// This tests that we only call the verify callback once.
5193						tests = append(tests, testCase{
5194							testType: testType,
5195							name:     "EarlyData-Accept0RTT-Client-Reverify" + suffix,
5196							config: Config{
5197								MaxVersion:       vers.version,
5198								MaxEarlyDataSize: 16384,
5199							},
5200							resumeConfig: &Config{
5201								MaxVersion:       vers.version,
5202								MaxEarlyDataSize: 16384,
5203								Bugs: ProtocolBugs{
5204									ExpectEarlyData: [][]byte{[]byte("hello")},
5205								},
5206							},
5207							resumeSession:        true,
5208							expectResumeRejected: false,
5209							flags: append([]string{
5210								"-enable-early-data",
5211								"-expect-ticket-supports-early-data",
5212								"-reverify-on-resume",
5213								"-on-resume-shim-writes-first",
5214							}, flags...),
5215						})
5216						tests = append(tests, testCase{
5217							testType: testType,
5218							name:     "EarlyData-Accept0RTT-Client-ReverifyFails" + suffix,
5219							config: Config{
5220								MaxVersion:       vers.version,
5221								MaxEarlyDataSize: 16384,
5222							},
5223							resumeConfig: &Config{
5224								MaxVersion:       vers.version,
5225								MaxEarlyDataSize: 16384,
5226								Bugs: ProtocolBugs{
5227									ExpectEarlyData: [][]byte{[]byte("hello")},
5228								},
5229							},
5230							resumeSession: true,
5231							shouldFail:    true,
5232							expectedError: ":CERTIFICATE_VERIFY_FAILED:",
5233							flags: append([]string{
5234								"-enable-early-data",
5235								"-expect-ticket-supports-early-data",
5236								"-reverify-on-resume",
5237								"-on-resume-verify-fail",
5238								"-on-resume-shim-writes-first",
5239							}, flags...),
5240						})
5241					}
5242				}
5243			}
5244		}
5245
5246		// By default, the client is in a soft fail mode where the peer
5247		// certificate is verified but failures are non-fatal.
5248		tests = append(tests, testCase{
5249			testType: clientTest,
5250			name:     "CertificateVerificationSoftFail-" + vers.name,
5251			config: Config{
5252				MaxVersion:   vers.version,
5253				Certificates: []Certificate{rsaCertificate},
5254			},
5255			flags: []string{
5256				"-verify-fail",
5257				"-expect-verify-result",
5258			},
5259			resumeSession: true,
5260		})
5261	}
5262
5263	tests = append(tests, testCase{
5264		name:               "ShimSendAlert",
5265		flags:              []string{"-send-alert"},
5266		shimWritesFirst:    true,
5267		shouldFail:         true,
5268		expectedLocalError: "remote error: decompression failure",
5269	})
5270
5271	if config.protocol == tls {
5272		tests = append(tests, testCase{
5273			name: "Renegotiate-Client",
5274			config: Config{
5275				MaxVersion: VersionTLS12,
5276			},
5277			renegotiate: 1,
5278			flags: []string{
5279				"-renegotiate-freely",
5280				"-expect-total-renegotiations", "1",
5281			},
5282		})
5283
5284		tests = append(tests, testCase{
5285			name: "SendHalfHelloRequest",
5286			config: Config{
5287				MaxVersion: VersionTLS12,
5288				Bugs: ProtocolBugs{
5289					PackHelloRequestWithFinished: config.packHandshake,
5290				},
5291			},
5292			sendHalfHelloRequest: true,
5293			flags:                []string{"-renegotiate-ignore"},
5294			shouldFail:           true,
5295			expectedError:        ":UNEXPECTED_RECORD:",
5296		})
5297
5298		// NPN on client and server; results in post-handshake message.
5299		tests = append(tests, testCase{
5300			name: "NPN-Client",
5301			config: Config{
5302				MaxVersion: VersionTLS12,
5303				NextProtos: []string{"foo"},
5304			},
5305			flags:                 []string{"-select-next-proto", "foo"},
5306			resumeSession:         true,
5307			expectedNextProto:     "foo",
5308			expectedNextProtoType: npn,
5309		})
5310		tests = append(tests, testCase{
5311			testType: serverTest,
5312			name:     "NPN-Server",
5313			config: Config{
5314				MaxVersion: VersionTLS12,
5315				NextProtos: []string{"bar"},
5316			},
5317			flags: []string{
5318				"-advertise-npn", "\x03foo\x03bar\x03baz",
5319				"-expect-next-proto", "bar",
5320			},
5321			resumeSession:         true,
5322			expectedNextProto:     "bar",
5323			expectedNextProtoType: npn,
5324		})
5325
5326		// Client does False Start and negotiates NPN.
5327		tests = append(tests, testCase{
5328			name: "FalseStart",
5329			config: Config{
5330				MaxVersion:   VersionTLS12,
5331				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5332				NextProtos:   []string{"foo"},
5333				Bugs: ProtocolBugs{
5334					ExpectFalseStart: true,
5335				},
5336			},
5337			flags: []string{
5338				"-false-start",
5339				"-select-next-proto", "foo",
5340			},
5341			shimWritesFirst: true,
5342			resumeSession:   true,
5343		})
5344
5345		// Client does False Start and negotiates ALPN.
5346		tests = append(tests, testCase{
5347			name: "FalseStart-ALPN",
5348			config: Config{
5349				MaxVersion:   VersionTLS12,
5350				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5351				NextProtos:   []string{"foo"},
5352				Bugs: ProtocolBugs{
5353					ExpectFalseStart: true,
5354				},
5355			},
5356			flags: []string{
5357				"-false-start",
5358				"-advertise-alpn", "\x03foo",
5359				"-expect-alpn", "foo",
5360			},
5361			shimWritesFirst: true,
5362			resumeSession:   true,
5363		})
5364
5365		// False Start without session tickets.
5366		tests = append(tests, testCase{
5367			name: "FalseStart-SessionTicketsDisabled",
5368			config: Config{
5369				MaxVersion:             VersionTLS12,
5370				CipherSuites:           []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5371				NextProtos:             []string{"foo"},
5372				SessionTicketsDisabled: true,
5373				Bugs: ProtocolBugs{
5374					ExpectFalseStart: true,
5375				},
5376			},
5377			flags: []string{
5378				"-false-start",
5379				"-select-next-proto", "foo",
5380			},
5381			shimWritesFirst: true,
5382		})
5383
5384		// Server parses a V2ClientHello.
5385		tests = append(tests, testCase{
5386			testType: serverTest,
5387			name:     "SendV2ClientHello",
5388			config: Config{
5389				// Choose a cipher suite that does not involve
5390				// elliptic curves, so no extensions are
5391				// involved.
5392				MaxVersion:   VersionTLS12,
5393				CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
5394				Bugs: ProtocolBugs{
5395					SendV2ClientHello: true,
5396				},
5397			},
5398			flags: []string{
5399				"-expect-msg-callback",
5400				`read v2clienthello
5401write hs 2
5402write hs 11
5403write hs 14
5404read hs 16
5405read ccs
5406read hs 20
5407write ccs
5408write hs 20
5409read alert 1 0
5410`,
5411			},
5412		})
5413
5414		// Test Channel ID
5415		for _, ver := range tlsVersions {
5416			if ver.version < VersionTLS10 {
5417				continue
5418			}
5419			// Client sends a Channel ID.
5420			tests = append(tests, testCase{
5421				name: "ChannelID-Client-" + ver.name,
5422				config: Config{
5423					MaxVersion:       ver.version,
5424					RequestChannelID: true,
5425				},
5426				flags:           []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
5427				resumeSession:   true,
5428				expectChannelID: true,
5429			})
5430
5431			// Server accepts a Channel ID.
5432			tests = append(tests, testCase{
5433				testType: serverTest,
5434				name:     "ChannelID-Server-" + ver.name,
5435				config: Config{
5436					MaxVersion: ver.version,
5437					ChannelID:  channelIDKey,
5438				},
5439				flags: []string{
5440					"-expect-channel-id",
5441					base64.StdEncoding.EncodeToString(channelIDBytes),
5442				},
5443				resumeSession:   true,
5444				expectChannelID: true,
5445			})
5446
5447			tests = append(tests, testCase{
5448				testType: serverTest,
5449				name:     "InvalidChannelIDSignature-" + ver.name,
5450				config: Config{
5451					MaxVersion: ver.version,
5452					ChannelID:  channelIDKey,
5453					Bugs: ProtocolBugs{
5454						InvalidChannelIDSignature: true,
5455					},
5456				},
5457				flags:         []string{"-enable-channel-id"},
5458				shouldFail:    true,
5459				expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
5460			})
5461
5462			if ver.version < VersionTLS13 {
5463				// Channel ID requires ECDHE ciphers.
5464				tests = append(tests, testCase{
5465					testType: serverTest,
5466					name:     "ChannelID-NoECDHE-" + ver.name,
5467					config: Config{
5468						MaxVersion:   ver.version,
5469						CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
5470						ChannelID:    channelIDKey,
5471					},
5472					expectChannelID: false,
5473					flags:           []string{"-enable-channel-id"},
5474				})
5475
5476				// Sanity-check setting expectChannelID false works.
5477				tests = append(tests, testCase{
5478					testType: serverTest,
5479					name:     "ChannelID-ECDHE-" + ver.name,
5480					config: Config{
5481						MaxVersion:   ver.version,
5482						CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
5483						ChannelID:    channelIDKey,
5484					},
5485					expectChannelID:    false,
5486					flags:              []string{"-enable-channel-id"},
5487					shouldFail:         true,
5488					expectedLocalError: "channel ID unexpectedly negotiated",
5489				})
5490			}
5491		}
5492
5493		// Channel ID and NPN at the same time, to ensure their relative
5494		// ordering is correct.
5495		tests = append(tests, testCase{
5496			name: "ChannelID-NPN-Client",
5497			config: Config{
5498				MaxVersion:       VersionTLS12,
5499				RequestChannelID: true,
5500				NextProtos:       []string{"foo"},
5501			},
5502			flags: []string{
5503				"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
5504				"-select-next-proto", "foo",
5505			},
5506			resumeSession:         true,
5507			expectChannelID:       true,
5508			expectedNextProto:     "foo",
5509			expectedNextProtoType: npn,
5510		})
5511		tests = append(tests, testCase{
5512			testType: serverTest,
5513			name:     "ChannelID-NPN-Server",
5514			config: Config{
5515				MaxVersion: VersionTLS12,
5516				ChannelID:  channelIDKey,
5517				NextProtos: []string{"bar"},
5518			},
5519			flags: []string{
5520				"-expect-channel-id",
5521				base64.StdEncoding.EncodeToString(channelIDBytes),
5522				"-advertise-npn", "\x03foo\x03bar\x03baz",
5523				"-expect-next-proto", "bar",
5524			},
5525			resumeSession:         true,
5526			expectChannelID:       true,
5527			expectedNextProto:     "bar",
5528			expectedNextProtoType: npn,
5529		})
5530
5531		// Bidirectional shutdown with the runner initiating.
5532		tests = append(tests, testCase{
5533			name: "Shutdown-Runner",
5534			config: Config{
5535				Bugs: ProtocolBugs{
5536					ExpectCloseNotify: true,
5537				},
5538			},
5539			flags: []string{"-check-close-notify"},
5540		})
5541
5542		if !config.implicitHandshake {
5543			// Bidirectional shutdown with the shim initiating. The runner,
5544			// in the meantime, sends garbage before the close_notify which
5545			// the shim must ignore. This test is disabled under implicit
5546			// handshake tests because the shim never reads or writes.
5547			tests = append(tests, testCase{
5548				name: "Shutdown-Shim",
5549				config: Config{
5550					MaxVersion: VersionTLS12,
5551					Bugs: ProtocolBugs{
5552						ExpectCloseNotify: true,
5553					},
5554				},
5555				shimShutsDown:     true,
5556				sendEmptyRecords:  1,
5557				sendWarningAlerts: 1,
5558				flags:             []string{"-check-close-notify"},
5559			})
5560
5561			// The shim should reject unexpected application data
5562			// when shutting down.
5563			tests = append(tests, testCase{
5564				name: "Shutdown-Shim-ApplicationData",
5565				config: Config{
5566					MaxVersion: VersionTLS12,
5567					Bugs: ProtocolBugs{
5568						ExpectCloseNotify: true,
5569					},
5570				},
5571				shimShutsDown:     true,
5572				messageCount:      1,
5573				sendEmptyRecords:  1,
5574				sendWarningAlerts: 1,
5575				flags:             []string{"-check-close-notify"},
5576				shouldFail:        true,
5577				expectedError:     ":APPLICATION_DATA_ON_SHUTDOWN:",
5578			})
5579
5580			// Test that SSL_shutdown still processes KeyUpdate.
5581			tests = append(tests, testCase{
5582				name: "Shutdown-Shim-KeyUpdate",
5583				config: Config{
5584					MinVersion: VersionTLS13,
5585					MaxVersion: VersionTLS13,
5586					Bugs: ProtocolBugs{
5587						ExpectCloseNotify: true,
5588					},
5589				},
5590				shimShutsDown:    true,
5591				sendKeyUpdates:   1,
5592				keyUpdateRequest: keyUpdateRequested,
5593				flags:            []string{"-check-close-notify"},
5594			})
5595
5596			// Test that SSL_shutdown processes HelloRequest
5597			// correctly.
5598			tests = append(tests, testCase{
5599				name: "Shutdown-Shim-HelloRequest-Ignore",
5600				config: Config{
5601					MinVersion: VersionTLS12,
5602					MaxVersion: VersionTLS12,
5603					Bugs: ProtocolBugs{
5604						SendHelloRequestBeforeEveryAppDataRecord: true,
5605						ExpectCloseNotify:                        true,
5606					},
5607				},
5608				shimShutsDown: true,
5609				flags: []string{
5610					"-renegotiate-ignore",
5611					"-check-close-notify",
5612				},
5613			})
5614			tests = append(tests, testCase{
5615				name: "Shutdown-Shim-HelloRequest-Reject",
5616				config: Config{
5617					MinVersion: VersionTLS12,
5618					MaxVersion: VersionTLS12,
5619					Bugs: ProtocolBugs{
5620						ExpectCloseNotify: true,
5621					},
5622				},
5623				shimShutsDown: true,
5624				renegotiate:   1,
5625				shouldFail:    true,
5626				expectedError: ":NO_RENEGOTIATION:",
5627				flags:         []string{"-check-close-notify"},
5628			})
5629			tests = append(tests, testCase{
5630				name: "Shutdown-Shim-HelloRequest-CannotHandshake",
5631				config: Config{
5632					MinVersion: VersionTLS12,
5633					MaxVersion: VersionTLS12,
5634					Bugs: ProtocolBugs{
5635						ExpectCloseNotify: true,
5636					},
5637				},
5638				shimShutsDown: true,
5639				renegotiate:   1,
5640				shouldFail:    true,
5641				expectedError: ":NO_RENEGOTIATION:",
5642				flags: []string{
5643					"-check-close-notify",
5644					"-renegotiate-freely",
5645				},
5646			})
5647
5648			tests = append(tests, testCase{
5649				testType: serverTest,
5650				name:     "Shutdown-Shim-Renegotiate-Server-Forbidden",
5651				config: Config{
5652					MaxVersion: VersionTLS12,
5653					Bugs: ProtocolBugs{
5654						ExpectCloseNotify: true,
5655					},
5656				},
5657				shimShutsDown: true,
5658				renegotiate:   1,
5659				shouldFail:    true,
5660				expectedError: ":NO_RENEGOTIATION:",
5661				flags: []string{
5662					"-check-close-notify",
5663				},
5664			})
5665		}
5666	} else {
5667		// TODO(davidben): DTLS 1.3 will want a similar thing for
5668		// HelloRetryRequest.
5669		tests = append(tests, testCase{
5670			name: "SkipHelloVerifyRequest",
5671			config: Config{
5672				MaxVersion: VersionTLS12,
5673				Bugs: ProtocolBugs{
5674					SkipHelloVerifyRequest: true,
5675				},
5676			},
5677		})
5678	}
5679
5680	for _, test := range tests {
5681		test.protocol = config.protocol
5682		if config.protocol == dtls {
5683			test.name += "-DTLS"
5684		}
5685		if config.async {
5686			test.name += "-Async"
5687			test.flags = append(test.flags, "-async")
5688		} else {
5689			test.name += "-Sync"
5690		}
5691		if config.splitHandshake {
5692			test.name += "-SplitHandshakeRecords"
5693			test.config.Bugs.MaxHandshakeRecordLength = 1
5694			if config.protocol == dtls {
5695				test.config.Bugs.MaxPacketLength = 256
5696				test.flags = append(test.flags, "-mtu", "256")
5697			}
5698		}
5699		if config.packHandshake {
5700			test.name += "-PackHandshake"
5701			if config.protocol == dtls {
5702				test.config.Bugs.MaxHandshakeRecordLength = 2
5703				test.config.Bugs.PackHandshakeFragments = 20
5704				test.config.Bugs.PackHandshakeRecords = 1500
5705				test.config.Bugs.PackAppDataWithHandshake = true
5706			} else {
5707				test.config.Bugs.PackHandshakeFlight = true
5708			}
5709		}
5710		if config.implicitHandshake {
5711			test.name += "-ImplicitHandshake"
5712			test.flags = append(test.flags, "-implicit-handshake")
5713		}
5714		testCases = append(testCases, test)
5715	}
5716}
5717
5718func addDDoSCallbackTests() {
5719	// DDoS callback.
5720	for _, resume := range []bool{false, true} {
5721		suffix := "Resume"
5722		if resume {
5723			suffix = "No" + suffix
5724		}
5725
5726		testCases = append(testCases, testCase{
5727			testType: serverTest,
5728			name:     "Server-DDoS-OK-" + suffix,
5729			config: Config{
5730				MaxVersion: VersionTLS12,
5731			},
5732			flags:         []string{"-install-ddos-callback"},
5733			resumeSession: resume,
5734		})
5735		testCases = append(testCases, testCase{
5736			testType: serverTest,
5737			name:     "Server-DDoS-OK-" + suffix + "-TLS13",
5738			config: Config{
5739				MaxVersion: VersionTLS13,
5740			},
5741			flags:         []string{"-install-ddos-callback"},
5742			resumeSession: resume,
5743		})
5744
5745		failFlag := "-fail-ddos-callback"
5746		if resume {
5747			failFlag = "-on-resume-fail-ddos-callback"
5748		}
5749		testCases = append(testCases, testCase{
5750			testType: serverTest,
5751			name:     "Server-DDoS-Reject-" + suffix,
5752			config: Config{
5753				MaxVersion: VersionTLS12,
5754			},
5755			flags:              []string{"-install-ddos-callback", failFlag},
5756			resumeSession:      resume,
5757			shouldFail:         true,
5758			expectedError:      ":CONNECTION_REJECTED:",
5759			expectedLocalError: "remote error: internal error",
5760		})
5761		testCases = append(testCases, testCase{
5762			testType: serverTest,
5763			name:     "Server-DDoS-Reject-" + suffix + "-TLS13",
5764			config: Config{
5765				MaxVersion: VersionTLS13,
5766			},
5767			flags:              []string{"-install-ddos-callback", failFlag},
5768			resumeSession:      resume,
5769			shouldFail:         true,
5770			expectedError:      ":CONNECTION_REJECTED:",
5771			expectedLocalError: "remote error: internal error",
5772		})
5773	}
5774}
5775
5776func addVersionNegotiationTests() {
5777	for _, protocol := range []protocol{tls, dtls} {
5778		for _, shimVers := range allVersions(protocol) {
5779			// Assemble flags to disable all newer versions on the shim.
5780			var flags []string
5781			for _, vers := range allVersions(protocol) {
5782				if vers.version > shimVers.version {
5783					flags = append(flags, vers.excludeFlag)
5784				}
5785			}
5786
5787			flags2 := []string{"-max-version", shimVers.shimFlag(protocol)}
5788
5789			// Test configuring the runner's maximum version.
5790			for _, runnerVers := range allVersions(protocol) {
5791				expectedVersion := shimVers.version
5792				if runnerVers.version < shimVers.version {
5793					expectedVersion = runnerVers.version
5794				}
5795
5796				suffix := shimVers.name + "-" + runnerVers.name
5797				if protocol == dtls {
5798					suffix += "-DTLS"
5799				}
5800
5801				// Determine the expected initial record-layer versions.
5802				clientVers := shimVers.version
5803				if clientVers > VersionTLS10 {
5804					clientVers = VersionTLS10
5805				}
5806				clientVers = recordVersionToWire(clientVers, protocol)
5807				serverVers := expectedVersion
5808				if expectedVersion >= VersionTLS13 {
5809					serverVers = VersionTLS12
5810				}
5811				serverVers = recordVersionToWire(serverVers, protocol)
5812
5813				testCases = append(testCases, testCase{
5814					protocol: protocol,
5815					testType: clientTest,
5816					name:     "VersionNegotiation-Client-" + suffix,
5817					config: Config{
5818						MaxVersion: runnerVers.version,
5819						Bugs: ProtocolBugs{
5820							ExpectInitialRecordVersion: clientVers,
5821						},
5822					},
5823					flags:           flags,
5824					expectedVersion: expectedVersion,
5825				})
5826				testCases = append(testCases, testCase{
5827					protocol: protocol,
5828					testType: clientTest,
5829					name:     "VersionNegotiation-Client2-" + suffix,
5830					config: Config{
5831						MaxVersion: runnerVers.version,
5832						Bugs: ProtocolBugs{
5833							ExpectInitialRecordVersion: clientVers,
5834						},
5835					},
5836					flags:           flags2,
5837					expectedVersion: expectedVersion,
5838				})
5839
5840				testCases = append(testCases, testCase{
5841					protocol: protocol,
5842					testType: serverTest,
5843					name:     "VersionNegotiation-Server-" + suffix,
5844					config: Config{
5845						MaxVersion: runnerVers.version,
5846						Bugs: ProtocolBugs{
5847							ExpectInitialRecordVersion: serverVers,
5848						},
5849					},
5850					flags:           flags,
5851					expectedVersion: expectedVersion,
5852				})
5853				testCases = append(testCases, testCase{
5854					protocol: protocol,
5855					testType: serverTest,
5856					name:     "VersionNegotiation-Server2-" + suffix,
5857					config: Config{
5858						MaxVersion: runnerVers.version,
5859						Bugs: ProtocolBugs{
5860							ExpectInitialRecordVersion: serverVers,
5861						},
5862					},
5863					flags:           flags2,
5864					expectedVersion: expectedVersion,
5865				})
5866			}
5867		}
5868	}
5869
5870	// Test the version extension at all versions.
5871	for _, vers := range tlsVersions {
5872		protocols := []protocol{tls}
5873		if vers.hasDTLS {
5874			protocols = append(protocols, dtls)
5875		}
5876		for _, protocol := range protocols {
5877			suffix := vers.name
5878			if protocol == dtls {
5879				suffix += "-DTLS"
5880			}
5881
5882			testCases = append(testCases, testCase{
5883				protocol: protocol,
5884				testType: serverTest,
5885				name:     "VersionNegotiationExtension-" + suffix,
5886				config: Config{
5887					Bugs: ProtocolBugs{
5888						SendSupportedVersions:      []uint16{0x1111, vers.wire(protocol), 0x2222},
5889						IgnoreTLS13DowngradeRandom: true,
5890					},
5891				},
5892				expectedVersion: vers.version,
5893			})
5894		}
5895	}
5896
5897	// If all versions are unknown, negotiation fails.
5898	testCases = append(testCases, testCase{
5899		testType: serverTest,
5900		name:     "NoSupportedVersions",
5901		config: Config{
5902			Bugs: ProtocolBugs{
5903				SendSupportedVersions: []uint16{0x1111},
5904			},
5905		},
5906		shouldFail:    true,
5907		expectedError: ":UNSUPPORTED_PROTOCOL:",
5908	})
5909	testCases = append(testCases, testCase{
5910		protocol: dtls,
5911		testType: serverTest,
5912		name:     "NoSupportedVersions-DTLS",
5913		config: Config{
5914			Bugs: ProtocolBugs{
5915				SendSupportedVersions: []uint16{0x1111},
5916			},
5917		},
5918		shouldFail:    true,
5919		expectedError: ":UNSUPPORTED_PROTOCOL:",
5920	})
5921
5922	testCases = append(testCases, testCase{
5923		testType: serverTest,
5924		name:     "ClientHelloVersionTooHigh",
5925		config: Config{
5926			MaxVersion: VersionTLS13,
5927			Bugs: ProtocolBugs{
5928				SendClientVersion:          0x0304,
5929				OmitSupportedVersions:      true,
5930				IgnoreTLS13DowngradeRandom: true,
5931			},
5932		},
5933		expectedVersion: VersionTLS12,
5934	})
5935
5936	testCases = append(testCases, testCase{
5937		testType: serverTest,
5938		name:     "ConflictingVersionNegotiation",
5939		config: Config{
5940			Bugs: ProtocolBugs{
5941				SendClientVersion:          VersionTLS12,
5942				SendSupportedVersions:      []uint16{VersionTLS11},
5943				IgnoreTLS13DowngradeRandom: true,
5944			},
5945		},
5946		// The extension takes precedence over the ClientHello version.
5947		expectedVersion: VersionTLS11,
5948	})
5949
5950	testCases = append(testCases, testCase{
5951		testType: serverTest,
5952		name:     "ConflictingVersionNegotiation-2",
5953		config: Config{
5954			Bugs: ProtocolBugs{
5955				SendClientVersion:          VersionTLS11,
5956				SendSupportedVersions:      []uint16{VersionTLS12},
5957				IgnoreTLS13DowngradeRandom: true,
5958			},
5959		},
5960		// The extension takes precedence over the ClientHello version.
5961		expectedVersion: VersionTLS12,
5962	})
5963
5964	// Test that TLS 1.2 isn't negotiated by the supported_versions extension in
5965	// the ServerHello.
5966	testCases = append(testCases, testCase{
5967		testType: clientTest,
5968		name:     "SupportedVersionSelection-TLS12",
5969		config: Config{
5970			MaxVersion: VersionTLS12,
5971			Bugs: ProtocolBugs{
5972				SendServerSupportedVersionExtension: VersionTLS12,
5973			},
5974		},
5975		shouldFail:    true,
5976		expectedError: ":UNEXPECTED_EXTENSION:",
5977	})
5978
5979	// Test that the maximum version is selected regardless of the
5980	// client-sent order.
5981	testCases = append(testCases, testCase{
5982		testType: serverTest,
5983		name:     "IgnoreClientVersionOrder",
5984		config: Config{
5985			Bugs: ProtocolBugs{
5986				SendSupportedVersions: []uint16{VersionTLS12, VersionTLS13},
5987			},
5988		},
5989		expectedVersion: VersionTLS13,
5990	})
5991
5992	// Test for version tolerance.
5993	testCases = append(testCases, testCase{
5994		testType: serverTest,
5995		name:     "MinorVersionTolerance",
5996		config: Config{
5997			Bugs: ProtocolBugs{
5998				SendClientVersion:          0x03ff,
5999				OmitSupportedVersions:      true,
6000				IgnoreTLS13DowngradeRandom: true,
6001			},
6002		},
6003		expectedVersion: VersionTLS12,
6004	})
6005	testCases = append(testCases, testCase{
6006		testType: serverTest,
6007		name:     "MajorVersionTolerance",
6008		config: Config{
6009			Bugs: ProtocolBugs{
6010				SendClientVersion:          0x0400,
6011				OmitSupportedVersions:      true,
6012				IgnoreTLS13DowngradeRandom: true,
6013			},
6014		},
6015		// TLS 1.3 must be negotiated with the supported_versions
6016		// extension, not ClientHello.version.
6017		expectedVersion: VersionTLS12,
6018	})
6019	testCases = append(testCases, testCase{
6020		testType: serverTest,
6021		name:     "VersionTolerance-TLS13",
6022		config: Config{
6023			Bugs: ProtocolBugs{
6024				// Although TLS 1.3 does not use
6025				// ClientHello.version, it still tolerates high
6026				// values there.
6027				SendClientVersion: 0x0400,
6028			},
6029		},
6030		expectedVersion: VersionTLS13,
6031	})
6032
6033	testCases = append(testCases, testCase{
6034		protocol: dtls,
6035		testType: serverTest,
6036		name:     "MinorVersionTolerance-DTLS",
6037		config: Config{
6038			Bugs: ProtocolBugs{
6039				SendClientVersion:     0xfe00,
6040				OmitSupportedVersions: true,
6041			},
6042		},
6043		expectedVersion: VersionTLS12,
6044	})
6045	testCases = append(testCases, testCase{
6046		protocol: dtls,
6047		testType: serverTest,
6048		name:     "MajorVersionTolerance-DTLS",
6049		config: Config{
6050			Bugs: ProtocolBugs{
6051				SendClientVersion:     0xfdff,
6052				OmitSupportedVersions: true,
6053			},
6054		},
6055		expectedVersion: VersionTLS12,
6056	})
6057
6058	// Test that versions below 3.0 are rejected.
6059	testCases = append(testCases, testCase{
6060		testType: serverTest,
6061		name:     "VersionTooLow",
6062		config: Config{
6063			Bugs: ProtocolBugs{
6064				SendClientVersion:     0x0200,
6065				OmitSupportedVersions: true,
6066			},
6067		},
6068		shouldFail:    true,
6069		expectedError: ":UNSUPPORTED_PROTOCOL:",
6070	})
6071	testCases = append(testCases, testCase{
6072		protocol: dtls,
6073		testType: serverTest,
6074		name:     "VersionTooLow-DTLS",
6075		config: Config{
6076			Bugs: ProtocolBugs{
6077				SendClientVersion: 0xffff,
6078			},
6079		},
6080		shouldFail:    true,
6081		expectedError: ":UNSUPPORTED_PROTOCOL:",
6082	})
6083
6084	testCases = append(testCases, testCase{
6085		name: "ServerBogusVersion",
6086		config: Config{
6087			Bugs: ProtocolBugs{
6088				SendServerHelloVersion: 0x1234,
6089			},
6090		},
6091		shouldFail:    true,
6092		expectedError: ":UNSUPPORTED_PROTOCOL:",
6093	})
6094
6095	// Test TLS 1.3's downgrade signal.
6096	var downgradeTests = []struct {
6097		name            string
6098		version         uint16
6099		clientShimError string
6100	}{
6101		{"TLS12", VersionTLS12, "tls: downgrade from TLS 1.3 detected"},
6102		{"TLS11", VersionTLS11, "tls: downgrade from TLS 1.2 detected"},
6103		// TLS 1.0 does not have a dedicated value.
6104		{"TLS10", VersionTLS10, "tls: downgrade from TLS 1.2 detected"},
6105	}
6106
6107	for _, test := range downgradeTests {
6108		// The client should enforce the downgrade sentinel.
6109		testCases = append(testCases, testCase{
6110			name: "Downgrade-" + test.name + "-Client",
6111			config: Config{
6112				Bugs: ProtocolBugs{
6113					NegotiateVersion: test.version,
6114				},
6115			},
6116			expectedVersion:    test.version,
6117			shouldFail:         true,
6118			expectedError:      ":TLS13_DOWNGRADE:",
6119			expectedLocalError: "remote error: illegal parameter",
6120		})
6121
6122		// The client should ignore the downgrade sentinel if
6123		// configured.
6124		testCases = append(testCases, testCase{
6125			name: "Downgrade-" + test.name + "-Client-Ignore",
6126			config: Config{
6127				Bugs: ProtocolBugs{
6128					NegotiateVersion: test.version,
6129				},
6130			},
6131			expectedVersion: test.version,
6132			flags: []string{
6133				"-ignore-tls13-downgrade",
6134				"-expect-tls13-downgrade",
6135			},
6136		})
6137
6138		// The server should emit the downgrade signal.
6139		testCases = append(testCases, testCase{
6140			testType: serverTest,
6141			name:     "Downgrade-" + test.name + "-Server",
6142			config: Config{
6143				Bugs: ProtocolBugs{
6144					SendSupportedVersions: []uint16{test.version},
6145				},
6146			},
6147			expectedVersion:    test.version,
6148			shouldFail:         true,
6149			expectedLocalError: test.clientShimError,
6150		})
6151	}
6152
6153	// Test that False Start is disabled when the downgrade logic triggers.
6154	testCases = append(testCases, testCase{
6155		name: "Downgrade-FalseStart",
6156		config: Config{
6157			NextProtos: []string{"foo"},
6158			Bugs: ProtocolBugs{
6159				NegotiateVersion:          VersionTLS12,
6160				ExpectFalseStart:          true,
6161				AlertBeforeFalseStartTest: alertAccessDenied,
6162			},
6163		},
6164		expectedVersion: VersionTLS12,
6165		flags: []string{
6166			"-false-start",
6167			"-advertise-alpn", "\x03foo",
6168			"-ignore-tls13-downgrade",
6169		},
6170		shimWritesFirst:    true,
6171		shouldFail:         true,
6172		expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
6173		expectedLocalError: "tls: peer did not false start: EOF",
6174	})
6175
6176	// SSL 3.0 support has been removed. Test that the shim does not
6177	// support it.
6178	testCases = append(testCases, testCase{
6179		name: "NoSSL3-Client",
6180		config: Config{
6181			MinVersion: VersionSSL30,
6182			MaxVersion: VersionSSL30,
6183		},
6184		shouldFail:         true,
6185		expectedLocalError: "tls: client did not offer any supported protocol versions",
6186	})
6187	testCases = append(testCases, testCase{
6188		name: "NoSSL3-Client-Unsolicited",
6189		config: Config{
6190			MinVersion: VersionSSL30,
6191			MaxVersion: VersionSSL30,
6192			Bugs: ProtocolBugs{
6193				// The above test asserts the client does not
6194				// offer SSL 3.0 in the supported_versions
6195				// list. Additionally assert that it rejects an
6196				// unsolicited SSL 3.0 ServerHello.
6197				NegotiateVersion: VersionSSL30,
6198			},
6199		},
6200		shouldFail:         true,
6201		expectedError:      ":UNSUPPORTED_PROTOCOL:",
6202		expectedLocalError: "remote error: protocol version not supported",
6203	})
6204	testCases = append(testCases, testCase{
6205		testType: serverTest,
6206		name:     "NoSSL3-Server",
6207		config: Config{
6208			MinVersion: VersionSSL30,
6209			MaxVersion: VersionSSL30,
6210		},
6211		shouldFail:         true,
6212		expectedError:      ":UNSUPPORTED_PROTOCOL:",
6213		expectedLocalError: "remote error: protocol version not supported",
6214	})
6215}
6216
6217func addMinimumVersionTests() {
6218	for _, protocol := range []protocol{tls, dtls} {
6219		for _, shimVers := range allVersions(protocol) {
6220			// Assemble flags to disable all older versions on the shim.
6221			var flags []string
6222			for _, vers := range allVersions(protocol) {
6223				if vers.version < shimVers.version {
6224					flags = append(flags, vers.excludeFlag)
6225				}
6226			}
6227
6228			flags2 := []string{"-min-version", shimVers.shimFlag(protocol)}
6229
6230			for _, runnerVers := range allVersions(protocol) {
6231				suffix := shimVers.name + "-" + runnerVers.name
6232				if protocol == dtls {
6233					suffix += "-DTLS"
6234				}
6235
6236				var expectedVersion uint16
6237				var shouldFail bool
6238				var expectedError, expectedLocalError string
6239				if runnerVers.version >= shimVers.version {
6240					expectedVersion = runnerVers.version
6241				} else {
6242					shouldFail = true
6243					expectedError = ":UNSUPPORTED_PROTOCOL:"
6244					expectedLocalError = "remote error: protocol version not supported"
6245				}
6246
6247				testCases = append(testCases, testCase{
6248					protocol: protocol,
6249					testType: clientTest,
6250					name:     "MinimumVersion-Client-" + suffix,
6251					config: Config{
6252						MaxVersion: runnerVers.version,
6253						Bugs: ProtocolBugs{
6254							// Ensure the server does not decline to
6255							// select a version (versions extension) or
6256							// cipher (some ciphers depend on versions).
6257							NegotiateVersion:            runnerVers.wire(protocol),
6258							IgnorePeerCipherPreferences: shouldFail,
6259						},
6260					},
6261					flags:              flags,
6262					expectedVersion:    expectedVersion,
6263					shouldFail:         shouldFail,
6264					expectedError:      expectedError,
6265					expectedLocalError: expectedLocalError,
6266				})
6267				testCases = append(testCases, testCase{
6268					protocol: protocol,
6269					testType: clientTest,
6270					name:     "MinimumVersion-Client2-" + suffix,
6271					config: Config{
6272						MaxVersion: runnerVers.version,
6273						Bugs: ProtocolBugs{
6274							// Ensure the server does not decline to
6275							// select a version (versions extension) or
6276							// cipher (some ciphers depend on versions).
6277							NegotiateVersion:            runnerVers.wire(protocol),
6278							IgnorePeerCipherPreferences: shouldFail,
6279						},
6280					},
6281					flags:              flags2,
6282					expectedVersion:    expectedVersion,
6283					shouldFail:         shouldFail,
6284					expectedError:      expectedError,
6285					expectedLocalError: expectedLocalError,
6286				})
6287
6288				testCases = append(testCases, testCase{
6289					protocol: protocol,
6290					testType: serverTest,
6291					name:     "MinimumVersion-Server-" + suffix,
6292					config: Config{
6293						MaxVersion: runnerVers.version,
6294					},
6295					flags:              flags,
6296					expectedVersion:    expectedVersion,
6297					shouldFail:         shouldFail,
6298					expectedError:      expectedError,
6299					expectedLocalError: expectedLocalError,
6300				})
6301				testCases = append(testCases, testCase{
6302					protocol: protocol,
6303					testType: serverTest,
6304					name:     "MinimumVersion-Server2-" + suffix,
6305					config: Config{
6306						MaxVersion: runnerVers.version,
6307					},
6308					flags:              flags2,
6309					expectedVersion:    expectedVersion,
6310					shouldFail:         shouldFail,
6311					expectedError:      expectedError,
6312					expectedLocalError: expectedLocalError,
6313				})
6314			}
6315		}
6316	}
6317}
6318
6319func addExtensionTests() {
6320	// TODO(davidben): Extensions, where applicable, all move their server
6321	// halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
6322	// tests for both. Also test interaction with 0-RTT when implemented.
6323
6324	// Repeat extensions tests at all versions.
6325	for _, ver := range tlsVersions {
6326		// Test that duplicate extensions are rejected.
6327		testCases = append(testCases, testCase{
6328			testType: clientTest,
6329			name:     "DuplicateExtensionClient-" + ver.name,
6330			config: Config{
6331				MaxVersion: ver.version,
6332				Bugs: ProtocolBugs{
6333					DuplicateExtension: true,
6334				},
6335			},
6336			shouldFail:         true,
6337			expectedLocalError: "remote error: error decoding message",
6338		})
6339		testCases = append(testCases, testCase{
6340			testType: serverTest,
6341			name:     "DuplicateExtensionServer-" + ver.name,
6342			config: Config{
6343				MaxVersion: ver.version,
6344				Bugs: ProtocolBugs{
6345					DuplicateExtension: true,
6346				},
6347			},
6348			shouldFail:         true,
6349			expectedLocalError: "remote error: error decoding message",
6350		})
6351
6352		// Test SNI.
6353		testCases = append(testCases, testCase{
6354			testType: clientTest,
6355			name:     "ServerNameExtensionClient-" + ver.name,
6356			config: Config{
6357				MaxVersion: ver.version,
6358				Bugs: ProtocolBugs{
6359					ExpectServerName: "example.com",
6360				},
6361			},
6362			flags: []string{"-host-name", "example.com"},
6363		})
6364		testCases = append(testCases, testCase{
6365			testType: clientTest,
6366			name:     "ServerNameExtensionClientMismatch-" + ver.name,
6367			config: Config{
6368				MaxVersion: ver.version,
6369				Bugs: ProtocolBugs{
6370					ExpectServerName: "mismatch.com",
6371				},
6372			},
6373			flags:              []string{"-host-name", "example.com"},
6374			shouldFail:         true,
6375			expectedLocalError: "tls: unexpected server name",
6376		})
6377		testCases = append(testCases, testCase{
6378			testType: clientTest,
6379			name:     "ServerNameExtensionClientMissing-" + ver.name,
6380			config: Config{
6381				MaxVersion: ver.version,
6382				Bugs: ProtocolBugs{
6383					ExpectServerName: "missing.com",
6384				},
6385			},
6386			shouldFail:         true,
6387			expectedLocalError: "tls: unexpected server name",
6388		})
6389		testCases = append(testCases, testCase{
6390			testType: clientTest,
6391			name:     "TolerateServerNameAck-" + ver.name,
6392			config: Config{
6393				MaxVersion: ver.version,
6394				Bugs: ProtocolBugs{
6395					SendServerNameAck: true,
6396				},
6397			},
6398			flags:         []string{"-host-name", "example.com"},
6399			resumeSession: true,
6400		})
6401		testCases = append(testCases, testCase{
6402			testType: clientTest,
6403			name:     "UnsolicitedServerNameAck-" + ver.name,
6404			config: Config{
6405				MaxVersion: ver.version,
6406				Bugs: ProtocolBugs{
6407					SendServerNameAck: true,
6408				},
6409			},
6410			shouldFail:         true,
6411			expectedError:      ":UNEXPECTED_EXTENSION:",
6412			expectedLocalError: "remote error: unsupported extension",
6413		})
6414		testCases = append(testCases, testCase{
6415			testType: serverTest,
6416			name:     "ServerNameExtensionServer-" + ver.name,
6417			config: Config{
6418				MaxVersion: ver.version,
6419				ServerName: "example.com",
6420			},
6421			flags:         []string{"-expect-server-name", "example.com"},
6422			resumeSession: true,
6423		})
6424
6425		// Test ALPN.
6426		testCases = append(testCases, testCase{
6427			testType: clientTest,
6428			name:     "ALPNClient-" + ver.name,
6429			config: Config{
6430				MaxVersion: ver.version,
6431				NextProtos: []string{"foo"},
6432			},
6433			flags: []string{
6434				"-advertise-alpn", "\x03foo\x03bar\x03baz",
6435				"-expect-alpn", "foo",
6436			},
6437			expectedNextProto:     "foo",
6438			expectedNextProtoType: alpn,
6439			resumeSession:         true,
6440		})
6441		testCases = append(testCases, testCase{
6442			testType: clientTest,
6443			name:     "ALPNClient-RejectUnknown-" + ver.name,
6444			config: Config{
6445				MaxVersion: ver.version,
6446				Bugs: ProtocolBugs{
6447					SendALPN: "baz",
6448				},
6449			},
6450			flags: []string{
6451				"-advertise-alpn", "\x03foo\x03bar",
6452			},
6453			shouldFail:         true,
6454			expectedError:      ":INVALID_ALPN_PROTOCOL:",
6455			expectedLocalError: "remote error: illegal parameter",
6456		})
6457		testCases = append(testCases, testCase{
6458			testType: clientTest,
6459			name:     "ALPNClient-AllowUnknown-" + ver.name,
6460			config: Config{
6461				MaxVersion: ver.version,
6462				Bugs: ProtocolBugs{
6463					SendALPN: "baz",
6464				},
6465			},
6466			flags: []string{
6467				"-advertise-alpn", "\x03foo\x03bar",
6468				"-allow-unknown-alpn-protos",
6469				"-expect-alpn", "baz",
6470			},
6471		})
6472		testCases = append(testCases, testCase{
6473			testType: serverTest,
6474			name:     "ALPNServer-" + ver.name,
6475			config: Config{
6476				MaxVersion: ver.version,
6477				NextProtos: []string{"foo", "bar", "baz"},
6478			},
6479			flags: []string{
6480				"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6481				"-select-alpn", "foo",
6482			},
6483			expectedNextProto:     "foo",
6484			expectedNextProtoType: alpn,
6485			resumeSession:         true,
6486		})
6487		testCases = append(testCases, testCase{
6488			testType: serverTest,
6489			name:     "ALPNServer-Decline-" + ver.name,
6490			config: Config{
6491				MaxVersion: ver.version,
6492				NextProtos: []string{"foo", "bar", "baz"},
6493			},
6494			flags:             []string{"-decline-alpn"},
6495			expectNoNextProto: true,
6496			resumeSession:     true,
6497		})
6498		// Test that the server implementation catches itself if the
6499		// callback tries to return an invalid empty ALPN protocol.
6500		testCases = append(testCases, testCase{
6501			testType: serverTest,
6502			name:     "ALPNServer-SelectEmpty-" + ver.name,
6503			config: Config{
6504				MaxVersion: ver.version,
6505				NextProtos: []string{"foo", "bar", "baz"},
6506			},
6507			flags: []string{
6508				"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6509				"-select-empty-alpn",
6510			},
6511			shouldFail:         true,
6512			expectedLocalError: "remote error: internal error",
6513			expectedError:      ":INVALID_ALPN_PROTOCOL:",
6514		})
6515
6516		// Test ALPN in async mode as well to ensure that extensions callbacks are only
6517		// called once.
6518		testCases = append(testCases, testCase{
6519			testType: serverTest,
6520			name:     "ALPNServer-Async-" + ver.name,
6521			config: Config{
6522				MaxVersion: ver.version,
6523				NextProtos: []string{"foo", "bar", "baz"},
6524				// Prior to TLS 1.3, exercise the asynchronous session callback.
6525				SessionTicketsDisabled: ver.version < VersionTLS13,
6526			},
6527			flags: []string{
6528				"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6529				"-select-alpn", "foo",
6530				"-async",
6531			},
6532			expectedNextProto:     "foo",
6533			expectedNextProtoType: alpn,
6534			resumeSession:         true,
6535		})
6536
6537		var emptyString string
6538		testCases = append(testCases, testCase{
6539			testType: clientTest,
6540			name:     "ALPNClient-EmptyProtocolName-" + ver.name,
6541			config: Config{
6542				MaxVersion: ver.version,
6543				NextProtos: []string{""},
6544				Bugs: ProtocolBugs{
6545					// A server returning an empty ALPN protocol
6546					// should be rejected.
6547					ALPNProtocol: &emptyString,
6548				},
6549			},
6550			flags: []string{
6551				"-advertise-alpn", "\x03foo",
6552			},
6553			shouldFail:    true,
6554			expectedError: ":PARSE_TLSEXT:",
6555		})
6556		testCases = append(testCases, testCase{
6557			testType: serverTest,
6558			name:     "ALPNServer-EmptyProtocolName-" + ver.name,
6559			config: Config{
6560				MaxVersion: ver.version,
6561				// A ClientHello containing an empty ALPN protocol
6562				// should be rejected.
6563				NextProtos: []string{"foo", "", "baz"},
6564			},
6565			flags: []string{
6566				"-select-alpn", "foo",
6567			},
6568			shouldFail:    true,
6569			expectedError: ":PARSE_TLSEXT:",
6570		})
6571
6572		// Test NPN and the interaction with ALPN.
6573		if ver.version < VersionTLS13 {
6574			// Test that the server prefers ALPN over NPN.
6575			testCases = append(testCases, testCase{
6576				testType: serverTest,
6577				name:     "ALPNServer-Preferred-" + ver.name,
6578				config: Config{
6579					MaxVersion: ver.version,
6580					NextProtos: []string{"foo", "bar", "baz"},
6581				},
6582				flags: []string{
6583					"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6584					"-select-alpn", "foo",
6585					"-advertise-npn", "\x03foo\x03bar\x03baz",
6586				},
6587				expectedNextProto:     "foo",
6588				expectedNextProtoType: alpn,
6589				resumeSession:         true,
6590			})
6591			testCases = append(testCases, testCase{
6592				testType: serverTest,
6593				name:     "ALPNServer-Preferred-Swapped-" + ver.name,
6594				config: Config{
6595					MaxVersion: ver.version,
6596					NextProtos: []string{"foo", "bar", "baz"},
6597					Bugs: ProtocolBugs{
6598						SwapNPNAndALPN: true,
6599					},
6600				},
6601				flags: []string{
6602					"-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
6603					"-select-alpn", "foo",
6604					"-advertise-npn", "\x03foo\x03bar\x03baz",
6605				},
6606				expectedNextProto:     "foo",
6607				expectedNextProtoType: alpn,
6608				resumeSession:         true,
6609			})
6610
6611			// Test that negotiating both NPN and ALPN is forbidden.
6612			testCases = append(testCases, testCase{
6613				name: "NegotiateALPNAndNPN-" + ver.name,
6614				config: Config{
6615					MaxVersion: ver.version,
6616					NextProtos: []string{"foo", "bar", "baz"},
6617					Bugs: ProtocolBugs{
6618						NegotiateALPNAndNPN: true,
6619					},
6620				},
6621				flags: []string{
6622					"-advertise-alpn", "\x03foo",
6623					"-select-next-proto", "foo",
6624				},
6625				shouldFail:    true,
6626				expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
6627			})
6628			testCases = append(testCases, testCase{
6629				name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
6630				config: Config{
6631					MaxVersion: ver.version,
6632					NextProtos: []string{"foo", "bar", "baz"},
6633					Bugs: ProtocolBugs{
6634						NegotiateALPNAndNPN: true,
6635						SwapNPNAndALPN:      true,
6636					},
6637				},
6638				flags: []string{
6639					"-advertise-alpn", "\x03foo",
6640					"-select-next-proto", "foo",
6641				},
6642				shouldFail:    true,
6643				expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
6644			})
6645		}
6646
6647		// Test Token Binding.
6648
6649		const maxTokenBindingVersion = 16
6650		const minTokenBindingVersion = 13
6651		testCases = append(testCases, testCase{
6652			testType: serverTest,
6653			name:     "TokenBinding-Server-" + ver.name,
6654
6655			config: Config{
6656				MinVersion:          ver.version,
6657				MaxVersion:          ver.version,
6658				TokenBindingParams:  []byte{0, 1, 2},
6659				TokenBindingVersion: maxTokenBindingVersion,
6660			},
6661			expectTokenBinding:        true,
6662			expectedTokenBindingParam: 2,
6663			flags: []string{
6664				"-token-binding-params",
6665				base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6666				"-expected-token-binding-param",
6667				"2",
6668			},
6669		})
6670		testCases = append(testCases, testCase{
6671			testType: serverTest,
6672			name:     "TokenBinding-Server-UnsupportedParam-" + ver.name,
6673
6674			config: Config{
6675				MinVersion:          ver.version,
6676				MaxVersion:          ver.version,
6677				TokenBindingParams:  []byte{3},
6678				TokenBindingVersion: maxTokenBindingVersion,
6679			},
6680			flags: []string{
6681				"-token-binding-params",
6682				base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6683			},
6684		})
6685		testCases = append(testCases, testCase{
6686			testType: serverTest,
6687			name:     "TokenBinding-Server-OldVersion-" + ver.name,
6688
6689			config: Config{
6690				MinVersion:          ver.version,
6691				MaxVersion:          ver.version,
6692				TokenBindingParams:  []byte{0, 1, 2},
6693				TokenBindingVersion: minTokenBindingVersion - 1,
6694			},
6695			flags: []string{
6696				"-token-binding-params",
6697				base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6698			},
6699		})
6700		testCases = append(testCases, testCase{
6701			testType: serverTest,
6702			name:     "TokenBinding-Server-NewVersion-" + ver.name,
6703
6704			config: Config{
6705				MinVersion:          ver.version,
6706				MaxVersion:          ver.version,
6707				TokenBindingParams:  []byte{0, 1, 2},
6708				TokenBindingVersion: maxTokenBindingVersion + 1,
6709			},
6710			expectTokenBinding:        true,
6711			expectedTokenBindingParam: 2,
6712			flags: []string{
6713				"-token-binding-params",
6714				base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6715				"-expected-token-binding-param",
6716				"2",
6717			},
6718		})
6719		testCases = append(testCases, testCase{
6720			testType: serverTest,
6721			name:     "TokenBinding-Server-NoParams-" + ver.name,
6722
6723			config: Config{
6724				MinVersion:          ver.version,
6725				MaxVersion:          ver.version,
6726				TokenBindingParams:  []byte{},
6727				TokenBindingVersion: maxTokenBindingVersion,
6728			},
6729			flags: []string{
6730				"-token-binding-params",
6731				base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6732			},
6733			shouldFail:    true,
6734			expectedError: ":ERROR_PARSING_EXTENSION:",
6735		})
6736		testCases = append(testCases, testCase{
6737			testType: serverTest,
6738			name:     "TokenBinding-Server-RepeatedParam" + ver.name,
6739
6740			config: Config{
6741				MinVersion:          ver.version,
6742				MaxVersion:          ver.version,
6743				TokenBindingParams:  []byte{0, 1, 2, 2},
6744				TokenBindingVersion: maxTokenBindingVersion,
6745			},
6746			expectTokenBinding:        true,
6747			expectedTokenBindingParam: 2,
6748			flags: []string{
6749				"-token-binding-params",
6750				base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6751				"-expected-token-binding-param",
6752				"2",
6753			},
6754		})
6755		testCases = append(testCases, testCase{
6756			testType: clientTest,
6757			name:     "TokenBinding-Client-" + ver.name,
6758
6759			config: Config{
6760				MinVersion:               ver.version,
6761				MaxVersion:               ver.version,
6762				TokenBindingParams:       []byte{2},
6763				TokenBindingVersion:      maxTokenBindingVersion,
6764				ExpectTokenBindingParams: []byte{0, 1, 2},
6765			},
6766			flags: []string{
6767				"-token-binding-params",
6768				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6769				"-expected-token-binding-param",
6770				"2",
6771			},
6772		})
6773		testCases = append(testCases, testCase{
6774			testType: clientTest,
6775			name:     "TokenBinding-Client-Unexpected-" + ver.name,
6776
6777			config: Config{
6778				MinVersion:          ver.version,
6779				MaxVersion:          ver.version,
6780				TokenBindingParams:  []byte{2},
6781				TokenBindingVersion: maxTokenBindingVersion,
6782			},
6783			shouldFail:    true,
6784			expectedError: ":UNEXPECTED_EXTENSION:",
6785		})
6786		testCases = append(testCases, testCase{
6787			testType: clientTest,
6788			name:     "TokenBinding-Client-ExtraParams-" + ver.name,
6789
6790			config: Config{
6791				MinVersion:               ver.version,
6792				MaxVersion:               ver.version,
6793				TokenBindingParams:       []byte{2, 1},
6794				TokenBindingVersion:      maxTokenBindingVersion,
6795				ExpectTokenBindingParams: []byte{0, 1, 2},
6796			},
6797			flags: []string{
6798				"-token-binding-params",
6799				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6800				"-expected-token-binding-param",
6801				"2",
6802			},
6803			shouldFail:    true,
6804			expectedError: ":ERROR_PARSING_EXTENSION:",
6805		})
6806		testCases = append(testCases, testCase{
6807			testType: clientTest,
6808			name:     "TokenBinding-Client-NoParams-" + ver.name,
6809
6810			config: Config{
6811				MinVersion:               ver.version,
6812				MaxVersion:               ver.version,
6813				TokenBindingParams:       []byte{},
6814				TokenBindingVersion:      maxTokenBindingVersion,
6815				ExpectTokenBindingParams: []byte{0, 1, 2},
6816			},
6817			flags: []string{
6818				"-token-binding-params",
6819				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6820				"-expected-token-binding-param",
6821				"2",
6822			},
6823			shouldFail:    true,
6824			expectedError: ":ERROR_PARSING_EXTENSION:",
6825		})
6826		testCases = append(testCases, testCase{
6827			testType: clientTest,
6828			name:     "TokenBinding-Client-WrongParam-" + ver.name,
6829
6830			config: Config{
6831				MinVersion:               ver.version,
6832				MaxVersion:               ver.version,
6833				TokenBindingParams:       []byte{3},
6834				TokenBindingVersion:      maxTokenBindingVersion,
6835				ExpectTokenBindingParams: []byte{0, 1, 2},
6836			},
6837			flags: []string{
6838				"-token-binding-params",
6839				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6840				"-expected-token-binding-param",
6841				"2",
6842			},
6843			shouldFail:    true,
6844			expectedError: ":ERROR_PARSING_EXTENSION:",
6845		})
6846		testCases = append(testCases, testCase{
6847			testType: clientTest,
6848			name:     "TokenBinding-Client-OldVersion-" + ver.name,
6849
6850			config: Config{
6851				MinVersion:               ver.version,
6852				MaxVersion:               ver.version,
6853				TokenBindingParams:       []byte{2},
6854				TokenBindingVersion:      minTokenBindingVersion - 1,
6855				ExpectTokenBindingParams: []byte{0, 1, 2},
6856			},
6857			flags: []string{
6858				"-token-binding-params",
6859				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6860			},
6861		})
6862		testCases = append(testCases, testCase{
6863			testType: clientTest,
6864			name:     "TokenBinding-Client-MinVersion-" + ver.name,
6865
6866			config: Config{
6867				MinVersion:               ver.version,
6868				MaxVersion:               ver.version,
6869				TokenBindingParams:       []byte{2},
6870				TokenBindingVersion:      minTokenBindingVersion,
6871				ExpectTokenBindingParams: []byte{0, 1, 2},
6872			},
6873			flags: []string{
6874				"-token-binding-params",
6875				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6876				"-expected-token-binding-param",
6877				"2",
6878			},
6879		})
6880		testCases = append(testCases, testCase{
6881			testType: clientTest,
6882			name:     "TokenBinding-Client-VersionTooNew-" + ver.name,
6883
6884			config: Config{
6885				MinVersion:               ver.version,
6886				MaxVersion:               ver.version,
6887				TokenBindingParams:       []byte{2},
6888				TokenBindingVersion:      maxTokenBindingVersion + 1,
6889				ExpectTokenBindingParams: []byte{0, 1, 2},
6890			},
6891			flags: []string{
6892				"-token-binding-params",
6893				base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
6894			},
6895			shouldFail:    true,
6896			expectedError: "ERROR_PARSING_EXTENSION",
6897		})
6898		if ver.version < VersionTLS13 {
6899			testCases = append(testCases, testCase{
6900				testType: clientTest,
6901				name:     "TokenBinding-Client-NoEMS-" + ver.name,
6902
6903				config: Config{
6904					MinVersion:               ver.version,
6905					MaxVersion:               ver.version,
6906					TokenBindingParams:       []byte{2},
6907					TokenBindingVersion:      maxTokenBindingVersion,
6908					ExpectTokenBindingParams: []byte{2, 1, 0},
6909					Bugs: ProtocolBugs{
6910						NoExtendedMasterSecret: true,
6911					},
6912				},
6913				flags: []string{
6914					"-token-binding-params",
6915					base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6916				},
6917				shouldFail:    true,
6918				expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6919			})
6920			testCases = append(testCases, testCase{
6921				testType: serverTest,
6922				name:     "TokenBinding-Server-NoEMS-" + ver.name,
6923
6924				config: Config{
6925					MinVersion:          ver.version,
6926					MaxVersion:          ver.version,
6927					TokenBindingParams:  []byte{0, 1, 2},
6928					TokenBindingVersion: maxTokenBindingVersion,
6929					Bugs: ProtocolBugs{
6930						NoExtendedMasterSecret: true,
6931					},
6932				},
6933				flags: []string{
6934					"-token-binding-params",
6935					base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6936				},
6937				shouldFail:    true,
6938				expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6939			})
6940			testCases = append(testCases, testCase{
6941				testType: clientTest,
6942				name:     "TokenBinding-Client-NoRI-" + ver.name,
6943
6944				config: Config{
6945					MinVersion:               ver.version,
6946					MaxVersion:               ver.version,
6947					TokenBindingParams:       []byte{2},
6948					TokenBindingVersion:      maxTokenBindingVersion,
6949					ExpectTokenBindingParams: []byte{2, 1, 0},
6950					Bugs: ProtocolBugs{
6951						NoRenegotiationInfo: true,
6952					},
6953				},
6954				flags: []string{
6955					"-token-binding-params",
6956					base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6957				},
6958				shouldFail:    true,
6959				expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6960			})
6961			testCases = append(testCases, testCase{
6962				testType: serverTest,
6963				name:     "TokenBinding-Server-NoRI-" + ver.name,
6964
6965				config: Config{
6966					MinVersion:          ver.version,
6967					MaxVersion:          ver.version,
6968					TokenBindingParams:  []byte{0, 1, 2},
6969					TokenBindingVersion: maxTokenBindingVersion,
6970					Bugs: ProtocolBugs{
6971						NoRenegotiationInfo: true,
6972					},
6973				},
6974				flags: []string{
6975					"-token-binding-params",
6976					base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6977				},
6978				shouldFail:    true,
6979				expectedError: ":NEGOTIATED_TB_WITHOUT_EMS_OR_RI:",
6980			})
6981		} else {
6982			testCases = append(testCases, testCase{
6983				testType: clientTest,
6984				name:     "TokenBinding-WithEarlyDataFails-" + ver.name,
6985				config: Config{
6986					MinVersion:               ver.version,
6987					MaxVersion:               ver.version,
6988					TokenBindingParams:       []byte{2},
6989					TokenBindingVersion:      maxTokenBindingVersion,
6990					ExpectTokenBindingParams: []byte{2, 1, 0},
6991					MaxEarlyDataSize:         16384,
6992				},
6993				resumeSession: true,
6994				flags: []string{
6995					"-enable-early-data",
6996					"-expect-ticket-supports-early-data",
6997					"-token-binding-params",
6998					base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
6999				},
7000				shouldFail:    true,
7001				expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:",
7002			})
7003			testCases = append(testCases, testCase{
7004				testType: serverTest,
7005				name:     "TokenBinding-EarlyDataRejected-" + ver.name,
7006				config: Config{
7007					MinVersion:          ver.version,
7008					MaxVersion:          ver.version,
7009					TokenBindingParams:  []byte{0, 1, 2},
7010					TokenBindingVersion: maxTokenBindingVersion,
7011					MaxEarlyDataSize:    16384,
7012				},
7013				resumeSession:             true,
7014				expectTokenBinding:        true,
7015				expectedTokenBindingParam: 2,
7016				flags: []string{
7017					"-enable-early-data",
7018					"-expect-ticket-supports-early-data",
7019					"-token-binding-params",
7020					base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
7021				},
7022			})
7023		}
7024
7025		// Test QUIC transport params
7026		if ver.version >= VersionTLS13 {
7027			// Client sends params
7028			testCases = append(testCases, testCase{
7029				testType: clientTest,
7030				name:     "QUICTransportParams-Client-" + ver.name,
7031				config: Config{
7032					MinVersion:          ver.version,
7033					MaxVersion:          ver.version,
7034					QUICTransportParams: []byte{1, 2},
7035				},
7036				flags: []string{
7037					"-quic-transport-params",
7038					base64.StdEncoding.EncodeToString([]byte{3, 4}),
7039					"-expected-quic-transport-params",
7040					base64.StdEncoding.EncodeToString([]byte{1, 2}),
7041				},
7042				expectedQUICTransportParams: []byte{3, 4},
7043			})
7044			// Server sends params
7045			testCases = append(testCases, testCase{
7046				testType: serverTest,
7047				name:     "QUICTransportParams-Server-" + ver.name,
7048				config: Config{
7049					MinVersion:          ver.version,
7050					MaxVersion:          ver.version,
7051					QUICTransportParams: []byte{1, 2},
7052				},
7053				flags: []string{
7054					"-quic-transport-params",
7055					base64.StdEncoding.EncodeToString([]byte{3, 4}),
7056					"-expected-quic-transport-params",
7057					base64.StdEncoding.EncodeToString([]byte{1, 2}),
7058				},
7059				expectedQUICTransportParams: []byte{3, 4},
7060			})
7061		} else {
7062			testCases = append(testCases, testCase{
7063				testType: clientTest,
7064				name:     "QUICTransportParams-Client-NotSent-" + ver.name,
7065				config: Config{
7066					MinVersion: ver.version,
7067					MaxVersion: ver.version,
7068				},
7069				flags: []string{
7070					"-max-version",
7071					strconv.Itoa(int(ver.version)),
7072					"-quic-transport-params",
7073					base64.StdEncoding.EncodeToString([]byte{3, 4}),
7074				},
7075			})
7076			testCases = append(testCases, testCase{
7077				testType: clientTest,
7078				name:     "QUICTransportParams-Client-Rejected-" + ver.name,
7079				config: Config{
7080					MinVersion:          ver.version,
7081					MaxVersion:          ver.version,
7082					QUICTransportParams: []byte{1, 2},
7083				},
7084				flags: []string{
7085					"-quic-transport-params",
7086					base64.StdEncoding.EncodeToString([]byte{3, 4}),
7087				},
7088				shouldFail:    true,
7089				expectedError: ":ERROR_PARSING_EXTENSION:",
7090			})
7091			testCases = append(testCases, testCase{
7092				testType: serverTest,
7093				name:     "QUICTransportParams-Server-Rejected-" + ver.name,
7094				config: Config{
7095					MinVersion:          ver.version,
7096					MaxVersion:          ver.version,
7097					QUICTransportParams: []byte{1, 2},
7098				},
7099				flags: []string{
7100					"-expected-quic-transport-params",
7101					base64.StdEncoding.EncodeToString([]byte{1, 2}),
7102				},
7103				shouldFail:    true,
7104				expectedError: "QUIC transport params mismatch",
7105			})
7106			testCases = append(testCases, testCase{
7107				testType: serverTest,
7108				name:     "QUICTransportParams-OldServerIgnores-" + ver.name,
7109				config: Config{
7110					MaxVersion:          VersionTLS13,
7111					QUICTransportParams: []byte{1, 2},
7112				},
7113				flags: []string{
7114					"-min-version", ver.shimFlag(tls),
7115					"-max-version", ver.shimFlag(tls),
7116				},
7117			})
7118		}
7119
7120		// Test ticket behavior.
7121
7122		// Resume with a corrupt ticket.
7123		testCases = append(testCases, testCase{
7124			testType: serverTest,
7125			name:     "CorruptTicket-" + ver.name,
7126			config: Config{
7127				MaxVersion: ver.version,
7128				Bugs: ProtocolBugs{
7129					FilterTicket: func(in []byte) ([]byte, error) {
7130						in[len(in)-1] ^= 1
7131						return in, nil
7132					},
7133				},
7134			},
7135			resumeSession:        true,
7136			expectResumeRejected: true,
7137		})
7138		// Test the ticket callback, with and without renewal.
7139		testCases = append(testCases, testCase{
7140			testType: serverTest,
7141			name:     "TicketCallback-" + ver.name,
7142			config: Config{
7143				MaxVersion: ver.version,
7144			},
7145			resumeSession: true,
7146			flags:         []string{"-use-ticket-callback"},
7147		})
7148		testCases = append(testCases, testCase{
7149			testType: serverTest,
7150			name:     "TicketCallback-Renew-" + ver.name,
7151			config: Config{
7152				MaxVersion: ver.version,
7153				Bugs: ProtocolBugs{
7154					ExpectNewTicket: true,
7155				},
7156			},
7157			flags:         []string{"-use-ticket-callback", "-renew-ticket"},
7158			resumeSession: true,
7159		})
7160
7161		// Test that the ticket callback is only called once when everything before
7162		// it in the ClientHello is asynchronous. This corrupts the ticket so
7163		// certificate selection callbacks run.
7164		testCases = append(testCases, testCase{
7165			testType: serverTest,
7166			name:     "TicketCallback-SingleCall-" + ver.name,
7167			config: Config{
7168				MaxVersion: ver.version,
7169				Bugs: ProtocolBugs{
7170					FilterTicket: func(in []byte) ([]byte, error) {
7171						in[len(in)-1] ^= 1
7172						return in, nil
7173					},
7174				},
7175			},
7176			resumeSession:        true,
7177			expectResumeRejected: true,
7178			flags: []string{
7179				"-use-ticket-callback",
7180				"-async",
7181			},
7182		})
7183
7184		// Resume with various lengths of ticket session id.
7185		if ver.version < VersionTLS13 {
7186			testCases = append(testCases, testCase{
7187				testType: serverTest,
7188				name:     "TicketSessionIDLength-0-" + ver.name,
7189				config: Config{
7190					MaxVersion: ver.version,
7191					Bugs: ProtocolBugs{
7192						EmptyTicketSessionID: true,
7193					},
7194				},
7195				resumeSession: true,
7196			})
7197			testCases = append(testCases, testCase{
7198				testType: serverTest,
7199				name:     "TicketSessionIDLength-16-" + ver.name,
7200				config: Config{
7201					MaxVersion: ver.version,
7202					Bugs: ProtocolBugs{
7203						TicketSessionIDLength: 16,
7204					},
7205				},
7206				resumeSession: true,
7207			})
7208			testCases = append(testCases, testCase{
7209				testType: serverTest,
7210				name:     "TicketSessionIDLength-32-" + ver.name,
7211				config: Config{
7212					MaxVersion: ver.version,
7213					Bugs: ProtocolBugs{
7214						TicketSessionIDLength: 32,
7215					},
7216				},
7217				resumeSession: true,
7218			})
7219			testCases = append(testCases, testCase{
7220				testType: serverTest,
7221				name:     "TicketSessionIDLength-33-" + ver.name,
7222				config: Config{
7223					MaxVersion: ver.version,
7224					Bugs: ProtocolBugs{
7225						TicketSessionIDLength: 33,
7226					},
7227				},
7228				resumeSession: true,
7229				shouldFail:    true,
7230				// The maximum session ID length is 32.
7231				expectedError: ":DECODE_ERROR:",
7232			})
7233		}
7234
7235		// Basic DTLS-SRTP tests. Include fake profiles to ensure they
7236		// are ignored.
7237		if ver.hasDTLS {
7238			testCases = append(testCases, testCase{
7239				protocol: dtls,
7240				name:     "SRTP-Client-" + ver.name,
7241				config: Config{
7242					MaxVersion:             ver.version,
7243					SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
7244				},
7245				flags: []string{
7246					"-srtp-profiles",
7247					"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7248				},
7249				expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
7250			})
7251			testCases = append(testCases, testCase{
7252				protocol: dtls,
7253				testType: serverTest,
7254				name:     "SRTP-Server-" + ver.name,
7255				config: Config{
7256					MaxVersion:             ver.version,
7257					SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
7258				},
7259				flags: []string{
7260					"-srtp-profiles",
7261					"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7262				},
7263				expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
7264			})
7265			// Test that the MKI is ignored.
7266			testCases = append(testCases, testCase{
7267				protocol: dtls,
7268				testType: serverTest,
7269				name:     "SRTP-Server-IgnoreMKI-" + ver.name,
7270				config: Config{
7271					MaxVersion:             ver.version,
7272					SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
7273					Bugs: ProtocolBugs{
7274						SRTPMasterKeyIdentifer: "bogus",
7275					},
7276				},
7277				flags: []string{
7278					"-srtp-profiles",
7279					"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7280				},
7281				expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
7282			})
7283			// Test that SRTP isn't negotiated on the server if there were
7284			// no matching profiles.
7285			testCases = append(testCases, testCase{
7286				protocol: dtls,
7287				testType: serverTest,
7288				name:     "SRTP-Server-NoMatch-" + ver.name,
7289				config: Config{
7290					MaxVersion:             ver.version,
7291					SRTPProtectionProfiles: []uint16{100, 101, 102},
7292				},
7293				flags: []string{
7294					"-srtp-profiles",
7295					"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
7296				},
7297				expectedSRTPProtectionProfile: 0,
7298			})
7299			// Test that the server returning an invalid SRTP profile is
7300			// flagged as an error by the client.
7301			testCases = append(testCases, testCase{
7302				protocol: dtls,
7303				name:     "SRTP-Client-NoMatch-" + ver.name,
7304				config: Config{
7305					MaxVersion: ver.version,
7306					Bugs: ProtocolBugs{
7307						SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
7308					},
7309				},
7310				flags: []string{
7311					"-srtp-profiles",
7312					"SRTP_AES128_CM_SHA1_80",
7313				},
7314				shouldFail:    true,
7315				expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
7316			})
7317		}
7318
7319		// Test SCT list.
7320		testCases = append(testCases, testCase{
7321			name:     "SignedCertificateTimestampList-Client-" + ver.name,
7322			testType: clientTest,
7323			config: Config{
7324				MaxVersion: ver.version,
7325			},
7326			flags: []string{
7327				"-enable-signed-cert-timestamps",
7328				"-expect-signed-cert-timestamps",
7329				base64.StdEncoding.EncodeToString(testSCTList),
7330			},
7331			resumeSession: true,
7332		})
7333
7334		var differentSCTList []byte
7335		differentSCTList = append(differentSCTList, testSCTList...)
7336		differentSCTList[len(differentSCTList)-1] ^= 1
7337
7338		// The SCT extension did not specify that it must only be sent on resumption as it
7339		// should have, so test that we tolerate but ignore it.
7340		testCases = append(testCases, testCase{
7341			name: "SendSCTListOnResume-" + ver.name,
7342			config: Config{
7343				MaxVersion: ver.version,
7344				Bugs: ProtocolBugs{
7345					SendSCTListOnResume: differentSCTList,
7346				},
7347			},
7348			flags: []string{
7349				"-enable-signed-cert-timestamps",
7350				"-expect-signed-cert-timestamps",
7351				base64.StdEncoding.EncodeToString(testSCTList),
7352			},
7353			resumeSession: true,
7354		})
7355
7356		testCases = append(testCases, testCase{
7357			name:     "SignedCertificateTimestampList-Server-" + ver.name,
7358			testType: serverTest,
7359			config: Config{
7360				MaxVersion: ver.version,
7361			},
7362			flags: []string{
7363				"-signed-cert-timestamps",
7364				base64.StdEncoding.EncodeToString(testSCTList),
7365			},
7366			expectedSCTList: testSCTList,
7367			resumeSession:   true,
7368		})
7369
7370		emptySCTListCert := *testCerts[0].cert
7371		emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
7372
7373		// Test empty SCT list.
7374		testCases = append(testCases, testCase{
7375			name:     "SignedCertificateTimestampListEmpty-Client-" + ver.name,
7376			testType: clientTest,
7377			config: Config{
7378				MaxVersion:   ver.version,
7379				Certificates: []Certificate{emptySCTListCert},
7380			},
7381			flags: []string{
7382				"-enable-signed-cert-timestamps",
7383			},
7384			shouldFail:    true,
7385			expectedError: ":ERROR_PARSING_EXTENSION:",
7386		})
7387
7388		emptySCTCert := *testCerts[0].cert
7389		emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
7390
7391		// Test empty SCT in non-empty list.
7392		testCases = append(testCases, testCase{
7393			name:     "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
7394			testType: clientTest,
7395			config: Config{
7396				MaxVersion:   ver.version,
7397				Certificates: []Certificate{emptySCTCert},
7398			},
7399			flags: []string{
7400				"-enable-signed-cert-timestamps",
7401			},
7402			shouldFail:    true,
7403			expectedError: ":ERROR_PARSING_EXTENSION:",
7404		})
7405
7406		// Test that certificate-related extensions are not sent unsolicited.
7407		testCases = append(testCases, testCase{
7408			testType: serverTest,
7409			name:     "UnsolicitedCertificateExtensions-" + ver.name,
7410			config: Config{
7411				MaxVersion: ver.version,
7412				Bugs: ProtocolBugs{
7413					NoOCSPStapling:                true,
7414					NoSignedCertificateTimestamps: true,
7415				},
7416			},
7417			flags: []string{
7418				"-ocsp-response",
7419				base64.StdEncoding.EncodeToString(testOCSPResponse),
7420				"-signed-cert-timestamps",
7421				base64.StdEncoding.EncodeToString(testSCTList),
7422			},
7423		})
7424	}
7425
7426	testCases = append(testCases, testCase{
7427		testType: clientTest,
7428		name:     "ClientHelloPadding",
7429		config: Config{
7430			Bugs: ProtocolBugs{
7431				RequireClientHelloSize: 512,
7432			},
7433		},
7434		// This hostname just needs to be long enough to push the
7435		// ClientHello into F5's danger zone between 256 and 511 bytes
7436		// long.
7437		flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
7438	})
7439
7440	// Test that illegal extensions in TLS 1.3 are rejected by the client if
7441	// in ServerHello.
7442	testCases = append(testCases, testCase{
7443		name: "NPN-Forbidden-TLS13",
7444		config: Config{
7445			MaxVersion: VersionTLS13,
7446			NextProtos: []string{"foo"},
7447			Bugs: ProtocolBugs{
7448				NegotiateNPNAtAllVersions: true,
7449			},
7450		},
7451		flags:         []string{"-select-next-proto", "foo"},
7452		shouldFail:    true,
7453		expectedError: ":ERROR_PARSING_EXTENSION:",
7454	})
7455	testCases = append(testCases, testCase{
7456		name: "EMS-Forbidden-TLS13",
7457		config: Config{
7458			MaxVersion: VersionTLS13,
7459			Bugs: ProtocolBugs{
7460				NegotiateEMSAtAllVersions: true,
7461			},
7462		},
7463		shouldFail:    true,
7464		expectedError: ":ERROR_PARSING_EXTENSION:",
7465	})
7466	testCases = append(testCases, testCase{
7467		name: "RenegotiationInfo-Forbidden-TLS13",
7468		config: Config{
7469			MaxVersion: VersionTLS13,
7470			Bugs: ProtocolBugs{
7471				NegotiateRenegotiationInfoAtAllVersions: true,
7472			},
7473		},
7474		shouldFail:    true,
7475		expectedError: ":ERROR_PARSING_EXTENSION:",
7476	})
7477	testCases = append(testCases, testCase{
7478		name: "Ticket-Forbidden-TLS13",
7479		config: Config{
7480			MaxVersion: VersionTLS12,
7481		},
7482		resumeConfig: &Config{
7483			MaxVersion: VersionTLS13,
7484			Bugs: ProtocolBugs{
7485				AdvertiseTicketExtension: true,
7486			},
7487		},
7488		resumeSession: true,
7489		shouldFail:    true,
7490		expectedError: ":ERROR_PARSING_EXTENSION:",
7491	})
7492
7493	// Test that illegal extensions in TLS 1.3 are declined by the server if
7494	// offered in ClientHello. The runner's server will fail if this occurs,
7495	// so we exercise the offering path. (EMS and Renegotiation Info are
7496	// implicit in every test.)
7497	testCases = append(testCases, testCase{
7498		testType: serverTest,
7499		name:     "NPN-Declined-TLS13",
7500		config: Config{
7501			MaxVersion: VersionTLS13,
7502			NextProtos: []string{"bar"},
7503		},
7504		flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
7505	})
7506
7507	// OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
7508	// tolerated.
7509	testCases = append(testCases, testCase{
7510		name: "SendOCSPResponseOnResume-TLS12",
7511		config: Config{
7512			MaxVersion: VersionTLS12,
7513			Bugs: ProtocolBugs{
7514				SendOCSPResponseOnResume: []byte("bogus"),
7515			},
7516		},
7517		flags: []string{
7518			"-enable-ocsp-stapling",
7519			"-expect-ocsp-response",
7520			base64.StdEncoding.EncodeToString(testOCSPResponse),
7521		},
7522		resumeSession: true,
7523	})
7524
7525	testCases = append(testCases, testCase{
7526		name: "SendUnsolicitedOCSPOnCertificate-TLS13",
7527		config: Config{
7528			MaxVersion: VersionTLS13,
7529			Bugs: ProtocolBugs{
7530				SendExtensionOnCertificate: testOCSPExtension,
7531			},
7532		},
7533		shouldFail:    true,
7534		expectedError: ":UNEXPECTED_EXTENSION:",
7535	})
7536
7537	testCases = append(testCases, testCase{
7538		name: "SendUnsolicitedSCTOnCertificate-TLS13",
7539		config: Config{
7540			MaxVersion: VersionTLS13,
7541			Bugs: ProtocolBugs{
7542				SendExtensionOnCertificate: testSCTExtension,
7543			},
7544		},
7545		shouldFail:    true,
7546		expectedError: ":UNEXPECTED_EXTENSION:",
7547	})
7548
7549	// Test that extensions on client certificates are never accepted.
7550	testCases = append(testCases, testCase{
7551		name:     "SendExtensionOnClientCertificate-TLS13",
7552		testType: serverTest,
7553		config: Config{
7554			MaxVersion:   VersionTLS13,
7555			Certificates: []Certificate{rsaCertificate},
7556			Bugs: ProtocolBugs{
7557				SendExtensionOnCertificate: testOCSPExtension,
7558			},
7559		},
7560		flags: []string{
7561			"-enable-ocsp-stapling",
7562			"-require-any-client-certificate",
7563		},
7564		shouldFail:    true,
7565		expectedError: ":UNEXPECTED_EXTENSION:",
7566	})
7567
7568	testCases = append(testCases, testCase{
7569		name: "SendUnknownExtensionOnCertificate-TLS13",
7570		config: Config{
7571			MaxVersion: VersionTLS13,
7572			Bugs: ProtocolBugs{
7573				SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
7574			},
7575		},
7576		shouldFail:    true,
7577		expectedError: ":UNEXPECTED_EXTENSION:",
7578	})
7579
7580	// Test that extensions on intermediates are allowed but ignored.
7581	testCases = append(testCases, testCase{
7582		name: "IgnoreExtensionsOnIntermediates-TLS13",
7583		config: Config{
7584			MaxVersion:   VersionTLS13,
7585			Certificates: []Certificate{rsaChainCertificate},
7586			Bugs: ProtocolBugs{
7587				// Send different values on the intermediate. This tests
7588				// the intermediate's extensions do not override the
7589				// leaf's.
7590				SendOCSPOnIntermediates: testOCSPResponse2,
7591				SendSCTOnIntermediates:  testSCTList2,
7592			},
7593		},
7594		flags: []string{
7595			"-enable-ocsp-stapling",
7596			"-expect-ocsp-response",
7597			base64.StdEncoding.EncodeToString(testOCSPResponse),
7598			"-enable-signed-cert-timestamps",
7599			"-expect-signed-cert-timestamps",
7600			base64.StdEncoding.EncodeToString(testSCTList),
7601		},
7602		resumeSession: true,
7603	})
7604
7605	// Test that extensions are not sent on intermediates when configured
7606	// only for a leaf.
7607	testCases = append(testCases, testCase{
7608		testType: serverTest,
7609		name:     "SendNoExtensionsOnIntermediate-TLS13",
7610		config: Config{
7611			MaxVersion: VersionTLS13,
7612			Bugs: ProtocolBugs{
7613				ExpectNoExtensionsOnIntermediate: true,
7614			},
7615		},
7616		flags: []string{
7617			"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
7618			"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
7619			"-ocsp-response",
7620			base64.StdEncoding.EncodeToString(testOCSPResponse),
7621			"-signed-cert-timestamps",
7622			base64.StdEncoding.EncodeToString(testSCTList),
7623		},
7624	})
7625
7626	// Test that extensions are not sent on client certificates.
7627	testCases = append(testCases, testCase{
7628		name: "SendNoClientCertificateExtensions-TLS13",
7629		config: Config{
7630			MaxVersion: VersionTLS13,
7631			ClientAuth: RequireAnyClientCert,
7632		},
7633		flags: []string{
7634			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7635			"-key-file", path.Join(*resourceDir, rsaKeyFile),
7636			"-ocsp-response",
7637			base64.StdEncoding.EncodeToString(testOCSPResponse),
7638			"-signed-cert-timestamps",
7639			base64.StdEncoding.EncodeToString(testSCTList),
7640		},
7641	})
7642
7643	testCases = append(testCases, testCase{
7644		name: "SendDuplicateExtensionsOnCerts-TLS13",
7645		config: Config{
7646			MaxVersion: VersionTLS13,
7647			Bugs: ProtocolBugs{
7648				SendDuplicateCertExtensions: true,
7649			},
7650		},
7651		flags: []string{
7652			"-enable-ocsp-stapling",
7653			"-enable-signed-cert-timestamps",
7654		},
7655		resumeSession: true,
7656		shouldFail:    true,
7657		expectedError: ":DUPLICATE_EXTENSION:",
7658	})
7659
7660	testCases = append(testCases, testCase{
7661		name:     "SignedCertificateTimestampListInvalid-Server",
7662		testType: serverTest,
7663		flags: []string{
7664			"-signed-cert-timestamps",
7665			base64.StdEncoding.EncodeToString([]byte{0, 0}),
7666		},
7667		shouldFail:    true,
7668		expectedError: ":INVALID_SCT_LIST:",
7669	})
7670}
7671
7672func addResumptionVersionTests() {
7673	for _, sessionVers := range tlsVersions {
7674		for _, resumeVers := range tlsVersions {
7675			protocols := []protocol{tls}
7676			if sessionVers.hasDTLS && resumeVers.hasDTLS {
7677				protocols = append(protocols, dtls)
7678			}
7679			for _, protocol := range protocols {
7680				suffix := "-" + sessionVers.name + "-" + resumeVers.name
7681				if protocol == dtls {
7682					suffix += "-DTLS"
7683				}
7684
7685				if sessionVers.version == resumeVers.version {
7686					testCases = append(testCases, testCase{
7687						protocol:      protocol,
7688						name:          "Resume-Client" + suffix,
7689						resumeSession: true,
7690						config: Config{
7691							MaxVersion: sessionVers.version,
7692							Bugs: ProtocolBugs{
7693								ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
7694							},
7695						},
7696						expectedVersion:       sessionVers.version,
7697						expectedResumeVersion: resumeVers.version,
7698					})
7699				} else {
7700					testCases = append(testCases, testCase{
7701						protocol:      protocol,
7702						name:          "Resume-Client-Mismatch" + suffix,
7703						resumeSession: true,
7704						config: Config{
7705							MaxVersion: sessionVers.version,
7706						},
7707						expectedVersion: sessionVers.version,
7708						resumeConfig: &Config{
7709							MaxVersion: resumeVers.version,
7710							Bugs: ProtocolBugs{
7711								AcceptAnySession: true,
7712							},
7713						},
7714						expectedResumeVersion: resumeVers.version,
7715						shouldFail:            true,
7716						expectedError:         ":OLD_SESSION_VERSION_NOT_RETURNED:",
7717					})
7718				}
7719
7720				testCases = append(testCases, testCase{
7721					protocol:      protocol,
7722					name:          "Resume-Client-NoResume" + suffix,
7723					resumeSession: true,
7724					config: Config{
7725						MaxVersion: sessionVers.version,
7726					},
7727					expectedVersion: sessionVers.version,
7728					resumeConfig: &Config{
7729						MaxVersion: resumeVers.version,
7730					},
7731					newSessionsOnResume:   true,
7732					expectResumeRejected:  true,
7733					expectedResumeVersion: resumeVers.version,
7734				})
7735
7736				testCases = append(testCases, testCase{
7737					protocol:      protocol,
7738					testType:      serverTest,
7739					name:          "Resume-Server" + suffix,
7740					resumeSession: true,
7741					config: Config{
7742						MaxVersion: sessionVers.version,
7743					},
7744					expectedVersion:      sessionVers.version,
7745					expectResumeRejected: sessionVers != resumeVers,
7746					resumeConfig: &Config{
7747						MaxVersion: resumeVers.version,
7748						Bugs: ProtocolBugs{
7749							SendBothTickets: true,
7750						},
7751					},
7752					expectedResumeVersion: resumeVers.version,
7753				})
7754
7755				// Repeat the test using session IDs, rather than tickets.
7756				if sessionVers.version < VersionTLS13 && resumeVers.version < VersionTLS13 {
7757					testCases = append(testCases, testCase{
7758						protocol:      protocol,
7759						testType:      serverTest,
7760						name:          "Resume-Server-NoTickets" + suffix,
7761						resumeSession: true,
7762						config: Config{
7763							MaxVersion:             sessionVers.version,
7764							SessionTicketsDisabled: true,
7765						},
7766						expectedVersion:      sessionVers.version,
7767						expectResumeRejected: sessionVers != resumeVers,
7768						resumeConfig: &Config{
7769							MaxVersion:             resumeVers.version,
7770							SessionTicketsDisabled: true,
7771						},
7772						expectedResumeVersion: resumeVers.version,
7773					})
7774				}
7775			}
7776		}
7777	}
7778
7779	// Make sure shim ticket mutations are functional.
7780	testCases = append(testCases, testCase{
7781		testType:      serverTest,
7782		name:          "ShimTicketRewritable",
7783		resumeSession: true,
7784		config: Config{
7785			MaxVersion:   VersionTLS12,
7786			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7787			Bugs: ProtocolBugs{
7788				FilterTicket: func(in []byte) ([]byte, error) {
7789					in, err := SetShimTicketVersion(in, VersionTLS12)
7790					if err != nil {
7791						return nil, err
7792					}
7793					return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
7794				},
7795			},
7796		},
7797		flags: []string{
7798			"-ticket-key",
7799			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7800		},
7801	})
7802
7803	// Resumptions are declined if the version does not match.
7804	testCases = append(testCases, testCase{
7805		testType:      serverTest,
7806		name:          "Resume-Server-DeclineCrossVersion",
7807		resumeSession: true,
7808		config: Config{
7809			MaxVersion: VersionTLS12,
7810			Bugs: ProtocolBugs{
7811				ExpectNewTicket: true,
7812				FilterTicket: func(in []byte) ([]byte, error) {
7813					return SetShimTicketVersion(in, VersionTLS13)
7814				},
7815			},
7816		},
7817		flags: []string{
7818			"-ticket-key",
7819			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7820		},
7821		expectResumeRejected: true,
7822	})
7823
7824	testCases = append(testCases, testCase{
7825		testType:      serverTest,
7826		name:          "Resume-Server-DeclineCrossVersion-TLS13",
7827		resumeSession: true,
7828		config: Config{
7829			MaxVersion: VersionTLS13,
7830			Bugs: ProtocolBugs{
7831				FilterTicket: func(in []byte) ([]byte, error) {
7832					return SetShimTicketVersion(in, VersionTLS12)
7833				},
7834			},
7835		},
7836		flags: []string{
7837			"-ticket-key",
7838			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7839		},
7840		expectResumeRejected: true,
7841	})
7842
7843	// Resumptions are declined if the cipher is invalid or disabled.
7844	testCases = append(testCases, testCase{
7845		testType:      serverTest,
7846		name:          "Resume-Server-DeclineBadCipher",
7847		resumeSession: true,
7848		config: Config{
7849			MaxVersion: VersionTLS12,
7850			Bugs: ProtocolBugs{
7851				ExpectNewTicket: true,
7852				FilterTicket: func(in []byte) ([]byte, error) {
7853					return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
7854				},
7855			},
7856		},
7857		flags: []string{
7858			"-ticket-key",
7859			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7860		},
7861		expectResumeRejected: true,
7862	})
7863
7864	testCases = append(testCases, testCase{
7865		testType:      serverTest,
7866		name:          "Resume-Server-DeclineBadCipher-2",
7867		resumeSession: true,
7868		config: Config{
7869			MaxVersion: VersionTLS12,
7870			Bugs: ProtocolBugs{
7871				ExpectNewTicket: true,
7872				FilterTicket: func(in []byte) ([]byte, error) {
7873					return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
7874				},
7875			},
7876		},
7877		flags: []string{
7878			"-cipher", "AES128",
7879			"-ticket-key",
7880			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7881		},
7882		expectResumeRejected: true,
7883	})
7884
7885	// Sessions are not resumed if they do not use the preferred cipher.
7886	testCases = append(testCases, testCase{
7887		testType:      serverTest,
7888		name:          "Resume-Server-CipherNotPreferred",
7889		resumeSession: true,
7890		config: Config{
7891			MaxVersion: VersionTLS12,
7892			Bugs: ProtocolBugs{
7893				ExpectNewTicket: true,
7894				FilterTicket: func(in []byte) ([]byte, error) {
7895					return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
7896				},
7897			},
7898		},
7899		flags: []string{
7900			"-ticket-key",
7901			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7902		},
7903		shouldFail:           false,
7904		expectResumeRejected: true,
7905	})
7906
7907	// TLS 1.3 allows sessions to be resumed at a different cipher if their
7908	// PRF hashes match, but BoringSSL will always decline such resumptions.
7909	testCases = append(testCases, testCase{
7910		testType:      serverTest,
7911		name:          "Resume-Server-CipherNotPreferred-TLS13",
7912		resumeSession: true,
7913		config: Config{
7914			MaxVersion:   VersionTLS13,
7915			CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
7916			Bugs: ProtocolBugs{
7917				FilterTicket: func(in []byte) ([]byte, error) {
7918					// If the client (runner) offers ChaCha20-Poly1305 first, the
7919					// server (shim) always prefers it. Switch it to AES-GCM.
7920					return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
7921				},
7922			},
7923		},
7924		flags: []string{
7925			"-ticket-key",
7926			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7927		},
7928		shouldFail:           false,
7929		expectResumeRejected: true,
7930	})
7931
7932	// Sessions may not be resumed if they contain another version's cipher.
7933	testCases = append(testCases, testCase{
7934		testType:      serverTest,
7935		name:          "Resume-Server-DeclineBadCipher-TLS13",
7936		resumeSession: true,
7937		config: Config{
7938			MaxVersion: VersionTLS13,
7939			Bugs: ProtocolBugs{
7940				FilterTicket: func(in []byte) ([]byte, error) {
7941					return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
7942				},
7943			},
7944		},
7945		flags: []string{
7946			"-ticket-key",
7947			base64.StdEncoding.EncodeToString(TestShimTicketKey),
7948		},
7949		expectResumeRejected: true,
7950	})
7951
7952	// If the client does not offer the cipher from the session, decline to
7953	// resume. Clients are forbidden from doing this, but BoringSSL selects
7954	// the cipher first, so we only decline.
7955	testCases = append(testCases, testCase{
7956		testType:      serverTest,
7957		name:          "Resume-Server-UnofferedCipher",
7958		resumeSession: true,
7959		config: Config{
7960			MaxVersion:   VersionTLS12,
7961			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
7962		},
7963		resumeConfig: &Config{
7964			MaxVersion:   VersionTLS12,
7965			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
7966			Bugs: ProtocolBugs{
7967				SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7968			},
7969		},
7970		expectResumeRejected: true,
7971	})
7972
7973	// In TLS 1.3, clients may advertise a cipher list which does not
7974	// include the selected cipher. Test that we tolerate this. Servers may
7975	// resume at another cipher if the PRF matches and are not doing 0-RTT, but
7976	// BoringSSL will always decline.
7977	testCases = append(testCases, testCase{
7978		testType:      serverTest,
7979		name:          "Resume-Server-UnofferedCipher-TLS13",
7980		resumeSession: true,
7981		config: Config{
7982			MaxVersion:   VersionTLS13,
7983			CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
7984		},
7985		resumeConfig: &Config{
7986			MaxVersion:   VersionTLS13,
7987			CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
7988			Bugs: ProtocolBugs{
7989				SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
7990			},
7991		},
7992		expectResumeRejected: true,
7993	})
7994
7995	// Sessions may not be resumed at a different cipher.
7996	testCases = append(testCases, testCase{
7997		name:          "Resume-Client-CipherMismatch",
7998		resumeSession: true,
7999		config: Config{
8000			MaxVersion:   VersionTLS12,
8001			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8002		},
8003		resumeConfig: &Config{
8004			MaxVersion:   VersionTLS12,
8005			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8006			Bugs: ProtocolBugs{
8007				SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
8008			},
8009		},
8010		shouldFail:    true,
8011		expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
8012	})
8013
8014	// Session resumption in TLS 1.3 may change the cipher suite if the PRF
8015	// matches.
8016	testCases = append(testCases, testCase{
8017		name:          "Resume-Client-CipherMismatch-TLS13",
8018		resumeSession: true,
8019		config: Config{
8020			MaxVersion:   VersionTLS13,
8021			CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
8022		},
8023		resumeConfig: &Config{
8024			MaxVersion:   VersionTLS13,
8025			CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
8026		},
8027	})
8028
8029	// Session resumption in TLS 1.3 is forbidden if the PRF does not match.
8030	testCases = append(testCases, testCase{
8031		name:          "Resume-Client-PRFMismatch-TLS13",
8032		resumeSession: true,
8033		config: Config{
8034			MaxVersion:   VersionTLS13,
8035			CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
8036		},
8037		resumeConfig: &Config{
8038			MaxVersion:   VersionTLS13,
8039			CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
8040			Bugs: ProtocolBugs{
8041				SendCipherSuite: TLS_AES_256_GCM_SHA384,
8042			},
8043		},
8044		shouldFail:    true,
8045		expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
8046	})
8047
8048	testCases = append(testCases, testCase{
8049		testType:      serverTest,
8050		name:          "Resume-Server-BinderWrongLength",
8051		resumeSession: true,
8052		config: Config{
8053			MaxVersion: VersionTLS13,
8054			Bugs: ProtocolBugs{
8055				SendShortPSKBinder: true,
8056			},
8057		},
8058		shouldFail:         true,
8059		expectedLocalError: "remote error: error decrypting message",
8060		expectedError:      ":DIGEST_CHECK_FAILED:",
8061	})
8062
8063	testCases = append(testCases, testCase{
8064		testType:      serverTest,
8065		name:          "Resume-Server-NoPSKBinder",
8066		resumeSession: true,
8067		config: Config{
8068			MaxVersion: VersionTLS13,
8069			Bugs: ProtocolBugs{
8070				SendNoPSKBinder: true,
8071			},
8072		},
8073		shouldFail:         true,
8074		expectedLocalError: "remote error: error decoding message",
8075		expectedError:      ":DECODE_ERROR:",
8076	})
8077
8078	testCases = append(testCases, testCase{
8079		testType:      serverTest,
8080		name:          "Resume-Server-ExtraPSKBinder",
8081		resumeSession: true,
8082		config: Config{
8083			MaxVersion: VersionTLS13,
8084			Bugs: ProtocolBugs{
8085				SendExtraPSKBinder: true,
8086			},
8087		},
8088		shouldFail:         true,
8089		expectedLocalError: "remote error: illegal parameter",
8090		expectedError:      ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
8091	})
8092
8093	testCases = append(testCases, testCase{
8094		testType:      serverTest,
8095		name:          "Resume-Server-ExtraIdentityNoBinder",
8096		resumeSession: true,
8097		config: Config{
8098			MaxVersion: VersionTLS13,
8099			Bugs: ProtocolBugs{
8100				ExtraPSKIdentity: true,
8101			},
8102		},
8103		shouldFail:         true,
8104		expectedLocalError: "remote error: illegal parameter",
8105		expectedError:      ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
8106	})
8107
8108	testCases = append(testCases, testCase{
8109		testType:      serverTest,
8110		name:          "Resume-Server-InvalidPSKBinder",
8111		resumeSession: true,
8112		config: Config{
8113			MaxVersion: VersionTLS13,
8114			Bugs: ProtocolBugs{
8115				SendInvalidPSKBinder: true,
8116			},
8117		},
8118		shouldFail:         true,
8119		expectedLocalError: "remote error: error decrypting message",
8120		expectedError:      ":DIGEST_CHECK_FAILED:",
8121	})
8122
8123	testCases = append(testCases, testCase{
8124		testType:      serverTest,
8125		name:          "Resume-Server-PSKBinderFirstExtension",
8126		resumeSession: true,
8127		config: Config{
8128			MaxVersion: VersionTLS13,
8129			Bugs: ProtocolBugs{
8130				PSKBinderFirst: true,
8131			},
8132		},
8133		shouldFail:         true,
8134		expectedLocalError: "remote error: illegal parameter",
8135		expectedError:      ":PRE_SHARED_KEY_MUST_BE_LAST:",
8136	})
8137}
8138
8139func addRenegotiationTests() {
8140	// Servers cannot renegotiate.
8141	testCases = append(testCases, testCase{
8142		testType: serverTest,
8143		name:     "Renegotiate-Server-Forbidden",
8144		config: Config{
8145			MaxVersion: VersionTLS12,
8146		},
8147		renegotiate:        1,
8148		shouldFail:         true,
8149		expectedError:      ":NO_RENEGOTIATION:",
8150		expectedLocalError: "remote error: no renegotiation",
8151	})
8152	// The server shouldn't echo the renegotiation extension unless
8153	// requested by the client.
8154	testCases = append(testCases, testCase{
8155		testType: serverTest,
8156		name:     "Renegotiate-Server-NoExt",
8157		config: Config{
8158			MaxVersion: VersionTLS12,
8159			Bugs: ProtocolBugs{
8160				NoRenegotiationInfo:      true,
8161				RequireRenegotiationInfo: true,
8162			},
8163		},
8164		shouldFail:         true,
8165		expectedLocalError: "renegotiation extension missing",
8166	})
8167	// The renegotiation SCSV should be sufficient for the server to echo
8168	// the extension.
8169	testCases = append(testCases, testCase{
8170		testType: serverTest,
8171		name:     "Renegotiate-Server-NoExt-SCSV",
8172		config: Config{
8173			MaxVersion: VersionTLS12,
8174			Bugs: ProtocolBugs{
8175				NoRenegotiationInfo:      true,
8176				SendRenegotiationSCSV:    true,
8177				RequireRenegotiationInfo: true,
8178			},
8179		},
8180	})
8181	testCases = append(testCases, testCase{
8182		name: "Renegotiate-Client",
8183		config: Config{
8184			MaxVersion: VersionTLS12,
8185			Bugs: ProtocolBugs{
8186				FailIfResumeOnRenego: true,
8187			},
8188		},
8189		renegotiate: 1,
8190		// Test renegotiation after both an initial and resumption
8191		// handshake.
8192		resumeSession: true,
8193		flags: []string{
8194			"-renegotiate-freely",
8195			"-expect-total-renegotiations", "1",
8196			"-expect-secure-renegotiation",
8197		},
8198	})
8199	testCases = append(testCases, testCase{
8200		name: "Renegotiate-Client-TLS12",
8201		config: Config{
8202			MaxVersion: VersionTLS12,
8203			Bugs: ProtocolBugs{
8204				FailIfResumeOnRenego: true,
8205			},
8206		},
8207		renegotiate: 1,
8208		// Test renegotiation after both an initial and resumption
8209		// handshake.
8210		resumeSession: true,
8211		flags: []string{
8212			"-renegotiate-freely",
8213			"-expect-total-renegotiations", "1",
8214			"-expect-secure-renegotiation",
8215		},
8216	})
8217	testCases = append(testCases, testCase{
8218		name:        "Renegotiate-Client-EmptyExt",
8219		renegotiate: 1,
8220		config: Config{
8221			MaxVersion: VersionTLS12,
8222			Bugs: ProtocolBugs{
8223				EmptyRenegotiationInfo: true,
8224			},
8225		},
8226		flags:              []string{"-renegotiate-freely"},
8227		shouldFail:         true,
8228		expectedError:      ":RENEGOTIATION_MISMATCH:",
8229		expectedLocalError: "handshake failure",
8230	})
8231	testCases = append(testCases, testCase{
8232		name:        "Renegotiate-Client-BadExt",
8233		renegotiate: 1,
8234		config: Config{
8235			MaxVersion: VersionTLS12,
8236			Bugs: ProtocolBugs{
8237				BadRenegotiationInfo: true,
8238			},
8239		},
8240		flags:              []string{"-renegotiate-freely"},
8241		shouldFail:         true,
8242		expectedError:      ":RENEGOTIATION_MISMATCH:",
8243		expectedLocalError: "handshake failure",
8244	})
8245	testCases = append(testCases, testCase{
8246		name:        "Renegotiate-Client-BadExt2",
8247		renegotiate: 1,
8248		config: Config{
8249			MaxVersion: VersionTLS12,
8250			Bugs: ProtocolBugs{
8251				BadRenegotiationInfoEnd: true,
8252			},
8253		},
8254		flags:              []string{"-renegotiate-freely"},
8255		shouldFail:         true,
8256		expectedError:      ":RENEGOTIATION_MISMATCH:",
8257		expectedLocalError: "handshake failure",
8258	})
8259	testCases = append(testCases, testCase{
8260		name:        "Renegotiate-Client-Downgrade",
8261		renegotiate: 1,
8262		config: Config{
8263			MaxVersion: VersionTLS12,
8264			Bugs: ProtocolBugs{
8265				NoRenegotiationInfoAfterInitial: true,
8266			},
8267		},
8268		flags:              []string{"-renegotiate-freely"},
8269		shouldFail:         true,
8270		expectedError:      ":RENEGOTIATION_MISMATCH:",
8271		expectedLocalError: "handshake failure",
8272	})
8273	testCases = append(testCases, testCase{
8274		name:        "Renegotiate-Client-Upgrade",
8275		renegotiate: 1,
8276		config: Config{
8277			MaxVersion: VersionTLS12,
8278			Bugs: ProtocolBugs{
8279				NoRenegotiationInfoInInitial: true,
8280			},
8281		},
8282		flags:              []string{"-renegotiate-freely"},
8283		shouldFail:         true,
8284		expectedError:      ":RENEGOTIATION_MISMATCH:",
8285		expectedLocalError: "handshake failure",
8286	})
8287	testCases = append(testCases, testCase{
8288		name:        "Renegotiate-Client-NoExt-Allowed",
8289		renegotiate: 1,
8290		config: Config{
8291			MaxVersion: VersionTLS12,
8292			Bugs: ProtocolBugs{
8293				NoRenegotiationInfo: true,
8294			},
8295		},
8296		flags: []string{
8297			"-renegotiate-freely",
8298			"-expect-total-renegotiations", "1",
8299			"-expect-no-secure-renegotiation",
8300		},
8301	})
8302
8303	// Test that the server may switch ciphers on renegotiation without
8304	// problems.
8305	testCases = append(testCases, testCase{
8306		name:        "Renegotiate-Client-SwitchCiphers",
8307		renegotiate: 1,
8308		config: Config{
8309			MaxVersion:   VersionTLS12,
8310			CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
8311		},
8312		renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8313		flags: []string{
8314			"-renegotiate-freely",
8315			"-expect-total-renegotiations", "1",
8316		},
8317	})
8318	testCases = append(testCases, testCase{
8319		name:        "Renegotiate-Client-SwitchCiphers2",
8320		renegotiate: 1,
8321		config: Config{
8322			MaxVersion:   VersionTLS12,
8323			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8324		},
8325		renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
8326		flags: []string{
8327			"-renegotiate-freely",
8328			"-expect-total-renegotiations", "1",
8329		},
8330	})
8331
8332	// Test that the server may not switch versions on renegotiation.
8333	testCases = append(testCases, testCase{
8334		name: "Renegotiate-Client-SwitchVersion",
8335		config: Config{
8336			MaxVersion: VersionTLS12,
8337			// Pick a cipher which exists at both versions.
8338			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
8339			Bugs: ProtocolBugs{
8340				NegotiateVersionOnRenego: VersionTLS11,
8341				// Avoid failing early at the record layer.
8342				SendRecordVersion: VersionTLS12,
8343			},
8344		},
8345		renegotiate: 1,
8346		flags: []string{
8347			"-renegotiate-freely",
8348			"-expect-total-renegotiations", "1",
8349		},
8350		shouldFail:    true,
8351		expectedError: ":WRONG_SSL_VERSION:",
8352	})
8353
8354	testCases = append(testCases, testCase{
8355		name:        "Renegotiate-SameClientVersion",
8356		renegotiate: 1,
8357		config: Config{
8358			MaxVersion: VersionTLS10,
8359			Bugs: ProtocolBugs{
8360				RequireSameRenegoClientVersion: true,
8361			},
8362		},
8363		flags: []string{
8364			"-renegotiate-freely",
8365			"-expect-total-renegotiations", "1",
8366		},
8367	})
8368	testCases = append(testCases, testCase{
8369		name:        "Renegotiate-FalseStart",
8370		renegotiate: 1,
8371		config: Config{
8372			MaxVersion:   VersionTLS12,
8373			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8374			NextProtos:   []string{"foo"},
8375		},
8376		flags: []string{
8377			"-false-start",
8378			"-select-next-proto", "foo",
8379			"-renegotiate-freely",
8380			"-expect-total-renegotiations", "1",
8381		},
8382		shimWritesFirst: true,
8383	})
8384
8385	// Client-side renegotiation controls.
8386	testCases = append(testCases, testCase{
8387		name: "Renegotiate-Client-Forbidden-1",
8388		config: Config{
8389			MaxVersion: VersionTLS12,
8390		},
8391		renegotiate:        1,
8392		shouldFail:         true,
8393		expectedError:      ":NO_RENEGOTIATION:",
8394		expectedLocalError: "remote error: no renegotiation",
8395	})
8396	testCases = append(testCases, testCase{
8397		name: "Renegotiate-Client-Once-1",
8398		config: Config{
8399			MaxVersion: VersionTLS12,
8400		},
8401		renegotiate: 1,
8402		flags: []string{
8403			"-renegotiate-once",
8404			"-expect-total-renegotiations", "1",
8405		},
8406	})
8407	testCases = append(testCases, testCase{
8408		name: "Renegotiate-Client-Freely-1",
8409		config: Config{
8410			MaxVersion: VersionTLS12,
8411		},
8412		renegotiate: 1,
8413		flags: []string{
8414			"-renegotiate-freely",
8415			"-expect-total-renegotiations", "1",
8416		},
8417	})
8418	testCases = append(testCases, testCase{
8419		name: "Renegotiate-Client-Once-2",
8420		config: Config{
8421			MaxVersion: VersionTLS12,
8422		},
8423		renegotiate:        2,
8424		flags:              []string{"-renegotiate-once"},
8425		shouldFail:         true,
8426		expectedError:      ":NO_RENEGOTIATION:",
8427		expectedLocalError: "remote error: no renegotiation",
8428	})
8429	testCases = append(testCases, testCase{
8430		name: "Renegotiate-Client-Freely-2",
8431		config: Config{
8432			MaxVersion: VersionTLS12,
8433		},
8434		renegotiate: 2,
8435		flags: []string{
8436			"-renegotiate-freely",
8437			"-expect-total-renegotiations", "2",
8438		},
8439	})
8440	testCases = append(testCases, testCase{
8441		name: "Renegotiate-Client-NoIgnore",
8442		config: Config{
8443			MaxVersion: VersionTLS12,
8444			Bugs: ProtocolBugs{
8445				SendHelloRequestBeforeEveryAppDataRecord: true,
8446			},
8447		},
8448		shouldFail:    true,
8449		expectedError: ":NO_RENEGOTIATION:",
8450	})
8451	testCases = append(testCases, testCase{
8452		name: "Renegotiate-Client-Ignore",
8453		config: Config{
8454			MaxVersion: VersionTLS12,
8455			Bugs: ProtocolBugs{
8456				SendHelloRequestBeforeEveryAppDataRecord: true,
8457			},
8458		},
8459		flags: []string{
8460			"-renegotiate-ignore",
8461			"-expect-total-renegotiations", "0",
8462		},
8463	})
8464
8465	// Renegotiation may be enabled and then disabled immediately after the
8466	// handshake.
8467	testCases = append(testCases, testCase{
8468		name: "Renegotiate-ForbidAfterHandshake",
8469		config: Config{
8470			MaxVersion: VersionTLS12,
8471		},
8472		renegotiate:        1,
8473		flags:              []string{"-forbid-renegotiation-after-handshake"},
8474		shouldFail:         true,
8475		expectedError:      ":NO_RENEGOTIATION:",
8476		expectedLocalError: "remote error: no renegotiation",
8477	})
8478
8479	// Renegotiation is not allowed when there is an unfinished write.
8480	testCases = append(testCases, testCase{
8481		name: "Renegotiate-Client-UnfinishedWrite",
8482		config: Config{
8483			MaxVersion: VersionTLS12,
8484		},
8485		renegotiate:             1,
8486		readWithUnfinishedWrite: true,
8487		flags: []string{
8488			"-async",
8489			"-renegotiate-freely",
8490		},
8491		shouldFail:    true,
8492		expectedError: ":NO_RENEGOTIATION:",
8493		// We do not successfully send the no_renegotiation alert in
8494		// this case. https://crbug.com/boringssl/130
8495	})
8496
8497	// We reject stray HelloRequests during the handshake in TLS 1.2.
8498	testCases = append(testCases, testCase{
8499		name: "StrayHelloRequest",
8500		config: Config{
8501			MaxVersion: VersionTLS12,
8502			Bugs: ProtocolBugs{
8503				SendHelloRequestBeforeEveryHandshakeMessage: true,
8504			},
8505		},
8506		shouldFail:    true,
8507		expectedError: ":UNEXPECTED_MESSAGE:",
8508	})
8509	testCases = append(testCases, testCase{
8510		name: "StrayHelloRequest-Packed",
8511		config: Config{
8512			MaxVersion: VersionTLS12,
8513			Bugs: ProtocolBugs{
8514				PackHandshakeFlight:                         true,
8515				SendHelloRequestBeforeEveryHandshakeMessage: true,
8516			},
8517		},
8518		shouldFail:    true,
8519		expectedError: ":UNEXPECTED_MESSAGE:",
8520	})
8521
8522	// Test renegotiation works if HelloRequest and server Finished come in
8523	// the same record.
8524	testCases = append(testCases, testCase{
8525		name: "Renegotiate-Client-Packed",
8526		config: Config{
8527			MaxVersion: VersionTLS12,
8528			Bugs: ProtocolBugs{
8529				PackHandshakeFlight:          true,
8530				PackHelloRequestWithFinished: true,
8531			},
8532		},
8533		renegotiate: 1,
8534		flags: []string{
8535			"-renegotiate-freely",
8536			"-expect-total-renegotiations", "1",
8537		},
8538	})
8539
8540	// Renegotiation is forbidden in TLS 1.3.
8541	testCases = append(testCases, testCase{
8542		name: "Renegotiate-Client-TLS13",
8543		config: Config{
8544			MaxVersion: VersionTLS13,
8545			Bugs: ProtocolBugs{
8546				SendHelloRequestBeforeEveryAppDataRecord: true,
8547			},
8548		},
8549		flags: []string{
8550			"-renegotiate-freely",
8551		},
8552		shouldFail:    true,
8553		expectedError: ":UNEXPECTED_MESSAGE:",
8554	})
8555
8556	// Stray HelloRequests during the handshake are forbidden in TLS 1.3.
8557	testCases = append(testCases, testCase{
8558		name: "StrayHelloRequest-TLS13",
8559		config: Config{
8560			MaxVersion: VersionTLS13,
8561			Bugs: ProtocolBugs{
8562				SendHelloRequestBeforeEveryHandshakeMessage: true,
8563			},
8564		},
8565		shouldFail:    true,
8566		expectedError: ":UNEXPECTED_MESSAGE:",
8567	})
8568
8569	// The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
8570	// always reads as supporting it, regardless of whether it was
8571	// negotiated.
8572	testCases = append(testCases, testCase{
8573		name: "AlwaysReportRenegotiationInfo-TLS13",
8574		config: Config{
8575			MaxVersion: VersionTLS13,
8576			Bugs: ProtocolBugs{
8577				NoRenegotiationInfo: true,
8578			},
8579		},
8580		flags: []string{
8581			"-expect-secure-renegotiation",
8582		},
8583	})
8584
8585	// Certificates may not change on renegotiation.
8586	testCases = append(testCases, testCase{
8587		name: "Renegotiation-CertificateChange",
8588		config: Config{
8589			MaxVersion:   VersionTLS12,
8590			Certificates: []Certificate{rsaCertificate},
8591			Bugs: ProtocolBugs{
8592				RenegotiationCertificate: &rsaChainCertificate,
8593			},
8594		},
8595		renegotiate:   1,
8596		flags:         []string{"-renegotiate-freely"},
8597		shouldFail:    true,
8598		expectedError: ":SERVER_CERT_CHANGED:",
8599	})
8600	testCases = append(testCases, testCase{
8601		name: "Renegotiation-CertificateChange-2",
8602		config: Config{
8603			MaxVersion:   VersionTLS12,
8604			Certificates: []Certificate{rsaCertificate},
8605			Bugs: ProtocolBugs{
8606				RenegotiationCertificate: &rsa1024Certificate,
8607			},
8608		},
8609		renegotiate:   1,
8610		flags:         []string{"-renegotiate-freely"},
8611		shouldFail:    true,
8612		expectedError: ":SERVER_CERT_CHANGED:",
8613	})
8614
8615	// We do not negotiate ALPN after the initial handshake. This is
8616	// error-prone and only risks bugs in consumers.
8617	testCases = append(testCases, testCase{
8618		testType: clientTest,
8619		name:     "Renegotiation-ForbidALPN",
8620		config: Config{
8621			MaxVersion: VersionTLS12,
8622			Bugs: ProtocolBugs{
8623				// Forcibly negotiate ALPN on both initial and
8624				// renegotiation handshakes. The test stack will
8625				// internally check the client does not offer
8626				// it.
8627				SendALPN: "foo",
8628			},
8629		},
8630		flags: []string{
8631			"-advertise-alpn", "\x03foo\x03bar\x03baz",
8632			"-expect-alpn", "foo",
8633			"-renegotiate-freely",
8634		},
8635		renegotiate:   1,
8636		shouldFail:    true,
8637		expectedError: ":UNEXPECTED_EXTENSION:",
8638	})
8639
8640	// The server may send different stapled OCSP responses or SCT lists on
8641	// renegotiation, but BoringSSL ignores this and reports the old values.
8642	// Also test that non-fatal verify results are preserved.
8643	testCases = append(testCases, testCase{
8644		testType: clientTest,
8645		name:     "Renegotiation-ChangeAuthProperties",
8646		config: Config{
8647			MaxVersion: VersionTLS12,
8648			Bugs: ProtocolBugs{
8649				SendOCSPResponseOnRenegotiation: testOCSPResponse2,
8650				SendSCTListOnRenegotiation:      testSCTList2,
8651			},
8652		},
8653		renegotiate: 1,
8654		flags: []string{
8655			"-renegotiate-freely",
8656			"-expect-total-renegotiations", "1",
8657			"-enable-ocsp-stapling",
8658			"-expect-ocsp-response",
8659			base64.StdEncoding.EncodeToString(testOCSPResponse),
8660			"-enable-signed-cert-timestamps",
8661			"-expect-signed-cert-timestamps",
8662			base64.StdEncoding.EncodeToString(testSCTList),
8663			"-verify-fail",
8664			"-expect-verify-result",
8665		},
8666	})
8667}
8668
8669func addDTLSReplayTests() {
8670	// Test that sequence number replays are detected.
8671	testCases = append(testCases, testCase{
8672		protocol:     dtls,
8673		name:         "DTLS-Replay",
8674		messageCount: 200,
8675		replayWrites: true,
8676	})
8677
8678	// Test the incoming sequence number skipping by values larger
8679	// than the retransmit window.
8680	testCases = append(testCases, testCase{
8681		protocol: dtls,
8682		name:     "DTLS-Replay-LargeGaps",
8683		config: Config{
8684			Bugs: ProtocolBugs{
8685				SequenceNumberMapping: func(in uint64) uint64 {
8686					return in * 127
8687				},
8688			},
8689		},
8690		messageCount: 200,
8691		replayWrites: true,
8692	})
8693
8694	// Test the incoming sequence number changing non-monotonically.
8695	testCases = append(testCases, testCase{
8696		protocol: dtls,
8697		name:     "DTLS-Replay-NonMonotonic",
8698		config: Config{
8699			Bugs: ProtocolBugs{
8700				SequenceNumberMapping: func(in uint64) uint64 {
8701					return in ^ 31
8702				},
8703			},
8704		},
8705		messageCount: 200,
8706		replayWrites: true,
8707	})
8708}
8709
8710var testSignatureAlgorithms = []struct {
8711	name string
8712	id   signatureAlgorithm
8713	cert testCert
8714}{
8715	{"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
8716	{"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
8717	{"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
8718	{"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
8719	{"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
8720	// The “P256” in the following line is not a mistake. In TLS 1.2 the
8721	// hash function doesn't have to match the curve and so the same
8722	// signature algorithm works with P-224.
8723	{"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
8724	{"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
8725	{"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
8726	{"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
8727	{"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
8728	{"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
8729	{"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
8730	{"Ed25519", signatureEd25519, testCertEd25519},
8731	// Tests for key types prior to TLS 1.2.
8732	{"RSA", 0, testCertRSA},
8733	{"ECDSA", 0, testCertECDSAP256},
8734}
8735
8736const fakeSigAlg1 signatureAlgorithm = 0x2a01
8737const fakeSigAlg2 signatureAlgorithm = 0xff01
8738
8739func addSignatureAlgorithmTests() {
8740	// Not all ciphers involve a signature. Advertise a list which gives all
8741	// versions a signing cipher.
8742	signingCiphers := []uint16{
8743		TLS_AES_256_GCM_SHA384,
8744		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
8745		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
8746		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
8747		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
8748	}
8749
8750	var allAlgorithms []signatureAlgorithm
8751	for _, alg := range testSignatureAlgorithms {
8752		if alg.id != 0 {
8753			allAlgorithms = append(allAlgorithms, alg.id)
8754		}
8755	}
8756
8757	// Make sure each signature algorithm works. Include some fake values in
8758	// the list and ensure they're ignored.
8759	for _, alg := range testSignatureAlgorithms {
8760		for _, ver := range tlsVersions {
8761			if (ver.version < VersionTLS12) != (alg.id == 0) {
8762				continue
8763			}
8764
8765			var shouldSignFail, shouldVerifyFail bool
8766			// ecdsa_sha1 does not exist in TLS 1.3.
8767			if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
8768				shouldSignFail = true
8769				shouldVerifyFail = true
8770			}
8771			// RSA-PKCS1 does not exist in TLS 1.3.
8772			if ver.version >= VersionTLS13 && hasComponent(alg.name, "PKCS1") {
8773				shouldSignFail = true
8774				shouldVerifyFail = true
8775			}
8776			// SHA-224 has been removed from TLS 1.3 and, in 1.3,
8777			// the curve has to match the hash size.
8778			if ver.version >= VersionTLS13 && alg.cert == testCertECDSAP224 {
8779				shouldSignFail = true
8780				shouldVerifyFail = true
8781			}
8782
8783			// BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
8784			if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
8785				shouldVerifyFail = true
8786			}
8787
8788			var signError, signLocalError, verifyError, verifyLocalError string
8789			if shouldSignFail {
8790				signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
8791				signLocalError = "remote error: handshake failure"
8792			}
8793			if shouldVerifyFail {
8794				verifyError = ":WRONG_SIGNATURE_TYPE:"
8795				verifyLocalError = "remote error"
8796			}
8797
8798			suffix := "-" + alg.name + "-" + ver.name
8799
8800			testCases = append(testCases, testCase{
8801				name: "ClientAuth-Sign" + suffix,
8802				config: Config{
8803					MaxVersion: ver.version,
8804					ClientAuth: RequireAnyClientCert,
8805					VerifySignatureAlgorithms: []signatureAlgorithm{
8806						fakeSigAlg1,
8807						alg.id,
8808						fakeSigAlg2,
8809					},
8810				},
8811				flags: []string{
8812					"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8813					"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8814					"-enable-all-curves",
8815					"-enable-ed25519",
8816				},
8817				shouldFail:                     shouldSignFail,
8818				expectedError:                  signError,
8819				expectedLocalError:             signLocalError,
8820				expectedPeerSignatureAlgorithm: alg.id,
8821			})
8822
8823			testCases = append(testCases, testCase{
8824				testType: serverTest,
8825				name:     "ClientAuth-Verify" + suffix,
8826				config: Config{
8827					MaxVersion:   ver.version,
8828					Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8829					SignSignatureAlgorithms: []signatureAlgorithm{
8830						alg.id,
8831					},
8832					Bugs: ProtocolBugs{
8833						SkipECDSACurveCheck:          shouldVerifyFail,
8834						IgnoreSignatureVersionChecks: shouldVerifyFail,
8835						// Some signature algorithms may not be advertised.
8836						IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
8837					},
8838				},
8839				flags: []string{
8840					"-require-any-client-certificate",
8841					"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
8842					"-enable-all-curves",
8843					"-enable-ed25519",
8844				},
8845				// Resume the session to assert the peer signature
8846				// algorithm is reported on both handshakes.
8847				resumeSession:      !shouldVerifyFail,
8848				shouldFail:         shouldVerifyFail,
8849				expectedError:      verifyError,
8850				expectedLocalError: verifyLocalError,
8851			})
8852
8853			testCases = append(testCases, testCase{
8854				testType: serverTest,
8855				name:     "ServerAuth-Sign" + suffix,
8856				config: Config{
8857					MaxVersion:   ver.version,
8858					CipherSuites: signingCiphers,
8859					VerifySignatureAlgorithms: []signatureAlgorithm{
8860						fakeSigAlg1,
8861						alg.id,
8862						fakeSigAlg2,
8863					},
8864				},
8865				flags: []string{
8866					"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8867					"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8868					"-enable-all-curves",
8869					"-enable-ed25519",
8870				},
8871				shouldFail:                     shouldSignFail,
8872				expectedError:                  signError,
8873				expectedLocalError:             signLocalError,
8874				expectedPeerSignatureAlgorithm: alg.id,
8875			})
8876
8877			testCases = append(testCases, testCase{
8878				name: "ServerAuth-Verify" + suffix,
8879				config: Config{
8880					MaxVersion:   ver.version,
8881					Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8882					CipherSuites: signingCiphers,
8883					SignSignatureAlgorithms: []signatureAlgorithm{
8884						alg.id,
8885					},
8886					Bugs: ProtocolBugs{
8887						SkipECDSACurveCheck:          shouldVerifyFail,
8888						IgnoreSignatureVersionChecks: shouldVerifyFail,
8889						// Some signature algorithms may not be advertised.
8890						IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
8891					},
8892				},
8893				flags: []string{
8894					"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
8895					"-enable-all-curves",
8896					"-enable-ed25519",
8897				},
8898				// Resume the session to assert the peer signature
8899				// algorithm is reported on both handshakes.
8900				resumeSession:      !shouldVerifyFail,
8901				shouldFail:         shouldVerifyFail,
8902				expectedError:      verifyError,
8903				expectedLocalError: verifyLocalError,
8904			})
8905
8906			if !shouldVerifyFail {
8907				testCases = append(testCases, testCase{
8908					testType: serverTest,
8909					name:     "ClientAuth-InvalidSignature" + suffix,
8910					config: Config{
8911						MaxVersion:   ver.version,
8912						Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8913						SignSignatureAlgorithms: []signatureAlgorithm{
8914							alg.id,
8915						},
8916						Bugs: ProtocolBugs{
8917							InvalidSignature: true,
8918						},
8919					},
8920					flags: []string{
8921						"-require-any-client-certificate",
8922						"-enable-all-curves",
8923						"-enable-ed25519",
8924					},
8925					shouldFail:    true,
8926					expectedError: ":BAD_SIGNATURE:",
8927				})
8928
8929				testCases = append(testCases, testCase{
8930					name: "ServerAuth-InvalidSignature" + suffix,
8931					config: Config{
8932						MaxVersion:   ver.version,
8933						Certificates: []Certificate{getRunnerCertificate(alg.cert)},
8934						CipherSuites: signingCiphers,
8935						SignSignatureAlgorithms: []signatureAlgorithm{
8936							alg.id,
8937						},
8938						Bugs: ProtocolBugs{
8939							InvalidSignature: true,
8940						},
8941					},
8942					flags: []string{
8943						"-enable-all-curves",
8944						"-enable-ed25519",
8945					},
8946					shouldFail:    true,
8947					expectedError: ":BAD_SIGNATURE:",
8948				})
8949			}
8950
8951			if ver.version >= VersionTLS12 && !shouldSignFail {
8952				testCases = append(testCases, testCase{
8953					name: "ClientAuth-Sign-Negotiate" + suffix,
8954					config: Config{
8955						MaxVersion:                ver.version,
8956						ClientAuth:                RequireAnyClientCert,
8957						VerifySignatureAlgorithms: allAlgorithms,
8958					},
8959					flags: []string{
8960						"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8961						"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8962						"-enable-all-curves",
8963						"-enable-ed25519",
8964						"-signing-prefs", strconv.Itoa(int(alg.id)),
8965					},
8966					expectedPeerSignatureAlgorithm: alg.id,
8967				})
8968
8969				testCases = append(testCases, testCase{
8970					testType: serverTest,
8971					name:     "ServerAuth-Sign-Negotiate" + suffix,
8972					config: Config{
8973						MaxVersion:                ver.version,
8974						CipherSuites:              signingCiphers,
8975						VerifySignatureAlgorithms: allAlgorithms,
8976					},
8977					flags: []string{
8978						"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
8979						"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
8980						"-enable-all-curves",
8981						"-enable-ed25519",
8982						"-signing-prefs", strconv.Itoa(int(alg.id)),
8983					},
8984					expectedPeerSignatureAlgorithm: alg.id,
8985				})
8986			}
8987		}
8988	}
8989
8990	// Test the peer's verify preferences are available.
8991	for _, ver := range tlsVersions {
8992		if ver.version < VersionTLS12 {
8993			continue
8994		}
8995		testCases = append(testCases, testCase{
8996			name: "ClientAuth-PeerVerifyPrefs-" + ver.name,
8997			config: Config{
8998				MaxVersion: ver.version,
8999				ClientAuth: RequireAnyClientCert,
9000				VerifySignatureAlgorithms: []signatureAlgorithm{
9001					signatureRSAPSSWithSHA256,
9002					signatureEd25519,
9003					signatureECDSAWithP256AndSHA256,
9004				},
9005			},
9006			flags: []string{
9007				"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9008				"-key-file", path.Join(*resourceDir, rsaKeyFile),
9009				"-expect-peer-verify-pref", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
9010				"-expect-peer-verify-pref", strconv.Itoa(int(signatureEd25519)),
9011				"-expect-peer-verify-pref", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
9012			},
9013		})
9014
9015		testCases = append(testCases, testCase{
9016			testType: serverTest,
9017			name:     "ServerAuth-PeerVerifyPrefs-" + ver.name,
9018			config: Config{
9019				MaxVersion: ver.version,
9020				VerifySignatureAlgorithms: []signatureAlgorithm{
9021					signatureRSAPSSWithSHA256,
9022					signatureEd25519,
9023					signatureECDSAWithP256AndSHA256,
9024				},
9025			},
9026			flags: []string{
9027				"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9028				"-key-file", path.Join(*resourceDir, rsaKeyFile),
9029				"-expect-peer-verify-pref", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
9030				"-expect-peer-verify-pref", strconv.Itoa(int(signatureEd25519)),
9031				"-expect-peer-verify-pref", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
9032			},
9033		})
9034
9035	}
9036
9037	// Test that algorithm selection takes the key type into account.
9038	testCases = append(testCases, testCase{
9039		name: "ClientAuth-SignatureType",
9040		config: Config{
9041			ClientAuth: RequireAnyClientCert,
9042			MaxVersion: VersionTLS12,
9043			VerifySignatureAlgorithms: []signatureAlgorithm{
9044				signatureECDSAWithP521AndSHA512,
9045				signatureRSAPKCS1WithSHA384,
9046				signatureECDSAWithSHA1,
9047			},
9048		},
9049		flags: []string{
9050			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9051			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9052		},
9053		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
9054	})
9055
9056	testCases = append(testCases, testCase{
9057		name: "ClientAuth-SignatureType-TLS13",
9058		config: Config{
9059			ClientAuth: RequireAnyClientCert,
9060			MaxVersion: VersionTLS13,
9061			VerifySignatureAlgorithms: []signatureAlgorithm{
9062				signatureECDSAWithP521AndSHA512,
9063				signatureRSAPKCS1WithSHA384,
9064				signatureRSAPSSWithSHA384,
9065				signatureECDSAWithSHA1,
9066			},
9067		},
9068		flags: []string{
9069			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9070			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9071		},
9072		expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
9073	})
9074
9075	testCases = append(testCases, testCase{
9076		testType: serverTest,
9077		name:     "ServerAuth-SignatureType",
9078		config: Config{
9079			MaxVersion:   VersionTLS12,
9080			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9081			VerifySignatureAlgorithms: []signatureAlgorithm{
9082				signatureECDSAWithP521AndSHA512,
9083				signatureRSAPKCS1WithSHA384,
9084				signatureECDSAWithSHA1,
9085			},
9086		},
9087		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
9088	})
9089
9090	testCases = append(testCases, testCase{
9091		testType: serverTest,
9092		name:     "ServerAuth-SignatureType-TLS13",
9093		config: Config{
9094			MaxVersion: VersionTLS13,
9095			VerifySignatureAlgorithms: []signatureAlgorithm{
9096				signatureECDSAWithP521AndSHA512,
9097				signatureRSAPKCS1WithSHA384,
9098				signatureRSAPSSWithSHA384,
9099				signatureECDSAWithSHA1,
9100			},
9101		},
9102		expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
9103	})
9104
9105	// Test that signature verification takes the key type into account.
9106	testCases = append(testCases, testCase{
9107		testType: serverTest,
9108		name:     "Verify-ClientAuth-SignatureType",
9109		config: Config{
9110			MaxVersion:   VersionTLS12,
9111			Certificates: []Certificate{rsaCertificate},
9112			SignSignatureAlgorithms: []signatureAlgorithm{
9113				signatureRSAPKCS1WithSHA256,
9114			},
9115			Bugs: ProtocolBugs{
9116				SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9117			},
9118		},
9119		flags: []string{
9120			"-require-any-client-certificate",
9121		},
9122		shouldFail:    true,
9123		expectedError: ":WRONG_SIGNATURE_TYPE:",
9124	})
9125
9126	testCases = append(testCases, testCase{
9127		testType: serverTest,
9128		name:     "Verify-ClientAuth-SignatureType-TLS13",
9129		config: Config{
9130			MaxVersion:   VersionTLS13,
9131			Certificates: []Certificate{rsaCertificate},
9132			SignSignatureAlgorithms: []signatureAlgorithm{
9133				signatureRSAPSSWithSHA256,
9134			},
9135			Bugs: ProtocolBugs{
9136				SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9137			},
9138		},
9139		flags: []string{
9140			"-require-any-client-certificate",
9141		},
9142		shouldFail:    true,
9143		expectedError: ":WRONG_SIGNATURE_TYPE:",
9144	})
9145
9146	testCases = append(testCases, testCase{
9147		name: "Verify-ServerAuth-SignatureType",
9148		config: Config{
9149			MaxVersion:   VersionTLS12,
9150			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9151			SignSignatureAlgorithms: []signatureAlgorithm{
9152				signatureRSAPKCS1WithSHA256,
9153			},
9154			Bugs: ProtocolBugs{
9155				SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9156			},
9157		},
9158		shouldFail:    true,
9159		expectedError: ":WRONG_SIGNATURE_TYPE:",
9160	})
9161
9162	testCases = append(testCases, testCase{
9163		name: "Verify-ServerAuth-SignatureType-TLS13",
9164		config: Config{
9165			MaxVersion: VersionTLS13,
9166			SignSignatureAlgorithms: []signatureAlgorithm{
9167				signatureRSAPSSWithSHA256,
9168			},
9169			Bugs: ProtocolBugs{
9170				SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9171			},
9172		},
9173		shouldFail:    true,
9174		expectedError: ":WRONG_SIGNATURE_TYPE:",
9175	})
9176
9177	// Test that, if the ClientHello list is missing, the server falls back
9178	// to SHA-1 in TLS 1.2, but not TLS 1.3.
9179	testCases = append(testCases, testCase{
9180		testType: serverTest,
9181		name:     "ServerAuth-SHA1-Fallback-RSA",
9182		config: Config{
9183			MaxVersion: VersionTLS12,
9184			VerifySignatureAlgorithms: []signatureAlgorithm{
9185				signatureRSAPKCS1WithSHA1,
9186			},
9187			Bugs: ProtocolBugs{
9188				NoSignatureAlgorithms: true,
9189			},
9190		},
9191		flags: []string{
9192			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9193			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9194		},
9195	})
9196
9197	testCases = append(testCases, testCase{
9198		testType: serverTest,
9199		name:     "ServerAuth-SHA1-Fallback-ECDSA",
9200		config: Config{
9201			MaxVersion: VersionTLS12,
9202			VerifySignatureAlgorithms: []signatureAlgorithm{
9203				signatureECDSAWithSHA1,
9204			},
9205			Bugs: ProtocolBugs{
9206				NoSignatureAlgorithms: true,
9207			},
9208		},
9209		flags: []string{
9210			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
9211			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
9212		},
9213	})
9214
9215	testCases = append(testCases, testCase{
9216		testType: serverTest,
9217		name:     "ServerAuth-NoFallback-TLS13",
9218		config: Config{
9219			MaxVersion: VersionTLS13,
9220			VerifySignatureAlgorithms: []signatureAlgorithm{
9221				signatureRSAPKCS1WithSHA1,
9222			},
9223			Bugs: ProtocolBugs{
9224				NoSignatureAlgorithms: true,
9225			},
9226		},
9227		shouldFail:    true,
9228		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9229	})
9230
9231	// The CertificateRequest list, however, may never be omitted. It is a
9232	// syntax error for it to be empty.
9233	testCases = append(testCases, testCase{
9234		name: "ClientAuth-NoFallback-RSA",
9235		config: Config{
9236			MaxVersion: VersionTLS12,
9237			ClientAuth: RequireAnyClientCert,
9238			VerifySignatureAlgorithms: []signatureAlgorithm{
9239				signatureRSAPKCS1WithSHA1,
9240			},
9241			Bugs: ProtocolBugs{
9242				NoSignatureAlgorithms: true,
9243			},
9244		},
9245		flags: []string{
9246			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9247			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9248		},
9249		shouldFail:         true,
9250		expectedError:      ":DECODE_ERROR:",
9251		expectedLocalError: "remote error: error decoding message",
9252	})
9253
9254	testCases = append(testCases, testCase{
9255		name: "ClientAuth-NoFallback-ECDSA",
9256		config: Config{
9257			MaxVersion: VersionTLS12,
9258			ClientAuth: RequireAnyClientCert,
9259			VerifySignatureAlgorithms: []signatureAlgorithm{
9260				signatureECDSAWithSHA1,
9261			},
9262			Bugs: ProtocolBugs{
9263				NoSignatureAlgorithms: true,
9264			},
9265		},
9266		flags: []string{
9267			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
9268			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
9269		},
9270		shouldFail:         true,
9271		expectedError:      ":DECODE_ERROR:",
9272		expectedLocalError: "remote error: error decoding message",
9273	})
9274
9275	testCases = append(testCases, testCase{
9276		name: "ClientAuth-NoFallback-TLS13",
9277		config: Config{
9278			MaxVersion: VersionTLS13,
9279			ClientAuth: RequireAnyClientCert,
9280			VerifySignatureAlgorithms: []signatureAlgorithm{
9281				signatureRSAPKCS1WithSHA1,
9282			},
9283			Bugs: ProtocolBugs{
9284				NoSignatureAlgorithms: true,
9285			},
9286		},
9287		flags: []string{
9288			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9289			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9290		},
9291		shouldFail:         true,
9292		expectedError:      ":DECODE_ERROR:",
9293		expectedLocalError: "remote error: error decoding message",
9294	})
9295
9296	// Test that signature preferences are enforced. BoringSSL does not
9297	// implement MD5 signatures.
9298	testCases = append(testCases, testCase{
9299		testType: serverTest,
9300		name:     "ClientAuth-Enforced",
9301		config: Config{
9302			MaxVersion:   VersionTLS12,
9303			Certificates: []Certificate{rsaCertificate},
9304			SignSignatureAlgorithms: []signatureAlgorithm{
9305				signatureRSAPKCS1WithMD5,
9306			},
9307			Bugs: ProtocolBugs{
9308				IgnorePeerSignatureAlgorithmPreferences: true,
9309			},
9310		},
9311		flags:         []string{"-require-any-client-certificate"},
9312		shouldFail:    true,
9313		expectedError: ":WRONG_SIGNATURE_TYPE:",
9314	})
9315
9316	testCases = append(testCases, testCase{
9317		name: "ServerAuth-Enforced",
9318		config: Config{
9319			MaxVersion:   VersionTLS12,
9320			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
9321			SignSignatureAlgorithms: []signatureAlgorithm{
9322				signatureRSAPKCS1WithMD5,
9323			},
9324			Bugs: ProtocolBugs{
9325				IgnorePeerSignatureAlgorithmPreferences: true,
9326			},
9327		},
9328		shouldFail:    true,
9329		expectedError: ":WRONG_SIGNATURE_TYPE:",
9330	})
9331	testCases = append(testCases, testCase{
9332		testType: serverTest,
9333		name:     "ClientAuth-Enforced-TLS13",
9334		config: Config{
9335			MaxVersion:   VersionTLS13,
9336			Certificates: []Certificate{rsaCertificate},
9337			SignSignatureAlgorithms: []signatureAlgorithm{
9338				signatureRSAPKCS1WithMD5,
9339			},
9340			Bugs: ProtocolBugs{
9341				IgnorePeerSignatureAlgorithmPreferences: true,
9342				IgnoreSignatureVersionChecks:            true,
9343			},
9344		},
9345		flags:         []string{"-require-any-client-certificate"},
9346		shouldFail:    true,
9347		expectedError: ":WRONG_SIGNATURE_TYPE:",
9348	})
9349
9350	testCases = append(testCases, testCase{
9351		name: "ServerAuth-Enforced-TLS13",
9352		config: Config{
9353			MaxVersion: VersionTLS13,
9354			SignSignatureAlgorithms: []signatureAlgorithm{
9355				signatureRSAPKCS1WithMD5,
9356			},
9357			Bugs: ProtocolBugs{
9358				IgnorePeerSignatureAlgorithmPreferences: true,
9359				IgnoreSignatureVersionChecks:            true,
9360			},
9361		},
9362		shouldFail:    true,
9363		expectedError: ":WRONG_SIGNATURE_TYPE:",
9364	})
9365
9366	// Test that the negotiated signature algorithm respects the client and
9367	// server preferences.
9368	testCases = append(testCases, testCase{
9369		name: "NoCommonAlgorithms",
9370		config: Config{
9371			MaxVersion: VersionTLS12,
9372			ClientAuth: RequireAnyClientCert,
9373			VerifySignatureAlgorithms: []signatureAlgorithm{
9374				signatureRSAPKCS1WithSHA512,
9375				signatureRSAPKCS1WithSHA1,
9376			},
9377		},
9378		flags: []string{
9379			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9380			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9381			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9382		},
9383		shouldFail:    true,
9384		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9385	})
9386	testCases = append(testCases, testCase{
9387		name: "NoCommonAlgorithms-TLS13",
9388		config: Config{
9389			MaxVersion: VersionTLS13,
9390			ClientAuth: RequireAnyClientCert,
9391			VerifySignatureAlgorithms: []signatureAlgorithm{
9392				signatureRSAPSSWithSHA512,
9393				signatureRSAPSSWithSHA384,
9394			},
9395		},
9396		flags: []string{
9397			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9398			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9399			"-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
9400		},
9401		shouldFail:    true,
9402		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9403	})
9404	testCases = append(testCases, testCase{
9405		name: "Agree-Digest-SHA256",
9406		config: Config{
9407			MaxVersion: VersionTLS12,
9408			ClientAuth: RequireAnyClientCert,
9409			VerifySignatureAlgorithms: []signatureAlgorithm{
9410				signatureRSAPKCS1WithSHA1,
9411				signatureRSAPKCS1WithSHA256,
9412			},
9413		},
9414		flags: []string{
9415			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9416			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9417			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9418			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA1)),
9419		},
9420		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
9421	})
9422	testCases = append(testCases, testCase{
9423		name: "Agree-Digest-SHA1",
9424		config: Config{
9425			MaxVersion: VersionTLS12,
9426			ClientAuth: RequireAnyClientCert,
9427			VerifySignatureAlgorithms: []signatureAlgorithm{
9428				signatureRSAPKCS1WithSHA1,
9429			},
9430		},
9431		flags: []string{
9432			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9433			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9434			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA512)),
9435			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9436			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA1)),
9437		},
9438		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
9439	})
9440	testCases = append(testCases, testCase{
9441		name: "Agree-Digest-Default",
9442		config: Config{
9443			MaxVersion: VersionTLS12,
9444			ClientAuth: RequireAnyClientCert,
9445			VerifySignatureAlgorithms: []signatureAlgorithm{
9446				signatureRSAPKCS1WithSHA256,
9447				signatureECDSAWithP256AndSHA256,
9448				signatureRSAPKCS1WithSHA1,
9449				signatureECDSAWithSHA1,
9450			},
9451		},
9452		flags: []string{
9453			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9454			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9455		},
9456		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
9457	})
9458
9459	// Test that the signing preference list may include extra algorithms
9460	// without negotiation problems.
9461	testCases = append(testCases, testCase{
9462		testType: serverTest,
9463		name:     "FilterExtraAlgorithms",
9464		config: Config{
9465			MaxVersion: VersionTLS12,
9466			VerifySignatureAlgorithms: []signatureAlgorithm{
9467				signatureRSAPKCS1WithSHA256,
9468			},
9469		},
9470		flags: []string{
9471			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9472			"-key-file", path.Join(*resourceDir, rsaKeyFile),
9473			"-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
9474			"-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
9475			"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
9476			"-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
9477		},
9478		expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
9479	})
9480
9481	// In TLS 1.2 and below, ECDSA uses the curve list rather than the
9482	// signature algorithms.
9483	testCases = append(testCases, testCase{
9484		name: "CheckLeafCurve",
9485		config: Config{
9486			MaxVersion:   VersionTLS12,
9487			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
9488			Certificates: []Certificate{ecdsaP256Certificate},
9489		},
9490		flags:         []string{"-curves", strconv.Itoa(int(CurveP384))},
9491		shouldFail:    true,
9492		expectedError: ":BAD_ECC_CERT:",
9493	})
9494
9495	// In TLS 1.3, ECDSA does not use the ECDHE curve list.
9496	testCases = append(testCases, testCase{
9497		name: "CheckLeafCurve-TLS13",
9498		config: Config{
9499			MaxVersion:   VersionTLS13,
9500			Certificates: []Certificate{ecdsaP256Certificate},
9501		},
9502		flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
9503	})
9504
9505	// In TLS 1.2, the ECDSA curve is not in the signature algorithm.
9506	testCases = append(testCases, testCase{
9507		name: "ECDSACurveMismatch-Verify-TLS12",
9508		config: Config{
9509			MaxVersion:   VersionTLS12,
9510			CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
9511			Certificates: []Certificate{ecdsaP256Certificate},
9512			SignSignatureAlgorithms: []signatureAlgorithm{
9513				signatureECDSAWithP384AndSHA384,
9514			},
9515		},
9516	})
9517
9518	// In TLS 1.3, the ECDSA curve comes from the signature algorithm.
9519	testCases = append(testCases, testCase{
9520		name: "ECDSACurveMismatch-Verify-TLS13",
9521		config: Config{
9522			MaxVersion:   VersionTLS13,
9523			Certificates: []Certificate{ecdsaP256Certificate},
9524			SignSignatureAlgorithms: []signatureAlgorithm{
9525				signatureECDSAWithP384AndSHA384,
9526			},
9527			Bugs: ProtocolBugs{
9528				SkipECDSACurveCheck: true,
9529			},
9530		},
9531		shouldFail:    true,
9532		expectedError: ":WRONG_SIGNATURE_TYPE:",
9533	})
9534
9535	// Signature algorithm selection in TLS 1.3 should take the curve into
9536	// account.
9537	testCases = append(testCases, testCase{
9538		testType: serverTest,
9539		name:     "ECDSACurveMismatch-Sign-TLS13",
9540		config: Config{
9541			MaxVersion: VersionTLS13,
9542			VerifySignatureAlgorithms: []signatureAlgorithm{
9543				signatureECDSAWithP384AndSHA384,
9544				signatureECDSAWithP256AndSHA256,
9545			},
9546		},
9547		flags: []string{
9548			"-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
9549			"-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
9550		},
9551		expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
9552	})
9553
9554	// RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
9555	// server does not attempt to sign in that case.
9556	testCases = append(testCases, testCase{
9557		testType: serverTest,
9558		name:     "RSA-PSS-Large",
9559		config: Config{
9560			MaxVersion: VersionTLS13,
9561			VerifySignatureAlgorithms: []signatureAlgorithm{
9562				signatureRSAPSSWithSHA512,
9563			},
9564		},
9565		flags: []string{
9566			"-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
9567			"-key-file", path.Join(*resourceDir, rsa1024KeyFile),
9568		},
9569		shouldFail:    true,
9570		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9571	})
9572
9573	// Test that RSA-PSS is enabled by default for TLS 1.2.
9574	testCases = append(testCases, testCase{
9575		testType: clientTest,
9576		name:     "RSA-PSS-Default-Verify",
9577		config: Config{
9578			MaxVersion: VersionTLS12,
9579			SignSignatureAlgorithms: []signatureAlgorithm{
9580				signatureRSAPSSWithSHA256,
9581			},
9582		},
9583		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9584	})
9585
9586	testCases = append(testCases, testCase{
9587		testType: serverTest,
9588		name:     "RSA-PSS-Default-Sign",
9589		config: Config{
9590			MaxVersion: VersionTLS12,
9591			VerifySignatureAlgorithms: []signatureAlgorithm{
9592				signatureRSAPSSWithSHA256,
9593			},
9594		},
9595		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9596	})
9597
9598	// TLS 1.1 and below has no way to advertise support for or negotiate
9599	// Ed25519's signature algorithm.
9600	testCases = append(testCases, testCase{
9601		testType: clientTest,
9602		name:     "NoEd25519-TLS11-ServerAuth-Verify",
9603		config: Config{
9604			MaxVersion:   VersionTLS11,
9605			Certificates: []Certificate{ed25519Certificate},
9606			Bugs: ProtocolBugs{
9607				// Sign with Ed25519 even though it is TLS 1.1.
9608				UseLegacySigningAlgorithm: signatureEd25519,
9609			},
9610		},
9611		flags:         []string{"-enable-ed25519"},
9612		shouldFail:    true,
9613		expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
9614	})
9615	testCases = append(testCases, testCase{
9616		testType: serverTest,
9617		name:     "NoEd25519-TLS11-ServerAuth-Sign",
9618		config: Config{
9619			MaxVersion: VersionTLS11,
9620		},
9621		flags: []string{
9622			"-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
9623			"-key-file", path.Join(*resourceDir, ed25519KeyFile),
9624		},
9625		shouldFail:    true,
9626		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9627	})
9628	testCases = append(testCases, testCase{
9629		testType: serverTest,
9630		name:     "NoEd25519-TLS11-ClientAuth-Verify",
9631		config: Config{
9632			MaxVersion:   VersionTLS11,
9633			Certificates: []Certificate{ed25519Certificate},
9634			Bugs: ProtocolBugs{
9635				// Sign with Ed25519 even though it is TLS 1.1.
9636				UseLegacySigningAlgorithm: signatureEd25519,
9637			},
9638		},
9639		flags: []string{
9640			"-enable-ed25519",
9641			"-require-any-client-certificate",
9642		},
9643		shouldFail:    true,
9644		expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
9645	})
9646	testCases = append(testCases, testCase{
9647		testType: clientTest,
9648		name:     "NoEd25519-TLS11-ClientAuth-Sign",
9649		config: Config{
9650			MaxVersion: VersionTLS11,
9651			ClientAuth: RequireAnyClientCert,
9652		},
9653		flags: []string{
9654			"-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
9655			"-key-file", path.Join(*resourceDir, ed25519KeyFile),
9656		},
9657		shouldFail:    true,
9658		expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
9659	})
9660
9661	// Test Ed25519 is not advertised by default.
9662	testCases = append(testCases, testCase{
9663		testType: clientTest,
9664		name:     "Ed25519DefaultDisable-NoAdvertise",
9665		config: Config{
9666			Certificates: []Certificate{ed25519Certificate},
9667		},
9668		shouldFail:         true,
9669		expectedLocalError: "tls: no common signature algorithms",
9670	})
9671
9672	// Test Ed25519, when disabled, is not accepted if the peer ignores our
9673	// preferences.
9674	testCases = append(testCases, testCase{
9675		testType: clientTest,
9676		name:     "Ed25519DefaultDisable-NoAccept",
9677		config: Config{
9678			Certificates: []Certificate{ed25519Certificate},
9679			Bugs: ProtocolBugs{
9680				IgnorePeerSignatureAlgorithmPreferences: true,
9681			},
9682		},
9683		shouldFail:         true,
9684		expectedLocalError: "remote error: illegal parameter",
9685		expectedError:      ":WRONG_SIGNATURE_TYPE:",
9686	})
9687
9688	// Test that configuring verify preferences changes what the client
9689	// advertises.
9690	testCases = append(testCases, testCase{
9691		name: "VerifyPreferences-Advertised",
9692		config: Config{
9693			Certificates: []Certificate{rsaCertificate},
9694			SignSignatureAlgorithms: []signatureAlgorithm{
9695				signatureRSAPSSWithSHA256,
9696				signatureRSAPSSWithSHA384,
9697				signatureRSAPSSWithSHA512,
9698			},
9699		},
9700		flags: []string{
9701			"-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9702			"-expect-peer-signature-algorithm", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9703		},
9704	})
9705
9706	// Test that the client advertises a set which the runner can find
9707	// nothing in common with.
9708	testCases = append(testCases, testCase{
9709		name: "VerifyPreferences-NoCommonAlgorithms",
9710		config: Config{
9711			Certificates: []Certificate{rsaCertificate},
9712			SignSignatureAlgorithms: []signatureAlgorithm{
9713				signatureRSAPSSWithSHA256,
9714				signatureRSAPSSWithSHA512,
9715			},
9716		},
9717		flags: []string{
9718			"-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9719		},
9720		shouldFail:         true,
9721		expectedLocalError: "tls: no common signature algorithms",
9722	})
9723
9724	// Test that the client enforces its preferences when configured.
9725	testCases = append(testCases, testCase{
9726		name: "VerifyPreferences-Enforced",
9727		config: Config{
9728			Certificates: []Certificate{rsaCertificate},
9729			SignSignatureAlgorithms: []signatureAlgorithm{
9730				signatureRSAPSSWithSHA256,
9731				signatureRSAPSSWithSHA512,
9732			},
9733			Bugs: ProtocolBugs{
9734				IgnorePeerSignatureAlgorithmPreferences: true,
9735			},
9736		},
9737		flags: []string{
9738			"-verify-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA384)),
9739		},
9740		shouldFail:         true,
9741		expectedLocalError: "remote error: illegal parameter",
9742		expectedError:      ":WRONG_SIGNATURE_TYPE:",
9743	})
9744
9745	// Test that explicitly configuring Ed25519 is as good as changing the
9746	// boolean toggle.
9747	testCases = append(testCases, testCase{
9748		name: "VerifyPreferences-Ed25519",
9749		config: Config{
9750			Certificates: []Certificate{ed25519Certificate},
9751		},
9752		flags: []string{
9753			"-verify-prefs", strconv.Itoa(int(signatureEd25519)),
9754		},
9755	})
9756
9757	rsaPSSSupportTests := []struct {
9758		name                string
9759		expectRSAPSSSupport RSAPSSSupport
9760		verifyPrefs         []signatureAlgorithm
9761		noCerts             bool
9762	}{
9763		// By default, RSA-PSS is fully advertised.
9764		{
9765			name:                "Default",
9766			expectRSAPSSSupport: RSAPSSSupportBoth,
9767		},
9768		// Disabling RSA-PSS certificates makes it online-signature-only.
9769		{
9770			name:                "Default-NoCerts",
9771			expectRSAPSSSupport: RSAPSSSupportOnlineSignatureOnly,
9772			noCerts:             true,
9773		},
9774		// The above also apply if verify preferences were explicitly configured.
9775		{
9776			name:                "ConfigPSS",
9777			expectRSAPSSSupport: RSAPSSSupportBoth,
9778			verifyPrefs:         []signatureAlgorithm{signatureRSAPSSWithSHA256, signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9779		},
9780		{
9781			name:                "ConfigPSS-NoCerts",
9782			expectRSAPSSSupport: RSAPSSSupportOnlineSignatureOnly,
9783			verifyPrefs:         []signatureAlgorithm{signatureRSAPSSWithSHA256, signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9784			noCerts:             true,
9785		},
9786		// If verify preferences were explicitly configured without RSA-PSS support,
9787		// NoCerts is a no-op and the shim correctly only sends one extension.
9788		// (This is checked internally in the runner.)
9789		{
9790			name:                "ConfigNoPSS",
9791			expectRSAPSSSupport: RSAPSSSupportNone,
9792			verifyPrefs:         []signatureAlgorithm{signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9793		},
9794		{
9795			name:                "ConfigNoPSS-NoCerts",
9796			expectRSAPSSSupport: RSAPSSSupportNone,
9797			verifyPrefs:         []signatureAlgorithm{signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256},
9798			noCerts:             true,
9799		},
9800	}
9801
9802	for _, test := range rsaPSSSupportTests {
9803		var pssFlags []string
9804		for _, pref := range test.verifyPrefs {
9805			pssFlags = append(pssFlags, "-verify-prefs", strconv.Itoa(int(pref)))
9806		}
9807		if test.noCerts {
9808			pssFlags = append(pssFlags, "-no-rsa-pss-rsae-certs")
9809		}
9810		for _, ver := range tlsVersions {
9811			if ver.version < VersionTLS12 {
9812				continue
9813			}
9814
9815			// TLS 1.2 cannot express different RSAPSSSupportOnlineSignatureOnly,
9816			// so it decays to RSAPSSSupportNone.
9817			expect := test.expectRSAPSSSupport
9818			if ver.version < VersionTLS13 && expect == RSAPSSSupportOnlineSignatureOnly {
9819				expect = RSAPSSSupportNone
9820			}
9821
9822			// If the configuration results in no RSA-PSS support, the handshake won't complete.
9823			// (The test, however, still covers the RSA-PSS assertion.)
9824			var localError string
9825			var shouldFail bool
9826			if ver.version >= VersionTLS13 && expect == RSAPSSSupportNone {
9827				shouldFail = true
9828				localError = "tls: no common signature algorithms"
9829			}
9830
9831			flags := []string{"-max-version", ver.shimFlag(tls)}
9832			flags = append(flags, pssFlags...)
9833			testCases = append(testCases, testCase{
9834				name: fmt.Sprintf("RSAPSSSupport-%s-%s-Client", test.name, ver.name),
9835				config: Config{
9836					MinVersion:   ver.version,
9837					MaxVersion:   ver.version,
9838					Certificates: []Certificate{rsaCertificate},
9839					Bugs: ProtocolBugs{
9840						ExpectRSAPSSSupport: expect,
9841					},
9842				},
9843				flags:              flags,
9844				shouldFail:         shouldFail,
9845				expectedLocalError: localError,
9846			})
9847
9848			serverFlags := []string{"-require-any-client-certificate"}
9849			serverFlags = append(flags, serverFlags...)
9850			testCases = append(testCases, testCase{
9851				testType: serverTest,
9852				name:     fmt.Sprintf("RSAPSSSupport-%s-%s-Server", test.name, ver.name),
9853				config: Config{
9854					MinVersion:   ver.version,
9855					MaxVersion:   ver.version,
9856					Certificates: []Certificate{rsaCertificate},
9857					Bugs: ProtocolBugs{
9858						ExpectRSAPSSSupport: expect,
9859					},
9860				},
9861				flags:              serverFlags,
9862				shouldFail:         shouldFail,
9863				expectedLocalError: localError,
9864			})
9865		}
9866	}
9867}
9868
9869// timeouts is the retransmit schedule for BoringSSL. It doubles and
9870// caps at 60 seconds. On the 13th timeout, it gives up.
9871var timeouts = []time.Duration{
9872	1 * time.Second,
9873	2 * time.Second,
9874	4 * time.Second,
9875	8 * time.Second,
9876	16 * time.Second,
9877	32 * time.Second,
9878	60 * time.Second,
9879	60 * time.Second,
9880	60 * time.Second,
9881	60 * time.Second,
9882	60 * time.Second,
9883	60 * time.Second,
9884	60 * time.Second,
9885}
9886
9887// shortTimeouts is an alternate set of timeouts which would occur if the
9888// initial timeout duration was set to 250ms.
9889var shortTimeouts = []time.Duration{
9890	250 * time.Millisecond,
9891	500 * time.Millisecond,
9892	1 * time.Second,
9893	2 * time.Second,
9894	4 * time.Second,
9895	8 * time.Second,
9896	16 * time.Second,
9897	32 * time.Second,
9898	60 * time.Second,
9899	60 * time.Second,
9900	60 * time.Second,
9901	60 * time.Second,
9902	60 * time.Second,
9903}
9904
9905func addDTLSRetransmitTests() {
9906	// These tests work by coordinating some behavior on both the shim and
9907	// the runner.
9908	//
9909	// TimeoutSchedule configures the runner to send a series of timeout
9910	// opcodes to the shim (see packetAdaptor) immediately before reading
9911	// each peer handshake flight N. The timeout opcode both simulates a
9912	// timeout in the shim and acts as a synchronization point to help the
9913	// runner bracket each handshake flight.
9914	//
9915	// We assume the shim does not read from the channel eagerly. It must
9916	// first wait until it has sent flight N and is ready to receive
9917	// handshake flight N+1. At this point, it will process the timeout
9918	// opcode. It must then immediately respond with a timeout ACK and act
9919	// as if the shim was idle for the specified amount of time.
9920	//
9921	// The runner then drops all packets received before the ACK and
9922	// continues waiting for flight N. This ordering results in one attempt
9923	// at sending flight N to be dropped. For the test to complete, the
9924	// shim must send flight N again, testing that the shim implements DTLS
9925	// retransmit on a timeout.
9926
9927	// TODO(davidben): Add DTLS 1.3 versions of these tests. There will
9928	// likely be more epochs to cross and the final message's retransmit may
9929	// be more complex.
9930
9931	// Test that this is indeed the timeout schedule. Stress all
9932	// four patterns of handshake.
9933	for i := 1; i < len(timeouts); i++ {
9934		number := strconv.Itoa(i)
9935		testCases = append(testCases, testCase{
9936			protocol: dtls,
9937			name:     "DTLS-Retransmit-Client-" + number,
9938			config: Config{
9939				MaxVersion: VersionTLS12,
9940				Bugs: ProtocolBugs{
9941					TimeoutSchedule: timeouts[:i],
9942				},
9943			},
9944			resumeSession: true,
9945			flags:         []string{"-async"},
9946		})
9947		testCases = append(testCases, testCase{
9948			protocol: dtls,
9949			testType: serverTest,
9950			name:     "DTLS-Retransmit-Server-" + number,
9951			config: Config{
9952				MaxVersion: VersionTLS12,
9953				Bugs: ProtocolBugs{
9954					TimeoutSchedule: timeouts[:i],
9955				},
9956			},
9957			resumeSession: true,
9958			flags:         []string{"-async"},
9959		})
9960	}
9961
9962	// Test that exceeding the timeout schedule hits a read
9963	// timeout.
9964	testCases = append(testCases, testCase{
9965		protocol: dtls,
9966		name:     "DTLS-Retransmit-Timeout",
9967		config: Config{
9968			MaxVersion: VersionTLS12,
9969			Bugs: ProtocolBugs{
9970				TimeoutSchedule: timeouts,
9971			},
9972		},
9973		resumeSession: true,
9974		flags:         []string{"-async"},
9975		shouldFail:    true,
9976		expectedError: ":READ_TIMEOUT_EXPIRED:",
9977	})
9978
9979	// Test that timeout handling has a fudge factor, due to API
9980	// problems.
9981	testCases = append(testCases, testCase{
9982		protocol: dtls,
9983		name:     "DTLS-Retransmit-Fudge",
9984		config: Config{
9985			MaxVersion: VersionTLS12,
9986			Bugs: ProtocolBugs{
9987				TimeoutSchedule: []time.Duration{
9988					timeouts[0] - 10*time.Millisecond,
9989				},
9990			},
9991		},
9992		resumeSession: true,
9993		flags:         []string{"-async"},
9994	})
9995
9996	// Test that the final Finished retransmitting isn't
9997	// duplicated if the peer badly fragments everything.
9998	testCases = append(testCases, testCase{
9999		testType: serverTest,
10000		protocol: dtls,
10001		name:     "DTLS-Retransmit-Fragmented",
10002		config: Config{
10003			MaxVersion: VersionTLS12,
10004			Bugs: ProtocolBugs{
10005				TimeoutSchedule:          []time.Duration{timeouts[0]},
10006				MaxHandshakeRecordLength: 2,
10007			},
10008		},
10009		flags: []string{"-async"},
10010	})
10011
10012	// Test the timeout schedule when a shorter initial timeout duration is set.
10013	testCases = append(testCases, testCase{
10014		protocol: dtls,
10015		name:     "DTLS-Retransmit-Short-Client",
10016		config: Config{
10017			MaxVersion: VersionTLS12,
10018			Bugs: ProtocolBugs{
10019				TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
10020			},
10021		},
10022		resumeSession: true,
10023		flags: []string{
10024			"-async",
10025			"-initial-timeout-duration-ms", "250",
10026		},
10027	})
10028	testCases = append(testCases, testCase{
10029		protocol: dtls,
10030		testType: serverTest,
10031		name:     "DTLS-Retransmit-Short-Server",
10032		config: Config{
10033			MaxVersion: VersionTLS12,
10034			Bugs: ProtocolBugs{
10035				TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
10036			},
10037		},
10038		resumeSession: true,
10039		flags: []string{
10040			"-async",
10041			"-initial-timeout-duration-ms", "250",
10042		},
10043	})
10044
10045	// If the shim sends the last Finished (server full or client resume
10046	// handshakes), it must retransmit that Finished when it sees a
10047	// post-handshake penultimate Finished from the runner. The above tests
10048	// cover this. Conversely, if the shim sends the penultimate Finished
10049	// (client full or server resume), test that it does not retransmit.
10050	testCases = append(testCases, testCase{
10051		protocol: dtls,
10052		testType: clientTest,
10053		name:     "DTLS-StrayRetransmitFinished-ClientFull",
10054		config: Config{
10055			MaxVersion: VersionTLS12,
10056			Bugs: ProtocolBugs{
10057				RetransmitFinished: true,
10058			},
10059		},
10060	})
10061	testCases = append(testCases, testCase{
10062		protocol: dtls,
10063		testType: serverTest,
10064		name:     "DTLS-StrayRetransmitFinished-ServerResume",
10065		config: Config{
10066			MaxVersion: VersionTLS12,
10067		},
10068		resumeConfig: &Config{
10069			MaxVersion: VersionTLS12,
10070			Bugs: ProtocolBugs{
10071				RetransmitFinished: true,
10072			},
10073		},
10074		resumeSession: true,
10075	})
10076}
10077
10078func addExportKeyingMaterialTests() {
10079	for _, vers := range tlsVersions {
10080		testCases = append(testCases, testCase{
10081			name: "ExportKeyingMaterial-" + vers.name,
10082			config: Config{
10083				MaxVersion: vers.version,
10084			},
10085			// Test the exporter in both initial and resumption
10086			// handshakes.
10087			resumeSession:        true,
10088			exportKeyingMaterial: 1024,
10089			exportLabel:          "label",
10090			exportContext:        "context",
10091			useExportContext:     true,
10092		})
10093		testCases = append(testCases, testCase{
10094			name: "ExportKeyingMaterial-NoContext-" + vers.name,
10095			config: Config{
10096				MaxVersion: vers.version,
10097			},
10098			exportKeyingMaterial: 1024,
10099		})
10100		testCases = append(testCases, testCase{
10101			name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
10102			config: Config{
10103				MaxVersion: vers.version,
10104			},
10105			exportKeyingMaterial: 1024,
10106			useExportContext:     true,
10107		})
10108		testCases = append(testCases, testCase{
10109			name: "ExportKeyingMaterial-Small-" + vers.name,
10110			config: Config{
10111				MaxVersion: vers.version,
10112			},
10113			exportKeyingMaterial: 1,
10114			exportLabel:          "label",
10115			exportContext:        "context",
10116			useExportContext:     true,
10117		})
10118
10119		if vers.version >= VersionTLS13 {
10120			// Test the exporters do not work while the client is
10121			// sending 0-RTT data.
10122			testCases = append(testCases, testCase{
10123				name: "NoEarlyKeyingMaterial-Client-InEarlyData-" + vers.name,
10124				config: Config{
10125					MaxVersion:       vers.version,
10126					MaxEarlyDataSize: 16384,
10127				},
10128				resumeSession: true,
10129				flags: []string{
10130					"-enable-early-data",
10131					"-expect-ticket-supports-early-data",
10132					"-expect-accept-early-data",
10133					"-on-resume-export-keying-material", "1024",
10134					"-on-resume-export-label", "label",
10135					"-on-resume-export-context", "context",
10136				},
10137				shouldFail:    true,
10138				expectedError: ":HANDSHAKE_NOT_COMPLETE:",
10139			})
10140
10141			// Test the early exporter works while the client is
10142			// sending 0-RTT data. This data arrives during the
10143			// server handshake, so we test it with ProtocolBugs.
10144			testCases = append(testCases, testCase{
10145				name: "ExportEarlyKeyingMaterial-Client-InEarlyData-" + vers.name,
10146				config: Config{
10147					MaxVersion:       vers.version,
10148					MaxEarlyDataSize: 16384,
10149				},
10150				resumeConfig: &Config{
10151					MaxVersion:       vers.version,
10152					MaxEarlyDataSize: 16384,
10153					Bugs: ProtocolBugs{
10154						ExpectEarlyKeyingMaterial: 1024,
10155						ExpectEarlyKeyingLabel:    "label",
10156						ExpectEarlyKeyingContext:  "context",
10157					},
10158				},
10159				resumeSession: true,
10160				flags: []string{
10161					"-enable-early-data",
10162					"-expect-ticket-supports-early-data",
10163					"-expect-accept-early-data",
10164					"-on-resume-export-early-keying-material", "1024",
10165					"-on-resume-export-label", "label",
10166					"-on-resume-export-context", "context",
10167				},
10168			})
10169
10170			// Test the early exporter still works on the client
10171			// after the handshake is confirmed. This arrives after
10172			// the server handshake, so the normal hooks work.
10173			testCases = append(testCases, testCase{
10174				name: "ExportEarlyKeyingMaterial-Client-EarlyDataAccept-" + vers.name,
10175				config: Config{
10176					MaxVersion:       vers.version,
10177					MaxEarlyDataSize: 16384,
10178				},
10179				resumeConfig: &Config{
10180					MaxVersion:       vers.version,
10181					MaxEarlyDataSize: 16384,
10182				},
10183				resumeSession:             true,
10184				exportEarlyKeyingMaterial: 1024,
10185				exportLabel:               "label",
10186				exportContext:             "context",
10187				flags: []string{
10188					"-enable-early-data",
10189					"-expect-ticket-supports-early-data",
10190					"-expect-accept-early-data",
10191					// Handshake twice on the client to force
10192					// handshake confirmation.
10193					"-handshake-twice",
10194				},
10195			})
10196
10197			// Test the early exporter does not work on the client
10198			// if 0-RTT was not offered.
10199			testCases = append(testCases, testCase{
10200				name: "NoExportEarlyKeyingMaterial-Client-Initial-" + vers.name,
10201				config: Config{
10202					MaxVersion: vers.version,
10203				},
10204				flags:         []string{"-export-early-keying-material", "1024"},
10205				shouldFail:    true,
10206				expectedError: ":EARLY_DATA_NOT_IN_USE:",
10207			})
10208			testCases = append(testCases, testCase{
10209				name: "NoExportEarlyKeyingMaterial-Client-Resume-" + vers.name,
10210				config: Config{
10211					MaxVersion: vers.version,
10212				},
10213				resumeSession: true,
10214				flags:         []string{"-on-resume-export-early-keying-material", "1024"},
10215				shouldFail:    true,
10216				expectedError: ":EARLY_DATA_NOT_IN_USE:",
10217			})
10218
10219			// Test the early exporter does not work on the client
10220			// after a 0-RTT reject.
10221			testCases = append(testCases, testCase{
10222				name: "NoExportEarlyKeyingMaterial-Client-EarlyDataReject-" + vers.name,
10223				config: Config{
10224					MaxVersion:       vers.version,
10225					MaxEarlyDataSize: 16384,
10226					Bugs: ProtocolBugs{
10227						AlwaysRejectEarlyData: true,
10228					},
10229				},
10230				resumeSession: true,
10231				flags: []string{
10232					"-enable-early-data",
10233					"-expect-ticket-supports-early-data",
10234					"-expect-reject-early-data",
10235					"-on-retry-export-early-keying-material", "1024",
10236				},
10237				shouldFail:    true,
10238				expectedError: ":EARLY_DATA_NOT_IN_USE:",
10239			})
10240
10241			// Test the normal exporter on the server in half-RTT.
10242			testCases = append(testCases, testCase{
10243				testType: serverTest,
10244				name:     "ExportKeyingMaterial-Server-HalfRTT-" + vers.name,
10245				config: Config{
10246					MaxVersion: vers.version,
10247					Bugs: ProtocolBugs{
10248						SendEarlyData:           [][]byte{},
10249						ExpectEarlyDataAccepted: true,
10250					},
10251				},
10252				resumeSession:        true,
10253				exportKeyingMaterial: 1024,
10254				exportLabel:          "label",
10255				exportContext:        "context",
10256				useExportContext:     true,
10257				flags:                []string{"-enable-early-data"},
10258			})
10259
10260			// Test the early exporter works on the server in half-RTT.
10261			testCases = append(testCases, testCase{
10262				testType: serverTest,
10263				name:     "ExportEarlyKeyingMaterial-Server-HalfRTT-" + vers.name,
10264				config: Config{
10265					MaxVersion: vers.version,
10266					Bugs: ProtocolBugs{
10267						SendEarlyData:           [][]byte{},
10268						ExpectEarlyDataAccepted: true,
10269					},
10270				},
10271				resumeSession:             true,
10272				exportEarlyKeyingMaterial: 1024,
10273				exportLabel:               "label",
10274				exportContext:             "context",
10275				flags:                     []string{"-enable-early-data"},
10276			})
10277
10278			// Test the early exporter does not work on the server
10279			// if 0-RTT was not offered.
10280			testCases = append(testCases, testCase{
10281				testType: serverTest,
10282				name:     "NoExportEarlyKeyingMaterial-Server-Initial-" + vers.name,
10283				config: Config{
10284					MaxVersion: vers.version,
10285				},
10286				flags:         []string{"-export-early-keying-material", "1024"},
10287				shouldFail:    true,
10288				expectedError: ":EARLY_DATA_NOT_IN_USE:",
10289			})
10290			testCases = append(testCases, testCase{
10291				testType: serverTest,
10292				name:     "NoExportEarlyKeyingMaterial-Server-Resume-" + vers.name,
10293				config: Config{
10294					MaxVersion: vers.version,
10295				},
10296				resumeSession: true,
10297				flags:         []string{"-on-resume-export-early-keying-material", "1024"},
10298				shouldFail:    true,
10299				expectedError: ":EARLY_DATA_NOT_IN_USE:",
10300			})
10301		} else {
10302			// Test the early exporter fails before TLS 1.3.
10303			testCases = append(testCases, testCase{
10304				name: "NoExportEarlyKeyingMaterial-Client-" + vers.name,
10305				config: Config{
10306					MaxVersion: vers.version,
10307				},
10308				resumeSession:             true,
10309				exportEarlyKeyingMaterial: 1024,
10310				exportLabel:               "label",
10311				exportContext:             "context",
10312				shouldFail:                true,
10313				expectedError:             ":WRONG_SSL_VERSION:",
10314			})
10315			testCases = append(testCases, testCase{
10316				testType: serverTest,
10317				name:     "NoExportEarlyKeyingMaterial-Server-" + vers.name,
10318				config: Config{
10319					MaxVersion: vers.version,
10320				},
10321				resumeSession:             true,
10322				exportEarlyKeyingMaterial: 1024,
10323				exportLabel:               "label",
10324				exportContext:             "context",
10325				shouldFail:                true,
10326				expectedError:             ":WRONG_SSL_VERSION:",
10327			})
10328		}
10329	}
10330
10331	// Exporters work during a False Start.
10332	testCases = append(testCases, testCase{
10333		name: "ExportKeyingMaterial-FalseStart",
10334		config: Config{
10335			MaxVersion:   VersionTLS12,
10336			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10337			NextProtos:   []string{"foo"},
10338			Bugs: ProtocolBugs{
10339				ExpectFalseStart: true,
10340			},
10341		},
10342		flags: []string{
10343			"-false-start",
10344			"-advertise-alpn", "\x03foo",
10345			"-expect-alpn", "foo",
10346		},
10347		shimWritesFirst:      true,
10348		exportKeyingMaterial: 1024,
10349		exportLabel:          "label",
10350		exportContext:        "context",
10351		useExportContext:     true,
10352	})
10353
10354	// Exporters do not work in the middle of a renegotiation. Test this by
10355	// triggering the exporter after every SSL_read call and configuring the
10356	// shim to run asynchronously.
10357	testCases = append(testCases, testCase{
10358		name: "ExportKeyingMaterial-Renegotiate",
10359		config: Config{
10360			MaxVersion: VersionTLS12,
10361		},
10362		renegotiate: 1,
10363		flags: []string{
10364			"-async",
10365			"-use-exporter-between-reads",
10366			"-renegotiate-freely",
10367			"-expect-total-renegotiations", "1",
10368		},
10369		shouldFail:    true,
10370		expectedError: "failed to export keying material",
10371	})
10372}
10373
10374func addExportTrafficSecretsTests() {
10375	for _, cipherSuite := range []testCipherSuite{
10376		// Test a SHA-256 and SHA-384 based cipher suite.
10377		{"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
10378		{"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
10379	} {
10380
10381		testCases = append(testCases, testCase{
10382			name: "ExportTrafficSecrets-" + cipherSuite.name,
10383			config: Config{
10384				MinVersion:   VersionTLS13,
10385				CipherSuites: []uint16{cipherSuite.id},
10386			},
10387			exportTrafficSecrets: true,
10388		})
10389	}
10390}
10391
10392func addTLSUniqueTests() {
10393	for _, isClient := range []bool{false, true} {
10394		for _, isResumption := range []bool{false, true} {
10395			for _, hasEMS := range []bool{false, true} {
10396				var suffix string
10397				if isResumption {
10398					suffix = "Resume-"
10399				} else {
10400					suffix = "Full-"
10401				}
10402
10403				if hasEMS {
10404					suffix += "EMS-"
10405				} else {
10406					suffix += "NoEMS-"
10407				}
10408
10409				if isClient {
10410					suffix += "Client"
10411				} else {
10412					suffix += "Server"
10413				}
10414
10415				test := testCase{
10416					name:          "TLSUnique-" + suffix,
10417					testTLSUnique: true,
10418					config: Config{
10419						MaxVersion: VersionTLS12,
10420						Bugs: ProtocolBugs{
10421							NoExtendedMasterSecret: !hasEMS,
10422						},
10423					},
10424				}
10425
10426				if isResumption {
10427					test.resumeSession = true
10428					test.resumeConfig = &Config{
10429						MaxVersion: VersionTLS12,
10430						Bugs: ProtocolBugs{
10431							NoExtendedMasterSecret: !hasEMS,
10432						},
10433					}
10434				}
10435
10436				if isResumption && !hasEMS {
10437					test.shouldFail = true
10438					test.expectedError = "failed to get tls-unique"
10439				}
10440
10441				testCases = append(testCases, test)
10442			}
10443		}
10444	}
10445}
10446
10447func addCustomExtensionTests() {
10448	// Test an unknown extension from the server.
10449	testCases = append(testCases, testCase{
10450		testType: clientTest,
10451		name:     "UnknownExtension-Client",
10452		config: Config{
10453			MaxVersion: VersionTLS12,
10454			Bugs: ProtocolBugs{
10455				CustomExtension: "custom extension",
10456			},
10457		},
10458		shouldFail:         true,
10459		expectedError:      ":UNEXPECTED_EXTENSION:",
10460		expectedLocalError: "remote error: unsupported extension",
10461	})
10462	testCases = append(testCases, testCase{
10463		testType: clientTest,
10464		name:     "UnknownExtension-Client-TLS13",
10465		config: Config{
10466			MaxVersion: VersionTLS13,
10467			Bugs: ProtocolBugs{
10468				CustomExtension: "custom extension",
10469			},
10470		},
10471		shouldFail:         true,
10472		expectedError:      ":UNEXPECTED_EXTENSION:",
10473		expectedLocalError: "remote error: unsupported extension",
10474	})
10475	testCases = append(testCases, testCase{
10476		testType: clientTest,
10477		name:     "UnknownUnencryptedExtension-Client-TLS13",
10478		config: Config{
10479			MaxVersion: VersionTLS13,
10480			Bugs: ProtocolBugs{
10481				CustomUnencryptedExtension: "custom extension",
10482			},
10483		},
10484		shouldFail:    true,
10485		expectedError: ":UNEXPECTED_EXTENSION:",
10486		// The shim must send an alert, but alerts at this point do not
10487		// get successfully decrypted by the runner.
10488		expectedLocalError: "local error: bad record MAC",
10489	})
10490	testCases = append(testCases, testCase{
10491		testType: clientTest,
10492		name:     "UnexpectedUnencryptedExtension-Client-TLS13",
10493		config: Config{
10494			MaxVersion: VersionTLS13,
10495			Bugs: ProtocolBugs{
10496				SendUnencryptedALPN: "foo",
10497			},
10498		},
10499		flags: []string{
10500			"-advertise-alpn", "\x03foo\x03bar",
10501		},
10502		shouldFail:    true,
10503		expectedError: ":UNEXPECTED_EXTENSION:",
10504		// The shim must send an alert, but alerts at this point do not
10505		// get successfully decrypted by the runner.
10506		expectedLocalError: "local error: bad record MAC",
10507	})
10508
10509	// Test a known but unoffered extension from the server.
10510	testCases = append(testCases, testCase{
10511		testType: clientTest,
10512		name:     "UnofferedExtension-Client",
10513		config: Config{
10514			MaxVersion: VersionTLS12,
10515			Bugs: ProtocolBugs{
10516				SendALPN: "alpn",
10517			},
10518		},
10519		shouldFail:         true,
10520		expectedError:      ":UNEXPECTED_EXTENSION:",
10521		expectedLocalError: "remote error: unsupported extension",
10522	})
10523	testCases = append(testCases, testCase{
10524		testType: clientTest,
10525		name:     "UnofferedExtension-Client-TLS13",
10526		config: Config{
10527			MaxVersion: VersionTLS13,
10528			Bugs: ProtocolBugs{
10529				SendALPN: "alpn",
10530			},
10531		},
10532		shouldFail:         true,
10533		expectedError:      ":UNEXPECTED_EXTENSION:",
10534		expectedLocalError: "remote error: unsupported extension",
10535	})
10536}
10537
10538func addRSAClientKeyExchangeTests() {
10539	for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
10540		testCases = append(testCases, testCase{
10541			testType: serverTest,
10542			name:     fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
10543			config: Config{
10544				// Ensure the ClientHello version and final
10545				// version are different, to detect if the
10546				// server uses the wrong one.
10547				MaxVersion:   VersionTLS11,
10548				CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
10549				Bugs: ProtocolBugs{
10550					BadRSAClientKeyExchange: bad,
10551				},
10552			},
10553			shouldFail:    true,
10554			expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
10555		})
10556	}
10557
10558	// The server must compare whatever was in ClientHello.version for the
10559	// RSA premaster.
10560	testCases = append(testCases, testCase{
10561		testType: serverTest,
10562		name:     "SendClientVersion-RSA",
10563		config: Config{
10564			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
10565			Bugs: ProtocolBugs{
10566				SendClientVersion: 0x1234,
10567			},
10568		},
10569		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
10570	})
10571}
10572
10573var testCurves = []struct {
10574	name string
10575	id   CurveID
10576}{
10577	{"P-224", CurveP224},
10578	{"P-256", CurveP256},
10579	{"P-384", CurveP384},
10580	{"P-521", CurveP521},
10581	{"X25519", CurveX25519},
10582	{"CECPQ2", CurveCECPQ2},
10583}
10584
10585const bogusCurve = 0x1234
10586
10587func addCurveTests() {
10588	for _, curve := range testCurves {
10589		for _, ver := range tlsVersions {
10590			if curve.id == CurveCECPQ2 && ver.version < VersionTLS13 {
10591				continue
10592			}
10593
10594			suffix := curve.name + "-" + ver.name
10595
10596			testCases = append(testCases, testCase{
10597				name: "CurveTest-Client-" + suffix,
10598				config: Config{
10599					MaxVersion: ver.version,
10600					CipherSuites: []uint16{
10601						TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10602						TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
10603						TLS_AES_256_GCM_SHA384,
10604					},
10605					CurvePreferences: []CurveID{curve.id},
10606				},
10607				flags: []string{
10608					"-enable-all-curves",
10609					"-expect-curve-id", strconv.Itoa(int(curve.id)),
10610				},
10611				expectedCurveID: curve.id,
10612			})
10613			testCases = append(testCases, testCase{
10614				testType: serverTest,
10615				name:     "CurveTest-Server-" + suffix,
10616				config: Config{
10617					MaxVersion: ver.version,
10618					CipherSuites: []uint16{
10619						TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10620						TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
10621						TLS_AES_256_GCM_SHA384,
10622					},
10623					CurvePreferences: []CurveID{curve.id},
10624				},
10625				flags: []string{
10626					"-enable-all-curves",
10627					"-expect-curve-id", strconv.Itoa(int(curve.id)),
10628				},
10629				expectedCurveID: curve.id,
10630			})
10631
10632			if curve.id != CurveX25519 && curve.id != CurveCECPQ2 {
10633				testCases = append(testCases, testCase{
10634					name: "CurveTest-Client-Compressed-" + suffix,
10635					config: Config{
10636						MaxVersion: ver.version,
10637						CipherSuites: []uint16{
10638							TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10639							TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
10640							TLS_AES_256_GCM_SHA384,
10641						},
10642						CurvePreferences: []CurveID{curve.id},
10643						Bugs: ProtocolBugs{
10644							SendCompressedCoordinates: true,
10645						},
10646					},
10647					flags:         []string{"-enable-all-curves"},
10648					shouldFail:    true,
10649					expectedError: ":BAD_ECPOINT:",
10650				})
10651				testCases = append(testCases, testCase{
10652					testType: serverTest,
10653					name:     "CurveTest-Server-Compressed-" + suffix,
10654					config: Config{
10655						MaxVersion: ver.version,
10656						CipherSuites: []uint16{
10657							TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10658							TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
10659							TLS_AES_256_GCM_SHA384,
10660						},
10661						CurvePreferences: []CurveID{curve.id},
10662						Bugs: ProtocolBugs{
10663							SendCompressedCoordinates: true,
10664						},
10665					},
10666					flags:         []string{"-enable-all-curves"},
10667					shouldFail:    true,
10668					expectedError: ":BAD_ECPOINT:",
10669				})
10670			}
10671		}
10672	}
10673
10674	// The server must be tolerant to bogus curves.
10675	testCases = append(testCases, testCase{
10676		testType: serverTest,
10677		name:     "UnknownCurve",
10678		config: Config{
10679			MaxVersion:       VersionTLS12,
10680			CipherSuites:     []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10681			CurvePreferences: []CurveID{bogusCurve, CurveP256},
10682		},
10683	})
10684
10685	// The server must be tolerant to bogus curves.
10686	testCases = append(testCases, testCase{
10687		testType: serverTest,
10688		name:     "UnknownCurve-TLS13",
10689		config: Config{
10690			MaxVersion:       VersionTLS13,
10691			CurvePreferences: []CurveID{bogusCurve, CurveP256},
10692		},
10693	})
10694
10695	// The server must not consider ECDHE ciphers when there are no
10696	// supported curves.
10697	testCases = append(testCases, testCase{
10698		testType: serverTest,
10699		name:     "NoSupportedCurves",
10700		config: Config{
10701			MaxVersion:   VersionTLS12,
10702			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10703			Bugs: ProtocolBugs{
10704				NoSupportedCurves: true,
10705			},
10706		},
10707		shouldFail:    true,
10708		expectedError: ":NO_SHARED_CIPHER:",
10709	})
10710	testCases = append(testCases, testCase{
10711		testType: serverTest,
10712		name:     "NoSupportedCurves-TLS13",
10713		config: Config{
10714			MaxVersion: VersionTLS13,
10715			Bugs: ProtocolBugs{
10716				NoSupportedCurves: true,
10717			},
10718		},
10719		shouldFail:    true,
10720		expectedError: ":NO_SHARED_GROUP:",
10721	})
10722
10723	// The server must fall back to another cipher when there are no
10724	// supported curves.
10725	testCases = append(testCases, testCase{
10726		testType: serverTest,
10727		name:     "NoCommonCurves",
10728		config: Config{
10729			MaxVersion: VersionTLS12,
10730			CipherSuites: []uint16{
10731				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
10732				TLS_RSA_WITH_AES_128_GCM_SHA256,
10733			},
10734			CurvePreferences: []CurveID{CurveP224},
10735		},
10736		expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
10737	})
10738
10739	// The client must reject bogus curves and disabled curves.
10740	testCases = append(testCases, testCase{
10741		name: "BadECDHECurve",
10742		config: Config{
10743			MaxVersion:   VersionTLS12,
10744			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10745			Bugs: ProtocolBugs{
10746				SendCurve: bogusCurve,
10747			},
10748		},
10749		shouldFail:    true,
10750		expectedError: ":WRONG_CURVE:",
10751	})
10752	testCases = append(testCases, testCase{
10753		name: "BadECDHECurve-TLS13",
10754		config: Config{
10755			MaxVersion: VersionTLS13,
10756			Bugs: ProtocolBugs{
10757				SendCurve: bogusCurve,
10758			},
10759		},
10760		shouldFail:    true,
10761		expectedError: ":WRONG_CURVE:",
10762	})
10763
10764	testCases = append(testCases, testCase{
10765		name: "UnsupportedCurve",
10766		config: Config{
10767			MaxVersion:       VersionTLS12,
10768			CipherSuites:     []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10769			CurvePreferences: []CurveID{CurveP256},
10770			Bugs: ProtocolBugs{
10771				IgnorePeerCurvePreferences: true,
10772			},
10773		},
10774		flags:         []string{"-curves", strconv.Itoa(int(CurveP384))},
10775		shouldFail:    true,
10776		expectedError: ":WRONG_CURVE:",
10777	})
10778
10779	testCases = append(testCases, testCase{
10780		// TODO(davidben): Add a TLS 1.3 version where
10781		// HelloRetryRequest requests an unsupported curve.
10782		name: "UnsupportedCurve-ServerHello-TLS13",
10783		config: Config{
10784			MaxVersion:       VersionTLS13,
10785			CurvePreferences: []CurveID{CurveP384},
10786			Bugs: ProtocolBugs{
10787				SendCurve: CurveP256,
10788			},
10789		},
10790		flags:         []string{"-curves", strconv.Itoa(int(CurveP384))},
10791		shouldFail:    true,
10792		expectedError: ":WRONG_CURVE:",
10793	})
10794
10795	// Test invalid curve points.
10796	testCases = append(testCases, testCase{
10797		name: "InvalidECDHPoint-Client",
10798		config: Config{
10799			MaxVersion:       VersionTLS12,
10800			CipherSuites:     []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10801			CurvePreferences: []CurveID{CurveP256},
10802			Bugs: ProtocolBugs{
10803				InvalidECDHPoint: true,
10804			},
10805		},
10806		shouldFail:    true,
10807		expectedError: ":BAD_ECPOINT:",
10808	})
10809	testCases = append(testCases, testCase{
10810		name: "InvalidECDHPoint-Client-TLS13",
10811		config: Config{
10812			MaxVersion:       VersionTLS13,
10813			CurvePreferences: []CurveID{CurveP256},
10814			Bugs: ProtocolBugs{
10815				InvalidECDHPoint: true,
10816			},
10817		},
10818		shouldFail:    true,
10819		expectedError: ":BAD_ECPOINT:",
10820	})
10821	testCases = append(testCases, testCase{
10822		testType: serverTest,
10823		name:     "InvalidECDHPoint-Server",
10824		config: Config{
10825			MaxVersion:       VersionTLS12,
10826			CipherSuites:     []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10827			CurvePreferences: []CurveID{CurveP256},
10828			Bugs: ProtocolBugs{
10829				InvalidECDHPoint: true,
10830			},
10831		},
10832		shouldFail:    true,
10833		expectedError: ":BAD_ECPOINT:",
10834	})
10835	testCases = append(testCases, testCase{
10836		testType: serverTest,
10837		name:     "InvalidECDHPoint-Server-TLS13",
10838		config: Config{
10839			MaxVersion:       VersionTLS13,
10840			CurvePreferences: []CurveID{CurveP256},
10841			Bugs: ProtocolBugs{
10842				InvalidECDHPoint: true,
10843			},
10844		},
10845		shouldFail:    true,
10846		expectedError: ":BAD_ECPOINT:",
10847	})
10848
10849	// The previous curve ID should be reported on TLS 1.2 resumption.
10850	testCases = append(testCases, testCase{
10851		name: "CurveID-Resume-Client",
10852		config: Config{
10853			MaxVersion:       VersionTLS12,
10854			CipherSuites:     []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10855			CurvePreferences: []CurveID{CurveX25519},
10856		},
10857		flags:         []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
10858		resumeSession: true,
10859	})
10860	testCases = append(testCases, testCase{
10861		testType: serverTest,
10862		name:     "CurveID-Resume-Server",
10863		config: Config{
10864			MaxVersion:       VersionTLS12,
10865			CipherSuites:     []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
10866			CurvePreferences: []CurveID{CurveX25519},
10867		},
10868		flags:         []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
10869		resumeSession: true,
10870	})
10871
10872	// TLS 1.3 allows resuming at a differet curve. If this happens, the new
10873	// one should be reported.
10874	testCases = append(testCases, testCase{
10875		name: "CurveID-Resume-Client-TLS13",
10876		config: Config{
10877			MaxVersion:       VersionTLS13,
10878			CurvePreferences: []CurveID{CurveX25519},
10879		},
10880		resumeConfig: &Config{
10881			MaxVersion:       VersionTLS13,
10882			CurvePreferences: []CurveID{CurveP256},
10883		},
10884		flags: []string{
10885			"-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
10886			"-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
10887		},
10888		resumeSession: true,
10889	})
10890	testCases = append(testCases, testCase{
10891		testType: serverTest,
10892		name:     "CurveID-Resume-Server-TLS13",
10893		config: Config{
10894			MaxVersion:       VersionTLS13,
10895			CurvePreferences: []CurveID{CurveX25519},
10896		},
10897		resumeConfig: &Config{
10898			MaxVersion:       VersionTLS13,
10899			CurvePreferences: []CurveID{CurveP256},
10900		},
10901		flags: []string{
10902			"-on-initial-expect-curve-id", strconv.Itoa(int(CurveX25519)),
10903			"-on-resume-expect-curve-id", strconv.Itoa(int(CurveP256)),
10904		},
10905		resumeSession: true,
10906	})
10907
10908	// Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
10909	testCases = append(testCases, testCase{
10910		name: "PointFormat-ServerHello-TLS12",
10911		config: Config{
10912			MaxVersion: VersionTLS12,
10913			Bugs: ProtocolBugs{
10914				SendSupportedPointFormats: []byte{pointFormatUncompressed},
10915			},
10916		},
10917	})
10918	testCases = append(testCases, testCase{
10919		name: "PointFormat-EncryptedExtensions-TLS13",
10920		config: Config{
10921			MaxVersion: VersionTLS13,
10922			Bugs: ProtocolBugs{
10923				SendSupportedPointFormats: []byte{pointFormatUncompressed},
10924			},
10925		},
10926		shouldFail:    true,
10927		expectedError: ":ERROR_PARSING_EXTENSION:",
10928	})
10929
10930	// Server-sent supported groups/curves are legal in TLS 1.3. They are
10931	// illegal in TLS 1.2, but some servers send them anyway, so we must
10932	// tolerate them.
10933	testCases = append(testCases, testCase{
10934		name: "SupportedCurves-ServerHello-TLS12",
10935		config: Config{
10936			MaxVersion: VersionTLS12,
10937			Bugs: ProtocolBugs{
10938				SendServerSupportedCurves: true,
10939			},
10940		},
10941	})
10942	testCases = append(testCases, testCase{
10943		name: "SupportedCurves-EncryptedExtensions-TLS13",
10944		config: Config{
10945			MaxVersion: VersionTLS13,
10946			Bugs: ProtocolBugs{
10947				SendServerSupportedCurves: true,
10948			},
10949		},
10950	})
10951
10952	// Test that we tolerate unknown point formats, as long as
10953	// pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
10954	// check they are still functional.
10955	testCases = append(testCases, testCase{
10956		name: "PointFormat-Client-Tolerance",
10957		config: Config{
10958			MaxVersion: VersionTLS12,
10959			Bugs: ProtocolBugs{
10960				SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
10961			},
10962		},
10963	})
10964	testCases = append(testCases, testCase{
10965		testType: serverTest,
10966		name:     "PointFormat-Server-Tolerance",
10967		config: Config{
10968			MaxVersion:   VersionTLS12,
10969			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
10970			Bugs: ProtocolBugs{
10971				SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
10972			},
10973		},
10974	})
10975
10976	// Test TLS 1.2 does not require the point format extension to be
10977	// present.
10978	testCases = append(testCases, testCase{
10979		name: "PointFormat-Client-Missing",
10980		config: Config{
10981			MaxVersion:   VersionTLS12,
10982			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
10983			Bugs: ProtocolBugs{
10984				SendSupportedPointFormats: []byte{},
10985			},
10986		},
10987	})
10988	testCases = append(testCases, testCase{
10989		testType: serverTest,
10990		name:     "PointFormat-Server-Missing",
10991		config: Config{
10992			MaxVersion:   VersionTLS12,
10993			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
10994			Bugs: ProtocolBugs{
10995				SendSupportedPointFormats: []byte{},
10996			},
10997		},
10998	})
10999
11000	// If the point format extension is present, uncompressed points must be
11001	// offered. BoringSSL requires this whether or not ECDHE is used.
11002	testCases = append(testCases, testCase{
11003		name: "PointFormat-Client-MissingUncompressed",
11004		config: Config{
11005			MaxVersion: VersionTLS12,
11006			Bugs: ProtocolBugs{
11007				SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
11008			},
11009		},
11010		shouldFail:    true,
11011		expectedError: ":ERROR_PARSING_EXTENSION:",
11012	})
11013	testCases = append(testCases, testCase{
11014		testType: serverTest,
11015		name:     "PointFormat-Server-MissingUncompressed",
11016		config: Config{
11017			MaxVersion: VersionTLS12,
11018			Bugs: ProtocolBugs{
11019				SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
11020			},
11021		},
11022		shouldFail:    true,
11023		expectedError: ":ERROR_PARSING_EXTENSION:",
11024	})
11025
11026	// Implementations should mask off the high order bit in X25519.
11027	testCases = append(testCases, testCase{
11028		name: "SetX25519HighBit",
11029		config: Config{
11030			CipherSuites: []uint16{
11031				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
11032				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
11033				TLS_AES_128_GCM_SHA256,
11034			},
11035			CurvePreferences: []CurveID{CurveX25519},
11036			Bugs: ProtocolBugs{
11037				SetX25519HighBit: true,
11038			},
11039		},
11040	})
11041
11042	// CECPQ2 should not be offered by a TLS < 1.3 client.
11043	testCases = append(testCases, testCase{
11044		name: "CECPQ2NotInTLS12",
11045		config: Config{
11046			Bugs: ProtocolBugs{
11047				FailIfCECPQ2Offered: true,
11048			},
11049		},
11050		flags: []string{
11051			"-max-version", strconv.Itoa(VersionTLS12),
11052			"-curves", strconv.Itoa(int(CurveCECPQ2)),
11053			"-curves", strconv.Itoa(int(CurveX25519)),
11054		},
11055	})
11056
11057	// CECPQ2 should not crash a TLS < 1.3 client if the server mistakenly
11058	// selects it.
11059	testCases = append(testCases, testCase{
11060		name: "CECPQ2NotAcceptedByTLS12Client",
11061		config: Config{
11062			Bugs: ProtocolBugs{
11063				SendCurve: CurveCECPQ2,
11064			},
11065		},
11066		flags: []string{
11067			"-max-version", strconv.Itoa(VersionTLS12),
11068			"-curves", strconv.Itoa(int(CurveCECPQ2)),
11069			"-curves", strconv.Itoa(int(CurveX25519)),
11070		},
11071		shouldFail:    true,
11072		expectedError: ":WRONG_CURVE:",
11073	})
11074
11075	// CECPQ2 should not be offered by default as a client.
11076	testCases = append(testCases, testCase{
11077		name: "CECPQ2NotEnabledByDefaultInClients",
11078		config: Config{
11079			MinVersion: VersionTLS13,
11080			Bugs: ProtocolBugs{
11081				FailIfCECPQ2Offered: true,
11082			},
11083		},
11084	})
11085
11086	// If CECPQ2 is offered, both X25519 and CECPQ2 should have a key-share.
11087	testCases = append(testCases, testCase{
11088		name: "NotJustCECPQ2KeyShare",
11089		config: Config{
11090			MinVersion: VersionTLS13,
11091			Bugs: ProtocolBugs{
11092				ExpectedKeyShares: []CurveID{CurveCECPQ2, CurveX25519},
11093			},
11094		},
11095		flags: []string{
11096			"-curves", strconv.Itoa(int(CurveCECPQ2)),
11097			"-curves", strconv.Itoa(int(CurveX25519)),
11098			"-expect-curve-id", strconv.Itoa(int(CurveCECPQ2)),
11099		},
11100	})
11101
11102	// ... but only if CECPQ2 is listed first.
11103	testCases = append(testCases, testCase{
11104		name: "CECPQ2KeyShareNotIncludedSecond",
11105		config: Config{
11106			MinVersion: VersionTLS13,
11107			Bugs: ProtocolBugs{
11108				ExpectedKeyShares: []CurveID{CurveX25519},
11109			},
11110		},
11111		flags: []string{
11112			"-curves", strconv.Itoa(int(CurveX25519)),
11113			"-curves", strconv.Itoa(int(CurveCECPQ2)),
11114			"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
11115		},
11116	})
11117
11118	// If CECPQ2 is the only configured curve, the key share is sent.
11119	testCases = append(testCases, testCase{
11120		name: "JustConfiguringCECPQ2Works",
11121		config: Config{
11122			MinVersion: VersionTLS13,
11123			Bugs: ProtocolBugs{
11124				ExpectedKeyShares: []CurveID{CurveCECPQ2},
11125			},
11126		},
11127		flags: []string{
11128			"-curves", strconv.Itoa(int(CurveCECPQ2)),
11129			"-expect-curve-id", strconv.Itoa(int(CurveCECPQ2)),
11130		},
11131	})
11132
11133	// As a server, CECPQ2 is not yet supported by default.
11134	testCases = append(testCases, testCase{
11135		testType: serverTest,
11136		name:     "CECPQ2NotEnabledByDefaultForAServer",
11137		config: Config{
11138			MinVersion:       VersionTLS13,
11139			CurvePreferences: []CurveID{CurveCECPQ2, CurveX25519},
11140			DefaultCurves:    []CurveID{CurveCECPQ2},
11141		},
11142		flags: []string{
11143			"-server-preference",
11144			"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
11145		},
11146	})
11147}
11148
11149func addTLS13RecordTests() {
11150	testCases = append(testCases, testCase{
11151		name: "TLS13-RecordPadding",
11152		config: Config{
11153			MaxVersion: VersionTLS13,
11154			MinVersion: VersionTLS13,
11155			Bugs: ProtocolBugs{
11156				RecordPadding: 10,
11157			},
11158		},
11159	})
11160
11161	testCases = append(testCases, testCase{
11162		name: "TLS13-EmptyRecords",
11163		config: Config{
11164			MaxVersion: VersionTLS13,
11165			MinVersion: VersionTLS13,
11166			Bugs: ProtocolBugs{
11167				OmitRecordContents: true,
11168			},
11169		},
11170		shouldFail:    true,
11171		expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
11172	})
11173
11174	testCases = append(testCases, testCase{
11175		name: "TLS13-OnlyPadding",
11176		config: Config{
11177			MaxVersion: VersionTLS13,
11178			MinVersion: VersionTLS13,
11179			Bugs: ProtocolBugs{
11180				OmitRecordContents: true,
11181				RecordPadding:      10,
11182			},
11183		},
11184		shouldFail:    true,
11185		expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
11186	})
11187
11188	testCases = append(testCases, testCase{
11189		name: "TLS13-WrongOuterRecord",
11190		config: Config{
11191			MaxVersion: VersionTLS13,
11192			MinVersion: VersionTLS13,
11193			Bugs: ProtocolBugs{
11194				OuterRecordType: recordTypeHandshake,
11195			},
11196		},
11197		shouldFail:    true,
11198		expectedError: ":INVALID_OUTER_RECORD_TYPE:",
11199	})
11200}
11201
11202func addSessionTicketTests() {
11203	testCases = append(testCases, testCase{
11204		// In TLS 1.2 and below, empty NewSessionTicket messages
11205		// mean the server changed its mind on sending a ticket.
11206		name: "SendEmptySessionTicket",
11207		config: Config{
11208			MaxVersion: VersionTLS12,
11209			Bugs: ProtocolBugs{
11210				SendEmptySessionTicket: true,
11211			},
11212		},
11213		flags: []string{"-expect-no-session"},
11214	})
11215
11216	// Test that the server ignores unknown PSK modes.
11217	testCases = append(testCases, testCase{
11218		testType: serverTest,
11219		name:     "TLS13-SendUnknownModeSessionTicket-Server",
11220		config: Config{
11221			MaxVersion: VersionTLS13,
11222			Bugs: ProtocolBugs{
11223				SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
11224			},
11225		},
11226		resumeSession:         true,
11227		expectedResumeVersion: VersionTLS13,
11228	})
11229
11230	// Test that the server does not send session tickets with no matching key exchange mode.
11231	testCases = append(testCases, testCase{
11232		testType: serverTest,
11233		name:     "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
11234		config: Config{
11235			MaxVersion: VersionTLS13,
11236			Bugs: ProtocolBugs{
11237				SendPSKKeyExchangeModes:  []byte{0x1a},
11238				ExpectNoNewSessionTicket: true,
11239			},
11240		},
11241	})
11242
11243	// Test that the server does not accept a session with no matching key exchange mode.
11244	testCases = append(testCases, testCase{
11245		testType: serverTest,
11246		name:     "TLS13-SendBadKEModeSessionTicket-Server",
11247		config: Config{
11248			MaxVersion: VersionTLS13,
11249		},
11250		resumeConfig: &Config{
11251			MaxVersion: VersionTLS13,
11252			Bugs: ProtocolBugs{
11253				SendPSKKeyExchangeModes: []byte{0x1a},
11254			},
11255		},
11256		resumeSession:        true,
11257		expectResumeRejected: true,
11258	})
11259
11260	// Test that the client ticket age is sent correctly.
11261	testCases = append(testCases, testCase{
11262		testType: clientTest,
11263		name:     "TLS13-TestValidTicketAge-Client",
11264		config: Config{
11265			MaxVersion: VersionTLS13,
11266			Bugs: ProtocolBugs{
11267				ExpectTicketAge: 10 * time.Second,
11268			},
11269		},
11270		resumeSession: true,
11271		flags: []string{
11272			"-resumption-delay", "10",
11273		},
11274	})
11275
11276	// Test that the client ticket age is enforced.
11277	testCases = append(testCases, testCase{
11278		testType: clientTest,
11279		name:     "TLS13-TestBadTicketAge-Client",
11280		config: Config{
11281			MaxVersion: VersionTLS13,
11282			Bugs: ProtocolBugs{
11283				ExpectTicketAge: 1000 * time.Second,
11284			},
11285		},
11286		resumeSession:      true,
11287		shouldFail:         true,
11288		expectedLocalError: "tls: invalid ticket age",
11289	})
11290
11291	// Test that the server's ticket age skew reporting works.
11292	testCases = append(testCases, testCase{
11293		testType: serverTest,
11294		name:     "TLS13-TicketAgeSkew-Forward",
11295		config: Config{
11296			MaxVersion: VersionTLS13,
11297			Bugs: ProtocolBugs{
11298				SendTicketAge: 15 * time.Second,
11299			},
11300		},
11301		resumeSession:        true,
11302		resumeRenewedSession: true,
11303		flags: []string{
11304			"-resumption-delay", "10",
11305			"-expect-ticket-age-skew", "5",
11306		},
11307	})
11308	testCases = append(testCases, testCase{
11309		testType: serverTest,
11310		name:     "TLS13-TicketAgeSkew-Backward",
11311		config: Config{
11312			MaxVersion: VersionTLS13,
11313			Bugs: ProtocolBugs{
11314				SendTicketAge: 5 * time.Second,
11315			},
11316		},
11317		resumeSession:        true,
11318		resumeRenewedSession: true,
11319		flags: []string{
11320			"-resumption-delay", "10",
11321			"-expect-ticket-age-skew", "-5",
11322		},
11323	})
11324
11325	testCases = append(testCases, testCase{
11326		testType: clientTest,
11327		name:     "TLS13-SendTicketEarlyDataInfo",
11328		config: Config{
11329			MaxVersion:       VersionTLS13,
11330			MaxEarlyDataSize: 16384,
11331		},
11332		flags: []string{
11333			"-enable-early-data",
11334			"-expect-ticket-supports-early-data",
11335		},
11336	})
11337
11338	// Test that 0-RTT tickets are ignored in clients unless opted in.
11339	testCases = append(testCases, testCase{
11340		testType: clientTest,
11341		name:     "TLS13-SendTicketEarlyDataInfo-Disabled",
11342		config: Config{
11343			MaxVersion:       VersionTLS13,
11344			MaxEarlyDataSize: 16384,
11345		},
11346	})
11347
11348	testCases = append(testCases, testCase{
11349		testType: clientTest,
11350		name:     "TLS13-DuplicateTicketEarlyDataInfo",
11351		config: Config{
11352			MaxVersion:       VersionTLS13,
11353			MaxEarlyDataSize: 16384,
11354			Bugs: ProtocolBugs{
11355				DuplicateTicketEarlyData: true,
11356			},
11357		},
11358		shouldFail:         true,
11359		expectedError:      ":DUPLICATE_EXTENSION:",
11360		expectedLocalError: "remote error: illegal parameter",
11361	})
11362
11363	testCases = append(testCases, testCase{
11364		testType: serverTest,
11365		name:     "TLS13-ExpectTicketEarlyDataInfo",
11366		config: Config{
11367			MaxVersion: VersionTLS13,
11368			Bugs: ProtocolBugs{
11369				ExpectTicketEarlyData: true,
11370			},
11371		},
11372		flags: []string{
11373			"-enable-early-data",
11374		},
11375	})
11376
11377	// Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
11378	// is honored.
11379	testCases = append(testCases, testCase{
11380		testType: clientTest,
11381		name:     "TLS13-HonorServerSessionTicketLifetime",
11382		config: Config{
11383			MaxVersion: VersionTLS13,
11384			Bugs: ProtocolBugs{
11385				SendTicketLifetime: 20 * time.Second,
11386			},
11387		},
11388		flags: []string{
11389			"-resumption-delay", "19",
11390		},
11391		resumeSession: true,
11392	})
11393	testCases = append(testCases, testCase{
11394		testType: clientTest,
11395		name:     "TLS13-HonorServerSessionTicketLifetime-2",
11396		config: Config{
11397			MaxVersion: VersionTLS13,
11398			Bugs: ProtocolBugs{
11399				SendTicketLifetime: 20 * time.Second,
11400				// The client should not offer the expired session.
11401				ExpectNoTLS13PSK: true,
11402			},
11403		},
11404		flags: []string{
11405			"-resumption-delay", "21",
11406		},
11407		resumeSession:        true,
11408		expectResumeRejected: true,
11409	})
11410
11411	for _, ver := range tlsVersions {
11412		// Prior to TLS 1.3, disabling session tickets enables session IDs.
11413		useStatefulResumption := ver.version < VersionTLS13
11414
11415		// SSL_OP_NO_TICKET implies the server must not mint any tickets.
11416		testCases = append(testCases, testCase{
11417			testType: serverTest,
11418			name:     ver.name + "-NoTicket-NoMint",
11419			config: Config{
11420				MinVersion: ver.version,
11421				MaxVersion: ver.version,
11422				Bugs: ProtocolBugs{
11423					ExpectNoNewSessionTicket: true,
11424					RequireSessionIDs:        useStatefulResumption,
11425				},
11426			},
11427			resumeSession: useStatefulResumption,
11428			flags:         []string{"-no-ticket"},
11429		})
11430
11431		// SSL_OP_NO_TICKET implies the server must not accept any tickets.
11432		testCases = append(testCases, testCase{
11433			testType: serverTest,
11434			name:     ver.name + "-NoTicket-NoAccept",
11435			config: Config{
11436				MinVersion: ver.version,
11437				MaxVersion: ver.version,
11438			},
11439			resumeSession:        true,
11440			expectResumeRejected: true,
11441			// Set SSL_OP_NO_TICKET on the second connection, after the first
11442			// has established tickets.
11443			flags: []string{"-on-resume-no-ticket"},
11444		})
11445	}
11446}
11447
11448func addChangeCipherSpecTests() {
11449	// Test missing ChangeCipherSpecs.
11450	testCases = append(testCases, testCase{
11451		name: "SkipChangeCipherSpec-Client",
11452		config: Config{
11453			MaxVersion: VersionTLS12,
11454			Bugs: ProtocolBugs{
11455				SkipChangeCipherSpec: true,
11456			},
11457		},
11458		shouldFail:    true,
11459		expectedError: ":UNEXPECTED_RECORD:",
11460	})
11461	testCases = append(testCases, testCase{
11462		testType: serverTest,
11463		name:     "SkipChangeCipherSpec-Server",
11464		config: Config{
11465			MaxVersion: VersionTLS12,
11466			Bugs: ProtocolBugs{
11467				SkipChangeCipherSpec: true,
11468			},
11469		},
11470		shouldFail:    true,
11471		expectedError: ":UNEXPECTED_RECORD:",
11472	})
11473	testCases = append(testCases, testCase{
11474		testType: serverTest,
11475		name:     "SkipChangeCipherSpec-Server-NPN",
11476		config: Config{
11477			MaxVersion: VersionTLS12,
11478			NextProtos: []string{"bar"},
11479			Bugs: ProtocolBugs{
11480				SkipChangeCipherSpec: true,
11481			},
11482		},
11483		flags: []string{
11484			"-advertise-npn", "\x03foo\x03bar\x03baz",
11485		},
11486		shouldFail:    true,
11487		expectedError: ":UNEXPECTED_RECORD:",
11488	})
11489
11490	// Test synchronization between the handshake and ChangeCipherSpec.
11491	// Partial post-CCS handshake messages before ChangeCipherSpec should be
11492	// rejected. Test both with and without handshake packing to handle both
11493	// when the partial post-CCS message is in its own record and when it is
11494	// attached to the pre-CCS message.
11495	for _, packed := range []bool{false, true} {
11496		var suffix string
11497		if packed {
11498			suffix = "-Packed"
11499		}
11500
11501		testCases = append(testCases, testCase{
11502			name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
11503			config: Config{
11504				MaxVersion: VersionTLS12,
11505				Bugs: ProtocolBugs{
11506					FragmentAcrossChangeCipherSpec: true,
11507					PackHandshakeFlight:            packed,
11508				},
11509			},
11510			shouldFail:    true,
11511			expectedError: ":UNEXPECTED_RECORD:",
11512		})
11513		testCases = append(testCases, testCase{
11514			name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
11515			config: Config{
11516				MaxVersion: VersionTLS12,
11517			},
11518			resumeSession: true,
11519			resumeConfig: &Config{
11520				MaxVersion: VersionTLS12,
11521				Bugs: ProtocolBugs{
11522					FragmentAcrossChangeCipherSpec: true,
11523					PackHandshakeFlight:            packed,
11524				},
11525			},
11526			shouldFail:    true,
11527			expectedError: ":UNEXPECTED_RECORD:",
11528		})
11529		testCases = append(testCases, testCase{
11530			testType: serverTest,
11531			name:     "FragmentAcrossChangeCipherSpec-Server" + suffix,
11532			config: Config{
11533				MaxVersion: VersionTLS12,
11534				Bugs: ProtocolBugs{
11535					FragmentAcrossChangeCipherSpec: true,
11536					PackHandshakeFlight:            packed,
11537				},
11538			},
11539			shouldFail:    true,
11540			expectedError: ":UNEXPECTED_RECORD:",
11541		})
11542		testCases = append(testCases, testCase{
11543			testType: serverTest,
11544			name:     "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
11545			config: Config{
11546				MaxVersion: VersionTLS12,
11547			},
11548			resumeSession: true,
11549			resumeConfig: &Config{
11550				MaxVersion: VersionTLS12,
11551				Bugs: ProtocolBugs{
11552					FragmentAcrossChangeCipherSpec: true,
11553					PackHandshakeFlight:            packed,
11554				},
11555			},
11556			shouldFail:    true,
11557			expectedError: ":UNEXPECTED_RECORD:",
11558		})
11559		testCases = append(testCases, testCase{
11560			testType: serverTest,
11561			name:     "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
11562			config: Config{
11563				MaxVersion: VersionTLS12,
11564				NextProtos: []string{"bar"},
11565				Bugs: ProtocolBugs{
11566					FragmentAcrossChangeCipherSpec: true,
11567					PackHandshakeFlight:            packed,
11568				},
11569			},
11570			flags: []string{
11571				"-advertise-npn", "\x03foo\x03bar\x03baz",
11572			},
11573			shouldFail:    true,
11574			expectedError: ":UNEXPECTED_RECORD:",
11575		})
11576	}
11577
11578	// Test that, in DTLS, ChangeCipherSpec is not allowed when there are
11579	// messages in the handshake queue. Do this by testing the server
11580	// reading the client Finished, reversing the flight so Finished comes
11581	// first.
11582	testCases = append(testCases, testCase{
11583		protocol: dtls,
11584		testType: serverTest,
11585		name:     "SendUnencryptedFinished-DTLS",
11586		config: Config{
11587			MaxVersion: VersionTLS12,
11588			Bugs: ProtocolBugs{
11589				SendUnencryptedFinished:   true,
11590				ReverseHandshakeFragments: true,
11591			},
11592		},
11593		shouldFail:    true,
11594		expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
11595	})
11596
11597	// Test synchronization between encryption changes and the handshake in
11598	// TLS 1.3, where ChangeCipherSpec is implicit.
11599	testCases = append(testCases, testCase{
11600		name: "PartialEncryptedExtensionsWithServerHello",
11601		config: Config{
11602			MaxVersion: VersionTLS13,
11603			Bugs: ProtocolBugs{
11604				PartialEncryptedExtensionsWithServerHello: true,
11605			},
11606		},
11607		shouldFail:    true,
11608		expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
11609	})
11610	testCases = append(testCases, testCase{
11611		testType: serverTest,
11612		name:     "PartialClientFinishedWithClientHello",
11613		config: Config{
11614			MaxVersion: VersionTLS13,
11615			Bugs: ProtocolBugs{
11616				PartialClientFinishedWithClientHello: true,
11617			},
11618		},
11619		shouldFail:    true,
11620		expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
11621	})
11622
11623	// Test that early ChangeCipherSpecs are handled correctly.
11624	testCases = append(testCases, testCase{
11625		testType: serverTest,
11626		name:     "EarlyChangeCipherSpec-server-1",
11627		config: Config{
11628			MaxVersion: VersionTLS12,
11629			Bugs: ProtocolBugs{
11630				EarlyChangeCipherSpec: 1,
11631			},
11632		},
11633		shouldFail:    true,
11634		expectedError: ":UNEXPECTED_RECORD:",
11635	})
11636	testCases = append(testCases, testCase{
11637		testType: serverTest,
11638		name:     "EarlyChangeCipherSpec-server-2",
11639		config: Config{
11640			MaxVersion: VersionTLS12,
11641			Bugs: ProtocolBugs{
11642				EarlyChangeCipherSpec: 2,
11643			},
11644		},
11645		shouldFail:    true,
11646		expectedError: ":UNEXPECTED_RECORD:",
11647	})
11648	testCases = append(testCases, testCase{
11649		protocol: dtls,
11650		name:     "StrayChangeCipherSpec",
11651		config: Config{
11652			// TODO(davidben): Once DTLS 1.3 exists, test
11653			// that stray ChangeCipherSpec messages are
11654			// rejected.
11655			MaxVersion: VersionTLS12,
11656			Bugs: ProtocolBugs{
11657				StrayChangeCipherSpec: true,
11658			},
11659		},
11660	})
11661
11662	// Test that reordered ChangeCipherSpecs are tolerated.
11663	testCases = append(testCases, testCase{
11664		protocol: dtls,
11665		name:     "ReorderChangeCipherSpec-DTLS-Client",
11666		config: Config{
11667			MaxVersion: VersionTLS12,
11668			Bugs: ProtocolBugs{
11669				ReorderChangeCipherSpec: true,
11670			},
11671		},
11672		resumeSession: true,
11673	})
11674	testCases = append(testCases, testCase{
11675		testType: serverTest,
11676		protocol: dtls,
11677		name:     "ReorderChangeCipherSpec-DTLS-Server",
11678		config: Config{
11679			MaxVersion: VersionTLS12,
11680			Bugs: ProtocolBugs{
11681				ReorderChangeCipherSpec: true,
11682			},
11683		},
11684		resumeSession: true,
11685	})
11686
11687	// Test that the contents of ChangeCipherSpec are checked.
11688	testCases = append(testCases, testCase{
11689		name: "BadChangeCipherSpec-1",
11690		config: Config{
11691			MaxVersion: VersionTLS12,
11692			Bugs: ProtocolBugs{
11693				BadChangeCipherSpec: []byte{2},
11694			},
11695		},
11696		shouldFail:    true,
11697		expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11698	})
11699	testCases = append(testCases, testCase{
11700		name: "BadChangeCipherSpec-2",
11701		config: Config{
11702			MaxVersion: VersionTLS12,
11703			Bugs: ProtocolBugs{
11704				BadChangeCipherSpec: []byte{1, 1},
11705			},
11706		},
11707		shouldFail:    true,
11708		expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11709	})
11710	testCases = append(testCases, testCase{
11711		protocol: dtls,
11712		name:     "BadChangeCipherSpec-DTLS-1",
11713		config: Config{
11714			MaxVersion: VersionTLS12,
11715			Bugs: ProtocolBugs{
11716				BadChangeCipherSpec: []byte{2},
11717			},
11718		},
11719		shouldFail:    true,
11720		expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11721	})
11722	testCases = append(testCases, testCase{
11723		protocol: dtls,
11724		name:     "BadChangeCipherSpec-DTLS-2",
11725		config: Config{
11726			MaxVersion: VersionTLS12,
11727			Bugs: ProtocolBugs{
11728				BadChangeCipherSpec: []byte{1, 1},
11729			},
11730		},
11731		shouldFail:    true,
11732		expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
11733	})
11734}
11735
11736type perMessageTest struct {
11737	messageType uint8
11738	test        testCase
11739}
11740
11741// makePerMessageTests returns a series of test templates which cover each
11742// message in the TLS handshake. These may be used with bugs like
11743// WrongMessageType to fully test a per-message bug.
11744func makePerMessageTests() []perMessageTest {
11745	var ret []perMessageTest
11746	for _, protocol := range []protocol{tls, dtls} {
11747		var suffix string
11748		if protocol == dtls {
11749			suffix = "-DTLS"
11750		}
11751
11752		ret = append(ret, perMessageTest{
11753			messageType: typeClientHello,
11754			test: testCase{
11755				protocol: protocol,
11756				testType: serverTest,
11757				name:     "ClientHello" + suffix,
11758				config: Config{
11759					MaxVersion: VersionTLS12,
11760				},
11761			},
11762		})
11763
11764		if protocol == dtls {
11765			ret = append(ret, perMessageTest{
11766				messageType: typeHelloVerifyRequest,
11767				test: testCase{
11768					protocol: protocol,
11769					name:     "HelloVerifyRequest" + suffix,
11770					config: Config{
11771						MaxVersion: VersionTLS12,
11772					},
11773				},
11774			})
11775		}
11776
11777		ret = append(ret, perMessageTest{
11778			messageType: typeServerHello,
11779			test: testCase{
11780				protocol: protocol,
11781				name:     "ServerHello" + suffix,
11782				config: Config{
11783					MaxVersion: VersionTLS12,
11784				},
11785			},
11786		})
11787
11788		ret = append(ret, perMessageTest{
11789			messageType: typeCertificate,
11790			test: testCase{
11791				protocol: protocol,
11792				name:     "ServerCertificate" + suffix,
11793				config: Config{
11794					MaxVersion: VersionTLS12,
11795				},
11796			},
11797		})
11798
11799		ret = append(ret, perMessageTest{
11800			messageType: typeCertificateStatus,
11801			test: testCase{
11802				protocol: protocol,
11803				name:     "CertificateStatus" + suffix,
11804				config: Config{
11805					MaxVersion: VersionTLS12,
11806				},
11807				flags: []string{"-enable-ocsp-stapling"},
11808			},
11809		})
11810
11811		ret = append(ret, perMessageTest{
11812			messageType: typeServerKeyExchange,
11813			test: testCase{
11814				protocol: protocol,
11815				name:     "ServerKeyExchange" + suffix,
11816				config: Config{
11817					MaxVersion:   VersionTLS12,
11818					CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
11819				},
11820			},
11821		})
11822
11823		ret = append(ret, perMessageTest{
11824			messageType: typeCertificateRequest,
11825			test: testCase{
11826				protocol: protocol,
11827				name:     "CertificateRequest" + suffix,
11828				config: Config{
11829					MaxVersion: VersionTLS12,
11830					ClientAuth: RequireAnyClientCert,
11831				},
11832			},
11833		})
11834
11835		ret = append(ret, perMessageTest{
11836			messageType: typeServerHelloDone,
11837			test: testCase{
11838				protocol: protocol,
11839				name:     "ServerHelloDone" + suffix,
11840				config: Config{
11841					MaxVersion: VersionTLS12,
11842				},
11843			},
11844		})
11845
11846		ret = append(ret, perMessageTest{
11847			messageType: typeCertificate,
11848			test: testCase{
11849				testType: serverTest,
11850				protocol: protocol,
11851				name:     "ClientCertificate" + suffix,
11852				config: Config{
11853					Certificates: []Certificate{rsaCertificate},
11854					MaxVersion:   VersionTLS12,
11855				},
11856				flags: []string{"-require-any-client-certificate"},
11857			},
11858		})
11859
11860		ret = append(ret, perMessageTest{
11861			messageType: typeCertificateVerify,
11862			test: testCase{
11863				testType: serverTest,
11864				protocol: protocol,
11865				name:     "CertificateVerify" + suffix,
11866				config: Config{
11867					Certificates: []Certificate{rsaCertificate},
11868					MaxVersion:   VersionTLS12,
11869				},
11870				flags: []string{"-require-any-client-certificate"},
11871			},
11872		})
11873
11874		ret = append(ret, perMessageTest{
11875			messageType: typeClientKeyExchange,
11876			test: testCase{
11877				testType: serverTest,
11878				protocol: protocol,
11879				name:     "ClientKeyExchange" + suffix,
11880				config: Config{
11881					MaxVersion: VersionTLS12,
11882				},
11883			},
11884		})
11885
11886		if protocol != dtls {
11887			ret = append(ret, perMessageTest{
11888				messageType: typeNextProtocol,
11889				test: testCase{
11890					testType: serverTest,
11891					protocol: protocol,
11892					name:     "NextProtocol" + suffix,
11893					config: Config{
11894						MaxVersion: VersionTLS12,
11895						NextProtos: []string{"bar"},
11896					},
11897					flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
11898				},
11899			})
11900
11901			ret = append(ret, perMessageTest{
11902				messageType: typeChannelID,
11903				test: testCase{
11904					testType: serverTest,
11905					protocol: protocol,
11906					name:     "ChannelID" + suffix,
11907					config: Config{
11908						MaxVersion: VersionTLS12,
11909						ChannelID:  channelIDKey,
11910					},
11911					flags: []string{
11912						"-expect-channel-id",
11913						base64.StdEncoding.EncodeToString(channelIDBytes),
11914					},
11915				},
11916			})
11917		}
11918
11919		ret = append(ret, perMessageTest{
11920			messageType: typeFinished,
11921			test: testCase{
11922				testType: serverTest,
11923				protocol: protocol,
11924				name:     "ClientFinished" + suffix,
11925				config: Config{
11926					MaxVersion: VersionTLS12,
11927				},
11928			},
11929		})
11930
11931		ret = append(ret, perMessageTest{
11932			messageType: typeNewSessionTicket,
11933			test: testCase{
11934				protocol: protocol,
11935				name:     "NewSessionTicket" + suffix,
11936				config: Config{
11937					MaxVersion: VersionTLS12,
11938				},
11939			},
11940		})
11941
11942		ret = append(ret, perMessageTest{
11943			messageType: typeFinished,
11944			test: testCase{
11945				protocol: protocol,
11946				name:     "ServerFinished" + suffix,
11947				config: Config{
11948					MaxVersion: VersionTLS12,
11949				},
11950			},
11951		})
11952
11953	}
11954
11955	ret = append(ret, perMessageTest{
11956		messageType: typeClientHello,
11957		test: testCase{
11958			testType: serverTest,
11959			name:     "TLS13-ClientHello",
11960			config: Config{
11961				MaxVersion: VersionTLS13,
11962			},
11963		},
11964	})
11965
11966	ret = append(ret, perMessageTest{
11967		messageType: typeServerHello,
11968		test: testCase{
11969			name: "TLS13-ServerHello",
11970			config: Config{
11971				MaxVersion: VersionTLS13,
11972			},
11973		},
11974	})
11975
11976	ret = append(ret, perMessageTest{
11977		messageType: typeEncryptedExtensions,
11978		test: testCase{
11979			name: "TLS13-EncryptedExtensions",
11980			config: Config{
11981				MaxVersion: VersionTLS13,
11982			},
11983		},
11984	})
11985
11986	ret = append(ret, perMessageTest{
11987		messageType: typeCertificateRequest,
11988		test: testCase{
11989			name: "TLS13-CertificateRequest",
11990			config: Config{
11991				MaxVersion: VersionTLS13,
11992				ClientAuth: RequireAnyClientCert,
11993			},
11994		},
11995	})
11996
11997	ret = append(ret, perMessageTest{
11998		messageType: typeCertificate,
11999		test: testCase{
12000			name: "TLS13-ServerCertificate",
12001			config: Config{
12002				MaxVersion: VersionTLS13,
12003			},
12004		},
12005	})
12006
12007	ret = append(ret, perMessageTest{
12008		messageType: typeCertificateVerify,
12009		test: testCase{
12010			name: "TLS13-ServerCertificateVerify",
12011			config: Config{
12012				MaxVersion: VersionTLS13,
12013			},
12014		},
12015	})
12016
12017	ret = append(ret, perMessageTest{
12018		messageType: typeFinished,
12019		test: testCase{
12020			name: "TLS13-ServerFinished",
12021			config: Config{
12022				MaxVersion: VersionTLS13,
12023			},
12024		},
12025	})
12026
12027	ret = append(ret, perMessageTest{
12028		messageType: typeCertificate,
12029		test: testCase{
12030			testType: serverTest,
12031			name:     "TLS13-ClientCertificate",
12032			config: Config{
12033				Certificates: []Certificate{rsaCertificate},
12034				MaxVersion:   VersionTLS13,
12035			},
12036			flags: []string{"-require-any-client-certificate"},
12037		},
12038	})
12039
12040	ret = append(ret, perMessageTest{
12041		messageType: typeCertificateVerify,
12042		test: testCase{
12043			testType: serverTest,
12044			name:     "TLS13-ClientCertificateVerify",
12045			config: Config{
12046				Certificates: []Certificate{rsaCertificate},
12047				MaxVersion:   VersionTLS13,
12048			},
12049			flags: []string{"-require-any-client-certificate"},
12050		},
12051	})
12052
12053	ret = append(ret, perMessageTest{
12054		messageType: typeFinished,
12055		test: testCase{
12056			testType: serverTest,
12057			name:     "TLS13-ClientFinished",
12058			config: Config{
12059				MaxVersion: VersionTLS13,
12060			},
12061		},
12062	})
12063
12064	ret = append(ret, perMessageTest{
12065		messageType: typeEndOfEarlyData,
12066		test: testCase{
12067			testType: serverTest,
12068			name:     "TLS13-EndOfEarlyData",
12069			config: Config{
12070				MaxVersion: VersionTLS13,
12071			},
12072			resumeConfig: &Config{
12073				MaxVersion: VersionTLS13,
12074				Bugs: ProtocolBugs{
12075					SendEarlyData:           [][]byte{{1, 2, 3, 4}},
12076					ExpectEarlyDataAccepted: true,
12077				},
12078			},
12079			resumeSession: true,
12080			flags:         []string{"-enable-early-data"},
12081		},
12082	})
12083
12084	return ret
12085}
12086
12087func addWrongMessageTypeTests() {
12088	for _, t := range makePerMessageTests() {
12089		t.test.name = "WrongMessageType-" + t.test.name
12090		if t.test.resumeConfig != nil {
12091			t.test.resumeConfig.Bugs.SendWrongMessageType = t.messageType
12092		} else {
12093			t.test.config.Bugs.SendWrongMessageType = t.messageType
12094		}
12095		t.test.shouldFail = true
12096		t.test.expectedError = ":UNEXPECTED_MESSAGE:"
12097		t.test.expectedLocalError = "remote error: unexpected message"
12098
12099		if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
12100			// In TLS 1.3, a bad ServerHello means the client sends
12101			// an unencrypted alert while the server expects
12102			// encryption, so the alert is not readable by runner.
12103			t.test.expectedLocalError = "local error: bad record MAC"
12104		}
12105
12106		testCases = append(testCases, t.test)
12107	}
12108
12109	// The processing order for TLS 1.3 version negotiation is such that one
12110	// may accidentally accept a HelloRetryRequest in lieu of ServerHello in
12111	// TLS 1.2. Test that we do not do this.
12112	testCases = append(testCases, testCase{
12113		name: "SendServerHelloAsHelloRetryRequest",
12114		config: Config{
12115			MaxVersion: VersionTLS12,
12116			Bugs: ProtocolBugs{
12117				SendServerHelloAsHelloRetryRequest: true,
12118			},
12119		},
12120		shouldFail:         true,
12121		expectedError:      ":UNEXPECTED_MESSAGE:",
12122		expectedLocalError: "remote error: unexpected message",
12123	})
12124}
12125
12126func addTrailingMessageDataTests() {
12127	for _, t := range makePerMessageTests() {
12128		t.test.name = "TrailingMessageData-" + t.test.name
12129		if t.test.resumeConfig != nil {
12130			t.test.resumeConfig.Bugs.SendTrailingMessageData = t.messageType
12131		} else {
12132			t.test.config.Bugs.SendTrailingMessageData = t.messageType
12133		}
12134		t.test.shouldFail = true
12135		t.test.expectedError = ":DECODE_ERROR:"
12136		t.test.expectedLocalError = "remote error: error decoding message"
12137
12138		if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
12139			// In TLS 1.3, a bad ServerHello means the client sends
12140			// an unencrypted alert while the server expects
12141			// encryption, so the alert is not readable by runner.
12142			t.test.expectedLocalError = "local error: bad record MAC"
12143		}
12144
12145		if t.messageType == typeFinished {
12146			// Bad Finished messages read as the verify data having
12147			// the wrong length.
12148			t.test.expectedError = ":DIGEST_CHECK_FAILED:"
12149			t.test.expectedLocalError = "remote error: error decrypting message"
12150		}
12151
12152		testCases = append(testCases, t.test)
12153	}
12154}
12155
12156func addTLS13HandshakeTests() {
12157	testCases = append(testCases, testCase{
12158		testType: clientTest,
12159		name:     "NegotiatePSKResumption-TLS13",
12160		config: Config{
12161			MaxVersion: VersionTLS13,
12162			Bugs: ProtocolBugs{
12163				NegotiatePSKResumption: true,
12164			},
12165		},
12166		resumeSession: true,
12167		shouldFail:    true,
12168		expectedError: ":MISSING_KEY_SHARE:",
12169	})
12170
12171	testCases = append(testCases, testCase{
12172		testType: clientTest,
12173		name:     "MissingKeyShare-Client-TLS13",
12174		config: Config{
12175			MaxVersion: VersionTLS13,
12176			Bugs: ProtocolBugs{
12177				MissingKeyShare: true,
12178			},
12179		},
12180		shouldFail:    true,
12181		expectedError: ":MISSING_KEY_SHARE:",
12182	})
12183
12184	testCases = append(testCases, testCase{
12185		testType: serverTest,
12186		name:     "MissingKeyShare-Server-TLS13",
12187		config: Config{
12188			MaxVersion: VersionTLS13,
12189			Bugs: ProtocolBugs{
12190				MissingKeyShare: true,
12191			},
12192		},
12193		shouldFail:    true,
12194		expectedError: ":MISSING_KEY_SHARE:",
12195	})
12196
12197	testCases = append(testCases, testCase{
12198		testType: serverTest,
12199		name:     "DuplicateKeyShares-TLS13",
12200		config: Config{
12201			MaxVersion: VersionTLS13,
12202			Bugs: ProtocolBugs{
12203				DuplicateKeyShares: true,
12204			},
12205		},
12206		shouldFail:    true,
12207		expectedError: ":DUPLICATE_KEY_SHARE:",
12208	})
12209
12210	testCases = append(testCases, testCase{
12211		testType: serverTest,
12212		name:     "SkipEarlyData-TLS13",
12213		config: Config{
12214			MaxVersion: VersionTLS13,
12215			Bugs: ProtocolBugs{
12216				SendFakeEarlyDataLength: 4,
12217			},
12218		},
12219	})
12220
12221	// Test that enabling TLS 1.3 does not interfere with TLS 1.2 session ID
12222	// resumption.
12223	testCases = append(testCases, testCase{
12224		testType: clientTest,
12225		name:     "ResumeTLS12SessionID-TLS13",
12226		config: Config{
12227			MaxVersion:             VersionTLS12,
12228			SessionTicketsDisabled: true,
12229		},
12230		resumeSession: true,
12231	})
12232
12233	// Test that the client correctly handles a TLS 1.3 ServerHello which echoes
12234	// a TLS 1.2 session ID.
12235	testCases = append(testCases, testCase{
12236		testType: clientTest,
12237		name:     "TLS12SessionID-TLS13",
12238		config: Config{
12239			MaxVersion:             VersionTLS12,
12240			SessionTicketsDisabled: true,
12241		},
12242		resumeConfig: &Config{
12243			MaxVersion: VersionTLS13,
12244		},
12245		resumeSession:        true,
12246		expectResumeRejected: true,
12247	})
12248
12249	// Test that the server correctly echoes back session IDs of
12250	// various lengths. The first test additionally asserts that
12251	// BoringSSL always sends the ChangeCipherSpec messages for
12252	// compatibility mode, rather than negotiating it based on the
12253	// ClientHello.
12254	testCases = append(testCases, testCase{
12255		testType: serverTest,
12256		name:     "EmptySessionID-TLS13",
12257		config: Config{
12258			MaxVersion: VersionTLS13,
12259			Bugs: ProtocolBugs{
12260				SendClientHelloSessionID: []byte{},
12261			},
12262		},
12263	})
12264
12265	testCases = append(testCases, testCase{
12266		testType: serverTest,
12267		name:     "ShortSessionID-TLS13",
12268		config: Config{
12269			MaxVersion: VersionTLS13,
12270			Bugs: ProtocolBugs{
12271				SendClientHelloSessionID: make([]byte, 16),
12272			},
12273		},
12274	})
12275
12276	testCases = append(testCases, testCase{
12277		testType: serverTest,
12278		name:     "FullSessionID-TLS13",
12279		config: Config{
12280			MaxVersion: VersionTLS13,
12281			Bugs: ProtocolBugs{
12282				SendClientHelloSessionID: make([]byte, 32),
12283			},
12284		},
12285	})
12286
12287	// Test that the client sends a fake session ID in TLS 1.3.
12288	testCases = append(testCases, testCase{
12289		testType: clientTest,
12290		name:     "TLS13SessionID-TLS13",
12291		config: Config{
12292			MaxVersion: VersionTLS13,
12293			Bugs: ProtocolBugs{
12294				ExpectClientHelloSessionID: true,
12295			},
12296		},
12297	})
12298
12299	// Test that the client omits the fake session ID when the max version is TLS 1.2 and below.
12300	testCases = append(testCases, testCase{
12301		testType: clientTest,
12302		name:     "TLS12NoSessionID-TLS13",
12303		config: Config{
12304			MaxVersion: VersionTLS13,
12305			Bugs: ProtocolBugs{
12306				ExpectNoTLS12Session: true,
12307			},
12308		},
12309		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
12310	})
12311
12312	testCases = append(testCases, testCase{
12313		testType: clientTest,
12314		name:     "EarlyData-Client-TLS13",
12315		config: Config{
12316			MaxVersion:       VersionTLS13,
12317			MinVersion:       VersionTLS13,
12318			MaxEarlyDataSize: 16384,
12319		},
12320		resumeConfig: &Config{
12321			MaxVersion:       VersionTLS13,
12322			MinVersion:       VersionTLS13,
12323			MaxEarlyDataSize: 16384,
12324			Bugs: ProtocolBugs{
12325				ExpectEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
12326			},
12327		},
12328		resumeSession: true,
12329		flags: []string{
12330			"-enable-early-data",
12331			"-expect-ticket-supports-early-data",
12332			"-expect-accept-early-data",
12333			"-on-resume-shim-writes-first",
12334		},
12335	})
12336
12337	testCases = append(testCases, testCase{
12338		testType: clientTest,
12339		name:     "EarlyData-Reject-Client-TLS13",
12340		config: Config{
12341			MaxVersion:       VersionTLS13,
12342			MaxEarlyDataSize: 16384,
12343		},
12344		resumeConfig: &Config{
12345			MaxVersion:       VersionTLS13,
12346			MaxEarlyDataSize: 16384,
12347			Bugs: ProtocolBugs{
12348				AlwaysRejectEarlyData: true,
12349			},
12350		},
12351		resumeSession: true,
12352		flags: []string{
12353			"-enable-early-data",
12354			"-expect-ticket-supports-early-data",
12355			"-expect-reject-early-data",
12356			"-on-resume-shim-writes-first",
12357		},
12358	})
12359
12360	testCases = append(testCases, testCase{
12361		testType: serverTest,
12362		name:     "EarlyData-Server-TLS13",
12363		config: Config{
12364			MaxVersion: VersionTLS13,
12365			MinVersion: VersionTLS13,
12366			Bugs: ProtocolBugs{
12367				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
12368				ExpectEarlyDataAccepted: true,
12369				ExpectHalfRTTData:       [][]byte{{254, 253, 252, 251}},
12370			},
12371		},
12372		messageCount:  2,
12373		resumeSession: true,
12374		flags: []string{
12375			"-enable-early-data",
12376			"-expect-accept-early-data",
12377		},
12378	})
12379
12380	testCases = append(testCases, testCase{
12381		testType: serverTest,
12382		name:     "EarlyData-FirstTicket-Server-TLS13",
12383		config: Config{
12384			MaxVersion: VersionTLS13,
12385			MinVersion: VersionTLS13,
12386			Bugs: ProtocolBugs{
12387				UseFirstSessionTicket:   true,
12388				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
12389				ExpectEarlyDataAccepted: true,
12390				ExpectHalfRTTData:       [][]byte{{254, 253, 252, 251}},
12391			},
12392		},
12393		messageCount:  2,
12394		resumeSession: true,
12395		flags: []string{
12396			"-enable-early-data",
12397			"-expect-accept-early-data",
12398		},
12399	})
12400
12401	testCases = append(testCases, testCase{
12402		testType: serverTest,
12403		name:     "SkipEarlyData-OmitEarlyDataExtension-TLS13",
12404		config: Config{
12405			MaxVersion: VersionTLS13,
12406			Bugs: ProtocolBugs{
12407				SendFakeEarlyDataLength: 4,
12408				OmitEarlyDataExtension:  true,
12409			},
12410		},
12411		shouldFail:    true,
12412		expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
12413	})
12414
12415	testCases = append(testCases, testCase{
12416		testType: serverTest,
12417		name:     "SkipEarlyData-TooMuchData-TLS13",
12418		config: Config{
12419			MaxVersion: VersionTLS13,
12420			Bugs: ProtocolBugs{
12421				SendFakeEarlyDataLength: 16384 + 1,
12422			},
12423		},
12424		shouldFail:    true,
12425		expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
12426	})
12427
12428	testCases = append(testCases, testCase{
12429		testType: serverTest,
12430		name:     "SkipEarlyData-Interleaved-TLS13",
12431		config: Config{
12432			MaxVersion: VersionTLS13,
12433			Bugs: ProtocolBugs{
12434				SendFakeEarlyDataLength: 4,
12435				InterleaveEarlyData:     true,
12436			},
12437		},
12438		shouldFail:    true,
12439		expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
12440	})
12441
12442	testCases = append(testCases, testCase{
12443		testType: serverTest,
12444		name:     "SkipEarlyData-EarlyDataInTLS12-TLS13",
12445		config: Config{
12446			MaxVersion: VersionTLS13,
12447			Bugs: ProtocolBugs{
12448				SendFakeEarlyDataLength: 4,
12449			},
12450		},
12451		shouldFail:    true,
12452		expectedError: ":UNEXPECTED_RECORD:",
12453		flags:         []string{"-max-version", strconv.Itoa(VersionTLS12)},
12454	})
12455
12456	testCases = append(testCases, testCase{
12457		testType: serverTest,
12458		name:     "SkipEarlyData-HRR-TLS13",
12459		config: Config{
12460			MaxVersion: VersionTLS13,
12461			Bugs: ProtocolBugs{
12462				SendFakeEarlyDataLength: 4,
12463			},
12464			DefaultCurves: []CurveID{},
12465		},
12466	})
12467
12468	testCases = append(testCases, testCase{
12469		testType: serverTest,
12470		name:     "SkipEarlyData-HRR-Interleaved-TLS13",
12471		config: Config{
12472			MaxVersion: VersionTLS13,
12473			Bugs: ProtocolBugs{
12474				SendFakeEarlyDataLength: 4,
12475				InterleaveEarlyData:     true,
12476			},
12477			DefaultCurves: []CurveID{},
12478		},
12479		shouldFail:    true,
12480		expectedError: ":UNEXPECTED_RECORD:",
12481	})
12482
12483	testCases = append(testCases, testCase{
12484		testType: serverTest,
12485		name:     "SkipEarlyData-HRR-TooMuchData-TLS13",
12486		config: Config{
12487			MaxVersion: VersionTLS13,
12488			Bugs: ProtocolBugs{
12489				SendFakeEarlyDataLength: 16384 + 1,
12490			},
12491			DefaultCurves: []CurveID{},
12492		},
12493		shouldFail:    true,
12494		expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
12495	})
12496
12497	// Test that skipping early data looking for cleartext correctly
12498	// processes an alert record.
12499	testCases = append(testCases, testCase{
12500		testType: serverTest,
12501		name:     "SkipEarlyData-HRR-FatalAlert-TLS13",
12502		config: Config{
12503			MaxVersion: VersionTLS13,
12504			Bugs: ProtocolBugs{
12505				SendEarlyAlert:          true,
12506				SendFakeEarlyDataLength: 4,
12507			},
12508			DefaultCurves: []CurveID{},
12509		},
12510		shouldFail:    true,
12511		expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
12512	})
12513
12514	testCases = append(testCases, testCase{
12515		testType: serverTest,
12516		name:     "SkipEarlyData-SecondClientHelloEarlyData-TLS13",
12517		config: Config{
12518			MaxVersion: VersionTLS13,
12519			Bugs: ProtocolBugs{
12520				SendEarlyDataOnSecondClientHello: true,
12521			},
12522			DefaultCurves: []CurveID{},
12523		},
12524		shouldFail:         true,
12525		expectedLocalError: "remote error: bad record MAC",
12526	})
12527
12528	testCases = append(testCases, testCase{
12529		testType: clientTest,
12530		name:     "EmptyEncryptedExtensions-TLS13",
12531		config: Config{
12532			MaxVersion: VersionTLS13,
12533			Bugs: ProtocolBugs{
12534				EmptyEncryptedExtensions: true,
12535			},
12536		},
12537		shouldFail:         true,
12538		expectedLocalError: "remote error: error decoding message",
12539	})
12540
12541	testCases = append(testCases, testCase{
12542		testType: clientTest,
12543		name:     "EncryptedExtensionsWithKeyShare-TLS13",
12544		config: Config{
12545			MaxVersion: VersionTLS13,
12546			Bugs: ProtocolBugs{
12547				EncryptedExtensionsWithKeyShare: true,
12548			},
12549		},
12550		shouldFail:         true,
12551		expectedLocalError: "remote error: unsupported extension",
12552	})
12553
12554	testCases = append(testCases, testCase{
12555		testType: serverTest,
12556		name:     "SendHelloRetryRequest-TLS13",
12557		config: Config{
12558			MaxVersion: VersionTLS13,
12559			// Require a HelloRetryRequest for every curve.
12560			DefaultCurves:    []CurveID{},
12561			CurvePreferences: []CurveID{CurveX25519},
12562		},
12563		expectedCurveID: CurveX25519,
12564	})
12565
12566	testCases = append(testCases, testCase{
12567		testType: serverTest,
12568		name:     "SendHelloRetryRequest-2-TLS13",
12569		config: Config{
12570			MaxVersion:       VersionTLS13,
12571			DefaultCurves:    []CurveID{CurveP384},
12572			CurvePreferences: []CurveID{CurveX25519, CurveP384},
12573		},
12574		// Although the ClientHello did not predict our preferred curve,
12575		// we always select it whether it is predicted or not.
12576		expectedCurveID: CurveX25519,
12577	})
12578
12579	testCases = append(testCases, testCase{
12580		name: "UnknownCurve-HelloRetryRequest-TLS13",
12581		config: Config{
12582			MaxVersion: VersionTLS13,
12583			// P-384 requires HelloRetryRequest in BoringSSL.
12584			CurvePreferences: []CurveID{CurveP384},
12585			Bugs: ProtocolBugs{
12586				SendHelloRetryRequestCurve: bogusCurve,
12587			},
12588		},
12589		shouldFail:    true,
12590		expectedError: ":WRONG_CURVE:",
12591	})
12592
12593	testCases = append(testCases, testCase{
12594		name: "HelloRetryRequest-CipherChange-TLS13",
12595		config: Config{
12596			MaxVersion: VersionTLS13,
12597			// P-384 requires HelloRetryRequest in BoringSSL.
12598			CurvePreferences: []CurveID{CurveP384},
12599			Bugs: ProtocolBugs{
12600				SendCipherSuite:                  TLS_AES_128_GCM_SHA256,
12601				SendHelloRetryRequestCipherSuite: TLS_CHACHA20_POLY1305_SHA256,
12602			},
12603		},
12604		shouldFail:    true,
12605		expectedError: ":WRONG_CIPHER_RETURNED:",
12606	})
12607
12608	// Test that the client does not offer a PSK in the second ClientHello if the
12609	// HelloRetryRequest is incompatible with it.
12610	testCases = append(testCases, testCase{
12611		testType: clientTest,
12612		name:     "HelloRetryRequest-NonResumableCipher-TLS13",
12613		config: Config{
12614			MaxVersion: VersionTLS13,
12615			CipherSuites: []uint16{
12616				TLS_AES_128_GCM_SHA256,
12617			},
12618		},
12619		resumeConfig: &Config{
12620			MaxVersion: VersionTLS13,
12621			// P-384 requires HelloRetryRequest in BoringSSL.
12622			CurvePreferences: []CurveID{CurveP384},
12623			Bugs: ProtocolBugs{
12624				ExpectNoTLS13PSKAfterHRR: true,
12625			},
12626			CipherSuites: []uint16{
12627				TLS_AES_256_GCM_SHA384,
12628			},
12629		},
12630		resumeSession:        true,
12631		expectResumeRejected: true,
12632	})
12633
12634	testCases = append(testCases, testCase{
12635		name: "DisabledCurve-HelloRetryRequest-TLS13",
12636		config: Config{
12637			MaxVersion:       VersionTLS13,
12638			CurvePreferences: []CurveID{CurveP256},
12639			Bugs: ProtocolBugs{
12640				IgnorePeerCurvePreferences: true,
12641			},
12642		},
12643		flags:         []string{"-curves", strconv.Itoa(int(CurveP384))},
12644		shouldFail:    true,
12645		expectedError: ":WRONG_CURVE:",
12646	})
12647
12648	testCases = append(testCases, testCase{
12649		name: "UnnecessaryHelloRetryRequest-TLS13",
12650		config: Config{
12651			MaxVersion:       VersionTLS13,
12652			CurvePreferences: []CurveID{CurveX25519},
12653			Bugs: ProtocolBugs{
12654				SendHelloRetryRequestCurve: CurveX25519,
12655			},
12656		},
12657		shouldFail:    true,
12658		expectedError: ":WRONG_CURVE:",
12659	})
12660
12661	testCases = append(testCases, testCase{
12662		name: "SecondHelloRetryRequest-TLS13",
12663		config: Config{
12664			MaxVersion: VersionTLS13,
12665			// P-384 requires HelloRetryRequest in BoringSSL.
12666			CurvePreferences: []CurveID{CurveP384},
12667			Bugs: ProtocolBugs{
12668				SecondHelloRetryRequest: true,
12669			},
12670		},
12671		shouldFail:    true,
12672		expectedError: ":UNEXPECTED_MESSAGE:",
12673	})
12674
12675	testCases = append(testCases, testCase{
12676		name: "HelloRetryRequest-Empty-TLS13",
12677		config: Config{
12678			MaxVersion: VersionTLS13,
12679			Bugs: ProtocolBugs{
12680				AlwaysSendHelloRetryRequest: true,
12681			},
12682		},
12683		shouldFail:         true,
12684		expectedError:      ":EMPTY_HELLO_RETRY_REQUEST:",
12685		expectedLocalError: "remote error: illegal parameter",
12686	})
12687
12688	testCases = append(testCases, testCase{
12689		name: "HelloRetryRequest-DuplicateCurve-TLS13",
12690		config: Config{
12691			MaxVersion: VersionTLS13,
12692			// P-384 requires a HelloRetryRequest against BoringSSL's default
12693			// configuration. Assert this ExpectMissingKeyShare.
12694			CurvePreferences: []CurveID{CurveP384},
12695			Bugs: ProtocolBugs{
12696				ExpectMissingKeyShare:                true,
12697				DuplicateHelloRetryRequestExtensions: true,
12698			},
12699		},
12700		shouldFail:         true,
12701		expectedError:      ":DUPLICATE_EXTENSION:",
12702		expectedLocalError: "remote error: illegal parameter",
12703	})
12704
12705	testCases = append(testCases, testCase{
12706		name: "HelloRetryRequest-Cookie-TLS13",
12707		config: Config{
12708			MaxVersion: VersionTLS13,
12709			Bugs: ProtocolBugs{
12710				SendHelloRetryRequestCookie: []byte("cookie"),
12711			},
12712		},
12713	})
12714
12715	testCases = append(testCases, testCase{
12716		name: "HelloRetryRequest-DuplicateCookie-TLS13",
12717		config: Config{
12718			MaxVersion: VersionTLS13,
12719			Bugs: ProtocolBugs{
12720				SendHelloRetryRequestCookie:          []byte("cookie"),
12721				DuplicateHelloRetryRequestExtensions: true,
12722			},
12723		},
12724		shouldFail:         true,
12725		expectedError:      ":DUPLICATE_EXTENSION:",
12726		expectedLocalError: "remote error: illegal parameter",
12727	})
12728
12729	testCases = append(testCases, testCase{
12730		name: "HelloRetryRequest-EmptyCookie-TLS13",
12731		config: Config{
12732			MaxVersion: VersionTLS13,
12733			Bugs: ProtocolBugs{
12734				SendHelloRetryRequestCookie: []byte{},
12735			},
12736		},
12737		shouldFail:    true,
12738		expectedError: ":DECODE_ERROR:",
12739	})
12740
12741	testCases = append(testCases, testCase{
12742		name: "HelloRetryRequest-Cookie-Curve-TLS13",
12743		config: Config{
12744			MaxVersion: VersionTLS13,
12745			// P-384 requires HelloRetryRequest in BoringSSL.
12746			CurvePreferences: []CurveID{CurveP384},
12747			Bugs: ProtocolBugs{
12748				SendHelloRetryRequestCookie: []byte("cookie"),
12749				ExpectMissingKeyShare:       true,
12750			},
12751		},
12752	})
12753
12754	testCases = append(testCases, testCase{
12755		name: "HelloRetryRequest-Unknown-TLS13",
12756		config: Config{
12757			MaxVersion: VersionTLS13,
12758			Bugs: ProtocolBugs{
12759				CustomHelloRetryRequestExtension: "extension",
12760			},
12761		},
12762		shouldFail:         true,
12763		expectedError:      ":UNEXPECTED_EXTENSION:",
12764		expectedLocalError: "remote error: unsupported extension",
12765	})
12766
12767	testCases = append(testCases, testCase{
12768		testType: serverTest,
12769		name:     "SecondClientHelloMissingKeyShare-TLS13",
12770		config: Config{
12771			MaxVersion:    VersionTLS13,
12772			DefaultCurves: []CurveID{},
12773			Bugs: ProtocolBugs{
12774				SecondClientHelloMissingKeyShare: true,
12775			},
12776		},
12777		shouldFail:    true,
12778		expectedError: ":MISSING_KEY_SHARE:",
12779	})
12780
12781	testCases = append(testCases, testCase{
12782		testType: serverTest,
12783		name:     "SecondClientHelloWrongCurve-TLS13",
12784		config: Config{
12785			MaxVersion:    VersionTLS13,
12786			DefaultCurves: []CurveID{},
12787			Bugs: ProtocolBugs{
12788				MisinterpretHelloRetryRequestCurve: CurveP521,
12789			},
12790		},
12791		shouldFail:    true,
12792		expectedError: ":WRONG_CURVE:",
12793	})
12794
12795	testCases = append(testCases, testCase{
12796		name: "HelloRetryRequestVersionMismatch-TLS13",
12797		config: Config{
12798			MaxVersion: VersionTLS13,
12799			// P-384 requires HelloRetryRequest in BoringSSL.
12800			CurvePreferences: []CurveID{CurveP384},
12801			Bugs: ProtocolBugs{
12802				SendServerHelloVersion: 0x0305,
12803			},
12804		},
12805		shouldFail:    true,
12806		expectedError: ":WRONG_VERSION_NUMBER:",
12807	})
12808
12809	testCases = append(testCases, testCase{
12810		name: "HelloRetryRequestCurveMismatch-TLS13",
12811		config: Config{
12812			MaxVersion: VersionTLS13,
12813			// P-384 requires HelloRetryRequest in BoringSSL.
12814			CurvePreferences: []CurveID{CurveP384},
12815			Bugs: ProtocolBugs{
12816				// Send P-384 (correct) in the HelloRetryRequest.
12817				SendHelloRetryRequestCurve: CurveP384,
12818				// But send P-256 in the ServerHello.
12819				SendCurve: CurveP256,
12820			},
12821		},
12822		shouldFail:    true,
12823		expectedError: ":WRONG_CURVE:",
12824	})
12825
12826	// Test the server selecting a curve that requires a HelloRetryRequest
12827	// without sending it.
12828	testCases = append(testCases, testCase{
12829		name: "SkipHelloRetryRequest-TLS13",
12830		config: Config{
12831			MaxVersion: VersionTLS13,
12832			// P-384 requires HelloRetryRequest in BoringSSL.
12833			CurvePreferences: []CurveID{CurveP384},
12834			Bugs: ProtocolBugs{
12835				SkipHelloRetryRequest: true,
12836			},
12837		},
12838		shouldFail:    true,
12839		expectedError: ":WRONG_CURVE:",
12840	})
12841
12842	testCases = append(testCases, testCase{
12843		name: "SecondServerHelloNoVersion-TLS13",
12844		config: Config{
12845			MaxVersion: VersionTLS13,
12846			// P-384 requires HelloRetryRequest in BoringSSL.
12847			CurvePreferences: []CurveID{CurveP384},
12848			Bugs: ProtocolBugs{
12849				OmitServerSupportedVersionExtension: true,
12850			},
12851		},
12852		shouldFail:    true,
12853		expectedError: ":SECOND_SERVERHELLO_VERSION_MISMATCH:",
12854	})
12855	testCases = append(testCases, testCase{
12856		name: "SecondServerHelloWrongVersion-TLS13",
12857		config: Config{
12858			MaxVersion: VersionTLS13,
12859			// P-384 requires HelloRetryRequest in BoringSSL.
12860			CurvePreferences: []CurveID{CurveP384},
12861			Bugs: ProtocolBugs{
12862				SendServerSupportedVersionExtension: 0x1234,
12863			},
12864		},
12865		shouldFail:    true,
12866		expectedError: ":SECOND_SERVERHELLO_VERSION_MISMATCH:",
12867	})
12868
12869	testCases = append(testCases, testCase{
12870		name: "RequestContextInHandshake-TLS13",
12871		config: Config{
12872			MaxVersion: VersionTLS13,
12873			MinVersion: VersionTLS13,
12874			ClientAuth: RequireAnyClientCert,
12875			Bugs: ProtocolBugs{
12876				SendRequestContext: []byte("request context"),
12877			},
12878		},
12879		flags: []string{
12880			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
12881			"-key-file", path.Join(*resourceDir, rsaKeyFile),
12882		},
12883		shouldFail:    true,
12884		expectedError: ":DECODE_ERROR:",
12885	})
12886
12887	testCases = append(testCases, testCase{
12888		name: "UnknownExtensionInCertificateRequest-TLS13",
12889		config: Config{
12890			MaxVersion: VersionTLS13,
12891			MinVersion: VersionTLS13,
12892			ClientAuth: RequireAnyClientCert,
12893			Bugs: ProtocolBugs{
12894				SendCustomCertificateRequest: 0x1212,
12895			},
12896		},
12897		flags: []string{
12898			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
12899			"-key-file", path.Join(*resourceDir, rsaKeyFile),
12900		},
12901	})
12902
12903	testCases = append(testCases, testCase{
12904		name: "MissingSignatureAlgorithmsInCertificateRequest-TLS13",
12905		config: Config{
12906			MaxVersion: VersionTLS13,
12907			MinVersion: VersionTLS13,
12908			ClientAuth: RequireAnyClientCert,
12909			Bugs: ProtocolBugs{
12910				OmitCertificateRequestAlgorithms: true,
12911			},
12912		},
12913		flags: []string{
12914			"-cert-file", path.Join(*resourceDir, rsaCertificateFile),
12915			"-key-file", path.Join(*resourceDir, rsaKeyFile),
12916		},
12917		shouldFail:    true,
12918		expectedError: ":DECODE_ERROR:",
12919	})
12920
12921	testCases = append(testCases, testCase{
12922		testType: serverTest,
12923		name:     "TrailingKeyShareData-TLS13",
12924		config: Config{
12925			MaxVersion: VersionTLS13,
12926			Bugs: ProtocolBugs{
12927				TrailingKeyShareData: true,
12928			},
12929		},
12930		shouldFail:    true,
12931		expectedError: ":DECODE_ERROR:",
12932	})
12933
12934	testCases = append(testCases, testCase{
12935		name: "AlwaysSelectPSKIdentity-TLS13",
12936		config: Config{
12937			MaxVersion: VersionTLS13,
12938			Bugs: ProtocolBugs{
12939				AlwaysSelectPSKIdentity: true,
12940			},
12941		},
12942		shouldFail:    true,
12943		expectedError: ":UNEXPECTED_EXTENSION:",
12944	})
12945
12946	testCases = append(testCases, testCase{
12947		name: "InvalidPSKIdentity-TLS13",
12948		config: Config{
12949			MaxVersion: VersionTLS13,
12950			Bugs: ProtocolBugs{
12951				SelectPSKIdentityOnResume: 1,
12952			},
12953		},
12954		resumeSession: true,
12955		shouldFail:    true,
12956		expectedError: ":PSK_IDENTITY_NOT_FOUND:",
12957	})
12958
12959	testCases = append(testCases, testCase{
12960		testType: serverTest,
12961		name:     "ExtraPSKIdentity-TLS13",
12962		config: Config{
12963			MaxVersion: VersionTLS13,
12964			Bugs: ProtocolBugs{
12965				ExtraPSKIdentity:   true,
12966				SendExtraPSKBinder: true,
12967			},
12968		},
12969		resumeSession: true,
12970	})
12971
12972	// Test that unknown NewSessionTicket extensions are tolerated.
12973	testCases = append(testCases, testCase{
12974		name: "CustomTicketExtension-TLS13",
12975		config: Config{
12976			MaxVersion: VersionTLS13,
12977			Bugs: ProtocolBugs{
12978				CustomTicketExtension: "1234",
12979			},
12980		},
12981	})
12982	testCases = append(testCases, testCase{
12983		testType: clientTest,
12984		name:     "EarlyData-RejectTicket-Client-TLS13",
12985		config: Config{
12986			MaxVersion:       VersionTLS13,
12987			MaxEarlyDataSize: 16384,
12988			Certificates:     []Certificate{rsaCertificate},
12989		},
12990		resumeConfig: &Config{
12991			MaxVersion:             VersionTLS13,
12992			MaxEarlyDataSize:       16384,
12993			Certificates:           []Certificate{ecdsaP256Certificate},
12994			SessionTicketsDisabled: true,
12995		},
12996		resumeSession:        true,
12997		expectResumeRejected: true,
12998		flags: []string{
12999			"-enable-early-data",
13000			"-expect-ticket-supports-early-data",
13001			"-expect-reject-early-data",
13002			"-on-resume-shim-writes-first",
13003			"-on-initial-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
13004			"-on-resume-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
13005			"-on-retry-expect-peer-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
13006			// Session tickets are disabled, so the runner will not send a ticket.
13007			"-on-retry-expect-no-session",
13008		},
13009	})
13010
13011	testCases = append(testCases, testCase{
13012		testType: clientTest,
13013		name:     "EarlyData-HRR-Client-TLS13",
13014		config: Config{
13015			MaxVersion:       VersionTLS13,
13016			MaxEarlyDataSize: 16384,
13017		},
13018		resumeConfig: &Config{
13019			MaxVersion:       VersionTLS13,
13020			MaxEarlyDataSize: 16384,
13021			Bugs: ProtocolBugs{
13022				SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
13023			},
13024		},
13025		resumeSession: true,
13026		flags: []string{
13027			"-enable-early-data",
13028			"-expect-ticket-supports-early-data",
13029			"-expect-reject-early-data",
13030		},
13031	})
13032
13033	// The client must check the server does not send the early_data
13034	// extension while rejecting the session.
13035	testCases = append(testCases, testCase{
13036		testType: clientTest,
13037		name:     "EarlyDataWithoutResume-Client-TLS13",
13038		config: Config{
13039			MaxVersion:       VersionTLS13,
13040			MaxEarlyDataSize: 16384,
13041		},
13042		resumeConfig: &Config{
13043			MaxVersion:             VersionTLS13,
13044			SessionTicketsDisabled: true,
13045			Bugs: ProtocolBugs{
13046				SendEarlyDataExtension: true,
13047			},
13048		},
13049		resumeSession: true,
13050		flags: []string{
13051			"-enable-early-data",
13052			"-expect-ticket-supports-early-data",
13053		},
13054		shouldFail:    true,
13055		expectedError: ":UNEXPECTED_EXTENSION:",
13056	})
13057
13058	// The client must fail with a dedicated error code if the server
13059	// responds with TLS 1.2 when offering 0-RTT.
13060	testCases = append(testCases, testCase{
13061		testType: clientTest,
13062		name:     "EarlyDataVersionDowngrade-Client-TLS13",
13063		config: Config{
13064			MaxVersion:       VersionTLS13,
13065			MaxEarlyDataSize: 16384,
13066		},
13067		resumeConfig: &Config{
13068			MaxVersion: VersionTLS12,
13069		},
13070		resumeSession: true,
13071		flags: []string{
13072			"-enable-early-data",
13073			"-expect-ticket-supports-early-data",
13074		},
13075		shouldFail:    true,
13076		expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
13077	})
13078
13079	// Test that the client rejects an (unsolicited) early_data extension if
13080	// the server sent an HRR.
13081	testCases = append(testCases, testCase{
13082		testType: clientTest,
13083		name:     "ServerAcceptsEarlyDataOnHRR-Client-TLS13",
13084		config: Config{
13085			MaxVersion:       VersionTLS13,
13086			MaxEarlyDataSize: 16384,
13087		},
13088		resumeConfig: &Config{
13089			MaxVersion:       VersionTLS13,
13090			MaxEarlyDataSize: 16384,
13091			Bugs: ProtocolBugs{
13092				SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
13093				SendEarlyDataExtension:      true,
13094			},
13095		},
13096		resumeSession: true,
13097		flags: []string{
13098			"-enable-early-data",
13099			"-expect-ticket-supports-early-data",
13100			"-expect-reject-early-data",
13101		},
13102		shouldFail:    true,
13103		expectedError: ":UNEXPECTED_EXTENSION:",
13104	})
13105
13106	testCases = append(testCases, testCase{
13107		testType: clientTest,
13108		name:     "SkipChangeCipherSpec-Client-TLS13",
13109		config: Config{
13110			MaxVersion: VersionTLS13,
13111			Bugs: ProtocolBugs{
13112				SkipChangeCipherSpec: true,
13113			},
13114		},
13115	})
13116
13117	testCases = append(testCases, testCase{
13118		testType: serverTest,
13119		name:     "SkipChangeCipherSpec-Server-TLS13",
13120		config: Config{
13121			MaxVersion: VersionTLS13,
13122			Bugs: ProtocolBugs{
13123				SkipChangeCipherSpec: true,
13124			},
13125		},
13126	})
13127
13128	testCases = append(testCases, testCase{
13129		testType: clientTest,
13130		name:     "TooManyChangeCipherSpec-Client-TLS13",
13131		config: Config{
13132			MaxVersion: VersionTLS13,
13133			Bugs: ProtocolBugs{
13134				SendExtraChangeCipherSpec: 33,
13135			},
13136		},
13137		shouldFail:    true,
13138		expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
13139	})
13140
13141	testCases = append(testCases, testCase{
13142		testType: serverTest,
13143		name:     "TooManyChangeCipherSpec-Server-TLS13",
13144		config: Config{
13145			MaxVersion: VersionTLS13,
13146			Bugs: ProtocolBugs{
13147				SendExtraChangeCipherSpec: 33,
13148			},
13149		},
13150		shouldFail:    true,
13151		expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
13152	})
13153
13154	testCases = append(testCases, testCase{
13155		name: "SendPostHandshakeChangeCipherSpec-TLS13",
13156		config: Config{
13157			MaxVersion: VersionTLS13,
13158			Bugs: ProtocolBugs{
13159				SendPostHandshakeChangeCipherSpec: true,
13160			},
13161		},
13162		shouldFail:         true,
13163		expectedError:      ":UNEXPECTED_RECORD:",
13164		expectedLocalError: "remote error: unexpected message",
13165	})
13166
13167	fooString := "foo"
13168	barString := "bar"
13169
13170	// Test that the client reports the correct ALPN after a 0-RTT reject
13171	// that changed it.
13172	testCases = append(testCases, testCase{
13173		testType: clientTest,
13174		name:     "EarlyData-ALPNMismatch-Client-TLS13",
13175		config: Config{
13176			MaxVersion:       VersionTLS13,
13177			MaxEarlyDataSize: 16384,
13178			Bugs: ProtocolBugs{
13179				ALPNProtocol: &fooString,
13180			},
13181		},
13182		resumeConfig: &Config{
13183			MaxVersion:       VersionTLS13,
13184			MaxEarlyDataSize: 16384,
13185			Bugs: ProtocolBugs{
13186				ALPNProtocol: &barString,
13187			},
13188		},
13189		resumeSession: true,
13190		flags: []string{
13191			"-advertise-alpn", "\x03foo\x03bar",
13192			"-enable-early-data",
13193			"-expect-ticket-supports-early-data",
13194			"-expect-reject-early-data",
13195			"-on-initial-expect-alpn", "foo",
13196			"-on-resume-expect-alpn", "foo",
13197			"-on-retry-expect-alpn", "bar",
13198		},
13199	})
13200
13201	// Test that the client reports the correct ALPN after a 0-RTT reject if
13202	// ALPN was omitted from the first connection.
13203	testCases = append(testCases, testCase{
13204		testType: clientTest,
13205		name:     "EarlyData-ALPNOmitted1-Client-TLS13",
13206		config: Config{
13207			MaxVersion:       VersionTLS13,
13208			MaxEarlyDataSize: 16384,
13209		},
13210		resumeConfig: &Config{
13211			MaxVersion:       VersionTLS13,
13212			MaxEarlyDataSize: 16384,
13213			NextProtos:       []string{"foo"},
13214		},
13215		resumeSession: true,
13216		flags: []string{
13217			"-advertise-alpn", "\x03foo\x03bar",
13218			"-enable-early-data",
13219			"-expect-ticket-supports-early-data",
13220			"-expect-reject-early-data",
13221			"-on-initial-expect-alpn", "",
13222			"-on-resume-expect-alpn", "",
13223			"-on-retry-expect-alpn", "foo",
13224			"-on-resume-shim-writes-first",
13225		},
13226	})
13227
13228	// Test that the client reports the correct ALPN after a 0-RTT reject if
13229	// ALPN was omitted from the second connection.
13230	testCases = append(testCases, testCase{
13231		testType: clientTest,
13232		name:     "EarlyData-ALPNOmitted2-Client-TLS13",
13233		config: Config{
13234			MaxVersion:       VersionTLS13,
13235			MaxEarlyDataSize: 16384,
13236			NextProtos:       []string{"foo"},
13237		},
13238		resumeConfig: &Config{
13239			MaxVersion:       VersionTLS13,
13240			MaxEarlyDataSize: 16384,
13241		},
13242		resumeSession: true,
13243		flags: []string{
13244			"-advertise-alpn", "\x03foo\x03bar",
13245			"-enable-early-data",
13246			"-expect-ticket-supports-early-data",
13247			"-expect-reject-early-data",
13248			"-on-initial-expect-alpn", "foo",
13249			"-on-resume-expect-alpn", "foo",
13250			"-on-retry-expect-alpn", "",
13251			"-on-resume-shim-writes-first",
13252		},
13253	})
13254
13255	// Test that the client enforces ALPN match on 0-RTT accept.
13256	testCases = append(testCases, testCase{
13257		testType: clientTest,
13258		name:     "EarlyData-BadALPNMismatch-Client-TLS13",
13259		config: Config{
13260			MaxVersion:       VersionTLS13,
13261			MaxEarlyDataSize: 16384,
13262			Bugs: ProtocolBugs{
13263				ALPNProtocol: &fooString,
13264			},
13265		},
13266		resumeConfig: &Config{
13267			MaxVersion:       VersionTLS13,
13268			MaxEarlyDataSize: 16384,
13269			Bugs: ProtocolBugs{
13270				AlwaysAcceptEarlyData: true,
13271				ALPNProtocol:          &barString,
13272			},
13273		},
13274		resumeSession: true,
13275		flags: []string{
13276			"-advertise-alpn", "\x03foo\x03bar",
13277			"-enable-early-data",
13278			"-expect-ticket-supports-early-data",
13279			"-on-initial-expect-alpn", "foo",
13280			"-on-resume-expect-alpn", "foo",
13281			"-on-retry-expect-alpn", "bar",
13282		},
13283		shouldFail:    true,
13284		expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
13285	})
13286
13287	// Test that the client does not offer early data if it is incompatible
13288	// with ALPN preferences.
13289	testCases = append(testCases, testCase{
13290		testType: clientTest,
13291		name:     "EarlyData-ALPNPreferenceChanged-TLS13",
13292		config: Config{
13293			MaxVersion:       VersionTLS13,
13294			MaxEarlyDataSize: 16384,
13295			NextProtos:       []string{"foo", "bar"},
13296		},
13297		resumeSession: true,
13298		flags: []string{
13299			"-enable-early-data",
13300			"-expect-ticket-supports-early-data",
13301			"-expect-no-offer-early-data",
13302			"-on-initial-advertise-alpn", "\x03foo",
13303			"-on-resume-advertise-alpn", "\x03bar",
13304			"-on-initial-expect-alpn", "foo",
13305			"-on-resume-expect-alpn", "bar",
13306		},
13307	})
13308
13309	// Test that the server correctly rejects 0-RTT when the previous
13310	// session did not allow early data on resumption.
13311	testCases = append(testCases, testCase{
13312		testType: serverTest,
13313		name:     "EarlyData-NonZeroRTTSession-Server-TLS13",
13314		config: Config{
13315			MaxVersion: VersionTLS13,
13316		},
13317		resumeConfig: &Config{
13318			MaxVersion: VersionTLS13,
13319			Bugs: ProtocolBugs{
13320				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13321				ExpectEarlyDataAccepted: false,
13322			},
13323		},
13324		resumeSession: true,
13325		flags: []string{
13326			"-on-resume-enable-early-data",
13327			"-expect-reject-early-data",
13328		},
13329	})
13330
13331	// Test that we reject early data where ALPN is omitted from the first
13332	// connection.
13333	testCases = append(testCases, testCase{
13334		testType: serverTest,
13335		name:     "EarlyData-ALPNOmitted1-Server-TLS13",
13336		config: Config{
13337			MaxVersion: VersionTLS13,
13338			NextProtos: []string{},
13339		},
13340		resumeConfig: &Config{
13341			MaxVersion: VersionTLS13,
13342			NextProtos: []string{"foo"},
13343			Bugs: ProtocolBugs{
13344				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13345				ExpectEarlyDataAccepted: false,
13346			},
13347		},
13348		resumeSession: true,
13349		flags: []string{
13350			"-enable-early-data",
13351			"-on-initial-select-alpn", "",
13352			"-on-resume-select-alpn", "foo",
13353		},
13354	})
13355
13356	// Test that we reject early data where ALPN is omitted from the second
13357	// connection.
13358	testCases = append(testCases, testCase{
13359		testType: serverTest,
13360		name:     "EarlyData-ALPNOmitted2-Server-TLS13",
13361		config: Config{
13362			MaxVersion: VersionTLS13,
13363			NextProtos: []string{"foo"},
13364		},
13365		resumeConfig: &Config{
13366			MaxVersion: VersionTLS13,
13367			NextProtos: []string{},
13368			Bugs: ProtocolBugs{
13369				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13370				ExpectEarlyDataAccepted: false,
13371			},
13372		},
13373		resumeSession: true,
13374		flags: []string{
13375			"-enable-early-data",
13376			"-on-initial-select-alpn", "foo",
13377			"-on-resume-select-alpn", "",
13378		},
13379	})
13380
13381	// Test that we reject early data with mismatched ALPN.
13382	testCases = append(testCases, testCase{
13383		testType: serverTest,
13384		name:     "EarlyData-ALPNMismatch-Server-TLS13",
13385		config: Config{
13386			MaxVersion: VersionTLS13,
13387			NextProtos: []string{"foo"},
13388		},
13389		resumeConfig: &Config{
13390			MaxVersion: VersionTLS13,
13391			NextProtos: []string{"bar"},
13392			Bugs: ProtocolBugs{
13393				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13394				ExpectEarlyDataAccepted: false,
13395			},
13396		},
13397		resumeSession: true,
13398		flags: []string{
13399			"-enable-early-data",
13400			"-on-initial-select-alpn", "foo",
13401			"-on-resume-select-alpn", "bar",
13402		},
13403	})
13404
13405	// Test that the client offering 0-RTT and Channel ID forbids the server
13406	// from accepting both.
13407	testCases = append(testCases, testCase{
13408		testType: clientTest,
13409		name:     "EarlyDataChannelID-AcceptBoth-Client-TLS13",
13410		config: Config{
13411			MaxVersion:       VersionTLS13,
13412			MaxEarlyDataSize: 16384,
13413			RequestChannelID: true,
13414		},
13415		resumeSession:   true,
13416		expectChannelID: true,
13417		shouldFail:      true,
13418		expectedError:   ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:",
13419		flags: []string{
13420			"-enable-early-data",
13421			"-expect-ticket-supports-early-data",
13422			"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
13423		},
13424	})
13425
13426	// Test that the client offering Channel ID and 0-RTT allows the server
13427	// to decline 0-RTT.
13428	testCases = append(testCases, testCase{
13429		testType: clientTest,
13430		name:     "EarlyDataChannelID-AcceptChannelID-Client-TLS13",
13431		config: Config{
13432			MaxVersion:       VersionTLS13,
13433			MaxEarlyDataSize: 16384,
13434			RequestChannelID: true,
13435			Bugs: ProtocolBugs{
13436				AlwaysRejectEarlyData: true,
13437			},
13438		},
13439		resumeSession:   true,
13440		expectChannelID: true,
13441		flags: []string{
13442			"-enable-early-data",
13443			"-expect-ticket-supports-early-data",
13444			"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
13445			"-expect-reject-early-data",
13446		},
13447	})
13448
13449	// Test that the client offering Channel ID and 0-RTT allows the server
13450	// to decline Channel ID.
13451	testCases = append(testCases, testCase{
13452		testType: clientTest,
13453		name:     "EarlyDataChannelID-AcceptEarlyData-Client-TLS13",
13454		config: Config{
13455			MaxVersion:       VersionTLS13,
13456			MaxEarlyDataSize: 16384,
13457		},
13458		resumeSession: true,
13459		flags: []string{
13460			"-enable-early-data",
13461			"-expect-ticket-supports-early-data",
13462			"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
13463			"-expect-accept-early-data",
13464		},
13465	})
13466
13467	// Test that the server supporting Channel ID and 0-RTT declines 0-RTT
13468	// if it would negotiate Channel ID.
13469	testCases = append(testCases, testCase{
13470		testType: serverTest,
13471		name:     "EarlyDataChannelID-OfferBoth-Server-TLS13",
13472		config: Config{
13473			MaxVersion: VersionTLS13,
13474			ChannelID:  channelIDKey,
13475			Bugs: ProtocolBugs{
13476				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13477				ExpectEarlyDataAccepted: false,
13478			},
13479		},
13480		resumeSession:   true,
13481		expectChannelID: true,
13482		flags: []string{
13483			"-enable-early-data",
13484			"-expect-reject-early-data",
13485			"-expect-channel-id",
13486			base64.StdEncoding.EncodeToString(channelIDBytes),
13487		},
13488	})
13489
13490	// Test that the server supporting Channel ID and 0-RTT accepts 0-RTT
13491	// if not offered Channel ID.
13492	testCases = append(testCases, testCase{
13493		testType: serverTest,
13494		name:     "EarlyDataChannelID-OfferEarlyData-Server-TLS13",
13495		config: Config{
13496			MaxVersion: VersionTLS13,
13497			Bugs: ProtocolBugs{
13498				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13499				ExpectEarlyDataAccepted: true,
13500				ExpectHalfRTTData:       [][]byte{{254, 253, 252, 251}},
13501			},
13502		},
13503		resumeSession:   true,
13504		expectChannelID: false,
13505		flags: []string{
13506			"-enable-early-data",
13507			"-expect-accept-early-data",
13508			"-enable-channel-id",
13509		},
13510	})
13511
13512	// Test that the server rejects 0-RTT streams without end_of_early_data.
13513	// The subsequent records should fail to decrypt.
13514	testCases = append(testCases, testCase{
13515		testType: serverTest,
13516		name:     "EarlyData-SkipEndOfEarlyData-TLS13",
13517		config: Config{
13518			MaxVersion: VersionTLS13,
13519			Bugs: ProtocolBugs{
13520				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13521				ExpectEarlyDataAccepted: true,
13522				SkipEndOfEarlyData:      true,
13523			},
13524		},
13525		resumeSession:      true,
13526		flags:              []string{"-enable-early-data"},
13527		shouldFail:         true,
13528		expectedLocalError: "remote error: bad record MAC",
13529		expectedError:      ":BAD_DECRYPT:",
13530	})
13531
13532	testCases = append(testCases, testCase{
13533		testType: serverTest,
13534		name:     "EarlyData-UnexpectedHandshake-Server-TLS13",
13535		config: Config{
13536			MaxVersion: VersionTLS13,
13537		},
13538		resumeConfig: &Config{
13539			MaxVersion: VersionTLS13,
13540			Bugs: ProtocolBugs{
13541				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13542				SendStrayEarlyHandshake: true,
13543				ExpectEarlyDataAccepted: true,
13544			},
13545		},
13546		resumeSession:      true,
13547		shouldFail:         true,
13548		expectedError:      ":UNEXPECTED_MESSAGE:",
13549		expectedLocalError: "remote error: unexpected message",
13550		flags: []string{
13551			"-enable-early-data",
13552		},
13553	})
13554
13555	// Test that the client reports TLS 1.3 as the version while sending
13556	// early data.
13557	testCases = append(testCases, testCase{
13558		testType: clientTest,
13559		name:     "EarlyData-Client-VersionAPI-TLS13",
13560		config: Config{
13561			MaxVersion:       VersionTLS13,
13562			MaxEarlyDataSize: 16384,
13563		},
13564		resumeSession: true,
13565		flags: []string{
13566			"-enable-early-data",
13567			"-expect-ticket-supports-early-data",
13568			"-expect-accept-early-data",
13569			"-expect-version", strconv.Itoa(VersionTLS13),
13570		},
13571	})
13572
13573	// Test that client and server both notice handshake errors after data
13574	// has started flowing.
13575	testCases = append(testCases, testCase{
13576		testType: clientTest,
13577		name:     "EarlyData-Client-BadFinished-TLS13",
13578		config: Config{
13579			MaxVersion:       VersionTLS13,
13580			MaxEarlyDataSize: 16384,
13581		},
13582		resumeConfig: &Config{
13583			MaxVersion:       VersionTLS13,
13584			MaxEarlyDataSize: 16384,
13585			Bugs: ProtocolBugs{
13586				BadFinished: true,
13587			},
13588		},
13589		resumeSession: true,
13590		flags: []string{
13591			"-enable-early-data",
13592			"-expect-ticket-supports-early-data",
13593			"-expect-accept-early-data",
13594		},
13595		shouldFail:         true,
13596		expectedError:      ":DIGEST_CHECK_FAILED:",
13597		expectedLocalError: "remote error: error decrypting message",
13598	})
13599	testCases = append(testCases, testCase{
13600		testType: serverTest,
13601		name:     "EarlyData-Server-BadFinished-TLS13",
13602		config: Config{
13603			MaxVersion: VersionTLS13,
13604		},
13605		resumeConfig: &Config{
13606			MaxVersion: VersionTLS13,
13607			Bugs: ProtocolBugs{
13608				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13609				ExpectEarlyDataAccepted: true,
13610				ExpectHalfRTTData:       [][]byte{{254, 253, 252, 251}},
13611				BadFinished:             true,
13612			},
13613		},
13614		resumeSession: true,
13615		flags: []string{
13616			"-enable-early-data",
13617			"-expect-accept-early-data",
13618		},
13619		shouldFail:         true,
13620		expectedError:      ":DIGEST_CHECK_FAILED:",
13621		expectedLocalError: "remote error: error decrypting message",
13622	})
13623
13624	testCases = append(testCases, testCase{
13625		testType: serverTest,
13626		name:     "Server-NonEmptyEndOfEarlyData-TLS13",
13627		config: Config{
13628			MaxVersion: VersionTLS13,
13629		},
13630		resumeConfig: &Config{
13631			MaxVersion: VersionTLS13,
13632			Bugs: ProtocolBugs{
13633				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
13634				ExpectEarlyDataAccepted: true,
13635				NonEmptyEndOfEarlyData:  true,
13636			},
13637		},
13638		resumeSession: true,
13639		flags: []string{
13640			"-enable-early-data",
13641			"-expect-ticket-supports-early-data",
13642			"-expect-accept-early-data",
13643		},
13644		shouldFail:    true,
13645		expectedError: ":DECODE_ERROR:",
13646	})
13647
13648	testCases = append(testCases, testCase{
13649		testType: serverTest,
13650		name:     "ServerSkipCertificateVerify-TLS13",
13651		config: Config{
13652			MinVersion:   VersionTLS13,
13653			MaxVersion:   VersionTLS13,
13654			Certificates: []Certificate{rsaChainCertificate},
13655			Bugs: ProtocolBugs{
13656				SkipCertificateVerify: true,
13657			},
13658		},
13659		expectPeerCertificate: &rsaChainCertificate,
13660		flags: []string{
13661			"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13662			"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13663			"-require-any-client-certificate",
13664		},
13665		shouldFail:         true,
13666		expectedError:      ":UNEXPECTED_MESSAGE:",
13667		expectedLocalError: "remote error: unexpected message",
13668	})
13669	testCases = append(testCases, testCase{
13670		testType: clientTest,
13671		name:     "ClientSkipCertificateVerify-TLS13",
13672		config: Config{
13673			MinVersion:   VersionTLS13,
13674			MaxVersion:   VersionTLS13,
13675			Certificates: []Certificate{rsaChainCertificate},
13676			Bugs: ProtocolBugs{
13677				SkipCertificateVerify: true,
13678			},
13679		},
13680		expectPeerCertificate: &rsaChainCertificate,
13681		flags: []string{
13682			"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13683			"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13684		},
13685		shouldFail:         true,
13686		expectedError:      ":UNEXPECTED_MESSAGE:",
13687		expectedLocalError: "remote error: unexpected message",
13688	})
13689
13690}
13691
13692func addTLS13CipherPreferenceTests() {
13693	// Test that client preference is honored if the shim has AES hardware
13694	// and ChaCha20-Poly1305 is preferred otherwise.
13695	testCases = append(testCases, testCase{
13696		testType: serverTest,
13697		name:     "TLS13-CipherPreference-Server-ChaCha20-AES",
13698		config: Config{
13699			MaxVersion: VersionTLS13,
13700			CipherSuites: []uint16{
13701				TLS_CHACHA20_POLY1305_SHA256,
13702				TLS_AES_128_GCM_SHA256,
13703			},
13704			CurvePreferences: []CurveID{CurveX25519},
13705		},
13706		flags: []string{
13707			"-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13708			"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13709		},
13710	})
13711
13712	testCases = append(testCases, testCase{
13713		testType: serverTest,
13714		name:     "TLS13-CipherPreference-Server-AES-ChaCha20",
13715		config: Config{
13716			MaxVersion: VersionTLS13,
13717			CipherSuites: []uint16{
13718				TLS_AES_128_GCM_SHA256,
13719				TLS_CHACHA20_POLY1305_SHA256,
13720			},
13721			CurvePreferences: []CurveID{CurveX25519},
13722		},
13723		flags: []string{
13724			"-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
13725			"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13726		},
13727	})
13728
13729	// Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
13730	// whether it has AES hardware.
13731	testCases = append(testCases, testCase{
13732		name: "TLS13-CipherPreference-Client",
13733		config: Config{
13734			MaxVersion: VersionTLS13,
13735			// Use the client cipher order. (This is the default but
13736			// is listed to be explicit.)
13737			PreferServerCipherSuites: false,
13738		},
13739		flags: []string{
13740			"-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
13741			"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13742		},
13743	})
13744
13745	// CECPQ2 prefers 256-bit ciphers but will use AES-128 if there's nothing else.
13746	testCases = append(testCases, testCase{
13747		testType: serverTest,
13748		name:     "TLS13-CipherPreference-CECPQ2-AES128Only",
13749		config: Config{
13750			MaxVersion: VersionTLS13,
13751			CipherSuites: []uint16{
13752				TLS_AES_128_GCM_SHA256,
13753			},
13754		},
13755		flags: []string{
13756			"-curves", strconv.Itoa(int(CurveCECPQ2)),
13757		},
13758	})
13759	// When a 256-bit cipher is offered, even if not in first place, it should be
13760	// picked.
13761	testCases = append(testCases, testCase{
13762		testType: serverTest,
13763		name:     "TLS13-CipherPreference-CECPQ2-AES256Preferred",
13764		config: Config{
13765			MaxVersion: VersionTLS13,
13766			CipherSuites: []uint16{
13767				TLS_AES_128_GCM_SHA256,
13768				TLS_AES_256_GCM_SHA384,
13769			},
13770		},
13771		flags: []string{
13772			"-curves", strconv.Itoa(int(CurveCECPQ2)),
13773		},
13774		expectedCipher: TLS_AES_256_GCM_SHA384,
13775	})
13776	// ... but when CECPQ2 isn't being used, the client's preference controls.
13777	testCases = append(testCases, testCase{
13778		testType: serverTest,
13779		name:     "TLS13-CipherPreference-CECPQ2-AES128PreferredOtherwise",
13780		config: Config{
13781			MaxVersion: VersionTLS13,
13782			CipherSuites: []uint16{
13783				TLS_AES_128_GCM_SHA256,
13784				TLS_AES_256_GCM_SHA384,
13785			},
13786		},
13787		flags: []string{
13788			"-curves", strconv.Itoa(int(CurveX25519)),
13789		},
13790		expectedCipher: TLS_AES_128_GCM_SHA256,
13791	})
13792
13793	// Test that CECPQ2 continues to honor AES vs ChaCha20 logic.
13794	testCases = append(testCases, testCase{
13795		testType: serverTest,
13796		name:     "TLS13-CipherPreference-CECPQ2-AES128-ChaCha20-AES256",
13797		config: Config{
13798			MaxVersion: VersionTLS13,
13799			CipherSuites: []uint16{
13800				TLS_AES_128_GCM_SHA256,
13801				TLS_CHACHA20_POLY1305_SHA256,
13802				TLS_AES_256_GCM_SHA384,
13803			},
13804		},
13805		flags: []string{
13806			"-curves", strconv.Itoa(int(CurveCECPQ2)),
13807			"-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13808			"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13809		},
13810	})
13811	testCases = append(testCases, testCase{
13812		testType: serverTest,
13813		name:     "TLS13-CipherPreference-CECPQ2-AES128-AES256-ChaCha20",
13814		config: Config{
13815			MaxVersion: VersionTLS13,
13816			CipherSuites: []uint16{
13817				TLS_AES_128_GCM_SHA256,
13818				TLS_AES_256_GCM_SHA384,
13819				TLS_CHACHA20_POLY1305_SHA256,
13820			},
13821		},
13822		flags: []string{
13823			"-curves", strconv.Itoa(int(CurveCECPQ2)),
13824			"-expect-cipher-aes", strconv.Itoa(int(TLS_AES_256_GCM_SHA384)),
13825			"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
13826		},
13827	})
13828}
13829
13830func addPeekTests() {
13831	// Test SSL_peek works, including on empty records.
13832	testCases = append(testCases, testCase{
13833		name:             "Peek-Basic",
13834		sendEmptyRecords: 1,
13835		flags:            []string{"-peek-then-read"},
13836	})
13837
13838	// Test SSL_peek can drive the initial handshake.
13839	testCases = append(testCases, testCase{
13840		name: "Peek-ImplicitHandshake",
13841		flags: []string{
13842			"-peek-then-read",
13843			"-implicit-handshake",
13844		},
13845	})
13846
13847	// Test SSL_peek can discover and drive a renegotiation.
13848	testCases = append(testCases, testCase{
13849		name: "Peek-Renegotiate",
13850		config: Config{
13851			MaxVersion: VersionTLS12,
13852		},
13853		renegotiate: 1,
13854		flags: []string{
13855			"-peek-then-read",
13856			"-renegotiate-freely",
13857			"-expect-total-renegotiations", "1",
13858		},
13859	})
13860
13861	// Test SSL_peek can discover a close_notify.
13862	testCases = append(testCases, testCase{
13863		name: "Peek-Shutdown",
13864		config: Config{
13865			Bugs: ProtocolBugs{
13866				ExpectCloseNotify: true,
13867			},
13868		},
13869		flags: []string{
13870			"-peek-then-read",
13871			"-check-close-notify",
13872		},
13873	})
13874
13875	// Test SSL_peek can discover an alert.
13876	testCases = append(testCases, testCase{
13877		name: "Peek-Alert",
13878		config: Config{
13879			Bugs: ProtocolBugs{
13880				SendSpuriousAlert: alertRecordOverflow,
13881			},
13882		},
13883		flags:         []string{"-peek-then-read"},
13884		shouldFail:    true,
13885		expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
13886	})
13887
13888	// Test SSL_peek can handle KeyUpdate.
13889	testCases = append(testCases, testCase{
13890		name: "Peek-KeyUpdate",
13891		config: Config{
13892			MaxVersion: VersionTLS13,
13893		},
13894		sendKeyUpdates:   1,
13895		keyUpdateRequest: keyUpdateNotRequested,
13896		flags:            []string{"-peek-then-read"},
13897	})
13898}
13899
13900func addRecordVersionTests() {
13901	for _, ver := range tlsVersions {
13902		// Test that the record version is enforced.
13903		testCases = append(testCases, testCase{
13904			name: "CheckRecordVersion-" + ver.name,
13905			config: Config{
13906				MinVersion: ver.version,
13907				MaxVersion: ver.version,
13908				Bugs: ProtocolBugs{
13909					SendRecordVersion: 0x03ff,
13910				},
13911			},
13912			shouldFail:    true,
13913			expectedError: ":WRONG_VERSION_NUMBER:",
13914		})
13915
13916		// Test that the ClientHello may use any record version, for
13917		// compatibility reasons.
13918		testCases = append(testCases, testCase{
13919			testType: serverTest,
13920			name:     "LooseInitialRecordVersion-" + ver.name,
13921			config: Config{
13922				MinVersion: ver.version,
13923				MaxVersion: ver.version,
13924				Bugs: ProtocolBugs{
13925					SendInitialRecordVersion: 0x03ff,
13926				},
13927			},
13928		})
13929
13930		// Test that garbage ClientHello record versions are rejected.
13931		testCases = append(testCases, testCase{
13932			testType: serverTest,
13933			name:     "GarbageInitialRecordVersion-" + ver.name,
13934			config: Config{
13935				MinVersion: ver.version,
13936				MaxVersion: ver.version,
13937				Bugs: ProtocolBugs{
13938					SendInitialRecordVersion: 0xffff,
13939				},
13940			},
13941			shouldFail:    true,
13942			expectedError: ":WRONG_VERSION_NUMBER:",
13943		})
13944	}
13945}
13946
13947func addCertificateTests() {
13948	for _, ver := range tlsVersions {
13949		// Test that a certificate chain with intermediate may be sent
13950		// and received as both client and server.
13951		testCases = append(testCases, testCase{
13952			testType: clientTest,
13953			name:     "SendReceiveIntermediate-Client-" + ver.name,
13954			config: Config{
13955				MinVersion:   ver.version,
13956				MaxVersion:   ver.version,
13957				Certificates: []Certificate{rsaChainCertificate},
13958				ClientAuth:   RequireAnyClientCert,
13959			},
13960			expectPeerCertificate: &rsaChainCertificate,
13961			flags: []string{
13962				"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13963				"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13964				"-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13965			},
13966		})
13967
13968		testCases = append(testCases, testCase{
13969			testType: serverTest,
13970			name:     "SendReceiveIntermediate-Server-" + ver.name,
13971			config: Config{
13972				MinVersion:   ver.version,
13973				MaxVersion:   ver.version,
13974				Certificates: []Certificate{rsaChainCertificate},
13975			},
13976			expectPeerCertificate: &rsaChainCertificate,
13977			flags: []string{
13978				"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13979				"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
13980				"-require-any-client-certificate",
13981				"-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
13982			},
13983		})
13984
13985		// Test that garbage leaf certificates are properly rejected.
13986		testCases = append(testCases, testCase{
13987			testType: clientTest,
13988			name:     "GarbageCertificate-Client-" + ver.name,
13989			config: Config{
13990				MinVersion:   ver.version,
13991				MaxVersion:   ver.version,
13992				Certificates: []Certificate{garbageCertificate},
13993			},
13994			shouldFail:         true,
13995			expectedError:      ":CANNOT_PARSE_LEAF_CERT:",
13996			expectedLocalError: "remote error: error decoding message",
13997		})
13998
13999		testCases = append(testCases, testCase{
14000			testType: serverTest,
14001			name:     "GarbageCertificate-Server-" + ver.name,
14002			config: Config{
14003				MinVersion:   ver.version,
14004				MaxVersion:   ver.version,
14005				Certificates: []Certificate{garbageCertificate},
14006			},
14007			flags:              []string{"-require-any-client-certificate"},
14008			shouldFail:         true,
14009			expectedError:      ":CANNOT_PARSE_LEAF_CERT:",
14010			expectedLocalError: "remote error: error decoding message",
14011		})
14012	}
14013}
14014
14015func addRetainOnlySHA256ClientCertTests() {
14016	for _, ver := range tlsVersions {
14017		// Test that enabling
14018		// SSL_CTX_set_retain_only_sha256_of_client_certs without
14019		// actually requesting a client certificate is a no-op.
14020		testCases = append(testCases, testCase{
14021			testType: serverTest,
14022			name:     "RetainOnlySHA256-NoCert-" + ver.name,
14023			config: Config{
14024				MinVersion: ver.version,
14025				MaxVersion: ver.version,
14026			},
14027			flags: []string{
14028				"-on-initial-retain-only-sha256-client-cert",
14029				"-on-resume-retain-only-sha256-client-cert",
14030			},
14031			resumeSession: true,
14032		})
14033
14034		// Test that when retaining only a SHA-256 certificate is
14035		// enabled, the hash appears as expected.
14036		testCases = append(testCases, testCase{
14037			testType: serverTest,
14038			name:     "RetainOnlySHA256-Cert-" + ver.name,
14039			config: Config{
14040				MinVersion:   ver.version,
14041				MaxVersion:   ver.version,
14042				Certificates: []Certificate{rsaCertificate},
14043			},
14044			flags: []string{
14045				"-verify-peer",
14046				"-on-initial-retain-only-sha256-client-cert",
14047				"-on-resume-retain-only-sha256-client-cert",
14048				"-on-initial-expect-sha256-client-cert",
14049				"-on-resume-expect-sha256-client-cert",
14050			},
14051			resumeSession: true,
14052		})
14053
14054		// Test that when the config changes from on to off, a
14055		// resumption is rejected because the server now wants the full
14056		// certificate chain.
14057		testCases = append(testCases, testCase{
14058			testType: serverTest,
14059			name:     "RetainOnlySHA256-OnOff-" + ver.name,
14060			config: Config{
14061				MinVersion:   ver.version,
14062				MaxVersion:   ver.version,
14063				Certificates: []Certificate{rsaCertificate},
14064			},
14065			flags: []string{
14066				"-verify-peer",
14067				"-on-initial-retain-only-sha256-client-cert",
14068				"-on-initial-expect-sha256-client-cert",
14069			},
14070			resumeSession:        true,
14071			expectResumeRejected: true,
14072		})
14073
14074		// Test that when the config changes from off to on, a
14075		// resumption is rejected because the server now wants just the
14076		// hash.
14077		testCases = append(testCases, testCase{
14078			testType: serverTest,
14079			name:     "RetainOnlySHA256-OffOn-" + ver.name,
14080			config: Config{
14081				MinVersion:   ver.version,
14082				MaxVersion:   ver.version,
14083				Certificates: []Certificate{rsaCertificate},
14084			},
14085			flags: []string{
14086				"-verify-peer",
14087				"-on-resume-retain-only-sha256-client-cert",
14088				"-on-resume-expect-sha256-client-cert",
14089			},
14090			resumeSession:        true,
14091			expectResumeRejected: true,
14092		})
14093	}
14094}
14095
14096func addECDSAKeyUsageTests() {
14097	p256 := elliptic.P256()
14098	priv, err := ecdsa.GenerateKey(p256, rand.Reader)
14099	if err != nil {
14100		panic(err)
14101	}
14102
14103	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
14104	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
14105	if err != nil {
14106		panic(err)
14107	}
14108
14109	template := x509.Certificate{
14110		SerialNumber: serialNumber,
14111		Subject: pkix.Name{
14112			Organization: []string{"Acme Co"},
14113		},
14114		NotBefore: time.Now(),
14115		NotAfter:  time.Now(),
14116
14117		// An ECC certificate with only the keyAgreement key usgae may
14118		// be used with ECDH, but not ECDSA.
14119		KeyUsage:              x509.KeyUsageKeyAgreement,
14120		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
14121		BasicConstraintsValid: true,
14122	}
14123
14124	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
14125	if err != nil {
14126		panic(err)
14127	}
14128
14129	cert := Certificate{
14130		Certificate: [][]byte{derBytes},
14131		PrivateKey:  priv,
14132	}
14133
14134	for _, ver := range tlsVersions {
14135		if ver.version < VersionTLS12 {
14136			continue
14137		}
14138
14139		testCases = append(testCases, testCase{
14140			testType: clientTest,
14141			name:     "ECDSAKeyUsage-" + ver.name,
14142			config: Config{
14143				MinVersion:   ver.version,
14144				MaxVersion:   ver.version,
14145				Certificates: []Certificate{cert},
14146			},
14147			shouldFail:    true,
14148			expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14149		})
14150	}
14151}
14152
14153func addRSAKeyUsageTests() {
14154	priv := rsaCertificate.PrivateKey.(*rsa.PrivateKey)
14155
14156	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
14157	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
14158	if err != nil {
14159		panic(err)
14160	}
14161
14162	dsTemplate := x509.Certificate{
14163		SerialNumber: serialNumber,
14164		Subject: pkix.Name{
14165			Organization: []string{"Acme Co"},
14166		},
14167		NotBefore: time.Now(),
14168		NotAfter:  time.Now(),
14169
14170		KeyUsage:              x509.KeyUsageDigitalSignature,
14171		BasicConstraintsValid: true,
14172	}
14173
14174	encTemplate := x509.Certificate{
14175		SerialNumber: serialNumber,
14176		Subject: pkix.Name{
14177			Organization: []string{"Acme Co"},
14178		},
14179		NotBefore: time.Now(),
14180		NotAfter:  time.Now(),
14181
14182		KeyUsage:              x509.KeyUsageKeyEncipherment,
14183		BasicConstraintsValid: true,
14184	}
14185
14186	dsDerBytes, err := x509.CreateCertificate(rand.Reader, &dsTemplate, &dsTemplate, &priv.PublicKey, priv)
14187	if err != nil {
14188		panic(err)
14189	}
14190
14191	encDerBytes, err := x509.CreateCertificate(rand.Reader, &encTemplate, &encTemplate, &priv.PublicKey, priv)
14192	if err != nil {
14193		panic(err)
14194	}
14195
14196	dsCert := Certificate{
14197		Certificate: [][]byte{dsDerBytes},
14198		PrivateKey:  priv,
14199	}
14200
14201	encCert := Certificate{
14202		Certificate: [][]byte{encDerBytes},
14203		PrivateKey:  priv,
14204	}
14205
14206	dsSuites := []uint16{
14207		TLS_AES_128_GCM_SHA256,
14208		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
14209		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
14210	}
14211	encSuites := []uint16{
14212		TLS_RSA_WITH_AES_128_GCM_SHA256,
14213		TLS_RSA_WITH_AES_128_CBC_SHA,
14214	}
14215
14216	for _, ver := range tlsVersions {
14217		testCases = append(testCases, testCase{
14218			testType: clientTest,
14219			name:     "RSAKeyUsage-WantSignature-GotEncipherment-" + ver.name,
14220			config: Config{
14221				MinVersion:   ver.version,
14222				MaxVersion:   ver.version,
14223				Certificates: []Certificate{encCert},
14224				CipherSuites: dsSuites,
14225			},
14226			shouldFail:    true,
14227			expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14228			flags: []string{
14229				"-enforce-rsa-key-usage",
14230			},
14231		})
14232
14233		testCases = append(testCases, testCase{
14234			testType: clientTest,
14235			name:     "RSAKeyUsage-WantSignature-GotSignature-" + ver.name,
14236			config: Config{
14237				MinVersion:   ver.version,
14238				MaxVersion:   ver.version,
14239				Certificates: []Certificate{dsCert},
14240				CipherSuites: dsSuites,
14241			},
14242			flags: []string{
14243				"-enforce-rsa-key-usage",
14244			},
14245		})
14246
14247		// TLS 1.3 removes the encipherment suites.
14248		if ver.version < VersionTLS13 {
14249			testCases = append(testCases, testCase{
14250				testType: clientTest,
14251				name:     "RSAKeyUsage-WantEncipherment-GotEncipherment" + ver.name,
14252				config: Config{
14253					MinVersion:   ver.version,
14254					MaxVersion:   ver.version,
14255					Certificates: []Certificate{encCert},
14256					CipherSuites: encSuites,
14257				},
14258				flags: []string{
14259					"-enforce-rsa-key-usage",
14260				},
14261			})
14262
14263			testCases = append(testCases, testCase{
14264				testType: clientTest,
14265				name:     "RSAKeyUsage-WantEncipherment-GotSignature-" + ver.name,
14266				config: Config{
14267					MinVersion:   ver.version,
14268					MaxVersion:   ver.version,
14269					Certificates: []Certificate{dsCert},
14270					CipherSuites: encSuites,
14271				},
14272				shouldFail:    true,
14273				expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14274				flags: []string{
14275					"-enforce-rsa-key-usage",
14276				},
14277			})
14278
14279			// In 1.2 and below, we should not enforce without the enforce-rsa-key-usage flag.
14280			testCases = append(testCases, testCase{
14281				testType: clientTest,
14282				name:     "RSAKeyUsage-WantSignature-GotEncipherment-Unenforced" + ver.name,
14283				config: Config{
14284					MinVersion:   ver.version,
14285					MaxVersion:   ver.version,
14286					Certificates: []Certificate{dsCert},
14287					CipherSuites: encSuites,
14288				},
14289			})
14290
14291			testCases = append(testCases, testCase{
14292				testType: clientTest,
14293				name:     "RSAKeyUsage-WantEncipherment-GotSignature-Unenforced" + ver.name,
14294				config: Config{
14295					MinVersion:   ver.version,
14296					MaxVersion:   ver.version,
14297					Certificates: []Certificate{encCert},
14298					CipherSuites: dsSuites,
14299				},
14300			})
14301
14302		}
14303
14304		if ver.version >= VersionTLS13 {
14305			// In 1.3 and above, we enforce keyUsage even without the flag.
14306			testCases = append(testCases, testCase{
14307				testType: clientTest,
14308				name:     "RSAKeyUsage-WantSignature-GotEncipherment-Enforced" + ver.name,
14309				config: Config{
14310					MinVersion:   ver.version,
14311					MaxVersion:   ver.version,
14312					Certificates: []Certificate{encCert},
14313					CipherSuites: dsSuites,
14314				},
14315				shouldFail:    true,
14316				expectedError: ":KEY_USAGE_BIT_INCORRECT:",
14317			})
14318
14319		}
14320	}
14321}
14322
14323func addExtraHandshakeTests() {
14324	// An extra SSL_do_handshake is normally a no-op. These tests use -async
14325	// to ensure there is no transport I/O.
14326	testCases = append(testCases, testCase{
14327		testType: clientTest,
14328		name:     "ExtraHandshake-Client-TLS12",
14329		config: Config{
14330			MinVersion: VersionTLS12,
14331			MaxVersion: VersionTLS12,
14332		},
14333		flags: []string{
14334			"-async",
14335			"-no-op-extra-handshake",
14336		},
14337	})
14338	testCases = append(testCases, testCase{
14339		testType: serverTest,
14340		name:     "ExtraHandshake-Server-TLS12",
14341		config: Config{
14342			MinVersion: VersionTLS12,
14343			MaxVersion: VersionTLS12,
14344		},
14345		flags: []string{
14346			"-async",
14347			"-no-op-extra-handshake",
14348		},
14349	})
14350	testCases = append(testCases, testCase{
14351		testType: clientTest,
14352		name:     "ExtraHandshake-Client-TLS13",
14353		config: Config{
14354			MinVersion: VersionTLS13,
14355			MaxVersion: VersionTLS13,
14356		},
14357		flags: []string{
14358			"-async",
14359			"-no-op-extra-handshake",
14360		},
14361	})
14362	testCases = append(testCases, testCase{
14363		testType: serverTest,
14364		name:     "ExtraHandshake-Server-TLS13",
14365		config: Config{
14366			MinVersion: VersionTLS13,
14367			MaxVersion: VersionTLS13,
14368		},
14369		flags: []string{
14370			"-async",
14371			"-no-op-extra-handshake",
14372		},
14373	})
14374
14375	// An extra SSL_do_handshake is a no-op in server 0-RTT.
14376	testCases = append(testCases, testCase{
14377		testType: serverTest,
14378		name:     "ExtraHandshake-Server-EarlyData-TLS13",
14379		config: Config{
14380			MaxVersion: VersionTLS13,
14381			MinVersion: VersionTLS13,
14382			Bugs: ProtocolBugs{
14383				SendEarlyData:           [][]byte{{1, 2, 3, 4}},
14384				ExpectEarlyDataAccepted: true,
14385				ExpectHalfRTTData:       [][]byte{{254, 253, 252, 251}},
14386			},
14387		},
14388		messageCount:  2,
14389		resumeSession: true,
14390		flags: []string{
14391			"-async",
14392			"-enable-early-data",
14393			"-expect-accept-early-data",
14394			"-no-op-extra-handshake",
14395		},
14396	})
14397
14398	// An extra SSL_do_handshake drives the handshake to completion in False
14399	// Start. We test this by handshaking twice and asserting the False
14400	// Start does not appear to happen. See AlertBeforeFalseStartTest for
14401	// how the test works.
14402	testCases = append(testCases, testCase{
14403		testType: clientTest,
14404		name:     "ExtraHandshake-FalseStart",
14405		config: Config{
14406			MaxVersion:   VersionTLS12,
14407			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
14408			NextProtos:   []string{"foo"},
14409			Bugs: ProtocolBugs{
14410				ExpectFalseStart:          true,
14411				AlertBeforeFalseStartTest: alertAccessDenied,
14412			},
14413		},
14414		flags: []string{
14415			"-handshake-twice",
14416			"-false-start",
14417			"-advertise-alpn", "\x03foo",
14418			"-expect-alpn", "foo",
14419		},
14420		shimWritesFirst:    true,
14421		shouldFail:         true,
14422		expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
14423		expectedLocalError: "tls: peer did not false start: EOF",
14424	})
14425}
14426
14427// Test that omitted and empty extensions blocks are tolerated.
14428func addOmitExtensionsTests() {
14429	// Check the ExpectOmitExtensions setting works.
14430	testCases = append(testCases, testCase{
14431		testType: serverTest,
14432		name:     "ExpectOmitExtensions",
14433		config: Config{
14434			MinVersion: VersionTLS12,
14435			MaxVersion: VersionTLS12,
14436			Bugs: ProtocolBugs{
14437				ExpectOmitExtensions: true,
14438			},
14439		},
14440		shouldFail:         true,
14441		expectedLocalError: "tls: ServerHello did not omit extensions",
14442	})
14443
14444	for _, ver := range tlsVersions {
14445		if ver.version > VersionTLS12 {
14446			continue
14447		}
14448
14449		testCases = append(testCases, testCase{
14450			testType: serverTest,
14451			name:     "OmitExtensions-ClientHello-" + ver.name,
14452			config: Config{
14453				MinVersion:             ver.version,
14454				MaxVersion:             ver.version,
14455				SessionTicketsDisabled: true,
14456				Bugs: ProtocolBugs{
14457					OmitExtensions: true,
14458					// With no client extensions, the ServerHello must not have
14459					// extensions. It should then omit the extensions field.
14460					ExpectOmitExtensions: true,
14461				},
14462			},
14463		})
14464
14465		testCases = append(testCases, testCase{
14466			testType: serverTest,
14467			name:     "EmptyExtensions-ClientHello-" + ver.name,
14468			config: Config{
14469				MinVersion:             ver.version,
14470				MaxVersion:             ver.version,
14471				SessionTicketsDisabled: true,
14472				Bugs: ProtocolBugs{
14473					EmptyExtensions: true,
14474					// With no client extensions, the ServerHello must not have
14475					// extensions. It should then omit the extensions field.
14476					ExpectOmitExtensions: true,
14477				},
14478			},
14479		})
14480
14481		testCases = append(testCases, testCase{
14482			testType: clientTest,
14483			name:     "OmitExtensions-ServerHello-" + ver.name,
14484			config: Config{
14485				MinVersion:             ver.version,
14486				MaxVersion:             ver.version,
14487				SessionTicketsDisabled: true,
14488				Bugs: ProtocolBugs{
14489					OmitExtensions: true,
14490					// Disable all ServerHello extensions so
14491					// OmitExtensions works.
14492					NoExtendedMasterSecret:        true,
14493					NoRenegotiationInfo:           true,
14494					NoOCSPStapling:                true,
14495					NoSignedCertificateTimestamps: true,
14496				},
14497			},
14498		})
14499
14500		testCases = append(testCases, testCase{
14501			testType: clientTest,
14502			name:     "EmptyExtensions-ServerHello-" + ver.name,
14503			config: Config{
14504				MinVersion:             ver.version,
14505				MaxVersion:             ver.version,
14506				SessionTicketsDisabled: true,
14507				Bugs: ProtocolBugs{
14508					EmptyExtensions: true,
14509					// Disable all ServerHello extensions so
14510					// EmptyExtensions works.
14511					NoExtendedMasterSecret:        true,
14512					NoRenegotiationInfo:           true,
14513					NoOCSPStapling:                true,
14514					NoSignedCertificateTimestamps: true,
14515				},
14516			},
14517		})
14518	}
14519}
14520
14521func addCertCompressionTests() {
14522	// shrinkingPrefix is the first two bytes of a Certificate message.
14523	shrinkingPrefix := []byte{0, 0}
14524	// expandingPrefix is just some arbitrary byte string. This has to match the
14525	// value in the shim.
14526	expandingPrefix := []byte{1, 2, 3, 4}
14527
14528	shrinking := CertCompressionAlg{
14529		Compress: func(uncompressed []byte) []byte {
14530			if !bytes.HasPrefix(uncompressed, shrinkingPrefix) {
14531				panic(fmt.Sprintf("cannot compress certificate message %x", uncompressed))
14532			}
14533			return uncompressed[len(shrinkingPrefix):]
14534		},
14535		Decompress: func(out []byte, compressed []byte) bool {
14536			if len(out) != len(shrinkingPrefix)+len(compressed) {
14537				return false
14538			}
14539
14540			copy(out, shrinkingPrefix)
14541			copy(out[len(shrinkingPrefix):], compressed)
14542			return true
14543		},
14544	}
14545
14546	expanding := CertCompressionAlg{
14547		Compress: func(uncompressed []byte) []byte {
14548			ret := make([]byte, 0, len(expandingPrefix)+len(uncompressed))
14549			ret = append(ret, expandingPrefix...)
14550			return append(ret, uncompressed...)
14551		},
14552		Decompress: func(out []byte, compressed []byte) bool {
14553			if !bytes.HasPrefix(compressed, expandingPrefix) {
14554				return false
14555			}
14556			copy(out, compressed[len(expandingPrefix):])
14557			return true
14558		},
14559	}
14560
14561	const (
14562		shrinkingAlgId = 0xff01
14563		expandingAlgId = 0xff02
14564	)
14565
14566	for _, ver := range tlsVersions {
14567		if ver.version < VersionTLS12 {
14568			continue
14569		}
14570
14571		// Duplicate compression algorithms is an error, even if nothing is
14572		// configured.
14573		testCases = append(testCases, testCase{
14574			testType: serverTest,
14575			name:     "DuplicateCertCompressionExt-" + ver.name,
14576			config: Config{
14577				MinVersion: ver.version,
14578				MaxVersion: ver.version,
14579				Bugs: ProtocolBugs{
14580					DuplicateCompressedCertAlgs: true,
14581				},
14582			},
14583			shouldFail:    true,
14584			expectedError: ":ERROR_PARSING_EXTENSION:",
14585		})
14586
14587		// With compression algorithms configured, an duplicate values should still
14588		// be an error.
14589		testCases = append(testCases, testCase{
14590			testType: serverTest,
14591			name:     "DuplicateCertCompressionExt2-" + ver.name,
14592			flags:    []string{"-install-cert-compression-algs"},
14593			config: Config{
14594				MinVersion: ver.version,
14595				MaxVersion: ver.version,
14596				Bugs: ProtocolBugs{
14597					DuplicateCompressedCertAlgs: true,
14598				},
14599			},
14600			shouldFail:    true,
14601			expectedError: ":ERROR_PARSING_EXTENSION:",
14602		})
14603
14604		if ver.version < VersionTLS13 {
14605			testCases = append(testCases, testCase{
14606				testType: serverTest,
14607				name:     "CertCompressionIgnoredBefore13-" + ver.name,
14608				flags:    []string{"-install-cert-compression-algs"},
14609				config: Config{
14610					MinVersion:          ver.version,
14611					MaxVersion:          ver.version,
14612					CertCompressionAlgs: map[uint16]CertCompressionAlg{expandingAlgId: expanding},
14613				},
14614			})
14615
14616			continue
14617		}
14618
14619		testCases = append(testCases, testCase{
14620			testType: serverTest,
14621			name:     "CertCompressionExpands-" + ver.name,
14622			flags:    []string{"-install-cert-compression-algs"},
14623			config: Config{
14624				MinVersion:          ver.version,
14625				MaxVersion:          ver.version,
14626				CertCompressionAlgs: map[uint16]CertCompressionAlg{expandingAlgId: expanding},
14627				Bugs: ProtocolBugs{
14628					ExpectedCompressedCert: expandingAlgId,
14629				},
14630			},
14631		})
14632
14633		testCases = append(testCases, testCase{
14634			testType: serverTest,
14635			name:     "CertCompressionShrinks-" + ver.name,
14636			flags:    []string{"-install-cert-compression-algs"},
14637			config: Config{
14638				MinVersion:          ver.version,
14639				MaxVersion:          ver.version,
14640				CertCompressionAlgs: map[uint16]CertCompressionAlg{shrinkingAlgId: shrinking},
14641				Bugs: ProtocolBugs{
14642					ExpectedCompressedCert: shrinkingAlgId,
14643				},
14644			},
14645		})
14646
14647		// With both algorithms configured, the server should pick its most
14648		// preferable. (Which is expandingAlgId.)
14649		testCases = append(testCases, testCase{
14650			testType: serverTest,
14651			name:     "CertCompressionPriority-" + ver.name,
14652			flags:    []string{"-install-cert-compression-algs"},
14653			config: Config{
14654				MinVersion: ver.version,
14655				MaxVersion: ver.version,
14656				CertCompressionAlgs: map[uint16]CertCompressionAlg{
14657					shrinkingAlgId: shrinking,
14658					expandingAlgId: expanding,
14659				},
14660				Bugs: ProtocolBugs{
14661					ExpectedCompressedCert: expandingAlgId,
14662				},
14663			},
14664		})
14665
14666		testCases = append(testCases, testCase{
14667			testType: clientTest,
14668			name:     "CertCompressionExpandsClient-" + ver.name,
14669			flags:    []string{"-install-cert-compression-algs"},
14670			config: Config{
14671				MinVersion: ver.version,
14672				MaxVersion: ver.version,
14673				CertCompressionAlgs: map[uint16]CertCompressionAlg{
14674					expandingAlgId: expanding,
14675				},
14676				Bugs: ProtocolBugs{
14677					ExpectedCompressedCert: expandingAlgId,
14678				},
14679			},
14680		})
14681
14682		testCases = append(testCases, testCase{
14683			testType: clientTest,
14684			name:     "CertCompressionShrinksClient-" + ver.name,
14685			flags:    []string{"-install-cert-compression-algs"},
14686			config: Config{
14687				MinVersion: ver.version,
14688				MaxVersion: ver.version,
14689				CertCompressionAlgs: map[uint16]CertCompressionAlg{
14690					shrinkingAlgId: shrinking,
14691				},
14692				Bugs: ProtocolBugs{
14693					ExpectedCompressedCert: shrinkingAlgId,
14694				},
14695			},
14696		})
14697
14698		testCases = append(testCases, testCase{
14699			testType: clientTest,
14700			name:     "CertCompressionBadAlgIdClient-" + ver.name,
14701			flags:    []string{"-install-cert-compression-algs"},
14702			config: Config{
14703				MinVersion: ver.version,
14704				MaxVersion: ver.version,
14705				CertCompressionAlgs: map[uint16]CertCompressionAlg{
14706					shrinkingAlgId: shrinking,
14707				},
14708				Bugs: ProtocolBugs{
14709					ExpectedCompressedCert:   shrinkingAlgId,
14710					SendCertCompressionAlgId: 1234,
14711				},
14712			},
14713			shouldFail:    true,
14714			expectedError: ":UNKNOWN_CERT_COMPRESSION_ALG:",
14715		})
14716
14717		testCases = append(testCases, testCase{
14718			testType: clientTest,
14719			name:     "CertCompressionTooSmallClient-" + ver.name,
14720			flags:    []string{"-install-cert-compression-algs"},
14721			config: Config{
14722				MinVersion: ver.version,
14723				MaxVersion: ver.version,
14724				CertCompressionAlgs: map[uint16]CertCompressionAlg{
14725					shrinkingAlgId: shrinking,
14726				},
14727				Bugs: ProtocolBugs{
14728					ExpectedCompressedCert:     shrinkingAlgId,
14729					SendCertUncompressedLength: 12,
14730				},
14731			},
14732			shouldFail:    true,
14733			expectedError: ":CERT_DECOMPRESSION_FAILED:",
14734		})
14735
14736		testCases = append(testCases, testCase{
14737			testType: clientTest,
14738			name:     "CertCompressionTooLargeClient-" + ver.name,
14739			flags:    []string{"-install-cert-compression-algs"},
14740			config: Config{
14741				MinVersion: ver.version,
14742				MaxVersion: ver.version,
14743				CertCompressionAlgs: map[uint16]CertCompressionAlg{
14744					shrinkingAlgId: shrinking,
14745				},
14746				Bugs: ProtocolBugs{
14747					ExpectedCompressedCert:     shrinkingAlgId,
14748					SendCertUncompressedLength: 1 << 20,
14749				},
14750			},
14751			shouldFail:    true,
14752			expectedError: ":UNCOMPRESSED_CERT_TOO_LARGE:",
14753		})
14754	}
14755}
14756
14757func addJDK11WorkaroundTests() {
14758	// Test the client treats the JDK 11 downgrade random like the usual one.
14759	testCases = append(testCases, testCase{
14760		testType: clientTest,
14761		name:     "Client-RejectJDK11DowngradeRandom",
14762		config: Config{
14763			MaxVersion: VersionTLS12,
14764			Bugs: ProtocolBugs{
14765				SendJDK11DowngradeRandom: true,
14766			},
14767		},
14768		shouldFail:         true,
14769		expectedError:      ":TLS13_DOWNGRADE:",
14770		expectedLocalError: "remote error: illegal parameter",
14771	})
14772	testCases = append(testCases, testCase{
14773		testType: clientTest,
14774		name:     "Client-AcceptJDK11DowngradeRandom",
14775		config: Config{
14776			MaxVersion: VersionTLS12,
14777			Bugs: ProtocolBugs{
14778				SendJDK11DowngradeRandom: true,
14779			},
14780		},
14781		flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
14782	})
14783
14784	var clientHelloTests = []struct {
14785		clientHello []byte
14786		isJDK11     bool
14787	}{
14788		{
14789			// A default JDK 11 ClientHello.
14790			decodeHexOrPanic("010001a9030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b5"),
14791			true,
14792		},
14793		{
14794			// The above with supported_versions and
14795			// psk_key_exchange_modes in the wrong order.
14796			decodeHexOrPanic("010001a9030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002d00020101002b00090803040303030203010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b5"),
14797			false,
14798		},
14799		{
14800			// The above with a padding extension added at the end.
14801			decodeHexOrPanic("010001b4030336a379aa355a22a064b4402760efae1c73977b0b4c975efc7654c35677723dde201fe3f8a2bca60418a68f72463ea19f3c241e7cbfceb347e451a62bd2417d8981005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000111000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104721f007464cb08a0f36e093ad178eb78d6968df20077b2dd882694a85dc4c9884caf5092db41f16cc3f8d41f59426992fa5e32cfb9ad08deee752cdd95b1a6b50015000700000000000000"),
14802			false,
14803		},
14804		{
14805			// A JDK 11 ClientHello offering a TLS 1.3 PSK.
14806			decodeHexOrPanic("0100024c0303a8d71b20f060545a398226e807d21371a7a02b7ca2f96f476c2dea7e5860c5a400005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff010001c9000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d000201010033004700450017004104aaec585ea9e121b24710a23560571322b2cf8ab8cd14e5762ef0486d8a6d0ecd721d8f2abda2eb8ed5ab7195505660450f49bba94bbf0c3f0070a531d9a1be4f002900cb00a600a0e6f7586d9a2bf64a54c1adf55a2f76657047e8e88e26629e2e7b9d630941e06fd87792770f6834e159a70b252157a9b4b082183f24629c8ff5049088b07ce37c49de8cf752a2ed7a545aff63bdc7a1b18e1bc201f23f159ee75d4987a04e00f840824f764691ab83a20e3032646e793065874cdb46138a52f50ed71406f399f96f9309eba4e5b1966148c22a63dc4aa1364269dd41dd5cc0e848d07af0095622c52cfcfc00212009cc315259e2328d65ad17a3de7c182c7874140a9356fecdd4614657806cd659"),
14807			true,
14808		},
14809		{
14810			// A JDK 11 ClientHello offering a TLS 1.2 session.
14811			decodeHexOrPanic("010001a903038cdec49f4836d064a75046c93f22d0b9c2cf4900917332e6f0e1f41d692d3146201a3e99047492285ec65ab4e0eeee59f8f9d1eb7687398887bcd7b81353e93923005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000106000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b0009080304030303020301002d0002010100330047004500170041041c83c42fcd8fc06265b9f6e4f076f7e7ee17ace915c587845c0e1bc8cd177f904befeb611b682cae4702509a5f5d0c7162a282b8152d843169b91136e7c6f3e7"),
14812			true,
14813		},
14814		{
14815			// A JDK 11 ClientHello with EMS disabled.
14816			decodeHexOrPanic("010001a50303323a857c324a9ef57d6e2544d129073830385cb1dc75ea79f6a2ec8ae09d2e7320f85fdd081678874c67ebab235e6d6a81d947f690bc0af9be4d39854ed67d9ef9005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000102000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b040105010601040203030301030202030201020200110009000702000400000000002b0009080304030303020301002d0002010100330047004500170041049c904c4850b495d75522f955d79e9cabea065c90279d6037a101a4c4ee712afc93ad0df5d12d287d53e458c7075d9a3ce3969c939bb62222bda779cecf54a603"),
14817			true,
14818		},
14819		{
14820			// A JDK 11 ClientHello with OCSP stapling disabled.
14821			decodeHexOrPanic("0100019303038a50481dc85ee4f6581670821c50f2b3d34ac3251dc6e9b751bfd2521ab47ab02069a963c5486034c37ae0577ddb4c2db28cab592380ef8e4599d1305148712112005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff010000f0000000080006000003736e69000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b040105010601040203030301030202030201020200170000002b0009080304030303020301002d00020101003300470045001700410438a97824f842c549e3c339322d8b2dbaa85d10bd7bca9c969376cb0c60b1e929eb4d13db38dcb0082ad8c637b24f55466a9acbb0b63634c1f431ec8342cf720d"),
14822			true,
14823		},
14824		{
14825			// A JDK 11 ClientHello configured with a smaller set of
14826			// ciphers.
14827			decodeHexOrPanic("0100015603036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f4811800061301c02bc02f01000107000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
14828			true,
14829		},
14830		{
14831			// The above with TLS_CHACHA20_POLY1305_SHA256 added,
14832			// which JDK 11 does not support.
14833			decodeHexOrPanic("0100015803036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f48118000813011303c02bc02f01000107000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
14834			false,
14835		},
14836		{
14837			// The above with X25519 added, which JDK 11 does not
14838			// support.
14839			decodeHexOrPanic("0100015803036f5706bbdf1dcae671cd9be043603f5ed20f8fc195b426504cafb4f353edb0012007aabd35e588bc2504a72eda42cbbf89d69cfc0a6a1d77db0d757606f1f4811800061301c02bc02f01000109000000080006000003736e69000500050100000000000a00220020001d0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020011000900070200040000000000170000002b00050403040303002d000201010033004700450017004104d283f3d5a90259b61d43ea1511211f568ce5d18457326b717e1f9d6b7d1476f2b51cdc3c798d3bdfba5095edff0ffd0540f6bc0c324bd9744f3b3f24317496e3ff01000100"),
14840			false,
14841		},
14842		{
14843			// A JDK 11 ClientHello with ALPN protocols configured.
14844			decodeHexOrPanic("010001bb0303c0e0ea707b00c5311eb09cabd58626692cebfaefaef7265637e4550811dae16220da86d6eea04e214e873675223f08a6926bcf79f16d866280bdbab85e9e09c3ff005a13011302c02cc02bc030009dc02ec032009f00a3c02f009cc02dc031009e00a2c024c028003dc026c02a006b006ac00ac0140035c005c00f00390038c023c027003cc025c02900670040c009c013002fc004c00e0033003200ff01000118000000080006000003736e69000500050100000000000a0020001e0017001800190009000a000b000c000d000e001601000101010201030104000b00020100000d002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020032002800260403050306030804080508060809080a080b04010501060104020303030103020203020102020010000e000c02683208687474702f312e310011000900070200040000000000170000002b0009080304030303020301002d00020101003300470045001700410416def07c1d66ddde5fc9dcc328c8e77022d321c590c0d30cb41d515b38dca34540819a216c6c053bd47b9068f4f6b960f03647de4e36e8b7ffeea78f7252e3d9"),
14845			true,
14846		},
14847	}
14848	for i, t := range clientHelloTests {
14849		expectedVersion := uint16(VersionTLS13)
14850		if t.isJDK11 {
14851			expectedVersion = VersionTLS12
14852		}
14853
14854		// In each of these tests, we set DefaultCurves to P-256 to
14855		// match the test inputs. SendClientHelloWithFixes requires the
14856		// key_shares extension to match in type.
14857
14858		// With the workaround enabled, we should negotiate TLS 1.2 on
14859		// JDK 11 ClientHellos.
14860		testCases = append(testCases, testCase{
14861			testType: serverTest,
14862			name:     fmt.Sprintf("Server-JDK11-%d", i),
14863			config: Config{
14864				MaxVersion:    VersionTLS13,
14865				DefaultCurves: []CurveID{CurveP256},
14866				Bugs: ProtocolBugs{
14867					SendClientHelloWithFixes:   t.clientHello,
14868					ExpectJDK11DowngradeRandom: t.isJDK11,
14869				},
14870			},
14871			expectedVersion: expectedVersion,
14872			flags:           []string{"-jdk11-workaround"},
14873		})
14874
14875		// With the workaround disabled, we always negotiate TLS 1.3.
14876		testCases = append(testCases, testCase{
14877			testType: serverTest,
14878			name:     fmt.Sprintf("Server-JDK11-NoWorkaround-%d", i),
14879			config: Config{
14880				MaxVersion:    VersionTLS13,
14881				DefaultCurves: []CurveID{CurveP256},
14882				Bugs: ProtocolBugs{
14883					SendClientHelloWithFixes:   t.clientHello,
14884					ExpectJDK11DowngradeRandom: false,
14885				},
14886			},
14887			expectedVersion: VersionTLS13,
14888		})
14889
14890		// If the server does not support TLS 1.3, the workaround should
14891		// be a no-op. In particular, it should not send the downgrade
14892		// signal.
14893		testCases = append(testCases, testCase{
14894			testType: serverTest,
14895			name:     fmt.Sprintf("Server-JDK11-TLS12-%d", i),
14896			config: Config{
14897				MaxVersion:    VersionTLS13,
14898				DefaultCurves: []CurveID{CurveP256},
14899				Bugs: ProtocolBugs{
14900					SendClientHelloWithFixes:   t.clientHello,
14901					ExpectJDK11DowngradeRandom: false,
14902				},
14903			},
14904			expectedVersion: VersionTLS12,
14905			flags: []string{
14906				"-jdk11-workaround",
14907				"-max-version", strconv.Itoa(VersionTLS12),
14908			},
14909		})
14910	}
14911}
14912
14913func addDelegatedCredentialTests() {
14914	certPath := path.Join(*resourceDir, rsaCertificateFile)
14915	pemBytes, err := ioutil.ReadFile(certPath)
14916	if err != nil {
14917		panic(err)
14918	}
14919
14920	block, _ := pem.Decode(pemBytes)
14921	if block == nil {
14922		panic(fmt.Sprintf("no PEM block found in %q", certPath))
14923	}
14924	parentDER := block.Bytes
14925
14926	rsaPriv, _, err := loadRSAPrivateKey(rsaKeyFile)
14927	if err != nil {
14928		panic(err)
14929	}
14930
14931	ecdsaDC, ecdsaPKCS8, err := createDelegatedCredential(delegatedCredentialConfig{
14932		algo: signatureRSAPSSWithSHA256,
14933	}, parentDER, rsaPriv)
14934	if err != nil {
14935		panic(err)
14936	}
14937	ecdsaFlagValue := fmt.Sprintf("%x,%x", ecdsaDC, ecdsaPKCS8)
14938
14939	testCases = append(testCases, testCase{
14940		testType: serverTest,
14941		name:     "DelegatedCredentials-NoClientSupport",
14942		config: Config{
14943			MinVersion: VersionTLS13,
14944			MaxVersion: VersionTLS13,
14945			Bugs: ProtocolBugs{
14946				DisableDelegatedCredentials: true,
14947			},
14948		},
14949		flags: []string{
14950			"-delegated-credential", ecdsaFlagValue,
14951		},
14952	})
14953
14954	testCases = append(testCases, testCase{
14955		testType: serverTest,
14956		name:     "DelegatedCredentials-Basic",
14957		config: Config{
14958			MinVersion: VersionTLS13,
14959			MaxVersion: VersionTLS13,
14960			Bugs: ProtocolBugs{
14961				ExpectDelegatedCredentials: true,
14962			},
14963		},
14964		flags: []string{
14965			"-delegated-credential", ecdsaFlagValue,
14966		},
14967	})
14968
14969	testCases = append(testCases, testCase{
14970		testType: serverTest,
14971		name:     "DelegatedCredentials-SigAlgoMissing",
14972		config: Config{
14973			MinVersion: VersionTLS13,
14974			MaxVersion: VersionTLS13,
14975			Bugs: ProtocolBugs{
14976				FailIfDelegatedCredentials: true,
14977			},
14978			// If the client doesn't support the delegated credential signature
14979			// algorithm then the handshake should complete without using delegated
14980			// credentials.
14981			VerifySignatureAlgorithms: []signatureAlgorithm{signatureRSAPSSWithSHA256},
14982		},
14983		flags: []string{
14984			"-delegated-credential", ecdsaFlagValue,
14985		},
14986	})
14987
14988	// This flag value has mismatched public and private keys which should cause a
14989	// configuration error in the shim.
14990	_, badTLSVersionPKCS8, err := createDelegatedCredential(delegatedCredentialConfig{
14991		algo:       signatureRSAPSSWithSHA256,
14992		tlsVersion: 0x1234,
14993	}, parentDER, rsaPriv)
14994	if err != nil {
14995		panic(err)
14996	}
14997	mismatchFlagValue := fmt.Sprintf("%x,%x", ecdsaDC, badTLSVersionPKCS8)
14998	testCases = append(testCases, testCase{
14999		testType: serverTest,
15000		name:     "DelegatedCredentials-KeyMismatch",
15001		config: Config{
15002			MinVersion: VersionTLS13,
15003			MaxVersion: VersionTLS13,
15004			Bugs: ProtocolBugs{
15005				FailIfDelegatedCredentials: true,
15006			},
15007		},
15008		flags: []string{
15009			"-delegated-credential", mismatchFlagValue,
15010		},
15011		shouldFail:    true,
15012		expectedError: ":KEY_VALUES_MISMATCH:",
15013	})
15014}
15015
15016func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
15017	defer wg.Done()
15018
15019	for test := range c {
15020		var err error
15021
15022		if *mallocTest >= 0 {
15023			for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
15024				statusChan <- statusMsg{test: test, started: true}
15025				if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
15026					if err != nil {
15027						fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
15028					}
15029					break
15030				}
15031			}
15032		} else if *repeatUntilFailure {
15033			for err == nil {
15034				statusChan <- statusMsg{test: test, started: true}
15035				err = runTest(test, shimPath, -1)
15036			}
15037		} else {
15038			statusChan <- statusMsg{test: test, started: true}
15039			err = runTest(test, shimPath, -1)
15040		}
15041		statusChan <- statusMsg{test: test, err: err}
15042	}
15043}
15044
15045type statusMsg struct {
15046	test    *testCase
15047	started bool
15048	err     error
15049}
15050
15051func statusPrinter(doneChan chan *testresult.Results, statusChan chan statusMsg, total int) {
15052	var started, done, failed, unimplemented, lineLen int
15053
15054	testOutput := testresult.NewResults()
15055	for msg := range statusChan {
15056		if !*pipe {
15057			// Erase the previous status line.
15058			var erase string
15059			for i := 0; i < lineLen; i++ {
15060				erase += "\b \b"
15061			}
15062			fmt.Print(erase)
15063		}
15064
15065		if msg.started {
15066			started++
15067		} else {
15068			done++
15069
15070			if msg.err != nil {
15071				if msg.err == errUnimplemented {
15072					if *pipe {
15073						// Print each test instead of a status line.
15074						fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
15075					}
15076					unimplemented++
15077					if *allowUnimplemented {
15078						testOutput.AddSkip(msg.test.name)
15079					} else {
15080						testOutput.AddResult(msg.test.name, "SKIP")
15081					}
15082				} else {
15083					fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
15084					failed++
15085					testOutput.AddResult(msg.test.name, "FAIL")
15086				}
15087			} else {
15088				if *pipe {
15089					// Print each test instead of a status line.
15090					fmt.Printf("PASSED (%s)\n", msg.test.name)
15091				}
15092				testOutput.AddResult(msg.test.name, "PASS")
15093			}
15094		}
15095
15096		if !*pipe {
15097			// Print a new status line.
15098			line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
15099			lineLen = len(line)
15100			os.Stdout.WriteString(line)
15101		}
15102	}
15103
15104	doneChan <- testOutput
15105}
15106
15107func main() {
15108	flag.Parse()
15109	*resourceDir = path.Clean(*resourceDir)
15110	initCertificates()
15111
15112	addBasicTests()
15113	addCipherSuiteTests()
15114	addBadECDSASignatureTests()
15115	addCBCPaddingTests()
15116	addCBCSplittingTests()
15117	addClientAuthTests()
15118	addDDoSCallbackTests()
15119	addVersionNegotiationTests()
15120	addMinimumVersionTests()
15121	addExtensionTests()
15122	addResumptionVersionTests()
15123	addExtendedMasterSecretTests()
15124	addRenegotiationTests()
15125	addDTLSReplayTests()
15126	addSignatureAlgorithmTests()
15127	addDTLSRetransmitTests()
15128	addExportKeyingMaterialTests()
15129	addExportTrafficSecretsTests()
15130	addTLSUniqueTests()
15131	addCustomExtensionTests()
15132	addRSAClientKeyExchangeTests()
15133	addCurveTests()
15134	addSessionTicketTests()
15135	addTLS13RecordTests()
15136	addAllStateMachineCoverageTests()
15137	addChangeCipherSpecTests()
15138	addWrongMessageTypeTests()
15139	addTrailingMessageDataTests()
15140	addTLS13HandshakeTests()
15141	addTLS13CipherPreferenceTests()
15142	addPeekTests()
15143	addRecordVersionTests()
15144	addCertificateTests()
15145	addRetainOnlySHA256ClientCertTests()
15146	addECDSAKeyUsageTests()
15147	addRSAKeyUsageTests()
15148	addExtraHandshakeTests()
15149	addOmitExtensionsTests()
15150	addCertCompressionTests()
15151	addJDK11WorkaroundTests()
15152	addDelegatedCredentialTests()
15153
15154	testCases = append(testCases, convertToSplitHandshakeTests(testCases)...)
15155
15156	var wg sync.WaitGroup
15157
15158	statusChan := make(chan statusMsg, *numWorkers)
15159	testChan := make(chan *testCase, *numWorkers)
15160	doneChan := make(chan *testresult.Results)
15161
15162	if len(*shimConfigFile) != 0 {
15163		encoded, err := ioutil.ReadFile(*shimConfigFile)
15164		if err != nil {
15165			fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
15166			os.Exit(1)
15167		}
15168
15169		if err := json.Unmarshal(encoded, &shimConfig); err != nil {
15170			fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
15171			os.Exit(1)
15172		}
15173	}
15174
15175	go statusPrinter(doneChan, statusChan, len(testCases))
15176
15177	for i := 0; i < *numWorkers; i++ {
15178		wg.Add(1)
15179		go worker(statusChan, testChan, *shimPath, &wg)
15180	}
15181
15182	var foundTest bool
15183	for i := range testCases {
15184		matched := true
15185		if len(*testToRun) != 0 {
15186			var err error
15187			matched, err = filepath.Match(*testToRun, testCases[i].name)
15188			if err != nil {
15189				fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
15190				os.Exit(1)
15191			}
15192		}
15193
15194		if !*includeDisabled {
15195			for pattern := range shimConfig.DisabledTests {
15196				isDisabled, err := filepath.Match(pattern, testCases[i].name)
15197				if err != nil {
15198					fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
15199					os.Exit(1)
15200				}
15201
15202				if isDisabled {
15203					matched = false
15204					break
15205				}
15206			}
15207		}
15208
15209		if matched {
15210			foundTest = true
15211			testChan <- &testCases[i]
15212
15213			// Only run one test if repeating until failure.
15214			if *repeatUntilFailure {
15215				break
15216			}
15217		}
15218	}
15219
15220	if !foundTest {
15221		fmt.Fprintf(os.Stderr, "No tests run\n")
15222		os.Exit(1)
15223	}
15224
15225	close(testChan)
15226	wg.Wait()
15227	close(statusChan)
15228	testOutput := <-doneChan
15229
15230	fmt.Printf("\n")
15231
15232	if *jsonOutput != "" {
15233		if err := testOutput.WriteToFile(*jsonOutput); err != nil {
15234			fmt.Fprintf(os.Stderr, "Error: %s\n", err)
15235		}
15236	}
15237
15238	if !testOutput.HasUnexpectedResults() {
15239		os.Exit(1)
15240	}
15241}
15242