1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
20 var tests = []handshakeMessage{
26 &certificateRequestMsg{},
27 &certificateVerifyMsg{
28 hasSignatureAlgorithm: true,
30 &certificateStatusMsg{},
31 &clientKeyExchangeMsg{},
32 &newSessionTicketMsg{},
33 &encryptedExtensionsMsg{},
36 &newSessionTicketMsgTLS13{},
37 &certificateRequestMsgTLS13{},
38 &certificateMsgTLS13{},
42 func mustMarshal(t *testing.T, msg handshakeMessage) []byte {
44 b, err := msg.marshal()
51 func TestMarshalUnmarshal(t *testing.T) {
52 rand := rand.New(rand.NewSource(time.Now().UnixNano()))
54 for i, m := range tests {
55 ty := reflect.ValueOf(m).Type()
61 for j := 0; j < n; j++ {
62 v, ok := quick.Value(ty, rand)
64 t.Errorf("#%d: failed to create value", i)
68 m1 := v.Interface().(handshakeMessage)
69 marshaled := mustMarshal(t, m1)
70 if !m.unmarshal(marshaled) {
71 t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled)
74 m.marshal() // to fill any marshal cache in the message
76 if m, ok := m.(*SessionState); ok {
77 m.activeCertHandles = nil
80 if !reflect.DeepEqual(m1, m) {
81 t.Errorf("#%d got:%#v want:%#v %x", i, m, m1, marshaled)
86 // The first three message types (ClientHello,
87 // ServerHello and Finished) are allowed to
88 // have parsable prefixes because the extension
89 // data is optional and the length of the
90 // Finished varies across versions.
91 for j := 0; j < len(marshaled); j++ {
92 if m.unmarshal(marshaled[0:j]) {
93 t.Errorf("#%d unmarshaled a prefix of length %d of %#v", i, j, m1)
102 func TestFuzz(t *testing.T) {
103 rand := rand.New(rand.NewSource(0))
104 for _, m := range tests {
105 for j := 0; j < 1000; j++ {
106 len := rand.Intn(1000)
107 bytes := randomBytes(len, rand)
108 // This just looks for crashes due to bounds errors etc.
114 func randomBytes(n int, rand *rand.Rand) []byte {
116 if _, err := rand.Read(r); err != nil {
117 panic("rand.Read failed: " + err.Error())
122 func randomString(n int, rand *rand.Rand) string {
123 b := randomBytes(n, rand)
127 func (*clientHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
128 m := &clientHelloMsg{}
129 m.vers = uint16(rand.Intn(65536))
130 m.random = randomBytes(32, rand)
131 m.sessionId = randomBytes(rand.Intn(32), rand)
132 m.cipherSuites = make([]uint16, rand.Intn(63)+1)
133 for i := 0; i < len(m.cipherSuites); i++ {
134 cs := uint16(rand.Int31())
135 if cs == scsvRenegotiation {
138 m.cipherSuites[i] = cs
140 m.compressionMethods = randomBytes(rand.Intn(63)+1, rand)
141 if rand.Intn(10) > 5 {
142 m.serverName = randomString(rand.Intn(255), rand)
143 for strings.HasSuffix(m.serverName, ".") {
144 m.serverName = m.serverName[:len(m.serverName)-1]
147 m.ocspStapling = rand.Intn(10) > 5
148 m.supportedPoints = randomBytes(rand.Intn(5)+1, rand)
149 m.supportedCurves = make([]CurveID, rand.Intn(5)+1)
150 for i := range m.supportedCurves {
151 m.supportedCurves[i] = CurveID(rand.Intn(30000) + 1)
153 if rand.Intn(10) > 5 {
154 m.ticketSupported = true
155 if rand.Intn(10) > 5 {
156 m.sessionTicket = randomBytes(rand.Intn(300), rand)
158 m.sessionTicket = make([]byte, 0)
161 if rand.Intn(10) > 5 {
162 m.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
164 if rand.Intn(10) > 5 {
165 m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms()
167 for i := 0; i < rand.Intn(5); i++ {
168 m.alpnProtocols = append(m.alpnProtocols, randomString(rand.Intn(20)+1, rand))
170 if rand.Intn(10) > 5 {
173 if rand.Intn(10) > 5 {
174 m.secureRenegotiationSupported = true
175 m.secureRenegotiation = randomBytes(rand.Intn(50)+1, rand)
177 for i := 0; i < rand.Intn(5); i++ {
178 m.supportedVersions = append(m.supportedVersions, uint16(rand.Intn(0xffff)+1))
180 if rand.Intn(10) > 5 {
181 m.cookie = randomBytes(rand.Intn(500)+1, rand)
183 for i := 0; i < rand.Intn(5); i++ {
185 ks.group = CurveID(rand.Intn(30000) + 1)
186 ks.data = randomBytes(rand.Intn(200)+1, rand)
187 m.keyShares = append(m.keyShares, ks)
189 switch rand.Intn(3) {
191 m.pskModes = []uint8{pskModeDHE}
193 m.pskModes = []uint8{pskModeDHE, pskModePlain}
195 for i := 0; i < rand.Intn(5); i++ {
197 psk.obfuscatedTicketAge = uint32(rand.Intn(500000))
198 psk.label = randomBytes(rand.Intn(500)+1, rand)
199 m.pskIdentities = append(m.pskIdentities, psk)
200 m.pskBinders = append(m.pskBinders, randomBytes(rand.Intn(50)+32, rand))
202 if rand.Intn(10) > 5 {
203 m.quicTransportParameters = randomBytes(rand.Intn(500), rand)
205 if rand.Intn(10) > 5 {
209 return reflect.ValueOf(m)
212 func (*serverHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
213 m := &serverHelloMsg{}
214 m.vers = uint16(rand.Intn(65536))
215 m.random = randomBytes(32, rand)
216 m.sessionId = randomBytes(rand.Intn(32), rand)
217 m.cipherSuite = uint16(rand.Int31())
218 m.compressionMethod = uint8(rand.Intn(256))
219 m.supportedPoints = randomBytes(rand.Intn(5)+1, rand)
221 if rand.Intn(10) > 5 {
222 m.ocspStapling = true
224 if rand.Intn(10) > 5 {
225 m.ticketSupported = true
227 if rand.Intn(10) > 5 {
228 m.alpnProtocol = randomString(rand.Intn(32)+1, rand)
231 for i := 0; i < rand.Intn(4); i++ {
232 m.scts = append(m.scts, randomBytes(rand.Intn(500)+1, rand))
235 if rand.Intn(10) > 5 {
236 m.secureRenegotiationSupported = true
237 m.secureRenegotiation = randomBytes(rand.Intn(50)+1, rand)
239 if rand.Intn(10) > 5 {
240 m.supportedVersion = uint16(rand.Intn(0xffff) + 1)
242 if rand.Intn(10) > 5 {
243 m.cookie = randomBytes(rand.Intn(500)+1, rand)
245 if rand.Intn(10) > 5 {
246 for i := 0; i < rand.Intn(5); i++ {
247 m.serverShare.group = CurveID(rand.Intn(30000) + 1)
248 m.serverShare.data = randomBytes(rand.Intn(200)+1, rand)
250 } else if rand.Intn(10) > 5 {
251 m.selectedGroup = CurveID(rand.Intn(30000) + 1)
253 if rand.Intn(10) > 5 {
254 m.selectedIdentityPresent = true
255 m.selectedIdentity = uint16(rand.Intn(0xffff))
258 return reflect.ValueOf(m)
261 func (*encryptedExtensionsMsg) Generate(rand *rand.Rand, size int) reflect.Value {
262 m := &encryptedExtensionsMsg{}
264 if rand.Intn(10) > 5 {
265 m.alpnProtocol = randomString(rand.Intn(32)+1, rand)
268 return reflect.ValueOf(m)
271 func (*certificateMsg) Generate(rand *rand.Rand, size int) reflect.Value {
272 m := &certificateMsg{}
273 numCerts := rand.Intn(20)
274 m.certificates = make([][]byte, numCerts)
275 for i := 0; i < numCerts; i++ {
276 m.certificates[i] = randomBytes(rand.Intn(10)+1, rand)
278 return reflect.ValueOf(m)
281 func (*certificateRequestMsg) Generate(rand *rand.Rand, size int) reflect.Value {
282 m := &certificateRequestMsg{}
283 m.certificateTypes = randomBytes(rand.Intn(5)+1, rand)
284 for i := 0; i < rand.Intn(100); i++ {
285 m.certificateAuthorities = append(m.certificateAuthorities, randomBytes(rand.Intn(15)+1, rand))
287 return reflect.ValueOf(m)
290 func (*certificateVerifyMsg) Generate(rand *rand.Rand, size int) reflect.Value {
291 m := &certificateVerifyMsg{}
292 m.hasSignatureAlgorithm = true
293 m.signatureAlgorithm = SignatureScheme(rand.Intn(30000))
294 m.signature = randomBytes(rand.Intn(15)+1, rand)
295 return reflect.ValueOf(m)
298 func (*certificateStatusMsg) Generate(rand *rand.Rand, size int) reflect.Value {
299 m := &certificateStatusMsg{}
300 m.response = randomBytes(rand.Intn(10)+1, rand)
301 return reflect.ValueOf(m)
304 func (*clientKeyExchangeMsg) Generate(rand *rand.Rand, size int) reflect.Value {
305 m := &clientKeyExchangeMsg{}
306 m.ciphertext = randomBytes(rand.Intn(1000)+1, rand)
307 return reflect.ValueOf(m)
310 func (*finishedMsg) Generate(rand *rand.Rand, size int) reflect.Value {
312 m.verifyData = randomBytes(12, rand)
313 return reflect.ValueOf(m)
316 func (*newSessionTicketMsg) Generate(rand *rand.Rand, size int) reflect.Value {
317 m := &newSessionTicketMsg{}
318 m.ticket = randomBytes(rand.Intn(4), rand)
319 return reflect.ValueOf(m)
322 var sessionTestCerts []*x509.Certificate
325 cert, err := x509.ParseCertificate(testRSACertificate)
329 sessionTestCerts = append(sessionTestCerts, cert)
330 cert, err = x509.ParseCertificate(testRSACertificateIssuer)
334 sessionTestCerts = append(sessionTestCerts, cert)
337 func (*SessionState) Generate(rand *rand.Rand, size int) reflect.Value {
339 isTLS13 := rand.Intn(10) > 5
341 s.version = VersionTLS13
343 s.version = uint16(rand.Intn(VersionTLS13))
345 s.isClient = rand.Intn(10) > 5
346 s.cipherSuite = uint16(rand.Intn(math.MaxUint16))
347 s.createdAt = uint64(rand.Int63())
348 s.secret = randomBytes(rand.Intn(100)+1, rand)
349 s.Extra = randomBytes(rand.Intn(100), rand)
350 if s.isClient || rand.Intn(10) > 5 {
351 if rand.Intn(10) > 5 {
352 s.peerCertificates = sessionTestCerts
354 s.peerCertificates = sessionTestCerts[:1]
357 if rand.Intn(10) > 5 && s.peerCertificates != nil {
358 s.ocspResponse = randomBytes(rand.Intn(100)+1, rand)
360 if rand.Intn(10) > 5 && s.peerCertificates != nil {
361 for i := 0; i < rand.Intn(2)+1; i++ {
362 s.scts = append(s.scts, randomBytes(rand.Intn(500)+1, rand))
366 for i := 0; i < rand.Intn(3); i++ {
367 if rand.Intn(10) > 5 {
368 s.verifiedChains = append(s.verifiedChains, s.peerCertificates)
370 s.verifiedChains = append(s.verifiedChains, s.peerCertificates[:1])
374 s.useBy = uint64(rand.Int63())
375 s.ageAdd = uint32(rand.Int63() & math.MaxUint32)
378 return reflect.ValueOf(s)
381 func (s *SessionState) marshal() ([]byte, error) { return s.Bytes() }
382 func (s *SessionState) unmarshal(b []byte) bool {
383 ss, err := ParseSessionState(b)
391 func (*endOfEarlyDataMsg) Generate(rand *rand.Rand, size int) reflect.Value {
392 m := &endOfEarlyDataMsg{}
393 return reflect.ValueOf(m)
396 func (*keyUpdateMsg) Generate(rand *rand.Rand, size int) reflect.Value {
398 m.updateRequested = rand.Intn(10) > 5
399 return reflect.ValueOf(m)
402 func (*newSessionTicketMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
403 m := &newSessionTicketMsgTLS13{}
404 m.lifetime = uint32(rand.Intn(500000))
405 m.ageAdd = uint32(rand.Intn(500000))
406 m.nonce = randomBytes(rand.Intn(100), rand)
407 m.label = randomBytes(rand.Intn(1000), rand)
408 if rand.Intn(10) > 5 {
409 m.maxEarlyData = uint32(rand.Intn(500000))
411 return reflect.ValueOf(m)
414 func (*certificateRequestMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
415 m := &certificateRequestMsgTLS13{}
416 if rand.Intn(10) > 5 {
417 m.ocspStapling = true
419 if rand.Intn(10) > 5 {
422 if rand.Intn(10) > 5 {
423 m.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
425 if rand.Intn(10) > 5 {
426 m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms()
428 if rand.Intn(10) > 5 {
429 m.certificateAuthorities = make([][]byte, 3)
430 for i := 0; i < 3; i++ {
431 m.certificateAuthorities[i] = randomBytes(rand.Intn(10)+1, rand)
434 return reflect.ValueOf(m)
437 func (*certificateMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
438 m := &certificateMsgTLS13{}
439 for i := 0; i < rand.Intn(2)+1; i++ {
440 m.certificate.Certificate = append(
441 m.certificate.Certificate, randomBytes(rand.Intn(500)+1, rand))
443 if rand.Intn(10) > 5 {
444 m.ocspStapling = true
445 m.certificate.OCSPStaple = randomBytes(rand.Intn(100)+1, rand)
447 if rand.Intn(10) > 5 {
449 for i := 0; i < rand.Intn(2)+1; i++ {
450 m.certificate.SignedCertificateTimestamps = append(
451 m.certificate.SignedCertificateTimestamps, randomBytes(rand.Intn(500)+1, rand))
454 return reflect.ValueOf(m)
457 func TestRejectEmptySCTList(t *testing.T) {
458 // RFC 6962, Section 3.3.1 specifies that empty SCT lists are invalid.
461 sct := []byte{0x42, 0x42, 0x42, 0x42}
462 serverHello := &serverHelloMsg{
467 serverHelloBytes := mustMarshal(t, serverHello)
469 var serverHelloCopy serverHelloMsg
470 if !serverHelloCopy.unmarshal(serverHelloBytes) {
471 t.Fatal("Failed to unmarshal initial message")
474 // Change serverHelloBytes so that the SCT list is empty
475 i := bytes.Index(serverHelloBytes, sct)
477 t.Fatal("Cannot find SCT in ServerHello")
480 var serverHelloEmptySCT []byte
481 serverHelloEmptySCT = append(serverHelloEmptySCT, serverHelloBytes[:i-6]...)
482 // Append the extension length and SCT list length for an empty list.
483 serverHelloEmptySCT = append(serverHelloEmptySCT, []byte{0, 2, 0, 0}...)
484 serverHelloEmptySCT = append(serverHelloEmptySCT, serverHelloBytes[i+4:]...)
486 // Update the handshake message length.
487 serverHelloEmptySCT[1] = byte((len(serverHelloEmptySCT) - 4) >> 16)
488 serverHelloEmptySCT[2] = byte((len(serverHelloEmptySCT) - 4) >> 8)
489 serverHelloEmptySCT[3] = byte(len(serverHelloEmptySCT) - 4)
491 // Update the extensions length
492 serverHelloEmptySCT[42] = byte((len(serverHelloEmptySCT) - 44) >> 8)
493 serverHelloEmptySCT[43] = byte((len(serverHelloEmptySCT) - 44))
495 if serverHelloCopy.unmarshal(serverHelloEmptySCT) {
496 t.Fatal("Unmarshaled ServerHello with empty SCT list")
500 func TestRejectEmptySCT(t *testing.T) {
501 // Not only must the SCT list be non-empty, but the SCT elements must
502 // not be zero length.
505 serverHello := &serverHelloMsg{
510 serverHelloBytes := mustMarshal(t, serverHello)
512 var serverHelloCopy serverHelloMsg
513 if serverHelloCopy.unmarshal(serverHelloBytes) {
514 t.Fatal("Unmarshaled ServerHello with zero-length SCT")
518 func TestRejectDuplicateExtensions(t *testing.T) {
519 clientHelloBytes, err := hex.DecodeString("010000440303000000000000000000000000000000000000000000000000000000000000000000000000001c0000000a000800000568656c6c6f0000000a000800000568656c6c6f")
521 t.Fatalf("failed to decode test ClientHello: %s", err)
523 var clientHelloCopy clientHelloMsg
524 if clientHelloCopy.unmarshal(clientHelloBytes) {
525 t.Error("Unmarshaled ClientHello with duplicate extensions")
528 serverHelloBytes, err := hex.DecodeString("02000030030300000000000000000000000000000000000000000000000000000000000000000000000000080005000000050000")
530 t.Fatalf("failed to decode test ServerHello: %s", err)
532 var serverHelloCopy serverHelloMsg
533 if serverHelloCopy.unmarshal(serverHelloBytes) {
534 t.Fatal("Unmarshaled ServerHello with duplicate extensions")