1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
24 &certificateRequestMsg{},
25 &certificateVerifyMsg{
26 hasSignatureAlgorithm: true,
28 &certificateStatusMsg{},
29 &clientKeyExchangeMsg{},
30 &newSessionTicketMsg{},
33 &encryptedExtensionsMsg{},
36 &newSessionTicketMsgTLS13{},
37 &certificateRequestMsgTLS13{},
38 &certificateMsgTLS13{},
// mustMarshal returns the wire encoding produced by msg.marshal().
// NOTE(review): the lines that inspect err and return b are not visible in
// this listing; going by the name, a marshal error presumably fails the test
// through t — confirm against the full file.
41 func mustMarshal(t *testing.T, msg handshakeMessage) []byte {
43 b, err := msg.marshal()
// TestMarshalUnmarshal is a round-trip property test over every entry of
// tests: a random value of the entry's type is generated with quick.Value,
// marshaled, unmarshaled into the entry itself, and compared with the
// generated value using reflect.DeepEqual. It then checks that truncated
// encodings are not accepted by unmarshal.
50 func TestMarshalUnmarshal(t *testing.T) {
// The local rand shadows the rand package from here on. It is seeded from the
// wall clock, so every run explores different inputs.
// NOTE(review): the seed is not logged in the visible lines; a failing input
// is identifiable only from the %#v / %x output of the messages below.
51 rand := rand.New(rand.NewSource(time.Now().UnixNano()))
53 for i, iface := range tests {
54 ty := reflect.ValueOf(iface).Type()
// NOTE(review): n (samples per message type) is set on lines not visible here.
60 for j := 0; j < n; j++ {
61 v, ok := quick.Value(ty, rand)
63 t.Errorf("#%d: failed to create value", i)
// m1 is the freshly generated message; m2 is the shared entry from tests,
// which is overwritten by unmarshal on every sample.
67 m1 := v.Interface().(handshakeMessage)
68 marshaled := mustMarshal(t, m1)
69 m2 := iface.(handshakeMessage)
70 if !m2.unmarshal(marshaled) {
71 t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled)
74 m2.marshal() // to fill any marshal cache in the message
76 if !reflect.DeepEqual(m1, m2) {
77 t.Errorf("#%d got:%#v want:%#v %x", i, m2, m1, marshaled)
82 // The first three message types (ClientHello,
83 // ServerHello and Finished) are allowed to
84 // have parsable prefixes because the extension
85 // data is optional and the length of the
86 // Finished varies across versions.
// Every strict prefix of a valid encoding must be rejected: a parser that
// accepts one would treat a truncated handshake message as complete.
// NOTE(review): the guard that exempts the three message types named above is
// not visible in this listing.
87 for j := 0; j < len(marshaled); j++ {
88 if m2.unmarshal(marshaled[0:j]) {
89 t.Errorf("#%d unmarshaled a prefix of length %d of %#v", i, j, m1)
// TestFuzz generates 1000 random byte strings of 0-99 bytes for each message
// type in tests. Per the comment below it only looks for crashes; nothing in
// the visible lines asserts on a parse result.
// NOTE(review): the statement that consumes bytes is not visible in this
// listing — presumably m.unmarshal(bytes); confirm.
98 func TestFuzz(t *testing.T) {
// Fixed seed: the same inputs are produced on every run, so a crash found
// here is reproducible, but the input space covered never changes.
99 rand := rand.New(rand.NewSource(0))
100 for _, iface := range tests {
101 m := iface.(handshakeMessage)
103 for j := 0; j < 1000; j++ {
// len and bytes shadow the builtin and the bytes package inside this loop.
104 len := rand.Intn(100)
105 bytes := randomBytes(len, rand)
106 // This just looks for crashes due to bounds errors etc.
// randomBytes fills a byte slice from the supplied generator and is the
// source of all random field contents in the Generate methods of this file.
// The generator is a *rand.Rand built with rand.New(rand.NewSource(...)),
// i.e. math/rand: deterministic for a given seed and suitable only for test
// data, never for key material.
// NOTE(review): the allocation of r and the return statement are not visible
// in this listing; presumably r has length n and is returned — confirm.
112 func randomBytes(n int, rand *rand.Rand) []byte {
// (*math/rand.Rand).Read is documented to always return a nil error, so this
// panic is a defensive check rather than an expected path.
114 if _, err := rand.Read(r); err != nil {
115 panic("rand.Read failed: " + err.Error())
// randomString obtains n random bytes from randomBytes.
// NOTE(review): the return statement is not visible in this listing;
// presumably the bytes are converted to a string as-is, in which case the
// result is arbitrary binary data and need not be valid UTF-8 — confirm.
120 func randomString(n int, rand *rand.Rand) string {
121 b := randomBytes(n, rand)
// Generate has the signature of testing/quick's Generator interface and
// returns a *clientHelloMsg whose fields are filled with random values, so
// that quick.Value can produce ClientHello samples for the round-trip test.
// size is not used in the visible lines.
//
// Throughout, `rand.Intn(10) > 5` is true for 4 of the 10 possible outcomes,
// so each optional field guarded by it is present in roughly 40% of samples.
// NOTE(review): several short lines (closing braces, a few declarations and
// branch bodies) are missing from this listing; comments below describe only
// what is visible.
125 func (*clientHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
126 m := &clientHelloMsg{}
127 m.vers = uint16(rand.Intn(65536))
128 m.random = randomBytes(32, rand)
129 m.sessionId = randomBytes(rand.Intn(32), rand)
// Between 1 and 63 cipher suites, each a random 16-bit value.
130 m.cipherSuites = make([]uint16, rand.Intn(63)+1)
131 for i := 0; i < len(m.cipherSuites); i++ {
132 cs := uint16(rand.Int31())
// scsvRenegotiation is special-cased; the adjustment applied to cs is on a
// line not visible here.
133 if cs == scsvRenegotiation {
136 m.cipherSuites[i] = cs
138 m.compressionMethods = randomBytes(rand.Intn(63)+1, rand)
139 if rand.Intn(10) > 5 {
140 m.serverName = randomString(rand.Intn(255), rand)
// Strip every trailing "." from the generated name.
141 for strings.HasSuffix(m.serverName, ".") {
142 m.serverName = m.serverName[:len(m.serverName)-1]
145 m.ocspStapling = rand.Intn(10) > 5
146 m.supportedPoints = randomBytes(rand.Intn(5)+1, rand)
147 m.supportedCurves = make([]CurveID, rand.Intn(5)+1)
148 for i := range m.supportedCurves {
149 m.supportedCurves[i] = CurveID(rand.Intn(30000) + 1)
151 if rand.Intn(10) > 5 {
152 m.ticketSupported = true
153 if rand.Intn(10) > 5 {
154 m.sessionTicket = randomBytes(rand.Intn(300), rand)
// Empty but non-nil slice; presumably chosen so reflect.DeepEqual matches what
// unmarshal produces for an empty ticket — confirm.
156 m.sessionTicket = make([]byte, 0)
159 if rand.Intn(10) > 5 {
160 m.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
162 if rand.Intn(10) > 5 {
163 m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms()
// The bound rand.Intn(5) is re-drawn on every iteration of this loop (and of
// the similar loops below), so the element count is not one uniform draw.
165 for i := 0; i < rand.Intn(5); i++ {
166 m.alpnProtocols = append(m.alpnProtocols, randomString(rand.Intn(20)+1, rand))
// The body of this branch is on a line not visible in this listing.
168 if rand.Intn(10) > 5 {
171 if rand.Intn(10) > 5 {
172 m.secureRenegotiationSupported = true
173 m.secureRenegotiation = randomBytes(rand.Intn(50)+1, rand)
175 for i := 0; i < rand.Intn(5); i++ {
176 m.supportedVersions = append(m.supportedVersions, uint16(rand.Intn(0xffff)+1))
178 if rand.Intn(10) > 5 {
179 m.cookie = randomBytes(rand.Intn(500)+1, rand)
// ks is declared on a line not visible here.
181 for i := 0; i < rand.Intn(5); i++ {
183 ks.group = CurveID(rand.Intn(30000) + 1)
184 ks.data = randomBytes(rand.Intn(200)+1, rand)
185 m.keyShares = append(m.keyShares, ks)
// Three-way choice of PSK key-exchange modes; the case labels are not visible.
187 switch rand.Intn(3) {
189 m.pskModes = []uint8{pskModeDHE}
191 m.pskModes = []uint8{pskModeDHE, pskModePlain}
// Identities and binders are appended pairwise, so both slices always have
// the same length. psk is declared on a line not visible here.
193 for i := 0; i < rand.Intn(5); i++ {
195 psk.obfuscatedTicketAge = uint32(rand.Intn(500000))
196 psk.label = randomBytes(rand.Intn(500)+1, rand)
197 m.pskIdentities = append(m.pskIdentities, psk)
198 m.pskBinders = append(m.pskBinders, randomBytes(rand.Intn(50)+32, rand))
200 if rand.Intn(10) > 5 {
201 m.quicTransportParameters = randomBytes(rand.Intn(500), rand)
// The body of this branch is on lines not visible in this listing.
203 if rand.Intn(10) > 5 {
207 return reflect.ValueOf(m)
// Generate has the signature of testing/quick's Generator interface and
// returns a *serverHelloMsg with randomly populated fields for the round-trip
// test. size is not used in the visible lines.
//
// `rand.Intn(10) > 5` holds for 4 of 10 outcomes, so each optional field is
// set in roughly 40% of samples.
// NOTE(review): short lines (closing braces and possibly others) are missing
// from this listing; comments describe only what is visible.
210 func (*serverHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
211 m := &serverHelloMsg{}
212 m.vers = uint16(rand.Intn(65536))
213 m.random = randomBytes(32, rand)
214 m.sessionId = randomBytes(rand.Intn(32), rand)
215 m.cipherSuite = uint16(rand.Int31())
216 m.compressionMethod = uint8(rand.Intn(256))
217 m.supportedPoints = randomBytes(rand.Intn(5)+1, rand)
219 if rand.Intn(10) > 5 {
220 m.ocspStapling = true
222 if rand.Intn(10) > 5 {
223 m.ticketSupported = true
225 if rand.Intn(10) > 5 {
226 m.alpnProtocol = randomString(rand.Intn(32)+1, rand)
// Every generated SCT is at least one byte long (Intn(500)+1). The loop bound
// is re-drawn on each iteration.
229 for i := 0; i < rand.Intn(4); i++ {
230 m.scts = append(m.scts, randomBytes(rand.Intn(500)+1, rand))
233 if rand.Intn(10) > 5 {
234 m.secureRenegotiationSupported = true
235 m.secureRenegotiation = randomBytes(rand.Intn(50)+1, rand)
237 if rand.Intn(10) > 5 {
238 m.supportedVersion = uint16(rand.Intn(0xffff) + 1)
240 if rand.Intn(10) > 5 {
241 m.cookie = randomBytes(rand.Intn(500)+1, rand)
243 if rand.Intn(10) > 5 {
// Each iteration overwrites the same serverShare fields, so only the values
// from the last iteration survive; with zero iterations serverShare keeps its
// zero value.
244 for i := 0; i < rand.Intn(5); i++ {
245 m.serverShare.group = CurveID(rand.Intn(30000) + 1)
246 m.serverShare.data = randomBytes(rand.Intn(200)+1, rand)
// selectedGroup is only considered when the serverShare branch was not taken,
// so the two are never set together.
248 } else if rand.Intn(10) > 5 {
249 m.selectedGroup = CurveID(rand.Intn(30000) + 1)
251 if rand.Intn(10) > 5 {
252 m.selectedIdentityPresent = true
253 m.selectedIdentity = uint16(rand.Intn(0xffff))
256 return reflect.ValueOf(m)
// Generate has the signature of testing/quick's Generator interface and
// returns a *encryptedExtensionsMsg. In the visible lines the only field that
// is ever set is alpnProtocol, a random string of 1-32 bytes, in roughly 40%
// of samples (rand.Intn(10) > 5).
// NOTE(review): short lines are missing from this listing; confirm no other
// field is assigned in the full file.
259 func (*encryptedExtensionsMsg) Generate(rand *rand.Rand, size int) reflect.Value {
260 m := &encryptedExtensionsMsg{}
262 if rand.Intn(10) > 5 {
263 m.alpnProtocol = randomString(rand.Intn(32)+1, rand)
266 return reflect.ValueOf(m)
// Generate has the signature of testing/quick's Generator interface. It
// returns a *certificateMsg holding between 0 and 19 entries, each 1-10
// random bytes long. The entries are opaque test data, not parseable
// certificates. size is unused.
func (*certificateMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	count := rand.Intn(20)
	// Allocated even when count is zero, so the field is an empty slice
	// rather than nil.
	chain := make([][]byte, count)
	for idx := range chain {
		chain[idx] = randomBytes(rand.Intn(10)+1, rand)
	}
	return reflect.ValueOf(&certificateMsg{certificates: chain})
}
// Generate has the signature of testing/quick's Generator interface. It
// returns a *certificateRequestMsg with 1-5 random certificate type bytes and
// a random number of certificate authority entries of 1-15 bytes each.
// size is unused.
func (*certificateRequestMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	req := &certificateRequestMsg{
		certificateTypes: randomBytes(rand.Intn(5)+1, rand),
	}
	// The bound is re-drawn on every iteration, so the loop stops as soon as
	// a draw is not greater than the number of entries appended so far.
	for n := 0; n < rand.Intn(100); n++ {
		authority := randomBytes(rand.Intn(15)+1, rand)
		req.certificateAuthorities = append(req.certificateAuthorities, authority)
	}
	return reflect.ValueOf(req)
}
// Generate has the signature of testing/quick's Generator interface. It
// returns a *certificateVerifyMsg that always carries a signature algorithm
// (a random value below 30000) and a signature of 1-15 random bytes.
// size is unused.
func (*certificateVerifyMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	// Calls inside the literal run in source order, so the algorithm is
	// drawn before the signature bytes.
	verify := &certificateVerifyMsg{
		hasSignatureAlgorithm: true,
		signatureAlgorithm:    SignatureScheme(rand.Intn(30000)),
		signature:             randomBytes(rand.Intn(15)+1, rand),
	}
	return reflect.ValueOf(verify)
}
// Generate has the signature of testing/quick's Generator interface. It
// returns a *certificateStatusMsg whose response is 1-10 random bytes.
// size is unused.
func (*certificateStatusMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	status := &certificateStatusMsg{
		response: randomBytes(rand.Intn(10)+1, rand),
	}
	return reflect.ValueOf(status)
}
// Generate has the signature of testing/quick's Generator interface. It
// returns a *clientKeyExchangeMsg whose ciphertext is 1-1000 random bytes.
// size is unused.
func (*clientKeyExchangeMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	kx := &clientKeyExchangeMsg{
		ciphertext: randomBytes(rand.Intn(1000)+1, rand),
	}
	return reflect.ValueOf(kx)
}
// Generate has the signature of testing/quick's Generator interface and
// returns a message whose verifyData is always exactly 12 random bytes.
// NOTE(review): the line declaring m is not visible in this listing;
// presumably m is a new *finishedMsg — confirm.
308 func (*finishedMsg) Generate(rand *rand.Rand, size int) reflect.Value {
310 m.verifyData = randomBytes(12, rand)
311 return reflect.ValueOf(m)
// Generate has the signature of testing/quick's Generator interface. It
// returns a *newSessionTicketMsg whose ticket is 0-3 random bytes.
// size is unused.
func (*newSessionTicketMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	ticketLen := rand.Intn(4)
	msg := new(newSessionTicketMsg)
	msg.ticket = randomBytes(ticketLen, rand)
	return reflect.ValueOf(msg)
}
// Generate has the signature of testing/quick's Generator interface and
// fills a session state with random values: version and cipher suite below
// 10000, a master secret of 1-100 bytes, a random creation time and a random
// number of certificate entries of 1-500 bytes each.
// NOTE(review): the line declaring s is not visible in this listing;
// presumably s is a new *sessionState — confirm.
320 func (*sessionState) Generate(rand *rand.Rand, size int) reflect.Value {
322 s.vers = uint16(rand.Intn(10000))
323 s.cipherSuite = uint16(rand.Intn(10000))
// Random bytes from the test generator stand in for the secret; no real key
// material is involved.
324 s.masterSecret = randomBytes(rand.Intn(100)+1, rand)
325 s.createdAt = uint64(rand.Int63())
// The bound rand.Intn(20) is re-drawn on every iteration.
326 for i := 0; i < rand.Intn(20); i++ {
327 s.certificates = append(s.certificates, randomBytes(rand.Intn(500)+1, rand))
329 return reflect.ValueOf(s)
// Generate has the signature of testing/quick's Generator interface. It
// returns a *sessionStateTLS13 with a random cipher suite below 10000, a
// resumption secret of 1-100 random bytes, a random creation time, at least
// one certificate entry, and (each in roughly 40% of samples) an OCSP staple
// and at least one SCT. All byte fields are opaque test data. size is unused.
func (*sessionStateTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
	// Calls inside the literal run in source order: suite, secret, time.
	state := &sessionStateTLS13{
		cipherSuite:      uint16(rand.Intn(10000)),
		resumptionSecret: randomBytes(rand.Intn(100)+1, rand),
		createdAt:        uint64(rand.Int63()),
	}
	// The bound is re-drawn on each iteration; it is always at least 1, so
	// the first iteration always runs.
	for n := 0; n < rand.Intn(2)+1; n++ {
		entry := randomBytes(rand.Intn(500)+1, rand)
		state.certificate.Certificate = append(state.certificate.Certificate, entry)
	}
	if withStaple := rand.Intn(10) > 5; withStaple {
		state.certificate.OCSPStaple = randomBytes(rand.Intn(100)+1, rand)
	}
	if withSCTs := rand.Intn(10) > 5; withSCTs {
		for n := 0; n < rand.Intn(2)+1; n++ {
			sct := randomBytes(rand.Intn(500)+1, rand)
			state.certificate.SignedCertificateTimestamps = append(
				state.certificate.SignedCertificateTimestamps, sct)
		}
	}
	return reflect.ValueOf(state)
}
// Generate has the signature of testing/quick's Generator interface. It
// returns an empty *endOfEarlyDataMsg and draws nothing from rand; no field
// is set. Both parameters are unused.
func (*endOfEarlyDataMsg) Generate(rand *rand.Rand, size int) reflect.Value {
	return reflect.ValueOf(new(endOfEarlyDataMsg))
}
// Generate has the signature of testing/quick's Generator interface and
// returns a message whose updateRequested flag is true in roughly 40% of
// samples (rand.Intn(10) > 5 holds for 4 of 10 outcomes).
// NOTE(review): the line declaring m is not visible in this listing;
// presumably m is a new *keyUpdateMsg — confirm.
358 func (*keyUpdateMsg) Generate(rand *rand.Rand, size int) reflect.Value {
360 m.updateRequested = rand.Intn(10) > 5
361 return reflect.ValueOf(m)
// Generate has the signature of testing/quick's Generator interface. It
// returns a *newSessionTicketMsgTLS13 with lifetime and ageAdd below 500000,
// a nonce of 0-99 random bytes, a label of 0-999 random bytes and, in roughly
// 40% of samples, a maxEarlyData value below 500000. size is unused.
func (*newSessionTicketMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
	// Calls inside the literal run in source order, matching the order in
	// which the fields are listed.
	ticket := &newSessionTicketMsgTLS13{
		lifetime: uint32(rand.Intn(500000)),
		ageAdd:   uint32(rand.Intn(500000)),
		nonce:    randomBytes(rand.Intn(100), rand),
		label:    randomBytes(rand.Intn(1000), rand),
	}
	if withEarlyData := rand.Intn(10) > 5; withEarlyData {
		ticket.maxEarlyData = uint32(rand.Intn(500000))
	}
	return reflect.ValueOf(ticket)
}
// Generate has the signature of testing/quick's Generator interface and
// returns a *certificateRequestMsgTLS13 in which each optional field is set
// independently in roughly 40% of samples (rand.Intn(10) > 5).
// NOTE(review): short lines, including the body of the second branch, are
// missing from this listing; comments describe only what is visible.
376 func (*certificateRequestMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
377 m := &certificateRequestMsgTLS13{}
378 if rand.Intn(10) > 5 {
379 m.ocspStapling = true
// The body of this branch is on a line not visible here.
381 if rand.Intn(10) > 5 {
384 if rand.Intn(10) > 5 {
385 m.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
387 if rand.Intn(10) > 5 {
388 m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms()
// When present, the authority list always has exactly three entries of 1-10
// random bytes each.
390 if rand.Intn(10) > 5 {
391 m.certificateAuthorities = make([][]byte, 3)
392 for i := 0; i < 3; i++ {
393 m.certificateAuthorities[i] = randomBytes(rand.Intn(10)+1, rand)
396 return reflect.ValueOf(m)
// Generate has the signature of testing/quick's Generator interface and
// returns a *certificateMsgTLS13 with at least one certificate entry of 1-500
// random bytes, plus an OCSP staple and SCTs that are each added in roughly
// 40% of samples. The entries are opaque test data, not parseable
// certificates.
// NOTE(review): short lines are missing from this listing (one sits between
// the second `if` and the SCT loop); comments describe only what is visible.
399 func (*certificateMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
400 m := &certificateMsgTLS13{}
// The bound rand.Intn(2)+1 is re-drawn on each iteration and is always at
// least 1, so the first iteration always runs.
401 for i := 0; i < rand.Intn(2)+1; i++ {
402 m.certificate.Certificate = append(
403 m.certificate.Certificate, randomBytes(rand.Intn(500)+1, rand))
// The ocspStapling flag and the staple bytes are always set together.
405 if rand.Intn(10) > 5 {
406 m.ocspStapling = true
407 m.certificate.OCSPStaple = randomBytes(rand.Intn(100)+1, rand)
409 if rand.Intn(10) > 5 {
// Every generated SCT is at least one byte long (Intn(500)+1).
411 for i := 0; i < rand.Intn(2)+1; i++ {
412 m.certificate.SignedCertificateTimestamps = append(
413 m.certificate.SignedCertificateTimestamps, randomBytes(rand.Intn(500)+1, rand))
416 return reflect.ValueOf(m)
// TestRejectEmptySCTList checks that serverHelloMsg.unmarshal refuses a
// ServerHello whose SCT extension carries an empty list. It marshals a
// message containing a 4-byte marker SCT, confirms that this baseline parses,
// then edits the encoded bytes by hand to empty the list and expects
// unmarshal to return false.
// NOTE(review): the fields of the serverHelloMsg literal and the `i == -1`
// style guard are on lines not visible in this listing.
419 func TestRejectEmptySCTList(t *testing.T) {
420 // RFC 6962, Section 3.3.1 specifies that empty SCT lists are invalid.
// 0x42 repeated four times serves as a marker that bytes.Index can locate in
// the encoding below.
423 sct := []byte{0x42, 0x42, 0x42, 0x42}
424 serverHello := &serverHelloMsg{
429 serverHelloBytes := mustMarshal(t, serverHello)
// Baseline: the unmodified encoding must parse, otherwise the rejection
// asserted at the end would prove nothing.
431 var serverHelloCopy serverHelloMsg
432 if !serverHelloCopy.unmarshal(serverHelloBytes) {
433 t.Fatal("Failed to unmarshal initial message")
436 // Change serverHelloBytes so that the SCT list is empty
437 i := bytes.Index(serverHelloBytes, sct)
439 t.Fatal("Cannot find SCT in ServerHello")
442 var serverHelloEmptySCT []byte
// Keep everything up to 6 bytes before the marker. Presumably those 6 bytes
// are three 2-byte length fields (extension length, SCT list length, SCT
// length) — inferred from the replacement appended below; confirm against
// marshal.
443 serverHelloEmptySCT = append(serverHelloEmptySCT, serverHelloBytes[:i-6]...)
444 // Append the extension length and SCT list length for an empty list.
445 serverHelloEmptySCT = append(serverHelloEmptySCT, []byte{0, 2, 0, 0}...)
// Resume after the 4-byte marker SCT.
446 serverHelloEmptySCT = append(serverHelloEmptySCT, serverHelloBytes[i+4:]...)
448 // Update the handshake message length.
// Bytes 1-3 are written as a 24-bit big-endian length that excludes the first
// 4 bytes of the message.
449 serverHelloEmptySCT[1] = byte((len(serverHelloEmptySCT) - 4) >> 16)
450 serverHelloEmptySCT[2] = byte((len(serverHelloEmptySCT) - 4) >> 8)
451 serverHelloEmptySCT[3] = byte(len(serverHelloEmptySCT) - 4)
453 // Update the extensions length
// NOTE(review): offsets 42/43 are hard-coded, which assumes the fields ahead
// of the extensions block have a fixed total size for this fixture. If the
// literal above changes (for example a non-empty session ID), these writes
// would land elsewhere and the test could pass for the wrong reason.
454 serverHelloEmptySCT[42] = byte((len(serverHelloEmptySCT) - 44) >> 8)
455 serverHelloEmptySCT[43] = byte((len(serverHelloEmptySCT) - 44))
// With the lengths fixed up the message is otherwise consistent, so a
// rejection here is attributable to the empty SCT list.
457 if serverHelloCopy.unmarshal(serverHelloEmptySCT) {
458 t.Fatal("Unmarshaled ServerHello with empty SCT list")
// TestRejectEmptySCT checks that serverHelloMsg.unmarshal refuses a
// ServerHello containing a zero-length SCT element. Unlike the empty-list
// case, no byte editing is done: the message is marshaled from a struct
// literal and the resulting encoding must fail to unmarshal.
// NOTE(review): the fields of the serverHelloMsg literal are on lines not
// visible in this listing. The test also relies on marshal emitting the
// zero-length SCT unchanged; if marshal ever rejected or dropped it, this
// test would need to build the bytes by hand instead.
462 func TestRejectEmptySCT(t *testing.T) {
463 // Not only must the SCT list be non-empty, but the SCT elements must
464 // not be zero length.
467 serverHello := &serverHelloMsg{
472 serverHelloBytes := mustMarshal(t, serverHello)
474 var serverHelloCopy serverHelloMsg
475 if serverHelloCopy.unmarshal(serverHelloBytes) {
476 t.Fatal("Unmarshaled ServerHello with zero-length SCT")
// TestRejectDuplicateExtensions checks that both hello parsers refuse a
// message whose extensions block contains the same extension type twice.
// RFC 8446, Section 4.2 forbids more than one extension of a given type in an
// extension block. A parser that tolerated duplicates would have to pick one
// copy, and two implementations picking differently would disagree about
// what was negotiated.
// NOTE(review): the `err != nil` guards around the two t.Fatalf calls are on
// lines not visible in this listing.
480 func TestRejectDuplicateExtensions(t *testing.T) {
// Hand-built ClientHello: the tail of the hex encodes extension type 0x0000
// twice, each with a body ending in the ASCII bytes "hello" (68656c6c6f).
481 clientHelloBytes, err := hex.DecodeString("010000440303000000000000000000000000000000000000000000000000000000000000000000000000001c0000000a000800000568656c6c6f0000000a000800000568656c6c6f")
483 t.Fatalf("failed to decode test ClientHello: %s", err)
485 var clientHelloCopy clientHelloMsg
// t.Error rather than t.Fatal, so the ServerHello half below still runs when
// this check fails.
486 if clientHelloCopy.unmarshal(clientHelloBytes) {
487 t.Error("Unmarshaled ClientHello with duplicate extensions")
// Hand-built ServerHello: the tail of the hex encodes extension type 0x0005
// twice, each with a zero-length body.
490 serverHelloBytes, err := hex.DecodeString("02000030030300000000000000000000000000000000000000000000000000000000000000000000000000080005000000050000")
492 t.Fatalf("failed to decode test ServerHello: %s", err)
494 var serverHelloCopy serverHelloMsg
495 if serverHelloCopy.unmarshal(serverHelloBytes) {
496 t.Fatal("Unmarshaled ServerHello with duplicate extensions")