add more ssl runner tests

samuel40791765 · samuel40791765 · commit c516faf2bf3f · 2023-08-15T01:06:57.000+08:00
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
@@ -19618,17 +19618,31 @@ var testMultipleCertSlotsAlgorithms = []struct {
 	{"ECDSA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0, testCertECDSAP256, CurveP256},
 }
 
-// TODO: Add more failure test cases.
 func addMultipleCertSlotTests() {
 	var allAlgorithms []signatureAlgorithm
 	for _, alg := range testMultipleCertSlotsAlgorithms {
 		if alg.id != 0 {
 			allAlgorithms = append(allAlgorithms, alg.id)
 		}
 	}
+	multipleCertsFlag := "-multiple-certs-slot"
+	rsaCertSlot := []string{
+		multipleCertsFlag, path.Join(*resourceDir, getShimCertificate(testCertRSA)) + "," + path.Join(*resourceDir, getShimKey(testCertRSA)),
+	}
+	ecdsaCertSlot := []string{
+		multipleCertsFlag, path.Join(*resourceDir, getShimCertificate(testCertECDSAP256)) + "," + path.Join(*resourceDir, getShimKey(testCertECDSAP256)),
+	}
+	ed25519CertSlot := []string{
+		multipleCertsFlag, path.Join(*resourceDir, getShimCertificate(testCertEd25519)) + "," + path.Join(*resourceDir, getShimKey(testCertEd25519)),
+	}
+	certificateSlotFlags := []string{
+		rsaCertSlot[0], rsaCertSlot[1],
+		ecdsaCertSlot[0], ecdsaCertSlot[1],
+		ed25519CertSlot[0], ed25519CertSlot[1],
+	}
 
-	// TODO: add client tests to verify we don't support multiple certs on the client end.
-	prefix := "Server-"
+	signError := ":NO_COMMON_SIGNATURE_ALGORITHMS:"
+	signLocalError := "remote error: handshake failure"
 
 	// Make sure each signature algorithm works.
 	for _, alg := range testMultipleCertSlotsAlgorithms {
@@ -19637,6 +19651,7 @@ func addMultipleCertSlotTests() {
 				continue
 			}
 
+			prefix := "Server-"
 			var shouldFail bool
 			// ecdsa_sha1 does not exist in TLS 1.3.
 			if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
@@ -19672,17 +19687,14 @@ func addMultipleCertSlotTests() {
 					VerifySignatureAlgorithms: allAlgorithms,
 				},
 				flags: append(
-					[]string{
-						"-multiple-certs-slot", path.Join(*resourceDir, getShimCertificate(testCertRSA)) + "," + path.Join(*resourceDir, getShimKey(testCertRSA)),
-						"-multiple-certs-slot", path.Join(*resourceDir, getShimCertificate(testCertECDSAP256)) + "," + path.Join(*resourceDir, getShimKey(testCertECDSAP256)),
-						"-multiple-certs-slot", path.Join(*resourceDir, getShimCertificate(testCertEd25519)) + "," + path.Join(*resourceDir, getShimKey(testCertEd25519)),
-					},
+					certificateSlotFlags,
 					curveFlags...,
 				),
 				expectations: connectionExpectations{
 					peerSignatureAlgorithm: alg.id,
 				},
 			}
+
 			if alg.id != 0 {
 				strictAlgTest.flags = append(strictAlgTest.flags, "-signing-prefs", strconv.Itoa(int(alg.id)))
 			}
@@ -19692,8 +19704,41 @@ func addMultipleCertSlotTests() {
 				strictAlgTest.config.CipherSuites = []uint16{alg.cipher}
 			}
 
+			// Extend the original test, but force it to use the early certificate callback instead.
+			// Expected behavior should be the same.
+			strictAlgCallbackTest := strictAlgTest
+			strictAlgCallbackTest.name = prefix + "Multiple-Cert-Strict-Alg-Callback" + suffix
+			strictAlgCallbackTest.flags = append(strictAlgCallbackTest.flags, "-use-early-callback")
+
+			// Verify that we don't support multiple certificate slots on the client side. The client should be
+			// configured with the last certificate set (ED25519 in this case).
+			prefix = "Client-"
+			strictAlgClientTest := testCase{
+				testType: clientTest,
+				name:     prefix + "Multiple-Cert-Strict-Alg" + suffix,
+				config: Config{
+					MaxVersion:                ver.version,
+					VerifySignatureAlgorithms: []signatureAlgorithm{alg.id},
+					ClientAuth:                RequireAnyClientCert,
+					Certificates:              []Certificate{rsaCertificate, ecdsaP256Certificate, ed25519Certificate},
+				},
+				flags: append(
+					certificateSlotFlags,
+					curveFlags...,
+				),
+			}
+			if alg.id != signatureEd25519 {
+				// ED25519 is the last certificate set in |certificateSlotFlags|. We don't support multiple certificate
+				// slots on the client side, so the client should only be configured to use ED25519.
+				strictAlgClientTest.shouldFail = true
+				strictAlgClientTest.expectedError = signError
+				strictAlgClientTest.expectedLocalError = signLocalError
+			}
+
 			if !shouldFail {
 				testCases = append(testCases, strictAlgTest)
+				testCases = append(testCases, strictAlgCallbackTest)
+				testCases = append(testCases, strictAlgClientTest)
 			}
 		}
 	}
@@ -19704,27 +19749,94 @@ func addMultipleCertSlotTests() {
 		// ED25519 signature algorithm should be prioritized if supported.
 		ed25519PriorityTest := testCase{
 			testType: serverTest,
-			name:     prefix + "Multiple-Cert-ED25519-Priority" + suffix,
+			name:     "Server-Multiple-Cert-ED25519-Priority" + suffix,
 			config: Config{
 				MaxVersion:                ver.version,
 				VerifySignatureAlgorithms: allAlgorithms,
 			},
 			flags: append(
-				[]string{
-					"-multiple-certs-slot", path.Join(*resourceDir, getShimCertificate(testCertRSA)) + "," + path.Join(*resourceDir, getShimKey(testCertRSA)),
-					"-multiple-certs-slot", path.Join(*resourceDir, getShimCertificate(testCertECDSAP256)) + "," + path.Join(*resourceDir, getShimKey(testCertECDSAP256)),
-					"-multiple-certs-slot", path.Join(*resourceDir, getShimCertificate(testCertEd25519)) + "," + path.Join(*resourceDir, getShimKey(testCertEd25519)),
-				},
+				certificateSlotFlags,
 				flagInts("-curves", []int{int(CurveX25519), int(CurveP256)})...,
 			),
 			expectations: connectionExpectations{
 				peerSignatureAlgorithm: signatureEd25519,
 			},
 		}
 
+		// Below tests verify that multiple certificates only works because we have a valid cert.
+
+		// Connection shouldn't be accepted without RSA cert.
+		noRSACertTest := testCase{
+			testType: serverTest,
+			name:     "Server-Multiple-Cert-No-RSA" + suffix,
+			config: Config{
+				MaxVersion:                ver.version,
+				VerifySignatureAlgorithms: allAlgorithms,
+			},
+			flags: []string{
+				ecdsaCertSlot[0], ecdsaCertSlot[1],
+				ed25519CertSlot[0], ed25519CertSlot[1],
+				"-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
+			},
+			shouldFail:         true,
+			expectedError:      signError,
+			expectedLocalError: signLocalError,
+		}
+		// RSA support in TLS1.2 and lower is indicated with |mask_k| in |ssl_get_compatible_server_ciphers|.
+		// We do not have a valid public or private RSA key set up, so this fails early.
+		if ver.version <= VersionTLS12 {
+			noRSACertTest.expectedError = ":NO_SHARED_CIPHER:"
+		}
+
+		// Connection shouldn't be accepted without ECDSA cert.
+		noECDSACertTest := testCase{
+			testType: serverTest,
+			name:     "Server-Multiple-Cert-No-ECDSA" + suffix,
+			config: Config{
+				MaxVersion:                ver.version,
+				VerifySignatureAlgorithms: allAlgorithms,
+			},
+			flags: []string{
+				rsaCertSlot[0], rsaCertSlot[1],
+				ed25519CertSlot[0], ed25519CertSlot[1],
+				"-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
+			},
+			shouldFail:         true,
+			expectedError:      signError,
+			expectedLocalError: signLocalError,
+		}
+
+		// Connection shouldn't be accepted without ED25519 cert.
+		noED25519CertTest := testCase{
+			testType: serverTest,
+			name:     "Server-Multiple-Cert-No-ED25519" + suffix,
+			config: Config{
+				MaxVersion:                ver.version,
+				VerifySignatureAlgorithms: allAlgorithms,
+			},
+			flags: []string{
+				rsaCertSlot[0], rsaCertSlot[1],
+				ecdsaCertSlot[0], ecdsaCertSlot[1],
+				"-signing-prefs", strconv.Itoa(int(signatureEd25519)),
+			},
+			shouldFail:         true,
+			expectedError:      signError,
+			expectedLocalError: signLocalError,
+		}
+
+		if ver.version <= VersionTLS12 {
+			noRSACertTest.config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}
+			noECDSACertTest.config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}
+			noED25519CertTest.config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
+		}
+
+		// ED25519 is only supported in TLS1.2 and above.
 		if ver.version >= VersionTLS12 {
 			testCases = append(testCases, ed25519PriorityTest)
+			testCases = append(testCases, noED25519CertTest)
 		}
+		testCases = append(testCases, noRSACertTest)
+		testCases = append(testCases, noECDSACertTest)
 	}
 }
 
diff --git a/ssl/test/runner/ssl_transfer/test_case_names.txt b/ssl/test/runner/ssl_transfer/test_case_names.txt
@@ -519,6 +519,22 @@ Server-JDK11-TLS12-8
 Server-JDK11-TLS12-9
 Server-Multiple-Cert-ED25519-Priority-TLS12
 Server-Multiple-Cert-ED25519-Priority-TLS13
+Server-Multiple-Cert-Strict-Alg-Callback-ECDSA_P224_SHA256-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-ECDSA_P256_SHA256-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-ECDSA_P256_SHA256-TLS13
+Server-Multiple-Cert-Strict-Alg-Callback-ECDSA_SHA1-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-Ed25519-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-Ed25519-TLS13
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PKCS1_SHA1-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PKCS1_SHA256-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PKCS1_SHA384-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PKCS1_SHA512-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PSS_SHA256-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PSS_SHA256-TLS13
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PSS_SHA384-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PSS_SHA384-TLS13
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PSS_SHA512-TLS12
+Server-Multiple-Cert-Strict-Alg-Callback-RSA_PSS_SHA512-TLS13
 Server-Multiple-Cert-Strict-Alg-ECDSA_P224_SHA256-TLS12
 Server-Multiple-Cert-Strict-Alg-ECDSA_P256_SHA256-TLS12
 Server-Multiple-Cert-Strict-Alg-ECDSA_P256_SHA256-TLS13
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
@@ -1398,7 +1398,9 @@ static enum ssl_select_cert_result_t SelectCertificateCallback(
     return ssl_select_cert_error;
   }
 
-  if (config->use_early_callback && !InstallCertificate(ssl)) {
+  if (config->use_early_callback &&
+      !InstallMultipleCertificates(ssl) &&
+      !InstallCertificate(ssl)) {
     return ssl_select_cert_error;
   }
 
@@ -1824,7 +1826,6 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL(
     return nullptr;
   }
   // Install the certificate synchronously if nothing else will handle it.
-  // Multiple Certificates is only tested synchronously as of now.
   if (!use_early_callback && !use_old_client_cert_callback && !async &&
       !InstallMultipleCertificates(ssl.get()) &&
       !InstallCertificate(ssl.get())) {
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
@@ -211,6 +211,8 @@ struct TestConfig {
   // multiple_certs_slot is used to associate the server with the multiple
   // certificate/private key slot configuration. The certificate comes first,
   // then the private key.
+  // When |multiple_certs_slot| is defined, the certificates defined are
+  // prioritized over certs defined with |cert_file| and |key_file|.
   std::vector<std::pair<std::string, std::string>> multiple_certs_slot;
 
   int argc;

Original file line number	Diff line number	Diff line change
`@@ -1398,7 +1398,9 @@ static enum ssl_select_cert_result_t SelectCertificateCallback(`
`1398`	`1398`	`return ssl_select_cert_error;`
`1399`	`1399`	`}`
`1400`	`1400`
`1401`		`- if (config->use_early_callback && !InstallCertificate(ssl)) {`
	`1401`	`+ if (config->use_early_callback &&`
	`1402`	`+ !InstallMultipleCertificates(ssl) &&`
	`1403`	`+ !InstallCertificate(ssl)) {`
`1402`	`1404`	`return ssl_select_cert_error;`
`1403`	`1405`	`}`
`1404`	`1406`
`@@ -1824,7 +1826,6 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL(`
`1824`	`1826`	`return nullptr;`
`1825`	`1827`	`}`
`1826`	`1828`	`// Install the certificate synchronously if nothing else will handle it.`
`1827`		`- // Multiple Certificates is only tested synchronously as of now.`
`1828`	`1829`	`if (!use_early_callback && !use_old_client_cert_callback && !async &&`
`1829`	`1830`	`!InstallMultipleCertificates(ssl.get()) &&`
`1830`	`1831`	`!InstallCertificate(ssl.get())) {`