Test that False Start fails if the server second leg is omitted.

This works fine, but I believe NSS had a bug here a couple years ago. Also move
all the Skip* bug options next to each other in order.

Change-Id: I72dcb3babeee7ba73b3d7dc5ebef2e2298e37438
Reviewed-on: https://boringssl-review.googlesource.com/3333
Reviewed-by: Adam Langley <agl@google.com>

ssl/test/runner/common.go

@@ -429,15 +429,27 @@ type ProtocolBugs struct {
 	// ServerKeyExchange.
 	UnauthenticatedECDH bool
 
+	// SkipHelloVerifyRequest causes a DTLS server to skip the
+	// HelloVerifyRequest message.
+	SkipHelloVerifyRequest bool
+
 	// SkipServerKeyExchange causes the server to skip sending
 	// ServerKeyExchange messages.
 	SkipServerKeyExchange bool
 
+	// SkipNewSessionTicket causes the server to skip sending the
+	// NewSessionTicket message despite promising to in ServerHello.
+	SkipNewSessionTicket bool
+
 	// SkipChangeCipherSpec causes the implementation to skip
 	// sending the ChangeCipherSpec message (and adjusting cipher
 	// state accordingly for the Finished message).
 	SkipChangeCipherSpec bool
 
+	// SkipFinished causes the implementation to skip sending the Finished
+	// message.
+	SkipFinished bool
+
 	// EarlyChangeCipherSpec causes the client to send an early
 	// ChangeCipherSpec message before the ClientKeyExchange. A value of
 	// zero disables this behavior. One and two configure variants for 0.9.8
@@ -449,10 +461,6 @@ type ProtocolBugs struct {
 	// messages.
 	FragmentAcrossChangeCipherSpec bool
 
-	// SkipNewSessionTicket causes the server to skip sending the
-	// NewSessionTicket message despite promising to in ServerHello.
-	SkipNewSessionTicket bool
-
 	// SendV2ClientHello causes the client to send a V2ClientHello
 	// instead of a normal ClientHello.
 	SendV2ClientHello bool
@@ -492,10 +500,6 @@ type ProtocolBugs struct {
 	// TLS version in the ClientHello than the maximum supported version.
 	SendClientVersion uint16
 
-	// SkipHelloVerifyRequest causes a DTLS server to skip the
-	// HelloVerifyRequest message.
-	SkipHelloVerifyRequest bool
-
 	// ExpectFalseStart causes the server to, on full handshakes,
 	// expect the peer to False Start; the server Finished message
 	// isn't sent until we receive an application data record

ssl/test/runner/handshake_client.go

@@ -872,9 +872,11 @@ func (hs *clientHandshakeState) sendFinished(isResume bool) error {
 		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
 	}
 
-	c.writeRecord(recordTypeHandshake, postCCSBytes)
-	if err := c.dtlsFlushHandshake(false); err != nil {
-		return err
+	if !c.config.Bugs.SkipFinished {
+		c.writeRecord(recordTypeHandshake, postCCSBytes)
+		if err := c.dtlsFlushHandshake(false); err != nil {
+			return err
+		}
 	}
 	return nil
 }

ssl/test/runner/handshake_server.go

@@ -857,9 +857,11 @@ func (hs *serverHandshakeState) sendFinished() error {
 		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
 	}
 
-	c.writeRecord(recordTypeHandshake, postCCSBytes)
-	if err := c.dtlsFlushHandshake(false); err != nil {
-		return err
+	if !c.config.Bugs.SkipFinished {
+		c.writeRecord(recordTypeHandshake, postCCSBytes)
+		if err := c.dtlsFlushHandshake(false); err != nil {
+			return err
+		}
 	}
 
 	c.cipherSuite = hs.suite.id

ssl/test/runner/runner.go

@@ -739,6 +739,26 @@ var testCases = []testCase{
 		shouldFail:    true,
 		expectedError: ":UNEXPECTED_RECORD:",
 	},
+	{
+		name: "FalseStart-SkipServerSecondLeg",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				SkipNewSessionTicket: true,
+				SkipChangeCipherSpec: true,
+				SkipFinished:         true,
+				ExpectFalseStart:     true,
+			},
+		},
+		flags: []string{
+			"-false-start",
+			"-advertise-alpn", "\x03foo",
+		},
+		shimWritesFirst: true,
+		shouldFail:      true,
+		expectedError:   ":UNEXPECTED_RECORD:",
+	},
 }
 
 func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {