Test the exporter at all versions + ciphers + side.

The Go side (thankfully not the C side) was not fully updated for the exporter secret derivation being earlier at some point. Also TLS 1.2 upgrades the PRF hash for pre-1.2 ciphers to SHA-256, so make sure we cover that. Change-Id: Ibdf50ef500e7e48a52799ac75577822bc304a613 Reviewed-on: https://boringssl-review.googlesource.com/13663 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-02-07 16:06:48 -05:00 · 2017-02-07 16:06:48 -05:00 · cdb6fe90cb
commit cdb6fe90cb
parent 3bd57e3a6f
2 changed files with 23 additions and 11 deletions
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@ -860,6 +860,10 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 	hs.finishedHash.addEntropy(zeroSecret)
 	clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel)
 	serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel)
+	c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel)
+
+	// Switch to application data keys on read. In particular, any alerts
+	// from the client certificate are read over these keys.
 	c.in.useTrafficSecret(c.vers, hs.suite, serverTrafficSecret, serverWrite)

 	// If we're expecting 0.5-RTT messages from the server, read them
@ -966,7 +970,6 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 	// Switch to application data keys.
 	c.out.useTrafficSecret(c.vers, hs.suite, clientTrafficSecret, clientWrite)

-	c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel)
 	c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel)
 	return nil
 }
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -2553,6 +2553,13 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto
 		sendCipherSuite = suite.id
 	}

+	// For cipher suites and versions where exporters are defined, verify
+	// that they interoperate.
+	var exportKeyingMaterial int
+	if ver.version > VersionSSL30 {
+		exportKeyingMaterial = 1024
+	}
+
 	testCases = append(testCases, testCase{
 		testType: serverTest,
 		protocol: protocol,
@ -2574,6 +2581,7 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto
 		resumeSession:        true,
 		shouldFail:           shouldServerFail,
 		expectedError:        expectedServerError,
+		exportKeyingMaterial: exportKeyingMaterial,
 	})

 	testCases = append(testCases, testCase{
@ -2596,6 +2604,7 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto
 		resumeSession:        true,
 		shouldFail:           shouldClientFail,
 		expectedError:        expectedClientError,
+		exportKeyingMaterial: exportKeyingMaterial,
 	})

 	if shouldClientFail {