Flesh out missing TLS 1.3 state machine coverage.

The TLS 1.3 state machine is actually less in need of the aggressive
state machine coverage tests, but nonetheless, we should cover all
handshake shapes. PSK resumption and HelloRetryRequest were missing.

We were also accidentally running "DTLS" versions of the TLS 1.3 tests
but silently running TLS 1.2.

Change-Id: I65db4052b89d770db7e47738e73aaadde9634236
Reviewed-on: https://boringssl-review.googlesource.com/10441
Reviewed-by: Nick Harper <nharper@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/runner/common.go

@@ -1041,6 +1041,11 @@ type ProtocolBugs struct {
 	// HelloRequest in the same record as Finished.
 	PackHelloRequestWithFinished bool
 
+	// ExpectMissingKeyShare, if true, causes the TLS server to fail the
+	// connection if the selected curve appears in the client's initial
+	// ClientHello. That is, it requires that a HelloRetryRequest be sent.
+	ExpectMissingKeyShare bool
+
 	// SendExtraFinished, if true, causes an extra Finished message to be
 	// sent.
 	SendExtraFinished bool

ssl/test/runner/handshake_server.go

@@ -430,6 +430,10 @@ Curves:
 			}
 		}
 
+		if config.Bugs.ExpectMissingKeyShare && selectedKeyShare != nil {
+			return errors.New("tls: expected missing key share")
+		}
+
 		sendHelloRetryRequest := selectedKeyShare == nil
 		if config.Bugs.UnnecessaryHelloRetryRequest {
 			sendHelloRetryRequest = true
@@ -451,6 +455,7 @@ Curves:
 			}
 			hs.writeServerHash(helloRetryRequestMsg.marshal())
 			c.writeRecord(recordTypeHandshake, helloRetryRequestMsg.marshal())
+			c.flushHandshake()
 
 			// Read new ClientHello.
 			newMsg, err := c.readHandshake()

ssl/test/runner/runner.go

@@ -3118,19 +3118,57 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
 	})
 
 	// TLS 1.3 basic handshake shapes.
-	tests = append(tests, testCase{
-		name: "TLS13-1RTT-Client",
-		config: Config{
-			MaxVersion: VersionTLS13,
-		},
-	})
-	tests = append(tests, testCase{
-		testType: serverTest,
-		name:     "TLS13-1RTT-Server",
-		config: Config{
-			MaxVersion: VersionTLS13,
-		},
-	})
+	if config.protocol == tls {
+		tests = append(tests, testCase{
+			name: "TLS13-1RTT-Client",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+			},
+			resumeSession:        true,
+		})
+
+		tests = append(tests, testCase{
+			testType: serverTest,
+			name:     "TLS13-1RTT-Server",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+			},
+			resumeSession:        true,
+		})
+
+		tests = append(tests, testCase{
+			name: "TLS13-HelloRetryRequest-Client",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+				// P-384 requires a HelloRetryRequest against
+				// BoringSSL's default configuration. Assert
+				// that we do indeed test this with
+				// ExpectMissingKeyShare.
+				CurvePreferences: []CurveID{CurveP384},
+				Bugs: ProtocolBugs{
+					ExpectMissingKeyShare: true,
+				},
+			},
+			// Cover HelloRetryRequest during an ECDHE-PSK resumption.
+			resumeSession: true,
+		})
+
+		tests = append(tests, testCase{
+			testType: serverTest,
+			name:     "TLS13-HelloRetryRequest-Server",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+				// Require a HelloRetryRequest for every curve.
+				DefaultCurves: []CurveID{},
+			},
+			// Cover HelloRetryRequest during an ECDHE-PSK resumption.
+			resumeSession: true,
+		})
+	}
 
 	// TLS client auth.
 	tests = append(tests, testCase{