Flesh out missing TLS 1.3 state machine coverage.

The TLS 1.3 state machine is actually less in need of the aggressive state machine coverage tests, but nonetheless, we should cover all handshake shapes. PSK resumption and HelloRetryRequest were missing. We were also accidentally running "DTLS" versions of the TLS 1.3 tests but silently running TLS 1.2. Change-Id: I65db4052b89d770db7e47738e73aaadde9634236 Reviewed-on: https://boringssl-review.googlesource.com/10441 Reviewed-by: Nick Harper <nharper@chromium.org> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-08-17 00:29:33 -04:00 · 2016-08-17 00:29:33 -04:00 · e73c7f4281
commit e73c7f4281
parent e54af069d8
3 changed files with 61 additions and 13 deletions
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@ -1041,6 +1041,11 @@ type ProtocolBugs struct {
 	// HelloRequest in the same record as Finished.
 	PackHelloRequestWithFinished bool

+	// ExpectMissingKeyShare, if true, causes the TLS server to fail the
+	// connection if the selected curve appears in the client's initial
+	// ClientHello. That is, it requires that a HelloRetryRequest be sent.
+	ExpectMissingKeyShare bool
+
 	// SendExtraFinished, if true, causes an extra Finished message to be
 	// sent.
 	SendExtraFinished bool
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@ -430,6 +430,10 @@ Curves:
 			}
 		}

+		if config.Bugs.ExpectMissingKeyShare && selectedKeyShare != nil {
+			return errors.New("tls: expected missing key share")
+		}
+
 		sendHelloRetryRequest := selectedKeyShare == nil
 		if config.Bugs.UnnecessaryHelloRetryRequest {
 			sendHelloRetryRequest = true
@ -451,6 +455,7 @@ Curves:
 			}
 			hs.writeServerHash(helloRetryRequestMsg.marshal())
 			c.writeRecord(recordTypeHandshake, helloRetryRequestMsg.marshal())
+			c.flushHandshake()

 			// Read new ClientHello.
 			newMsg, err := c.readHandshake()
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -3118,20 +3118,58 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
 	})

 	// TLS 1.3 basic handshake shapes.
+	if config.protocol == tls {
 		tests = append(tests, testCase{
 			name: "TLS13-1RTT-Client",
 			config: Config{
 				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
 			},
+			resumeSession:        true,
 		})
+
 		tests = append(tests, testCase{
 			testType: serverTest,
 			name:     "TLS13-1RTT-Server",
 			config: Config{
 				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
 			},
+			resumeSession:        true,
 		})

+		tests = append(tests, testCase{
+			name: "TLS13-HelloRetryRequest-Client",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+				// P-384 requires a HelloRetryRequest against
+				// BoringSSL's default configuration. Assert
+				// that we do indeed test this with
+				// ExpectMissingKeyShare.
+				CurvePreferences: []CurveID{CurveP384},
+				Bugs: ProtocolBugs{
+					ExpectMissingKeyShare: true,
+				},
+			},
+			// Cover HelloRetryRequest during an ECDHE-PSK resumption.
+			resumeSession: true,
+		})
+
+		tests = append(tests, testCase{
+			testType: serverTest,
+			name:     "TLS13-HelloRetryRequest-Server",
+			config: Config{
+				MaxVersion: VersionTLS13,
+				MinVersion: VersionTLS13,
+				// Require a HelloRetryRequest for every curve.
+				DefaultCurves: []CurveID{},
+			},
+			// Cover HelloRetryRequest during an ECDHE-PSK resumption.
+			resumeSession: true,
+		})
+	}
+
 	// TLS client auth.
 	tests = append(tests, testCase{
 		testType: clientTest,