boringssl/ssl/test/runner
Adam Langley ba5934b77f Tighten up EMS resumption behaviour.
The client and server both have to decide on behaviour when resuming a
session where the EMS state of the session doesn't match the EMS state
as exchanged in the handshake.

                        Original handshake
      |  No                                         Yes
------+--------------------------------------------------------------
      |
R     |  Server: ok [1]                     Server: abort [3]
e  No |  Client: ok [2]                     Client: abort [4]
s     |
u     |
m     |
e     |
  Yes |  Server: don't resume                   No problem
      |  Client: abort; server
      |    shouldn't have resumed

[1] Servers want to accept legacy clients. The draft[5] says that
resumptions SHOULD be rejected so that Triple-Handshake can't be done,
but we'll rather enforce that EMS was used when using tls-unique etc.

[2] The draft[5] says that even the initial handshake should be aborted
if the server doesn't support EMS, but we need to be able to talk to the
world.

[3] This is a very weird case where a client has regressed without
flushing the session cache. Hopefully we can be strict and reject these.

[4] This can happen when a server-farm shares a session cache but
frontends are not all updated at once. If Chrome is strict here then
hopefully we can prevent any servers from existing that will try to
resume an EMS session that they don't understand. OpenSSL appears to be
ok here: https://www.ietf.org/mail-archive/web/tls/current/msg16570.html

[5] https://tools.ietf.org/html/draft-ietf-tls-session-hash-05#section-5.2

BUG=492200

Change-Id: Ie1225a3960d49117b05eefa5a36263d8e556e467
Reviewed-on: https://boringssl-review.googlesource.com/4981
Reviewed-by: Adam Langley <agl@google.com>
2015-06-03 22:05:50 +00:00
..
alert.go Inital import. 2014-06-20 13:17:32 -07:00
cert.pem Inital import. 2014-06-20 13:17:32 -07:00
chacha20_poly1305_test.go Add tests for CHACHA20_POLY1305 ciphers. 2015-04-08 20:47:08 +00:00
chacha20_poly1305.go Add tests for CHACHA20_POLY1305 ciphers. 2015-04-08 20:47:08 +00:00
channel_id_key.pem Add basic TLS Channel ID tests. 2014-08-26 17:40:36 +00:00
cipher_suites.go Add tests for CHACHA20_POLY1305 ciphers. 2015-04-08 20:47:08 +00:00
common.go Add a test that DTLS does not support RC4. 2015-06-01 22:43:34 +00:00
conn.go Deprecate SSL_*_read_ahead and enforce DTLS packet boundaries. 2015-05-21 18:29:34 +00:00
dtls.go Fix DTLS handling of multiple records in a packet. 2015-05-29 22:59:38 +00:00
ecdsa_cert.pem Inital import. 2014-06-20 13:17:32 -07:00
ecdsa_key.pem Inital import. 2014-06-20 13:17:32 -07:00
handshake_client.go Add a test that DTLS does not support RC4. 2015-06-01 22:43:34 +00:00
handshake_messages.go Add tests for OCSP stapling and SCT lists. 2014-12-02 19:26:01 +00:00
handshake_server.go Add client-side tests for renegotiation_info enforcement. 2015-05-20 21:10:14 +00:00
key_agreement.go Set minimum DH group size to 1024 bits. 2015-05-20 18:35:31 +00:00
key.pem Inital import. 2014-06-20 13:17:32 -07:00
packet_adapter.go runner: fix a couple of nits from govet. 2015-04-17 21:45:50 +00:00
poly1305.go Add tests for CHACHA20_POLY1305 ciphers. 2015-04-08 20:47:08 +00:00
prf.go Test that signature_algorithm preferences are enforced. 2015-03-20 18:23:54 +00:00
recordingconn.go Extended master secret support. 2014-10-24 21:19:44 +00:00
runner.go Tighten up EMS resumption behaviour. 2015-06-03 22:05:50 +00:00
test_output.go runner and all_tests should exit with failure on failing tests. 2015-04-06 20:49:54 +00:00
ticket.go Extended master secret support. 2014-10-24 21:19:44 +00:00
tls.go Add DTLS replay tests. 2014-11-10 23:58:56 +00:00