Google Git
Sign in
boringssl/boringssl.git/1286beef9499c5b76865bcf687e803a8e12cd2fa^!/.
commit
1286beef9499c5b76865bcf687e803a8e12cd2fa
[log]
author
David Benjamin <davidben@google.com>
Fri Oct 07 15:25:06 2016 -0400
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Fri Oct 07 21:00:59 2016 +0000
tree
98f75f2375fa05f8e1d1703c082329445730450b
parent
1a5e8ecd6429b9206f460047c0da323f84630896 [diff]
Test that unknown TLS 1.3 ticket extensions are tolerated.

Change-Id: Ifcdbeab9291d1141605a09a1960702c792cffa86
Reviewed-on: https://boringssl-review.googlesource.com/11561
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 1449550..4e3f014 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -100,6 +100,11 @@
 	extensionChannelID                  uint16 = 30032 // not IANA assigned
 )
 
+// TLS ticket extension numbers
+const (
+	ticketExtensionCustom uint16 = 1234 // not IANA assigned
+)
+
 // TLS signaling cipher suite values
 const (
 	scsvRenegotiation uint16 = 0x00ff
@@ -887,6 +892,10 @@
 	// of a custom extension.
 	ExpectedCustomExtension *string
 
+	// CustomTicketExtension, if not empty, contains the contents of an
+	// extension what will be added to NewSessionTicket in TLS 1.3.
+	CustomTicketExtension string
+
 	// NoCloseNotify, if true, causes the close_notify alert to be skipped
 	// on connection shutdown.
 	NoCloseNotify bool

diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 7f395d5..24f0d60 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go

@@ -1714,10 +1714,11 @@
 
 	// TODO(davidben): Allow configuring these values.
 	m := &newSessionTicketMsg{
-		version:        c.vers,
-		ticketLifetime: uint32(24 * time.Hour / time.Second),
-		keModes:        []byte{pskDHEKEMode},
-		authModes:      []byte{pskAuthMode},
+		version:         c.vers,
+		ticketLifetime:  uint32(24 * time.Hour / time.Second),
+		keModes:         []byte{pskDHEKEMode},
+		authModes:       []byte{pskAuthMode},
+		customExtension: c.config.Bugs.CustomTicketExtension,
 	}
 
 	if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 {

diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 9864b0a..546966a 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go

@@ -1825,6 +1825,7 @@
 	keModes            []byte
 	authModes          []byte
 	ticket             []byte
+	customExtension    string
 	hasGREASEExtension bool
 }
 
@@ -1847,11 +1848,11 @@
 	ticket.addBytes(m.ticket)
 
 	if m.version >= VersionTLS13 {
-		// Send no extensions.
-		//
-		// TODO(davidben): Add an option to send a custom extension to
-		// test we correctly ignore unknown ones.
-		body.addU16(0)
+		extensions := body.addU16LengthPrefixed()
+		if len(m.customExtension) > 0 {
+			extensions.addU16(ticketExtensionCustom)
+			extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension))
+		}
 	}
 
 	m.raw = ticketMsg.finish()

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index a7fd154..95dbc0d 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -8595,6 +8595,17 @@
 		shouldFail:    true,
 		expectedError: ":PSK_IDENTITY_NOT_FOUND:",
 	})
+
+	// Test that unknown NewSessionTicket extensions are tolerated.
+	testCases = append(testCases, testCase{
+		name: "TLS13-CustomTicketExtension",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			Bugs: ProtocolBugs{
+				CustomTicketExtension: "1234",
+			},
+		},
+	})
 }
 
 func addPeekTests() {