Test that Finished checks are enforced in 0-RTT.
This is analogous to needing to test that Finished is enforced in False
Start.
Change-Id: I168a72ac51b0f75156aaf6ccc9724ae66ce1e734
Reviewed-on: https://boringssl-review.googlesource.com/18986
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/fuzzer_mode.json b/ssl/test/runner/fuzzer_mode.json
index 834be40..9fa49b5 100644
--- a/ssl/test/runner/fuzzer_mode.json
+++ b/ssl/test/runner/fuzzer_mode.json
@@ -2,8 +2,7 @@
"DisabledTests": {
"BadCBCPadding*": "Fuzzer mode has no CBC padding.",
- "BadFinished-*": "Fuzzer mode ignores Finished checks.",
- "FalseStart-BadFinished": "Fuzzer mode ignores Finished checks.",
+ "*BadFinished*": "Fuzzer mode ignores Finished checks.",
"TrailingMessageData-*Finished*": "Fuzzer mode ignores Finished checks.",
"DTLSIgnoreBadPackets*": "Fuzzer mode has no bad packets.",
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 4d7d2b0..1015857 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -11768,7 +11768,8 @@
Bugs: ProtocolBugs{
SendEarlyData: [][]byte{{1, 2, 3, 4}},
SendStrayEarlyHandshake: true,
- ExpectEarlyDataAccepted: true},
+ ExpectEarlyDataAccepted: true,
+ },
},
resumeSession: true,
shouldFail: true,
@@ -11796,6 +11797,59 @@
"-expect-version", strconv.Itoa(VersionTLS13),
},
})
+
+ // Test that client and server both notice handshake errors after data
+ // has started flowing.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "TLS13-EarlyData-Client-BadFinished",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ BadFinished: true,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-accept-early-data",
+ },
+ shouldFail: true,
+ expectedError: ":DIGEST_CHECK_FAILED:",
+ expectedLocalError: "remote error: error decrypting message",
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "TLS13-EarlyData-Server-BadFinished",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ SendEarlyData: [][]byte{{1, 2, 3, 4}},
+ ExpectEarlyDataAccepted: true,
+ ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
+ BadFinished: true,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-accept-early-data",
+ },
+ shouldFail: true,
+ expectedError: ":DIGEST_CHECK_FAILED:",
+ expectedLocalError: "remote error: error decrypting message",
+ })
}
func addTLS13CipherPreferenceTests() {
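Review bot: The client case `TLS13-EarlyData-Client-BadFinished` does not, from what is visible in this hunk, pin that early data was actually on the wire before the bad Finished arrives. Its `resumeConfig.Bugs` sets only `BadFinished: true`, whereas the server case sets `SendEarlyData` and `ExpectHalfRTTData`. If the shim does not write early data on its own under `-enable-early-data`, the client case reduces to an ordinary resumption BadFinished test and would not catch a regression where the 0-RTT path skips the Finished check. Consider adding a runner-side expectation (I believe ProtocolBugs has `ExpectEarlyData` for this; confirm against common.go), or stating the invariant in the comment, e.g. `// In 0-RTT, application data flows before the peer's Finished is verified; a bad Finished must still abort the connection.` The enclosing function begins outside this hunk, so any shared setup there is not visible.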