Add tests for bad ChangeCipherSpecs.

Change-Id: I7eac3582b7b23b5da95be68277609cfa63195b02
Reviewed-on: https://boringssl-review.googlesource.com/6629
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 2addea6..ec0e2db 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -805,6 +805,10 @@
 	// bytes) of the server's Diffie-Hellman public value is not equal to
 	// this.
 	RequireDHPublicValueLen int
+
+	// BadChangeCipherSpec, if not nil, is the body to be sent in
+	// ChangeCipherSpec records instead of {1}.
+	BadChangeCipherSpec []byte
 }
 
 func (c *Config) serverInit() {
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 512d23f..64630ba 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -924,7 +924,11 @@
 
 	if !c.config.Bugs.SkipChangeCipherSpec &&
 		c.config.Bugs.EarlyChangeCipherSpec == 0 {
-		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
+		ccs := []byte{1}
+		if c.config.Bugs.BadChangeCipherSpec != nil {
+			ccs = c.config.Bugs.BadChangeCipherSpec
+		}
+		c.writeRecord(recordTypeChangeCipherSpec, ccs)
 	}
 
 	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 61c6cbe..0232772 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -914,7 +914,11 @@
 	c.dtlsFlushHandshake()
 
 	if !c.config.Bugs.SkipChangeCipherSpec {
-		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
+		ccs := []byte{1}
+		if c.config.Bugs.BadChangeCipherSpec != nil {
+			ccs = c.config.Bugs.BadChangeCipherSpec
+		}
+		c.writeRecord(recordTypeChangeCipherSpec, ccs)
 	}
 
 	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
diff --git a/ssl/test/runner/packet_adapter.go b/ssl/test/runner/packet_adapter.go
index 2351eb0..a8da311 100644
--- a/ssl/test/runner/packet_adapter.go
+++ b/ssl/test/runner/packet_adapter.go
@@ -96,7 +96,7 @@
 // for acknowledgement of the timeout, buffering any packets received since
 // then. The packets are then returned.
 func (p *packetAdaptor) SendReadTimeout(d time.Duration) ([][]byte, error) {
-	p.log("Simulating read timeout: " + d.String(), nil)
+	p.log("Simulating read timeout: "+d.String(), nil)
 
 	payload := make([]byte, 1+8)
 	payload[0] = opcodeTimeout
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 19a9dac..1e5ffd9 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1995,6 +1995,48 @@
 			shouldFail:    true,
 			expectedError: ":BAD_ECC_CERT:",
 		},
+		{
+			name: "BadChangeCipherSpec-1",
+			config: Config{
+				Bugs: ProtocolBugs{
+					BadChangeCipherSpec: []byte{2},
+				},
+			},
+			shouldFail:    true,
+			expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
+		},
+		{
+			name: "BadChangeCipherSpec-2",
+			config: Config{
+				Bugs: ProtocolBugs{
+					BadChangeCipherSpec: []byte{1, 1},
+				},
+			},
+			shouldFail:    true,
+			expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
+		},
+		{
+			protocol: dtls,
+			name:     "BadChangeCipherSpec-DTLS-1",
+			config: Config{
+				Bugs: ProtocolBugs{
+					BadChangeCipherSpec: []byte{2},
+				},
+			},
+			shouldFail:    true,
+			expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
+		},
+		{
+			protocol: dtls,
+			name:     "BadChangeCipherSpec-DTLS-2",
+			config: Config{
+				Bugs: ProtocolBugs{
+					BadChangeCipherSpec: []byte{1, 1},
+				},
+			},
+			shouldFail:    true,
+			expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
+		},
 	}
 	testCases = append(testCases, basicTests...)
 }