Work around yaSSL bug.

yaSSL has a couple of bugs in their DH client implementation. This
change works around the worst of the two.

Firstly, they expect the the DH public value to be the same length as
the prime. This change pads the public value as needed to ensure this.

Secondly, although they handle the first byte of the shared key being
zero, they don't handle the case of the second, third, etc bytes being
zero. So whenever that happens the handshake fails. I don't think that
there's anything that we can do about that one.

Change-Id: I789c9e5739f19449473305d59fe5c3fb9b4a6167
Reviewed-by: David Benjamin <>
Reviewed-by: Adam Langley <>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index a1801c8..befde86 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2185,6 +2185,20 @@
 		expectedError: ":DH_P_TOO_LONG:",
+	// This test ensures that Diffie-Hellman public values are padded with
+	// zeros so that they're the same length as the prime. This is to avoid
+	// hitting a bug in yaSSL.
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "DHPublicValuePadded",
+		config: Config{
+			CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
+			Bugs: ProtocolBugs{
+				RequireDHPublicValueLen: (1025 + 7) / 8,
+			},
+		},
+		flags: []string{"-use-sparse-dh-prime"},
+	})
 	// versionSpecificCiphersTest specifies a test for the TLS 1.0 and TLS
 	// 1.1 specific cipher suite settings. A server is setup with the given