Test that we tolerate server-sent supported groups.
I should have added this test in
https://boringssl-review.googlesource.com/10320. This is necessary in
TLS 1.3 for spec compliance and in TLS 1.2 to tolerate some broken servers.
Change-Id: Ibb52eaa1e370062f83e84856ef7f1c2c79d6a5d3
Reviewed-on: https://boringssl-review.googlesource.com/21124
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index dc4055e..3991870 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -1386,6 +1386,12 @@
// empty slice, no extension will be sent.
SendSupportedPointFormats []byte
+ // SendServerSupportedCurves, if true, causes the server to send its
+ // supported curves list in the ServerHello (TLS 1.2) or
+ // EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and
+ // valid in TLS 1.3.
+ SendServerSupportedCurves bool
+
// MaxReceivePlaintext, if non-zero, is the maximum plaintext record
// length accepted from the peer.
MaxReceivePlaintext int
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 5dbcab9..bf9cb7f 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -1149,6 +1149,7 @@
keyShare keyShareEntry
supportedVersion uint16
supportedPoints []uint8
+ supportedCurves []CurveID
serverNameAck bool
}
@@ -1256,6 +1257,15 @@
supportedPoints := supportedPointsList.addU8LengthPrefixed()
supportedPoints.addBytes(m.supportedPoints)
}
+ if len(m.supportedCurves) > 0 {
+ // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
+ extensions.addU16(extensionSupportedCurves)
+ supportedCurvesList := extensions.addU16LengthPrefixed()
+ supportedCurves := supportedCurvesList.addU16LengthPrefixed()
+ for _, curve := range m.supportedCurves {
+ supportedCurves.addU16(uint16(curve))
+ }
+ }
if m.hasEarlyData {
extensions.addU16(extensionEarlyData)
extensions.addBytes([]byte{0, 0})
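Review bot: The comment on the new `extensionSupportedCurves` branch cites only the TLS 1.3 draft, yet per the `SendServerSupportedCurves` doc in common.go the same bytes are also emitted in a TLS 1.2 ServerHello, where the extension is invalid. I would extend the comment to say so, e.g. `// Set only via Bugs.SendServerSupportedCurves: valid in TLS 1.3 EncryptedExtensions, deliberately invalid in a TLS 1.2 ServerHello.` The diff adds only the marshal side; if the matching unmarshal code (not shown here) does not accept this extension, a note that `supportedCurves` is write-only would save the next reader a search. The enclosing marshal function starts and ends outside the hunk.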
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index b1729cb..f67cc94 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -1297,6 +1297,10 @@
serverExtensions.supportedPoints = c.config.Bugs.SendSupportedPointFormats
}
+ if c.config.Bugs.SendServerSupportedCurves {
+ serverExtensions.supportedCurves = c.config.curvePreferences()
+ }
+
if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE {
return errors.New("tls: no GREASE extension found")
}
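Review bot: `serverExtensions.supportedCurves = c.config.curvePreferences()` can only ever send the runner's own preference list, so the tolerance tests cannot present a list that disagrees with the negotiated curve or names groups the client does not know. `SendSupportedPointFormats` in the same ProtocolBugs struct is a `[]byte` carrying the exact bytes to send; making the new knob a `[]CurveID` (nil meaning "do not send") would let a test show that the client ignores the list's contents and does not merely accept a benign one. The surrounding function begins and ends outside the hunk.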
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index bc0a9d0..39a3765 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -9612,6 +9612,28 @@
expectedError: ":ERROR_PARSING_EXTENSION:",
})
+ // Server-sent supported groups/curves are legal in TLS 1.3. They are
+ // illegal in TLS 1.2, but some servers send them anyway, so we must
+ // tolerate them.
+ testCases = append(testCases, testCase{
+ name: "SupportedCurves-ServerHello-TLS12",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendServerSupportedCurves: true,
+ },
+ },
+ })
+ testCases = append(testCases, testCase{
+ name: "SupportedCurves-EncryptedExtensions-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendServerSupportedCurves: true,
+ },
+ },
+ })
+
// Test that we tolerate unknown point formats, as long as
// pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
// check they are still functional.
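Review bot: The two `SupportedCurves-*` cases set no expectation fields, so they pass on any completed full handshake, and nothing here covers resumption. If the client parses ServerHello extensions on a separate path for an abbreviated TLS 1.2 handshake (not visible in this diff), a variant with `resumeSession: true` would pin the tolerance there as well. A short comment stating that success is the assertion would also help, e.g. `// No expectedError: the handshake must complete despite the extension.`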