Add tests for OCSP's interaction with resumption.
This is another case where the specification failed to hammer things
down and OpenSSL messed it up as a result. Also fix the SCT test in TLS
1.3.
Change-Id: I47541670447d1929869e1a39b2d9671a127bfba0
Reviewed-on: https://boringssl-review.googlesource.com/11480
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index bb07136..5630b47 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5009,6 +5009,9 @@
},
resumeSession: true,
})
+
+ // The SCT extension did not specify that it must only be sent on resumption as it
+ // should have, so test that we tolerate but ignore it.
testCases = append(testCases, testCase{
name: "SendSCTListOnResume-" + ver.name,
config: Config{
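Review bot: The new comment above the SendSCTListOnResume case says the specification "did not specify that it must only be sent on resumption", which is the inverse of what the test exercises: the extension is sent on a resumption handshake and the client is expected to tolerate but ignore it, so the omission being tested is that the specification never forbade sending it on resumption. Suggest `// The SCT extension did not specify that it must not be sent on resumption as it should have, so test that we tolerate but ignore it.` The enclosing function and the loop that supplies `ver` both start before this hunk.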
@@ -5024,6 +5027,7 @@
},
resumeSession: true,
})
+
testCases = append(testCases, testCase{
name: "SignedCertificateTimestampList-Server-" + ver.name,
testType: serverTest,
@@ -5219,6 +5223,43 @@
expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
expectedLocalError: "remote error: error decrypting message",
})
+
+ // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
+ // tolerated.
+ testCases = append(testCases, testCase{
+ name: "SendOCSPResponseOnResume-TLS12",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendOCSPResponseOnResume: []byte("bogus"),
+ },
+ },
+ flags: []string{
+ "-enable-ocsp-stapling",
+ "-expect-ocsp-response",
+ base64.StdEncoding.EncodeToString(testOCSPResponse),
+ },
+ resumeSession: true,
+ })
+
+ // Beginning TLS 1.3, enforce this does not happen.
+ testCases = append(testCases, testCase{
+ name: "SendOCSPResponseOnResume-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendOCSPResponseOnResume: []byte("bogus"),
+ },
+ },
+ flags: []string{
+ "-enable-ocsp-stapling",
+ "-expect-ocsp-response",
+ base64.StdEncoding.EncodeToString(testOCSPResponse),
+ },
+ resumeSession: true,
+ shouldFail: true,
+ expectedError: ":ERROR_PARSING_EXTENSION:",
+ })
}
func addResumptionVersionTests() {
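Review bot: The TLS 1.2 case at SendOCSPResponseOnResume-TLS12 never states what makes it pass: the peer sends `"bogus"` on the resumption, yet `-expect-ocsp-response` is given `testOCSPResponse`, so the test is implicitly asserting that the resumed connection still reports the response cached with the session rather than the bytes supplied on resumption. That is the property worth protecting, and it is easy to weaken accidentally if someone later "fixes" the test by expecting `"bogus"`; a comment such as `// The resumed connection must report the response saved with the session, not the bytes sent on resumption.` above the flags would pin it. For symmetry with the ChannelID case at the top of the hunk, the TLS 1.3 case could also carry an `expectedLocalError` for the alert the runner receives, if that alert is known; otherwise `expectedError` alone is adequate. The enclosing function starts before this hunk.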