enable relevant BoGo tests for session resumption

randombit · May 17, 2022 · 5b4843d · 5b4843d
1 parent 0d6937c
commit 5b4843d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 29 deletions.
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
@@ -152,13 +152,16 @@ std::string map_to_bogo_error(const std::string& e)
          { "Policy forbids all available TLS version", ":NO_SUPPORTED_VERSIONS_ENABLED:" },
          { "Policy refuses to accept signing with any hash supported by peer", ":NO_COMMON_SIGNATURE_ALGORITHMS:" },
          { "Policy requires client send a certificate, but it did not", ":PEER_DID_NOT_RETURN_A_CERTIFICATE:" },
+         { "PSK identity selected by server is out of bounds", ":PSK_IDENTITY_NOT_FOUND:" },
+         { "PSK and ciphersuite selected by server are not compatible", ":OLD_SESSION_PRF_HASH_MISMATCH:" },
          { "Received a record that exceeds maximum size", ":ENCRYPTED_LENGTH_TOO_LONG:" },
          { "Received an encrypted record that exceeds maximum size", ":ENCRYPTED_LENGTH_TOO_LONG:" },
          { "Received application data after connection closure", ":APPLICATION_DATA_ON_SHUTDOWN:" },
          { "Received handshake data after connection closure", ":NO_RENEGOTIATION:" },
          { "Received unexpected record version in initial record", ":WRONG_VERSION_NUMBER:" },
          { "Received unexpected record version", ":WRONG_VERSION_NUMBER:" },
          { "Rejecting ALPN request with alert", ":NO_APPLICATION_PROTOCOL:" },
+         { "RSA signatures must use an RSASSA-PSS algorithm", ":WRONG_SIGNATURE_TYPE:" },
          { "Server attempting to negotiate SSLv3 which is not supported", ":UNSUPPORTED_PROTOCOL:" },
          { "Server certificate changed during renegotiation", ":SERVER_CERT_CHANGED:" },
          { "Server changed its mind about extended master secret", ":RENEGOTIATION_EMS_MISMATCH:" },
@@ -757,6 +760,8 @@ std::unique_ptr<Shim_Arguments> parse_options(char* argv[])
       "max-version",
       "min-version",
       "mtu",
+      "on-initial-expect-curve-id",
+      "on-resume-expect-curve-id",
       "port",
       "read-size",
       "resume-count",

diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
@@ -12,7 +12,8 @@
         "PartialFinishedWithServerHelloDone": "Unexpected record vs excess handshake data",
         "HelloRetryRequest-DuplicateCurve-TLS13": "expects 'illegal parameter' but we want to stick with 'decode error'",
         "HelloRetryRequest-DuplicateCookie-TLS13": "expects 'illegal parameter' but we want to stick with 'decode error'",
-        "EncryptedExtensionsWithKeyShare-TLS13": "expects 'unsupported extension' but RFC requires 'illegal parameter'"
+        "EncryptedExtensionsWithKeyShare-TLS13": "expects 'unsupported extension' but RFC requires 'illegal parameter'",
+        "Resume-Client-Mismatch-TLS13-TLS12-TLS": "server requests a downgrade to TLS 1.2, echoing the random session ID during a TLS 1.3 resumption. => error mapping conflict"
     },
 
     "DisabledTests": {
@@ -40,33 +41,10 @@
         "TooManyChangeCipherSpec-Client-TLS13": "Limits on the number of CCS are not implemented",
         "TooManyKeyUpdates": "Limits on the number of KeyUpdates are not implemented",
 
-        "CertificateVerificationSucceed-Client-TLS13-*" : "TLS 1.3 session resumption is NYI",
-        "Client-VerifyDefault-*-TLS13" : "TLS 1.3 session resumption is NYI",
-        "Client-Verify-*-TLS13" : "TLS 1.3 session resumption is NYI",
-        "ExportKeyingMaterial-TLS13" : "TLS 1.3 session resumption is NYI",
-        "InvalidPSKIdentity-TLS13" : "TLS 1.3 session resumption is NYI",
-        "NegotiatePSKResumption-TLS13" : "TLS 1.3 session resumption is NYI",
-        "Resume-Client-CipherMismatch-TLS13" : "TLS 1.3 session resumption is NYI",
-        "Resume-Client-Mismatch-TLS13-TLS12-TLS" : "TLS 1.3 session resumption is NYI",
-        "Resume-Client-TLS13-TLS13-TLS" : "TLS 1.3 session resumption is NYI",
-        "TLS-TLS13-AES_128_GCM_SHA256-client" : "TLS 1.3 session resumption is NYI",
-        "TLS-TLS13-AES_256_GCM_SHA384-client" : "TLS 1.3 session resumption is NYI",
-        "TLS-TLS13-CHACHA20_POLY1305_SHA256-client" : "TLS 1.3 session resumption is NYI",
-        "TLS12SessionID-TLS13" : "TLS 1.3 session resumption is NYI",
-        "TLS13-HonorServerSessionTicketLifetime" : "TLS 1.3 session resumption is NYI",
-        "TLS13-TestBadTicketAge-Client" : "TLS 1.3 session resumption is NYI",
-        "TLS13-TestValidTicketAge-Client" : "TLS 1.3 session resumption is NYI",
-        "TLS13SessionID-TLS13" : "TLS 1.3 session resumption is NYI",
-        "TolerateServerNameAck-TLS-TLS13" : "TLS 1.3 session resumption is NYI",
-        "OCSPStapling-Client-TLS13-*" : "TLS 1.3 session resumption is NYI",
-        "Resume-Client-NoResume-TLS12-TLS13-TLS": "TLS 1.3 session resumption is NYI",
-        "Resume-Client-Mismatch-TLS12-TLS13-TLS": "TLS 1.3 session resumption is NYI",
-        "Ticket-Forbidden-TLS13": "TLS 1.3 session resumption is NYI",
-        "Resume-Client-PRFMismatch-TLS13": "TLS 1.3 session resumption is NYI",
-        "TLS13-HelloRetryRequest-Client-*": "TLS 1.3 session resumption is NYI",
-        "TLS13-TicketAgeSkew-*": "TLS 1.3 session resumption is NYI",
-        "CurveID-Resume-Client-TLS13": "TLS 1.3 session resumption is NYI",
-        "ALPNClient-TLS-TLS13": "TLS 1.3 session resumption is NYI",
+        "TLS12SessionID-TLS13": "We don't offer TLS 1.3 when a TLS 1.2 session was found",
+        "Ticket-Forbidden-TLS13": "We don't offer TLS 1.3 when a TLS 1.2 session was found",
+        "Resume-Client-NoResume-TLS12-TLS13-TLS": "We don't offer TLS 1.3 when a TLS 1.2 session was found",
+        "Resume-Client-Mismatch-TLS12-TLS13-TLS": "We don't offer TLS 1.3 when a TLS 1.2 session was found",
 
         "KeyUpdate-FromServer": "No TLS 1.3 server, yet",
         "FragmentedClientVersion": "No TLS 1.3 server, yet",
@@ -81,6 +59,7 @@
         "ECDSACurveMismatch-Sign-TLS13": "No TLS 1.3 server, yet",
         "MinimumVersion-Server*-TLS13*": "No TLS 1.3 server, yet",
         "Resume-Server*TLS13*": "No TLS 1.3 server, yet",
+        "Resume-Server-*": "No TLS 1.3 server, yet",
         "Server-Sign-*-TLS13": "No TLS 1.3 server, yet",
         "Server-Verify-*-TLS13": "No TLS 1.3 server, yet",
         "Server-VerifyDefault-*-TLS13": "No TLS 1.3 server, yet",
@@ -109,6 +88,7 @@
         "UnexpectedClientEncryptedExtensions-TLS-TLS13": "No TLS 1.3 server, yet",
         "UnknownCipher-TLS13": "No TLS 1.3 server, yet",
         "VersionTolerance-TLS13": "No TLS 1.3 server, yet",
+        "TLS13-TicketAgeSkew-*": "No TLS 1.3 server, yet",
 
         "*EarlyData*": "No TLS 1.3 Early Data, yet",
         "TLS13-1RTT-Client-*": "No TLS 1.3 Early Data, yet",
@@ -132,7 +112,6 @@
 
         "KeyUpdate-RequestACK-UnfinishedWrite": "-read-with-unfinished-write currently not supported in the shim",
 
-        "*Binder*": "No TLS 1.3",
         "NoExportEarlyKeyingMaterial*": "No TLS 1.3",
         "EarlyDataEnabled*": "No TLS 1.3",
         "TLS-ECH*": "No ECH support",