kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Test both disabled version/cipher combinations too.

Browse Source 
This unifies a bunch of tests and also adds a few missing ones.

Change-Id: I91652bd010da6cdb62168ce0a3415737127e1577
Reviewed-on: https://boringssl-review.googlesource.com/8360
Reviewed-by: Nick Harper <nharper@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
David Benjamin 2016-06-17 16:41:18 -04:00
parent aaa39e97f4
commit 0407e76daa
4 changed files with 87 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ssl/test/runner/common.go
View File

@ -558,10 +558,6 @@ type ProtocolBugs struct {
// closed the connection) before or after sending app data.
AlertBeforeFalseStartTest alert
// SkipCipherVersionCheck causes the server to negotiate
// TLS 1.2 ciphers in earlier versions of TLS.
SkipCipherVersionCheck bool
// ExpectServerName, if not empty, is the hostname the client
// must specify in the server_name extension.
ExpectServerName string
@ -760,8 +756,9 @@ type ProtocolBugs struct {
// into individual packets, up to the specified packet size.
PackHandshakeRecords int
// EnableAllCiphersInDTLS, if true, causes RC4 to be enabled in DTLS.
EnableAllCiphersInDTLS bool
// EnableAllCiphers, if true, causes all configured ciphers to be
// enabled.
EnableAllCiphers bool
// EmptyCertificateList, if true, causes the server to send an empty
// certificate list in the Certificate message.

18
ssl/test/runner/handshake_client.go
View File

@ -111,14 +111,16 @@ NextCipherSuite:
if suite.id != suiteId {
continue
}
// Don't advertise TLS 1.2-only cipher suites unless
// we're attempting TLS 1.2.
if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
continue
}
// Don't advertise non-DTLS cipher suites on DTLS.
if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS {
continue
if !c.config.Bugs.EnableAllCiphers {
// Don't advertise TLS 1.2-only cipher suites unless
// we're attempting TLS 1.2.
if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
continue
}
// Don't advertise non-DTLS cipher suites in DTLS.
if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
continue
}
}
hello.cipherSuites = append(hello.cipherSuites, suiteId)
continue NextCipherSuite

24
ssl/test/runner/handshake_server.go
View File

@ -1063,17 +1063,19 @@ func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version
}
// Don't select a ciphersuite which we can't
// support for this client.
if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
continue
}
if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
continue
}
if !c.config.Bugs.SkipCipherVersionCheck && version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
continue
}
if c.isDTLS && candidate.flags&suiteNoDTLS != 0 {
continue
if !c.config.Bugs.EnableAllCiphers {
if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
continue
}
if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
continue
}
if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
continue
}
if c.isDTLS && candidate.flags&suiteNoDTLS != 0 {
continue
}
}
return candidate
}

156
ssl/test/runner/runner.go
View File

@ -941,12 +941,6 @@ func hasComponent(suiteName, component string) bool {
return strings.Contains("-"+suiteName+"-", "-"+component+"-")
}
func isTLSOnly(suiteName string) bool {
// BoringSSL doesn't support ECDHE without a curves extension, and
// SSLv3 doesn't contain extensions.
return hasComponent(suiteName, "ECDHE") || isTLS12Only(suiteName)
}
func isTLS12Only(suiteName string) bool {
return hasComponent(suiteName, "GCM") ||
hasComponent(suiteName, "SHA256") ||
@ -1391,18 +1385,6 @@ func addBasicTests() {
shouldFail: true,
expectedError: ":WRONG_VERSION_NUMBER:",
},
{
name: "SkipCipherVersionCheck",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
MaxVersion: VersionTLS11,
Bugs: ProtocolBugs{
SkipCipherVersionCheck: true,
},
},
shouldFail: true,
expectedError: ":WRONG_CIPHER_RETURNED:",
},
{
name: "RSAEphemeralKey",
config: Config{
@ -2003,19 +1985,6 @@ func addBasicTests() {
},
},
},
{
testType: serverTest,
protocol: dtls,
name: "NoRC4-DTLS",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA},
Bugs: ProtocolBugs{
EnableAllCiphersInDTLS: true,
},
},
shouldFail: true,
expectedError: ":NO_SHARED_CIPHER:",
},
{
name: "SendEmptyRecords-Pass",
sendEmptyRecords: 32,
@ -2312,75 +2281,44 @@ func addCipherSuiteTests() {
}
for _, ver := range tlsVersions {
if ver.version < VersionTLS12 && isTLS12Only(suite.name) {
continue
}
for _, protocol := range []protocol{tls, dtls} {
var prefix string
if protocol == dtls {
if !ver.hasDTLS {
continue
}
prefix = "D"
}
shouldFail := isTLSOnly(suite.name) && ver.version == VersionSSL30
var shouldServerFail, shouldClientFail bool
if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
// BoringSSL clients accept ECDHE on SSLv3, but
// a BoringSSL server will never select it
// because the extension is missing.
shouldServerFail = true
}
if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
shouldClientFail = true
shouldServerFail = true
}
if !isDTLSCipher(suite.name) && protocol == dtls {
shouldClientFail = true
shouldServerFail = true
}
expectedError := ""
if shouldFail {
expectedError = ":NO_SHARED_CIPHER:"
}
var expectedServerError, expectedClientError string
if shouldServerFail {
expectedServerError = ":NO_SHARED_CIPHER:"
}
if shouldClientFail {
expectedClientError = ":WRONG_CIPHER_RETURNED:"
}
testCases = append(testCases, testCase{
testType: serverTest,
name: ver.name + "-" + suite.name + "-server",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
certFile: certFile,
keyFile: keyFile,
flags: flags,
resumeSession: true,
shouldFail: shouldFail,
expectedError: expectedError,
})
if shouldFail {
continue
}
testCases = append(testCases, testCase{
testType: clientTest,
name: ver.name + "-" + suite.name + "-client",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
flags: flags,
resumeSession: true,
})
if ver.hasDTLS && isDTLSCipher(suite.name) {
testCases = append(testCases, testCase{
testType: clientTest,
protocol: dtls,
name: "D" + ver.name + "-" + suite.name + "-client",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
flags: flags,
resumeSession: true,
})
testCases = append(testCases, testCase{
testType: serverTest,
protocol: dtls,
name: "D" + ver.name + "-" + suite.name + "-server",
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-server",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
@ -2388,11 +2326,39 @@ func addCipherSuiteTests() {
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
EnableAllCiphers: true,
IgnorePeerCipherPreferences: true,
},
},
certFile: certFile,
keyFile: keyFile,
flags: flags,
resumeSession: true,
shouldFail: shouldServerFail,
expectedError: expectedServerError,
})
testCases = append(testCases, testCase{
testType: clientTest,
protocol: protocol,
name: prefix + ver.name + "-" + suite.name + "-client",
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
Certificates: []Certificate{cert},
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
EnableAllCiphers: true,
IgnorePeerCipherPreferences: true,
},
},
flags: flags,
resumeSession: true,
shouldFail: shouldClientFail,
expectedError: expectedClientError,
})
}
}