Test both disabled version/cipher combinations too.

This unifies a bunch of tests and also adds a few missing ones. Change-Id: I91652bd010da6cdb62168ce0a3415737127e1577 Reviewed-on: https://boringssl-review.googlesource.com/8360 Reviewed-by: Nick Harper <nharper@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-06-17 16:41:18 -04:00 · 2016-06-17 16:41:18 -04:00 · 0407e76daa
commit 0407e76daa
parent aaa39e97f4
4 changed files with 87 additions and 120 deletions
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@ -558,10 +558,6 @@ type ProtocolBugs struct {
 	// closed the connection) before or after sending app data.
 	AlertBeforeFalseStartTest alert
 	// SkipCipherVersionCheck causes the server to negotiate
 	// TLS 1.2 ciphers in earlier versions of TLS.
 	SkipCipherVersionCheck bool
 	// ExpectServerName, if not empty, is the hostname the client
 	// must specify in the server_name extension.
 	ExpectServerName string
@ -760,8 +756,9 @@ type ProtocolBugs struct {
 	// into individual packets, up to the specified packet size.
 	PackHandshakeRecords int
-	// EnableAllCiphersInDTLS, if true, causes RC4 to be enabled in DTLS.
+	// EnableAllCiphers, if true, causes all configured ciphers to be
-	EnableAllCiphersInDTLS bool
+	// enabled.
 	EnableAllCiphers bool
 	// EmptyCertificateList, if true, causes the server to send an empty
 	// certificate list in the Certificate message.
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@ -111,14 +111,16 @@ NextCipherSuite:
 			if suite.id != suiteId {
 				continue
 			}
-			// Don't advertise TLS 1.2-only cipher suites unless
+			if !c.config.Bugs.EnableAllCiphers {
-			// we're attempting TLS 1.2.
+				// Don't advertise TLS 1.2-only cipher suites unless
-			if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
+				// we're attempting TLS 1.2.
-				continue
+				if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
-			}
+					continue
-			// Don't advertise non-DTLS cipher suites on DTLS.
+				}
-			if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS {
+				// Don't advertise non-DTLS cipher suites in DTLS.
-				continue
+				if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
 					continue
 				}
 			}
 			hello.cipherSuites = append(hello.cipherSuites, suiteId)
 			continue NextCipherSuite
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@ -1063,17 +1063,19 @@ func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version
 			}
 			// Don't select a ciphersuite which we can't
 			// support for this client.
-			if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
+			if !c.config.Bugs.EnableAllCiphers {
-				continue
+				if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
-			}
+					continue
-			if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
+				}
-				continue
+				if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
-			}
+					continue
-			if !c.config.Bugs.SkipCipherVersionCheck && version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
+				}
-				continue
+				if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
-			}
+					continue
-			if c.isDTLS && candidate.flags&suiteNoDTLS != 0 {
+				}
-				continue
+				if c.isDTLS && candidate.flags&suiteNoDTLS != 0 {
 					continue
 				}
 			}
 			return candidate
 		}
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -941,12 +941,6 @@ func hasComponent(suiteName, component string) bool {
 	return strings.Contains("-"+suiteName+"-", "-"+component+"-")
 }
 func isTLSOnly(suiteName string) bool {
 	// BoringSSL doesn't support ECDHE without a curves extension, and
 	// SSLv3 doesn't contain extensions.
 	return hasComponent(suiteName, "ECDHE") || isTLS12Only(suiteName)
 }
 func isTLS12Only(suiteName string) bool {
 	return hasComponent(suiteName, "GCM") ||
 		hasComponent(suiteName, "SHA256") ||
@ -1391,18 +1385,6 @@ func addBasicTests() {
 			shouldFail:    true,
 			expectedError: ":WRONG_VERSION_NUMBER:",
 		},
 		{
 			name: "SkipCipherVersionCheck",
 			config: Config{
 				CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
 				MaxVersion:   VersionTLS11,
 				Bugs: ProtocolBugs{
 					SkipCipherVersionCheck: true,
 				},
 			},
 			shouldFail:    true,
 			expectedError: ":WRONG_CIPHER_RETURNED:",
 		},
 		{
 			name: "RSAEphemeralKey",
 			config: Config{
@ -2003,19 +1985,6 @@ func addBasicTests() {
 				},
 			},
 		},
 		{
 			testType: serverTest,
 			protocol: dtls,
 			name:     "NoRC4-DTLS",
 			config: Config{
 				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA},
 				Bugs: ProtocolBugs{
 					EnableAllCiphersInDTLS: true,
 				},
 			},
 			shouldFail:    true,
 			expectedError: ":NO_SHARED_CIPHER:",
 		},
 		{
 			name:             "SendEmptyRecords-Pass",
 			sendEmptyRecords: 32,
@ -2312,75 +2281,44 @@ func addCipherSuiteTests() {
 		}
 		for _, ver := range tlsVersions {
-			if ver.version < VersionTLS12 && isTLS12Only(suite.name) {
+			for _, protocol := range []protocol{tls, dtls} {
-				continue
+				var prefix string
-			}
+				if protocol == dtls {
 					if !ver.hasDTLS {
 						continue
 					}
 					prefix = "D"
 				}
-			shouldFail := isTLSOnly(suite.name) && ver.version == VersionSSL30
+				var shouldServerFail, shouldClientFail bool
 				if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
 					// BoringSSL clients accept ECDHE on SSLv3, but
 					// a BoringSSL server will never select it
 					// because the extension is missing.
 					shouldServerFail = true
 				}
 				if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
 					shouldClientFail = true
 					shouldServerFail = true
 				}
 				if !isDTLSCipher(suite.name) && protocol == dtls {
 					shouldClientFail = true
 					shouldServerFail = true
 				}
-			expectedError := ""
+				var expectedServerError, expectedClientError string
-			if shouldFail {
+				if shouldServerFail {
-				expectedError = ":NO_SHARED_CIPHER:"
+					expectedServerError = ":NO_SHARED_CIPHER:"
-			}
+				}
 				if shouldClientFail {
 					expectedClientError = ":WRONG_CIPHER_RETURNED:"
 				}
 			testCases = append(testCases, testCase{
 				testType: serverTest,
 				name:     ver.name + "-" + suite.name + "-server",
 				config: Config{
 					MinVersion:           ver.version,
 					MaxVersion:           ver.version,
 					CipherSuites:         []uint16{suite.id},
 					Certificates:         []Certificate{cert},
 					PreSharedKey:         []byte(psk),
 					PreSharedKeyIdentity: pskIdentity,
 				},
 				certFile:      certFile,
 				keyFile:       keyFile,
 				flags:         flags,
 				resumeSession: true,
 				shouldFail:    shouldFail,
 				expectedError: expectedError,
 			})
 			if shouldFail {
 				continue
 			}
 			testCases = append(testCases, testCase{
 				testType: clientTest,
 				name:     ver.name + "-" + suite.name + "-client",
 				config: Config{
 					MinVersion:           ver.version,
 					MaxVersion:           ver.version,
 					CipherSuites:         []uint16{suite.id},
 					Certificates:         []Certificate{cert},
 					PreSharedKey:         []byte(psk),
 					PreSharedKeyIdentity: pskIdentity,
 				},
 				flags:         flags,
 				resumeSession: true,
 			})
 			if ver.hasDTLS && isDTLSCipher(suite.name) {
 				testCases = append(testCases, testCase{
 					testType: clientTest,
 					protocol: dtls,
 					name:     "D" + ver.name + "-" + suite.name + "-client",
 					config: Config{
 						MinVersion:           ver.version,
 						MaxVersion:           ver.version,
 						CipherSuites:         []uint16{suite.id},
 						Certificates:         []Certificate{cert},
 						PreSharedKey:         []byte(psk),
 						PreSharedKeyIdentity: pskIdentity,
 					},
 					flags:         flags,
 					resumeSession: true,
 				})
 				testCases = append(testCases, testCase{
 					testType: serverTest,
-					protocol: dtls,
+					protocol: protocol,
-					name:     "D" + ver.name + "-" + suite.name + "-server",
+
 					name: prefix + ver.name + "-" + suite.name + "-server",
 					config: Config{
 						MinVersion:           ver.version,
 						MaxVersion:           ver.version,
@ -2388,11 +2326,39 @@ func addCipherSuiteTests() {
 						Certificates:         []Certificate{cert},
 						PreSharedKey:         []byte(psk),
 						PreSharedKeyIdentity: pskIdentity,
 						Bugs: ProtocolBugs{
 							EnableAllCiphers:            true,
 							IgnorePeerCipherPreferences: true,
 						},
 					},
 					certFile:      certFile,
 					keyFile:       keyFile,
 					flags:         flags,
 					resumeSession: true,
 					shouldFail:    shouldServerFail,
 					expectedError: expectedServerError,
 				})
 				testCases = append(testCases, testCase{
 					testType: clientTest,
 					protocol: protocol,
 					name:     prefix + ver.name + "-" + suite.name + "-client",
 					config: Config{
 						MinVersion:           ver.version,
 						MaxVersion:           ver.version,
 						CipherSuites:         []uint16{suite.id},
 						Certificates:         []Certificate{cert},
 						PreSharedKey:         []byte(psk),
 						PreSharedKeyIdentity: pskIdentity,
 						Bugs: ProtocolBugs{
 							EnableAllCiphers:            true,
 							IgnorePeerCipherPreferences: true,
 						},
 					},
 					flags:         flags,
 					resumeSession: true,
 					shouldFail:    shouldClientFail,
 					expectedError: expectedClientError,
 				})
 			}
 		}