Add negative False Start tests.
Extend the False Start tests to optionally send an alert (thus avoiding deadlock) before waiting for the out-of-order app data. Based on whether the peer shuts off the connection before or after sending app data, we can determine whether the peer False Started by observing purely external effects. Change-Id: I8b9fecc29668e0b0c34b5fd19d0f239545011bae Reviewed-on: https://boringssl-review.googlesource.com/4213 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
87e4acd2f5
commit
1c633159a7
@ -506,6 +506,13 @@ type ProtocolBugs struct {
|
||||
// from the peer.
|
||||
ExpectFalseStart bool
|
||||
|
||||
// AlertBeforeFalseStartTest, if non-zero, causes the server to, on full
|
||||
// handshakes, send an alert just before reading the application data
|
||||
// record to test False Start. This can be used in a negative False
|
||||
// Start test to determine whether the peer processed the alert (and
|
||||
// closed the connection) before or after sending app data.
|
||||
AlertBeforeFalseStartTest alert
|
||||
|
||||
// SSL3RSAKeyExchange causes the client to always send an RSA
|
||||
// ClientKeyExchange message without the two-byte length
|
||||
// prefix, as if it were SSL3.
|
||||
|
@ -97,9 +97,12 @@ func (c *Conn) serverHandshake() error {
|
||||
if err := hs.readFinished(isResume); err != nil {
|
||||
return err
|
||||
}
|
||||
if c.config.Bugs.AlertBeforeFalseStartTest != 0 {
|
||||
c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest)
|
||||
}
|
||||
if c.config.Bugs.ExpectFalseStart {
|
||||
if err := c.readRecord(recordTypeApplicationData); err != nil {
|
||||
return err
|
||||
return fmt.Errorf("tls: peer did not false start: %s", err)
|
||||
}
|
||||
}
|
||||
if err := hs.sendSessionTicket(); err != nil {
|
||||
|
@ -952,6 +952,80 @@ var testCases = []testCase{
|
||||
shouldFail: true,
|
||||
expectedError: ":DIGEST_CHECK_FAILED:",
|
||||
},
|
||||
{
|
||||
name: "NoFalseStart-NoALPN",
|
||||
config: Config{
|
||||
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
Bugs: ProtocolBugs{
|
||||
ExpectFalseStart: true,
|
||||
AlertBeforeFalseStartTest: alertAccessDenied,
|
||||
},
|
||||
},
|
||||
flags: []string{
|
||||
"-false-start",
|
||||
},
|
||||
shimWritesFirst: true,
|
||||
shouldFail: true,
|
||||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
|
||||
expectedLocalError: "tls: peer did not false start: EOF",
|
||||
},
|
||||
{
|
||||
name: "NoFalseStart-NoAEAD",
|
||||
config: Config{
|
||||
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
|
||||
NextProtos: []string{"foo"},
|
||||
Bugs: ProtocolBugs{
|
||||
ExpectFalseStart: true,
|
||||
AlertBeforeFalseStartTest: alertAccessDenied,
|
||||
},
|
||||
},
|
||||
flags: []string{
|
||||
"-false-start",
|
||||
"-advertise-alpn", "\x03foo",
|
||||
},
|
||||
shimWritesFirst: true,
|
||||
shouldFail: true,
|
||||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
|
||||
expectedLocalError: "tls: peer did not false start: EOF",
|
||||
},
|
||||
{
|
||||
name: "NoFalseStart-RSA",
|
||||
config: Config{
|
||||
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
|
||||
NextProtos: []string{"foo"},
|
||||
Bugs: ProtocolBugs{
|
||||
ExpectFalseStart: true,
|
||||
AlertBeforeFalseStartTest: alertAccessDenied,
|
||||
},
|
||||
},
|
||||
flags: []string{
|
||||
"-false-start",
|
||||
"-advertise-alpn", "\x03foo",
|
||||
},
|
||||
shimWritesFirst: true,
|
||||
shouldFail: true,
|
||||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
|
||||
expectedLocalError: "tls: peer did not false start: EOF",
|
||||
},
|
||||
{
|
||||
name: "NoFalseStart-DHE_RSA",
|
||||
config: Config{
|
||||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
NextProtos: []string{"foo"},
|
||||
Bugs: ProtocolBugs{
|
||||
ExpectFalseStart: true,
|
||||
AlertBeforeFalseStartTest: alertAccessDenied,
|
||||
},
|
||||
},
|
||||
flags: []string{
|
||||
"-false-start",
|
||||
"-advertise-alpn", "\x03foo",
|
||||
},
|
||||
shimWritesFirst: true,
|
||||
shouldFail: true,
|
||||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
|
||||
expectedLocalError: "tls: peer did not false start: EOF",
|
||||
},
|
||||
}
|
||||
|
||||
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
|
||||
|
Loading…
Reference in New Issue
Block a user