Test bad records at all cipher suites.
We have AEAD-level coverage for these, but we should also test this in the TLS stack, and at maximum size per upstream's CVE-2016-7054. Change-Id: I1f4ad0356e793d6a3eefdc2d55a9c7e05ea08261 Reviewed-on: https://boringssl-review.googlesource.com/12187 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
126fa278f8
commit
231a475355
@ -2488,6 +2488,7 @@ func addCipherSuiteTests() {
|
||||
if !shouldClientFail {
|
||||
// Ensure the maximum record size is accepted.
|
||||
testCases = append(testCases, testCase{
|
||||
protocol: protocol,
|
||||
name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
|
||||
config: Config{
|
||||
MinVersion: ver.version,
|
||||
@ -2500,6 +2501,33 @@ func addCipherSuiteTests() {
|
||||
flags: flags,
|
||||
messageLen: maxPlaintext,
|
||||
})
|
||||
|
||||
// Test bad records for all ciphers. Bad records are fatal in TLS
|
||||
// and ignored in DTLS.
|
||||
var shouldFail bool
|
||||
var expectedError string
|
||||
if protocol == tls {
|
||||
shouldFail = true
|
||||
expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
|
||||
}
|
||||
|
||||
testCases = append(testCases, testCase{
|
||||
protocol: protocol,
|
||||
name: prefix + ver.name + "-" + suite.name + "-BadRecord",
|
||||
config: Config{
|
||||
MinVersion: ver.version,
|
||||
MaxVersion: ver.version,
|
||||
CipherSuites: []uint16{suite.id},
|
||||
Certificates: []Certificate{cert},
|
||||
PreSharedKey: []byte(psk),
|
||||
PreSharedKeyIdentity: pskIdentity,
|
||||
},
|
||||
flags: flags,
|
||||
damageFirstWrite: true,
|
||||
messageLen: maxPlaintext,
|
||||
shouldFail: shouldFail,
|
||||
expectedError: expectedError,
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -62,7 +62,7 @@ func DecryptShimTicket(in []byte) ([]byte, error) {
|
||||
// Decrypt in-place.
|
||||
iv := in[:block.BlockSize()]
|
||||
in = in[block.BlockSize():]
|
||||
if l := len(in); l == 0 || l % block.BlockSize() != 0 {
|
||||
if l := len(in); l == 0 || l%block.BlockSize() != 0 {
|
||||
return nil, errors.New("tls: ticket ciphertext not a multiple of the block size")
|
||||
}
|
||||
out := make([]byte, len(in))
|
||||
|
Loading…
Reference in New Issue
Block a user