Test that client cipher preferences are enforced.

Change-Id: I6e760cfd785c0c5688da6f7d3d3092a8add40409
Reviewed-on: https://boringssl-review.googlesource.com/4070
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2015-03-16 15:16:23 -04:00 committed by Adam Langley
parent 642f1498d0
commit 67d1fb59ad
6 changed files with 25 additions and 0 deletions

View File

@ -615,6 +615,10 @@ static bool DoExchange(ScopedSSL_SESSION *out_session, SSL_CTX *ssl_ctx,
if (config->install_ddos_callback) {
SSL_CTX_set_dos_protection_cb(ssl_ctx, DDoSCallback);
}
if (!config->cipher.empty() &&
!SSL_set_cipher_list(ssl.get(), config->cipher.c_str())) {
return false;
}
int sock = Connect(config->port);
if (sock == -1) {

View File

@ -671,6 +671,10 @@ type ProtocolBugs struct {
// NoSignatureAlgorithmsOnRenego, if true, causes renegotiations to omit
// the signature_algorithms extension.
NoSignatureAlgorithmsOnRenego bool
// IgnorePeerCipherPreferences, if true, causes the peer's cipher
// preferences to be ignored.
IgnorePeerCipherPreferences bool
}
func (c *Config) serverInit() {

View File

@ -340,6 +340,9 @@ Curves:
return false, errors.New("tls: fallback SCSV found when not expected")
}
if config.Bugs.IgnorePeerCipherPreferences {
hs.clientHello.cipherSuites = c.config.cipherSuites()
}
var preferenceList, supportedList []uint16
if c.config.PreferServerCipherSuites {
preferenceList = c.config.cipherSuites()

View File

@ -892,6 +892,18 @@ var testCases = []testCase{
},
},
},
{
name: "UnsupportedCipherSuite",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
Bugs: ProtocolBugs{
IgnorePeerCipherPreferences: true,
},
},
flags: []string{"-cipher", "DEFAULT:!RC4"},
shouldFail: true,
expectedError: ":WRONG_CIPHER_RETURNED:",
},
}
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {

View File

@ -96,6 +96,7 @@ const Flag<std::string> kStringFlags[] = {
{ "-psk", &TestConfig::psk },
{ "-psk-identity", &TestConfig::psk_identity },
{ "-srtp-profiles", &TestConfig::srtp_profiles },
{ "-cipher", &TestConfig::cipher },
};
const Flag<std::string> kBase64Flags[] = {

View File

@ -73,6 +73,7 @@ struct TestConfig {
bool install_ddos_callback;
bool fail_ddos_callback;
bool fail_second_ddos_callback;
std::string cipher;
};
bool ParseConfig(int argc, char **argv, TestConfig *out_config);