Test that client cipher preferences are enforced.

Change-Id: I6e760cfd785c0c5688da6f7d3d3092a8add40409 Reviewed-on: https://boringssl-review.googlesource.com/4070 Reviewed-by: Adam Langley <agl@google.com>
2015-03-16 15:16:23 -04:00 · 2015-03-16 15:16:23 -04:00 · 67d1fb59ad
commit 67d1fb59ad
parent 642f1498d0
6 changed files with 25 additions and 0 deletions
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@ -615,6 +615,10 @@ static bool DoExchange(ScopedSSL_SESSION *out_session, SSL_CTX *ssl_ctx,
  if (config->install_ddos_callback) {
    SSL_CTX_set_dos_protection_cb(ssl_ctx, DDoSCallback);
  }
+  if (!config->cipher.empty() &&
+      !SSL_set_cipher_list(ssl.get(), config->cipher.c_str())) {
+    return false;
+  }

  int sock = Connect(config->port);
  if (sock == -1) {
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@ -671,6 +671,10 @@ type ProtocolBugs struct {
 	// NoSignatureAlgorithmsOnRenego, if true, causes renegotiations to omit
 	// the signature_algorithms extension.
 	NoSignatureAlgorithmsOnRenego bool
+
+	// IgnorePeerCipherPreferences, if true, causes the peer's cipher
+	// preferences to be ignored.
+	IgnorePeerCipherPreferences bool
 }

 func (c *Config) serverInit() {
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@ -340,6 +340,9 @@ Curves:
 		return false, errors.New("tls: fallback SCSV found when not expected")
 	}

+	if config.Bugs.IgnorePeerCipherPreferences {
+		hs.clientHello.cipherSuites = c.config.cipherSuites()
+	}
 	var preferenceList, supportedList []uint16
 	if c.config.PreferServerCipherSuites {
 		preferenceList = c.config.cipherSuites()
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -892,6 +892,18 @@ var testCases = []testCase{
 			},
 		},
 	},
+	{
+		name: "UnsupportedCipherSuite",
+		config: Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+			Bugs: ProtocolBugs{
+				IgnorePeerCipherPreferences: true,
+			},
+		},
+		flags:         []string{"-cipher", "DEFAULT:!RC4"},
+		shouldFail:    true,
+		expectedError: ":WRONG_CIPHER_RETURNED:",
+	},
 }

 func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@ -96,6 +96,7 @@ const Flag<std::string> kStringFlags[] = {
  { "-psk", &TestConfig::psk },
  { "-psk-identity", &TestConfig::psk_identity },
  { "-srtp-profiles", &TestConfig::srtp_profiles },
+  { "-cipher", &TestConfig::cipher },
 };

 const Flag<std::string> kBase64Flags[] = {
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@ -73,6 +73,7 @@ struct TestConfig {
  bool install_ddos_callback;
  bool fail_ddos_callback;
  bool fail_second_ddos_callback;
+  std::string cipher;
 };

 bool ParseConfig(int argc, char **argv, TestConfig *out_config);