Test that the server picks a non-ECC cipher when no curves are supported.

Change-Id: I9cd788998345ad877f73dd1341ccff68dbb8d124 Reviewed-on: https://boringssl-review.googlesource.com/4465 Reviewed-by: Adam Langley <agl@google.com>
2015-04-20 14:57:57 -04:00 · 2015-04-20 14:57:57 -04:00 · 90da8c8817
commit 90da8c8817
parent dd978784d7
1 changed files with 19 additions and 0 deletions
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -135,6 +135,9 @@ type testCase struct {
 	// expectedResumeVersion, if non-zero, specifies the TLS version that
 	// must be negotiated on resumption. If zero, expectedVersion is used.
 	expectedResumeVersion uint16
+	// expectedCipher, if non-zero, specifies the TLS cipher suite that
+	// should be negotiated.
+	expectedCipher uint16
 	// expectChannelID controls whether the connection should have
 	// negotiated a Channel ID with channelIDKey.
 	expectChannelID bool
@ -1070,6 +1073,18 @@ var testCases = []testCase{
 			},
 		},
 	},
+	{
+		testType: serverTest,
+		name:     "NoCommonCurves",
+		config: Config{
+			CipherSuites: []uint16{
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+			},
+			CurvePreferences: []CurveID{CurveP224},
+		},
+		expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	},
 }

 func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
@ -1133,6 +1148,10 @@ func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, i
 		return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
 	}

+	if cipher := tlsConn.ConnectionState().CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
+		return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
+	}
+
 	if test.expectChannelID {
 		channelID := tlsConn.ConnectionState().ChannelID
 		if channelID == nil {