
authorDavid Benjamin <davidben@chromium.org>2014-11-23 20:11:01 +0300
committerAdam Langley <agl@google.com>2014-12-02 22:29:23 +0300
commitc44b1df45978ae57a2b573b0654759408e38baa0 (patch)
tree973faf5c561cc8647a1ca459acd8116941ad984d /ssl/test
parent81ea0bf538909a0aa3fe2f82726ebdda7dc94ab1 (diff)
Add test for renego client_version quirk.
In upstream's f4e1169341ad1217e670387db5b0c12d680f95f4, the client_version was made constant across renegotiations, even if the server negotiated a lower version. NSS has the same quirk, reportedly for SChannel: https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/ssl3con.c&sq=package:chromium&l=5103 Add a test to ensure we do not regress this. Change-Id: I214e062463c203b86a9bab00f8503442e1bf74fe Reviewed-on: https://boringssl-review.googlesource.com/2405 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/test')
-rw-r--r--ssl/test/runner/common.go5
-rw-r--r--ssl/test/runner/conn.go2
-rw-r--r--ssl/test/runner/handshake_server.go7
-rw-r--r--ssl/test/runner/runner.go10
4 files changed, 24 insertions, 0 deletions
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 02ee7e2e..628c208b 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -577,6 +577,11 @@ type ProtocolBugs struct {
// CertificateRequest message. None the less, the configured set will
// still be enforced.
NoSignatureAndHashes bool
+
+ // RequireSameRenegoClientVersion, if true, causes the server
+ // to require that all ClientHellos match in offered version
+ // across a renego.
+ RequireSameRenegoClientVersion bool
}
func (c *Config) serverInit() {
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 94d7434d..177e4580 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -58,6 +58,8 @@ type Conn struct {
srtpProtectionProfile uint16
+ clientVersion uint16
+
// input/output
in, out halfConn // in.Mutex < out.Mutex
rawInput *block // raw input, right off the wire
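Review bot: The new `clientVersion` field in Conn has no comment, and nothing in this hunk distinguishes it from the negotiated version the connection also tracks. I would add `// clientVersion is the version offered in the most recent ClientHello; zero until the first handshake has read one.` above it, because the check in handshake_server.go relies on zero meaning "no previous handshake". The Conn struct begins and ends outside this hunk.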
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index ec79b79f..4bdede15 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -162,6 +162,13 @@ func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
hs.clientHello = newClientHello
}
+ if config.Bugs.RequireSameRenegoClientVersion && c.clientVersion != 0 {
+ if c.clientVersion != hs.clientHello.vers {
+ return false, fmt.Errorf("tls: client offered different version on renego")
+ }
+ }
+ c.clientVersion = hs.clientHello.vers
+
c.vers, ok = config.mutualVersion(hs.clientHello.vers)
if !ok {
c.sendAlert(alertProtocolVersion)
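Review bot: The mismatch error in the new `RequireSameRenegoClientVersion` branch omits both version values, so a failing run does not show what the client offered first versus on renego; it also calls fmt.Errorf with no format verbs. Consider `return false, fmt.Errorf("tls: client offered version %04x on renego, expected %04x", hs.clientHello.vers, c.clientVersion)`. Unlike the `mutualVersion` failure just below, this path returns without calling `c.sendAlert`; that may be deliberate for a test-only check, but a one-line comment saying so would help. readClientHello starts and continues outside the hunk.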
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 79f8ee06..73563882 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2109,6 +2109,16 @@ func addRenegotiationTests() {
},
renegotiateCiphers: []uint16{TLS_RSA_WITH_RC4_128_SHA},
})
+ testCases = append(testCases, testCase{
+ name: "Renegotiate-SameClientVersion",
+ renegotiate: true,
+ config: Config{
+ MaxVersion: VersionTLS10,
+ Bugs: ProtocolBugs{
+ RequireSameRenegoClientVersion: true,
+ },
+ },
+ })
}
func addDTLSReplayTests() {
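Review bot: The `Renegotiate-SameClientVersion` case does not say why `MaxVersion: VersionTLS10` is set, and the test is only meaningful if that cap puts the negotiated version below what the client offers. A comment such as `// Negotiate below the client's offered version so a client that re-offers the negotiated version on renego is caught.` would make the intent explicit. The hunk shows no companion case for another version cap or for DTLS, so coverage appears limited to this one configuration. addRenegotiationTests starts outside the hunk.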