Add a test that DTLS does not support RC4.
Make sure we don't break that by accident.
Change-Id: I22d58d35170d43375622fe61e4a588d1d626a054
Reviewed-on: https://boringssl-review.googlesource.com/4960
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 864f526..feef551 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -723,6 +723,9 @@
// PackHandshakeRecords, if true, causes handshake records to be packed
// into individual packets, up to the specified packet size.
PackHandshakeRecords int
+
+ // EnableAllCiphersInDTLS, if true, causes RC4 to be enabled in DTLS.
+ EnableAllCiphersInDTLS bool
}
func (c *Config) serverInit() {
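Review bot: The doc comment on `EnableAllCiphersInDTLS` says it enables RC4, but its only visible use (the handshake_client.go hunk) skips the whole `suiteNoDTLS` filter while building the ClientHello, so it covers whichever suites carry that flag and only what the runner advertises as a client. I would document it as `// EnableAllCiphersInDTLS, if true, causes the client to advertise cipher suites marked suiteNoDTLS (such as RC4) in DTLS.` The inline comment above the changed condition in handshake_client.go could likewise read `// Don't advertise non-DTLS cipher suites on DTLS unless the test asks for them.` The struct this field belongs to starts outside the hunk.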
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 1f9e84f..0c5df73 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -115,7 +115,7 @@
continue
}
// Don't advertise non-DTLS cipher suites on DTLS.
- if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
+ if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS {
continue
}
hello.cipherSuites = append(hello.cipherSuites, suiteId)
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 6c0d294..40d8e7d 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1116,6 +1116,19 @@
},
},
},
+ {
+ testType: serverTest,
+ protocol: dtls,
+ name: "NoRC4-DTLS",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA},
+ Bugs: ProtocolBugs{
+ EnableAllCiphersInDTLS: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":NO_SHARED_CIPHER:",
+ },
}
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
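Review bot: The `NoRC4-DTLS` case checks a single RC4 suite against the shim acting as a DTLS server, so a regression that accepted a different RC4 suite, or a DTLS client that accepted an RC4 ServerHello, would still pass. Listing more than one suite keeps the same expectation, e.g. `CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_SHA},`, since the server should refuse all of them with `:NO_SHARED_CIPHER:`. A `clientTest` counterpart would presumably need the runner's server-side suite selection to honour `EnableAllCiphersInDTLS` as well, which the visible hunks do not add. The test table this entry is appended to starts outside the hunk.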