Google Git
Sign in
boringssl / boringssl / 23849f09afde0825071be4158507121643c7603d^! / .
commit23849f09afde0825071be4158507121643c7603d[log] [tgz]
authorDavid Benjamin <davidben@google.com>Tue Aug 21 21:30:42 2018 -0500
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Aug 22 15:47:11 2018 +0000
tree109639ece2b5cd036890bc42b2fe6da7695c89c8
parent1c2532ffe61f37cb4405d9efc5db85f1c39cf658 [diff]
Fix TLS 1.3 downgrade tests.

The client downgrade detection tests were not asserting on the error (would
have caught the missing error string). Additionally, Downgrade-FalseStart-Draft
isn't testing what it's supposed to; it doesn't actually configure a draft
version or anything. Fix that and have it use ALPN rather than NPN, to match
the test above.

Change-Id: I0b759385641aa00994a912303a6f5bd65522b4bb
Reviewed-on: https://boringssl-review.googlesource.com/31204
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7c5b84c..5955eda 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -5902,6 +5902,7 @@
 		tls13Variant:       TLS13RFC,
 		expectedVersion:    VersionTLS12,
 		shouldFail:         true,
+		expectedError:      ":TLS13_DOWNGRADE:",
 		expectedLocalError: "remote error: illegal parameter",
 	})
 	testCases = append(testCases, testCase{
@@ -5928,6 +5929,7 @@
 		tls13Variant:       TLS13RFC,
 		expectedVersion:    VersionTLS11,
 		shouldFail:         true,
+		expectedError:      ":TLS13_DOWNGRADE:",
 		expectedLocalError: "remote error: illegal parameter",
 	})
 	testCases = append(testCases, testCase{
@@ -5992,23 +5994,27 @@
 		expectedLocalError: "tls: peer did not false start: EOF",
 	})
 
+	// Test that draft TLS 1.3 versions do not trigger disabling False Start.
 	testCases = append(testCases, testCase{
 		name: "Downgrade-FalseStart-Draft",
 		config: Config{
 			MaxVersion:   VersionTLS13,
-			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			TLS13Variant: TLS13RFC,
 			NextProtos:   []string{"foo"},
 			Bugs: ProtocolBugs{
 				ExpectFalseStart: true,
 			},
 		},
+		expectedVersion: VersionTLS12,
 		flags: []string{
 			"-false-start",
-			"-select-next-proto", "foo",
-			"-max-version", strconv.Itoa(VersionTLS12),
+			"-advertise-alpn", "\x03foo",
+			"-expect-alpn", "foo",
+			"-ignore-tls13-downgrade",
+			"-tls13-variant", strconv.Itoa(TLS13Draft28),
+			"-max-version", strconv.Itoa(VersionTLS13),
 		},
 		shimWritesFirst: true,
-		resumeSession:   true,
 	})
 
 	// SSL 3.0 support has been removed. Test that the shim does not