Add tests for certificate mismatch.
Cover another mildly interesting error case.
Change-Id: Ice773af79f5e03f39f0cd2a9e158bae03e065392
Reviewed-on: https://boringssl-review.googlesource.com/2841
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 443d464..774c7a3 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -594,6 +594,11 @@
// MaxPacketLength, if non-zero, is the maximum acceptable size for a
// packet.
MaxPacketLength int
+
+ // SendCipherSuite, if non-zero, is the cipher suite value that the
+ // server will send in the ServerHello. This does not affect the cipher
+ // the server believes it has actually negotiated.
+ SendCipherSuite uint16
}
func (c *Config) serverInit() {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 284f314..f811fb2 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -444,6 +444,9 @@
hs.hello.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled && c.vers > VersionSSL30
hs.hello.cipherSuite = hs.suite.id
+ if config.Bugs.SendCipherSuite != 0 {
+ hs.hello.cipherSuite = config.Bugs.SendCipherSuite
+ }
c.extendedMasterSecret = hs.hello.extendedMasterSecret
// Generate a session ID if we're to save the session.
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 2342682..3e1e7b4 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -588,6 +588,30 @@
shouldFail: true,
expectedLocalError: "dtls: exceeded maximum packet length",
},
+ {
+ name: "CertMismatchRSA",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
+ Certificates: []Certificate{getECDSACertificate()},
+ Bugs: ProtocolBugs{
+ SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":WRONG_CERTIFICATE_TYPE:",
+ },
+ {
+ name: "CertMismatchECDSA",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ Certificates: []Certificate{getRSACertificate()},
+ Bugs: ProtocolBugs{
+ SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":WRONG_CERTIFICATE_TYPE:",
+ },
}
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {