Add tests for bad CertificateVerify signatures.

I don't think we had coverage for this check.

Change-Id: I5e454e69c1ee9f1b9760d2ef1431170d76f78d63
Reviewed-on: https://boringssl-review.googlesource.com/5544
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index ddd0468..07cb175 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -400,6 +400,10 @@
 	// ServerKeyExchange message should be invalid.
 	InvalidSKXSignature bool
 
+	// InvalidCertVerifySignature specifies that the signature in a
+	// CertificateVerify message should be invalid.
+	InvalidCertVerifySignature bool
+
 	// InvalidSKXCurve causes the curve ID in the ServerKeyExchange message
 	// to be wrong.
 	InvalidSKXCurve bool
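Review bot: The doc comment on `InvalidCertVerifySignature` does not say which side honours it or how the signature is made invalid. In this commit only handshake_client.go reads the flag, so it appears to apply only when the runner acts as the client. Suggest extending the comment to something like `// InvalidCertVerifySignature, if true, causes the client to sign a corrupted handshake digest in its CertificateVerify message.`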
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index a96cd9c..c38334e 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -622,6 +622,9 @@
 			c.sendAlert(alertInternalError)
 			return err
 		}
+		if c.config.Bugs.InvalidCertVerifySignature {
+			digest[0] ^= 0x80
+		}
 
 		switch key := c.config.Certificates[0].PrivateKey.(type) {
 		case *ecdsa.PrivateKey:
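Review bot: The flip `digest[0] ^= 0x80` has no comment, and it corrupts the signed input rather than the signature bytes, which is worth stating because the resulting signature is still well-formed for both key types. Suggest adding above the `if`: `// Sign a corrupted digest so the CertificateVerify signature parses correctly but does not match the handshake transcript.` The mutation is done in place, so it assumes `digest` is not read again for anything other than signing. The enclosing function starts and ends outside the hunk, so that cannot be confirmed from here.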
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 1121dac..9fa394f 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -786,6 +786,32 @@
 			expectedError: ":BAD_SIGNATURE:",
 		},
 		{
+			testType: serverTest,
+			name:     "BadRSASignature-ClientAuth",
+			config: Config{
+				Bugs: ProtocolBugs{
+					InvalidCertVerifySignature: true,
+				},
+				Certificates: []Certificate{getRSACertificate()},
+			},
+			shouldFail:    true,
+			expectedError: ":BAD_SIGNATURE:",
+			flags:         []string{"-require-any-client-certificate"},
+		},
+		{
+			testType: serverTest,
+			name:     "BadECDSASignature-ClientAuth",
+			config: Config{
+				Bugs: ProtocolBugs{
+					InvalidCertVerifySignature: true,
+				},
+				Certificates: []Certificate{getECDSACertificate()},
+			},
+			shouldFail:    true,
+			expectedError: ":BAD_SIGNATURE:",
+			flags:         []string{"-require-any-client-certificate"},
+		},
+		{
 			name: "BadECDSACurve",
 			config: Config{
 				CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
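Review bot: Both new cases, `BadRSASignature-ClientAuth` and `BadECDSASignature-ClientAuth`, leave the protocol version at the runner default, so the server's CertificateVerify check is presumably exercised for only one digest construction. The signed digest is built differently before TLS 1.2 than in TLS 1.2, and a verifier regression limited to one of those paths would still pass; consider repeating each case with `MaxVersion` pinned to an older version. The cases also assert only the shim's `:BAD_SIGNATURE:` error and not the alert the runner receives, so a server that rejects the signature but sends an unexpected alert would go unnoticed.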