Test that the server picks a non-ECC cipher when no curves are supported.
Change-Id: I9cd788998345ad877f73dd1341ccff68dbb8d124
Reviewed-on: https://boringssl-review.googlesource.com/4465
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index e583428..0b631e2 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -135,6 +135,9 @@
// expectedResumeVersion, if non-zero, specifies the TLS version that
// must be negotiated on resumption. If zero, expectedVersion is used.
expectedResumeVersion uint16
+ // expectedCipher, if non-zero, specifies the TLS cipher suite that
+ // should be negotiated.
+ expectedCipher uint16
// expectChannelID controls whether the connection should have
// negotiated a Channel ID with channelIDKey.
expectChannelID bool
@@ -1070,6 +1073,18 @@
},
},
},
+ {
+ testType: serverTest,
+ name: "NoCommonCurves",
+ config: Config{
+ CipherSuites: []uint16{
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []CurveID{CurveP224},
+ },
+ expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
}
func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {
@@ -1133,6 +1148,10 @@
return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
}
+ if cipher := tlsConn.ConnectionState().CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
+ return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
+ }
+
if test.expectChannelID {
channelID := tlsConn.ConnectionState().ChannelID
if channelID == nil {