Be strict about requiring ServerKeyExchange.
Missing ServerKeyExchange is handled, but only because it hits an
ERR_R_INTERNAL_ERROR in ssl3_send_client_key_exchange in trying to find the
server ECDH parameters. Be strict about requiring it for ECDHE.
Change-Id: Ifce5b73c8bd14746b8a2185f479d550e9e3f84df
Reviewed-on: https://boringssl-review.googlesource.com/1157
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 328807a..ffa35db 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -359,6 +359,10 @@
// Certificate message is sent and no signature is added to
// ServerKeyExchange.
UnauthenticatedECDH bool
+
+ // SkipServerKeyExchange causes the server to skip sending
+ // ServerKeyExchange messages.
+ SkipServerKeyExchange bool
}
func (c *Config) serverInit() {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 0b49a00..f177fc8 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -332,7 +332,7 @@
c.sendAlert(alertHandshakeFailure)
return err
}
- if skx != nil {
+ if skx != nil && !config.Bugs.SkipServerKeyExchange {
hs.finishedHash.Write(skx.marshal())
c.writeRecord(recordTypeHandshake, skx.marshal())
}
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 1207e9a..3d3e538 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -200,6 +200,17 @@
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
},
+ {
+ name: "SkipServerKeyExchange",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ Bugs: ProtocolBugs{
+ SkipServerKeyExchange: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_MESSAGE:",
+ },
}
func doExchange(tlsConn *Conn, messageLen int) error {
