Add tests for CertificateVerify CertificateVerify must be sent after a non-empty Certificate msg for: 1) TLS1.2 client 2) TLS1.3 client and server This CL adds tests for those use cases. Change-Id: I696e9dd74dcd523c6f8868a4fb9ada28fd67746d Reviewed-on: https://boringssl-review.googlesource.com/19044 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

commit: bd70845a80c22cb02ee76ed1b5bfae8898e0f763 [log] [tgz]
author: Dimitar Vlahovski <dvlahovski@google.com> Thu Aug 10 18:01:06 2017 +0200
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Aug 10 18:44:57 2017 +0000
tree: 336115e45082f934f1c9e8097a9f5c84cc8fd7b2
parent: ca9e8f52f1631fa4906a0d44abdeb55f80fe026d [diff]
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index b8c2785..b402f38 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -573,6 +573,10 @@
 	// end_of_early_data alert.
 	SkipEndOfEarlyData bool
 
+	// SkipCertificateVerify, if true causes peer to skip sending a
+	// CertificateVerify message after the Certificate message.
+	SkipCertificateVerify bool
+
 	// EarlyChangeCipherSpec causes the client to send an early
 	// ChangeCipherSpec message before the ClientKeyExchange. A value of
 	// zero disables this behavior. One and two configure variants for 0.9.8

diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 33c1b12..7423726 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go

@@ -974,8 +974,10 @@
 				certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
 			}
 
-			hs.writeClientHash(certVerify.marshal())
-			c.writeRecord(recordTypeHandshake, certVerify.marshal())
+			if !c.config.Bugs.SkipCertificateVerify {
+				hs.writeClientHash(certVerify.marshal())
+				c.writeRecord(recordTypeHandshake, certVerify.marshal())
+			}
 		}
 	}
 
@@ -1200,8 +1202,10 @@
 			return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
 		}
 
-		hs.writeClientHash(certVerify.marshal())
-		c.writeRecord(recordTypeHandshake, certVerify.marshal())
+		if !c.config.Bugs.SkipCertificateVerify {
+			hs.writeClientHash(certVerify.marshal())
+			c.writeRecord(recordTypeHandshake, certVerify.marshal())
+		}
 	}
 	// flushHandshake will be called in sendFinished.
 

diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 614bb50..194244d 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go

@@ -863,8 +863,10 @@
 			certVerify.signatureAlgorithm = config.Bugs.SendSignatureAlgorithm
 		}
 
-		hs.writeServerHash(certVerify.marshal())
-		c.writeRecord(recordTypeHandshake, certVerify.marshal())
+		if !config.Bugs.SkipCertificateVerify {
+			hs.writeServerHash(certVerify.marshal())
+			c.writeRecord(recordTypeHandshake, certVerify.marshal())
+		}
 	} else if hs.sessionState != nil {
 		// Pick up certificates from the session instead.
 		if len(hs.sessionState.certificates) > 0 {

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 1015857..7e64fe5 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -1512,6 +1512,24 @@
 		},
 		{
 			testType: serverTest,
+			name:     "ServerSkipCertificateVerify",
+			config: Config{
+				MaxVersion:   VersionTLS12,
+				Certificates: []Certificate{rsaChainCertificate},
+				Bugs: ProtocolBugs{
+					SkipCertificateVerify: true,
+				},
+			},
+			expectPeerCertificate: &rsaChainCertificate,
+			flags: []string{
+				"-require-any-client-certificate",
+			},
+			shouldFail:         true,
+			expectedError:      ":UNEXPECTED_RECORD:",
+			expectedLocalError: "remote error: unexpected message",
+		},
+		{
+			testType: serverTest,
 			name:     "Alert",
 			config: Config{
 				Bugs: ProtocolBugs{
@@ -11850,6 +11868,47 @@
 		expectedError:      ":DIGEST_CHECK_FAILED:",
 		expectedLocalError: "remote error: error decrypting message",
 	})
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "TLS13-ServerSkipCertificateVerify",
+		config: Config{
+			MinVersion:   VersionTLS13,
+			MaxVersion:   VersionTLS13,
+			Certificates: []Certificate{rsaChainCertificate},
+			Bugs: ProtocolBugs{
+				SkipCertificateVerify: true,
+			},
+		},
+		expectPeerCertificate: &rsaChainCertificate,
+		flags: []string{
+			"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
+			"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
+			"-require-any-client-certificate",
+		},
+		shouldFail:         true,
+		expectedError:      ":UNEXPECTED_MESSAGE:",
+		expectedLocalError: "remote error: unexpected message",
+	})
+	testCases = append(testCases, testCase{
+		testType: clientTest,
+		name:     "TLS13-ClientSkipCertificateVerify",
+		config: Config{
+			MinVersion:   VersionTLS13,
+			MaxVersion:   VersionTLS13,
+			Certificates: []Certificate{rsaChainCertificate},
+			Bugs: ProtocolBugs{
+				SkipCertificateVerify: true,
+			},
+		},
+		expectPeerCertificate: &rsaChainCertificate,
+		flags: []string{
+			"-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
+			"-key-file", path.Join(*resourceDir, rsaChainKeyFile),
+		},
+		shouldFail:         true,
+		expectedError:      ":UNEXPECTED_MESSAGE:",
+		expectedLocalError: "remote error: unexpected message",
+	})
 }
 
 func addTLS13CipherPreferenceTests() {
commit	bd70845a80c22cb02ee76ed1b5bfae8898e0f763	[log] [tgz]
author	Dimitar Vlahovski <dvlahovski@google.com>	Thu Aug 10 18:01:06 2017 +0200
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Thu Aug 10 18:44:57 2017 +0000
tree	336115e45082f934f1c9e8097a9f5c84cc8fd7b2
parent	ca9e8f52f1631fa4906a0d44abdeb55f80fe026d [diff]