Add server-side FallbackSCSV tests.
Assert that inappropriate fallbacks are detected, but that the handshake is
not aborted when the client_version matches the server's highest version.
Change-Id: I9d72570bce45e1eb23fc2b74a3c5fca10562e573
Reviewed-on: https://boringssl-review.googlesource.com/1373
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 1cfdda9..4f34ce4 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -387,6 +387,10 @@
// SendV2ClientHello causes the client to send a V2ClientHello
// instead of a normal ClientHello.
SendV2ClientHello bool
+
+ // SendFallbackSCSV causes the client to include
+ // TLS_FALLBACK_SCSV in the ClientHello.
+ SendFallbackSCSV bool
}
func (c *Config) serverInit() {
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 0b9d772..9d2c1fa 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -71,6 +71,10 @@
}
}
+ if c.config.Bugs.SendFallbackSCSV {
+ hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
+ }
+
_, err := io.ReadFull(c.config.rand(), hello.random)
if err != nil {
c.sendAlert(alertInternalError)
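Review bot: The new block appends fallbackSCSV without comparing hello.vers to the client's own maximum, so the SCSV is offered even when no downgrade has happened; that is exactly what the FallbackSCSV-VersionMatch case relies on, but a reader of the client code cannot tell it is deliberate. Suggest a comment above the `if`: `// Sent unconditionally: the server-side SCSV tests rely on offering it even when no fallback occurred.` The identifier fallbackSCSV is not declared anywhere in this diff, so it presumably already exists next to the other cipher suite constants. The enclosing function starts and ends outside the hunk.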
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index bec89b1..07b1a12 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -380,6 +380,27 @@
},
},
},
+ {
+ testType: serverTest,
+ name: "FallbackSCSV",
+ config: Config{
+ MaxVersion: VersionTLS11,
+ Bugs: ProtocolBugs{
+ SendFallbackSCSV: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":INAPPROPRIATE_FALLBACK:",
+ },
+ {
+ testType: serverTest,
+ name: "FallbackSCSV-VersionMatch",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendFallbackSCSV: true,
+ },
+ },
+ },
}
func doExchange(testType testType, config *Config, conn net.Conn, messageLen int) error {
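Review bot: The FallbackSCSV-VersionMatch entry leaves MaxVersion at its default, so it only exercises the "client_version equals the server's highest version" path for as long as the runner's default maximum and the server's highest supported version stay in step; if either moves, the case starts failing (or quietly tests a downgrade instead) with nothing in the test explaining why. Suggest a comment on that entry, e.g. `// MaxVersion is left at the default so that client_version equals the server's maximum; the SCSV must then be ignored.` The failing case pins only the server-side `:INAPPROPRIATE_FALLBACK:` error string; if the harness can also assert the alert the client receives, checking for inappropriate_fallback would confirm the server rejects the handshake on the wire and not through some other path. The doExchange line begins a function that continues outside the hunk.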