Google Git
Sign in
boringssl / boringssl / cdea40c3e217a9f0a86ea4b87560727b932ed231^! / . / ssl
commitcdea40c3e217a9f0a86ea4b87560727b932ed231[log] [tgz]
authorDavid Benjamin <davidben@chromium.org>Thu Mar 19 14:09:43 2015 -0400
committerAdam Langley <agl@google.com>Thu Mar 19 19:51:16 2015 +0000
tree161faf26dd99c6c8b72a29c40984a122b49139b6
parent4b1510c71ecadeb15e866f17086487a2d9691b48 [diff]
Add tests for full handshakes under renegotiation.

In verifying the fix for CVE-2015-0291, I noticed we don't actually have any
test coverage for full handshakes on renegotiation. All our tests always do
resumptions.

Change-Id: Ia9b701e8a50ba9353fefb8cc4fb86e78065d0b40
Reviewed-on: https://boringssl-review.googlesource.com/4050
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index b8cc44a..a33ad19 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -663,6 +663,10 @@
 	// SendEmptyFragments, if true, causes handshakes to include empty
 	// fragments in DTLS.
 	SendEmptyFragments bool
+
+	// NeverResumeOnRenego, if true, causes renegotiations to always be full
+	// handshakes.
+	NeverResumeOnRenego bool
 }
 
 func (c *Config) serverInit() {

diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index a4fab0c..4ed9025 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go

@@ -137,6 +137,9 @@
 	var session *ClientSessionState
 	var cacheKey string
 	sessionCache := c.config.ClientSessionCache
+	if c.config.Bugs.NeverResumeOnRenego && c.cipherSuite != 0 {
+		sessionCache = nil
+	}
 
 	if sessionCache != nil {
 		hello.ticketSupported = !c.config.SessionTicketsDisabled

diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 9085faf..3caf81b 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go

@@ -367,6 +367,10 @@
 func (hs *serverHandshakeState) checkForResumption() bool {
 	c := hs.c
 
+	if c.config.Bugs.NeverResumeOnRenego && c.cipherSuite != 0 {
+		return false
+	}
+
 	if len(hs.clientHello.sessionTicket) > 0 {
 		if c.config.SessionTicketsDisabled {
 			return false

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 3f26786..3ea0332 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -2619,6 +2619,17 @@
 	})
 	testCases = append(testCases, testCase{
 		testType: serverTest,
+		name:     "Renegotiate-Server-Full",
+		config: Config{
+			Bugs: ProtocolBugs{
+				NeverResumeOnRenego: true,
+			},
+		},
+		flags:           []string{"-renegotiate"},
+		shimWritesFirst: true,
+	})
+	testCases = append(testCases, testCase{
+		testType: serverTest,
 		name:     "Renegotiate-Server-EmptyExt",
 		config: Config{
 			Bugs: ProtocolBugs{
@@ -2677,6 +2688,15 @@
 		renegotiate: true,
 	})
 	testCases = append(testCases, testCase{
+		name: "Renegotiate-Client-Full",
+		config: Config{
+			Bugs: ProtocolBugs{
+				NeverResumeOnRenego: true,
+			},
+		},
+		renegotiate: true,
+	})
+	testCases = append(testCases, testCase{
 		name:        "Renegotiate-Client-EmptyExt",
 		renegotiate: true,
 		config: Config{