Enforce the SSL 3.0 no_certificate alert in tests.
As long as we still have this code, we should make sure it doesn't
regress.
Change-Id: I0290792aedcf667ec49b251d747ffbc141c0cec4
Reviewed-on: https://boringssl-review.googlesource.com/13053
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 510bcf7..3e22465 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -21,6 +21,8 @@
"time"
)
+var errNoCertificateAlert = errors.New("tls: no certificate alert")
+
// A Conn represents a secured connection.
// It implements the net.Conn interface.
type Conn struct {
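Review bot: The new package-level sentinel `errNoCertificateAlert` has no comment, and unlike an ordinary error it is a control-flow signal between the record layer and readHandshake. A short comment would keep a later caller from treating it as a fatal connection error, for example `// errNoCertificateAlert is returned by the record layer when the peer sends a warning-level no_certificate alert; readHandshake converts it into an ssl3NoCertificateMsg.`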
@@ -895,6 +897,11 @@
}
switch data[0] {
case alertLevelWarning:
+ if alert(data[1]) == alertNoCertificate {
+ c.in.freeBlock(b)
+ return errNoCertificateAlert
+ }
+
// drop on the floor
c.in.freeBlock(b)
goto Again
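Review bot: The added branch under `case alertLevelWarning:` returns errNoCertificateAlert for every warning-level no_certificate alert, whatever the record is being read for. Only readHandshake, in the last hunk, is shown translating it. Any other caller of this record-reading path, such as an application-data read after the handshake, would presumably now see the sentinel as a read error rather than having the alert dropped. If that is intended so that a stray alert fails the test, a comment such as `// Surfaced to the caller; only readHandshake treats this as non-fatal.` would make it explicit. The enclosing function and any length check on data start outside the hunk, so whether `data[1]` is always in bounds cannot be confirmed from here.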
@@ -963,7 +970,7 @@
// L < c.out.Mutex.
func (c *Conn) sendAlert(err alert) error {
level := byte(alertLevelError)
- if err == alertNoRenegotiation || err == alertCloseNotify || err == alertNoCertficate {
+ if err == alertNoRenegotiation || err == alertCloseNotify || err == alertNoCertificate {
level = alertLevelWarning
}
return c.SendAlert(level, err)
@@ -1195,6 +1202,13 @@
// c.in.Mutex < L; c.out.Mutex < L.
func (c *Conn) readHandshake() (interface{}, error) {
data, err := c.doReadHandshake()
+ if err == errNoCertificateAlert {
+ if c.hand.Len() != 0 {
+ // The warning alert may not interleave with a handshake message.
+ return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
+ }
+ return new(ssl3NoCertificateMsg), nil
+ }
if err != nil {
return nil, err
}
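Review bot: The branch at `if err == errNoCertificateAlert {` synthesizes an ssl3NoCertificateMsg without checking the negotiated protocol version. A peer that sends alert 41 at a handshake-message boundary under TLS 1.0 or later would therefore reach the handshake code as if it had sent the SSL 3.0 signal. Unless the consumer of ssl3NoCertificateMsg already rejects it for newer versions (not visible here), the branch could be gated, e.g. `if err == errNoCertificateAlert && c.vers == VersionSSL30 {`, assuming the version is held in c.vers as in crypto/tls. Any other version would then fall through to the existing `if err != nil` return and fail the handshake. readHandshake's body continues past the end of the hunk.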