Don't send the access_denied alert inappropriately.

access_denied is only used to indicate client cert errors and Chrome
maps it to ERR_SSL_BAD_CLIENT_AUTH_CERT accordingly:

   access_denied
      A valid certificate was received, but when access control was
      applied, the sender decided not to proceed with negotiation.  This
      message is always fatal.

We don't appear to be the cause of Chrome's recent
ERR_SSL_BAD_CLIENT_AUTH_CERT spike, but we should send these correctly
nonetheless.

If the early callback fails, handshake_failure seems the most
appropriate ("I was unable to find suitable parameters"). There isn't
really an alert that matches DoS, but internal_error seems okay?

   internal_error
      An internal error unrelated to the peer or the correctness of the
      protocol (such as a memory allocation failure) makes it impossible
      to continue.  This message is always fatal.

There's nothing wrong, per se, with your ClientHello, but I just can't
deal with it right now. Please go away.

Change-Id: Icd1c998c09dc42daa4b309c1a4a0f136b85eb69d
Reviewed-on: https://boringssl-review.googlesource.com/11084
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 67adacd..8e107aa 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1706,7 +1706,7 @@
 			flags:              []string{"-fail-early-callback"},
 			shouldFail:         true,
 			expectedError:      ":CONNECTION_REJECTED:",
-			expectedLocalError: "remote error: access denied",
+			expectedLocalError: "remote error: handshake failure",
 		},
 		{
 			protocol: dtls,
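Review bot: the changed `expectedLocalError` in the `-fail-early-callback` case has no comment saying why handshake failure is the expected alert, so the reasoning lives only in the commit message. A one-line comment above the field, noting that access_denied is reserved for client certificate errors, would make it harder for a later edit to revert the string unnoticed. The `protocol: dtls` case that begins immediately after is untouched by this hunk, so it is worth confirming whether it should assert a local alert as well.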
@@ -4004,10 +4004,11 @@
 			config: Config{
 				MaxVersion: VersionTLS12,
 			},
-			flags:         []string{"-install-ddos-callback", failFlag},
-			resumeSession: resume,
-			shouldFail:    true,
-			expectedError: ":CONNECTION_REJECTED:",
+			flags:              []string{"-install-ddos-callback", failFlag},
+			resumeSession:      resume,
+			shouldFail:         true,
+			expectedError:      ":CONNECTION_REJECTED:",
+			expectedLocalError: "remote error: internal error",
 		})
 		testCases = append(testCases, testCase{
 			testType: serverTest,
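Review bot: the new `expectedLocalError: "remote error: internal error"` in the TLS 1.2 `-install-ddos-callback` case is asserted for every value of `failFlag` and `resume`, with nothing in the test recording why internal_error was picked. The commit message itself leaves the choice open ("internal_error seems okay?"), so a short comment next to the field stating that no alert matches a DoS rejection and internal_error is the chosen stand-in would keep the test from looking like an accident to the next reader.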
@@ -4015,10 +4016,11 @@
 			config: Config{
 				MaxVersion: VersionTLS13,
 			},
-			flags:         []string{"-install-ddos-callback", failFlag},
-			resumeSession: resume,
-			shouldFail:    true,
-			expectedError: ":CONNECTION_REJECTED:",
+			flags:              []string{"-install-ddos-callback", failFlag},
+			resumeSession:      resume,
+			shouldFail:         true,
+			expectedError:      ":CONNECTION_REJECTED:",
+			expectedLocalError: "remote error: internal error",
 		})
 	}
 }
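Review bot: the TLS 1.3 case repeats the `flags` / `resumeSession` / `shouldFail` / `expectedError` / `expectedLocalError` block of the TLS 1.2 case above, and in the visible lines the two differ only in `MaxVersion`. With the expected alert string now stated twice, a future change to the alert has to be made in both places; consider generating both cases from a loop over the versions so `"remote error: internal error"` appears once.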