Report TLS 1.3 as supporting secure renegotiation.
TLS 1.3 doesn't support renegotiation in the first place, but so callers
don't report TLS 1.3 servers as missing it, always report it as
(vacuously) protected against this bug.
BUG=chromium:680281
Change-Id: Ibfec03102b2aec7eaa773c331d6844292e7bb685
Reviewed-on: https://boringssl-review.googlesource.com/13046
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index ba78fce..dee1bb9 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5246,6 +5246,7 @@
RequireRenegotiationInfo: true,
},
},
+ flags: []string{"-expect-secure-renegotiation"},
})
testCases = append(testCases, testCase{
testType: serverTest,
@@ -5258,6 +5259,7 @@
RequireRenegotiationInfo: true,
},
},
+ flags: []string{"-expect-secure-renegotiation"},
})
// Test that illegal extensions in TLS 1.3 are rejected by the client if
@@ -6015,6 +6017,7 @@
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
+ "-expect-secure-renegotiation",
},
})
testCases = append(testCases, testCase{
@@ -6081,6 +6084,7 @@
flags: []string{
"-renegotiate-freely",
"-expect-total-renegotiations", "1",
+ "-expect-no-secure-renegotiation",
},
})
@@ -6347,6 +6351,22 @@
shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:",
})
+
+ // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
+ // always reads as supporting it, regardless of whether it was
+ // negotiated.
+ testCases = append(testCases, testCase{
+ name: "AlwaysReportRenegotiationInfo-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ NoRenegotiationInfo: true,
+ },
+ },
+ flags: []string{
+ "-expect-secure-renegotiation",
+ },
+ })
}
func addDTLSReplayTests() {