preferServerCipherSuites bool
serverCiphers []uint16
expectedCipher uint16
+ boringExpectedCipher uint16 // If non-zero, used when BoringCrypto is enabled.
}{
{
name: "server has hardware AES, client doesn't (pick ChaCha)",
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
- serverHasAESGCM: false,
- expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ serverHasAESGCM: false,
+ expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ boringExpectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // When BoringCrypto is enabled, AES-GCM is prioritized even without server hardware.
},
{
name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)",
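Review bot: The trailing comment on `boringExpectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` is repeated verbatim on every entry that sets the field (the next entry in this table and three entries in the second table), while the field declaration only says "If non-zero, used when BoringCrypto is enabled." The rationale could be stated once on the declaration, for example `boringExpectedCipher uint16 // If non-zero, overrides expectedCipher when boringEnabled; BoringCrypto prioritizes AES-GCM even without server AES hardware.` That comment should also say that entries leaving the field zero are checked against `expectedCipher` in BoringCrypto builds too, so a reader can tell an intentional fallback from an omitted value. The case names visible on this page still end in "(pick ChaCha)", so a failing subtest in a BoringCrypto build may report a name that contradicts the expected suite. The table literal starts and ends outside this hunk.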
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
- serverHasAESGCM: false,
- expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ serverHasAESGCM: false,
+ expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ boringExpectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // When BoringCrypto is enabled, AES-GCM is prioritized even without server hardware.
},
{
name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (pick corrent AES-GCM)",
t.Errorf("pickCipherSuite failed: %s", err)
}
- if tc.expectedCipher != hs.suite.id {
- t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
+ want := tc.expectedCipher
+ if boringEnabled && tc.boringExpectedCipher != 0 {
+ want = tc.boringExpectedCipher
+ }
+ if want != hs.suite.id {
+ t.Errorf("unexpected cipher chosen: want %d, got %d", want, hs.suite.id)
}
})
}
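Review bot: The failure message in `t.Errorf("unexpected cipher chosen: want %d, got %d", want, hs.suite.id)` prints the suite IDs in decimal and does not say which expectation was selected, so a failure in a BoringCrypto build is hard to map back to a suite constant. Consider `t.Errorf("unexpected cipher chosen (boringEnabled=%t): want 0x%04x, got 0x%04x", boringEnabled, want, hs.suite.id)`. The same four-line `want` selection is duplicated in the second table's loop (the one using the TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256 suites), and a small helper would keep the two in sync. `boringEnabled` is defined outside this hunk. If it is true only in BoringCrypto builds, the `boringExpectedCipher` values are checked only when the tests run under such a build, so that configuration needs to be part of CI for this ordering to stay covered.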
serverHasAESGCM bool
preferServerCipherSuites bool
expectedCipher uint16
+ boringExpectedCipher uint16 // If non-zero, used when BoringCrypto is enabled.
}{
{
name: "server has hardware AES, client doesn't (pick ChaCha)",
serverHasAESGCM: false,
preferServerCipherSuites: true,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
+ boringExpectedCipher: TLS_AES_128_GCM_SHA256, // When BoringCrypto is enabled, AES-GCM is prioritized even without server hardware.
},
{
name: "client prefers AES and sends GREASE, server doesn't have hardware, prefer server ciphers (pick ChaCha)",
serverHasAESGCM: false,
preferServerCipherSuites: true,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
+ boringExpectedCipher: TLS_AES_128_GCM_SHA256, // When BoringCrypto is enabled, AES-GCM is prioritized even without server hardware.
},
{
name: "client prefers AES, server doesn't (pick ChaCha)",
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
- serverHasAESGCM: false,
- expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
+ serverHasAESGCM: false,
+ expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
+ boringExpectedCipher: TLS_AES_128_GCM_SHA256, // When BoringCrypto is enabled, AES-GCM is prioritized even without server hardware.
},
{
name: "client prefers AES, server has hardware AES (pick AES)",
t.Errorf("pickCipherSuite failed: %s", err)
}
- if tc.expectedCipher != hs.suite.id {
- t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
+ want := tc.expectedCipher
+ if boringEnabled && tc.boringExpectedCipher != 0 {
+ want = tc.boringExpectedCipher
+ }
+ if want != hs.suite.id {
+ t.Errorf("unexpected cipher chosen: want %d, got %d", want, hs.suite.id)
}
})
}