SSL test framework: port SNI tests

Observe that the old tests were partly ill-defined: setting sn_server1 but not sn_server2 in ssltest_old.c does not enable the SNI callback. Fix this, and also explicitly test both flavours of SNI mismatch (ignore / fatal alert). Tests still pass. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2016-06-20 17:20:25 +0200
committer: Emilia Kasper <emilia@openssl.org> 2016-06-28 17:26:24 +0200
commit: d2b23cd2b077de8507c49f632e20dfcdb653a35b (patch)
tree: 3a8a980e199c680d7e296468439c6f53d05fa1a0 /test/ssl_test_ctx.h
parent: base64 macro: parenthesize for clarity (diff)
download: openssl-d2b23cd2b077de8507c49f632e20dfcdb653a35b.tar.xz
openssl-d2b23cd2b077de8507c49f632e20dfcdb653a35b.zip
1 files changed, 23 insertions, 1 deletions
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 492d1d7aa8..c551a9baa7 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -29,10 +29,18 @@ typedef enum {
 typedef enum {
     SSL_TEST_SERVERNAME_NONE = 0, /* Default */
     SSL_TEST_SERVERNAME_SERVER1,
-    SSL_TEST_SERVERNAME_SERVER2
+    SSL_TEST_SERVERNAME_SERVER2,
+    SSL_TEST_SERVERNAME_INVALID
 } ssl_servername_t;
 
 typedef enum {
+    SSL_TEST_SERVERNAME_CB_NONE = 0,  /* Default */
+    SSL_TEST_SERVERNAME_IGNORE_MISMATCH,
+    SSL_TEST_SERVERNAME_REJECT_MISMATCH
+} ssl_servername_callback_t;
+
+
+typedef enum {
     SSL_TEST_SESSION_TICKET_IGNORE = 0, /* Default */
     SSL_TEST_SESSION_TICKET_YES,
     SSL_TEST_SESSION_TICKET_NO,
@@ -61,6 +69,18 @@ typedef struct ssl_test_ctx {
     ssl_verify_callback_t client_verify_callback;
     /* One of a number of predefined server names use by the client */
     ssl_servername_t servername;
+    /*
+     * The expected SNI context to use.
+     * We test server-side that the server switched to the expected context.
+     * Set by the callback upon success, so if the callback wasn't called or
+     * terminated with an alert, the servername will match with
+     * SSL_TEST_SERVERNAME_NONE.
+     * Note: in the event that the servername was accepted, the client should
+     * also receive an empty SNI extension back but we have no way of probing
+     * client-side via the API that this was the case.
+     */
+    ssl_servername_t expected_servername;
+    ssl_servername_callback_t servername_callback;
     ssl_session_ticket_t session_ticket_expected;
     /* Whether the server/client CTX should use DTLS or TLS. */
     ssl_test_method_t method;
@@ -71,6 +91,8 @@ const char *ssl_alert_name(int alert);
 const char *ssl_protocol_name(int protocol);
 const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback);
 const char *ssl_servername_name(ssl_servername_t server);
+const char *ssl_servername_callback_name(ssl_servername_callback_t
+                                         servername_callback);
 const char *ssl_session_ticket_name(ssl_session_ticket_t server);
 const char *ssl_test_method_name(ssl_test_method_t method);
author	Emilia Kasper <emilia@openssl.org>	2016-06-20 17:20:25 +0200
committer	Emilia Kasper <emilia@openssl.org>	2016-06-28 17:26:24 +0200
commit	d2b23cd2b077de8507c49f632e20dfcdb653a35b (patch)
tree	3a8a980e199c680d7e296468439c6f53d05fa1a0 /test/ssl_test_ctx.h
parent	base64 macro: parenthesize for clarity (diff)
download	openssl-d2b23cd2b077de8507c49f632e20dfcdb653a35b.tar.xz openssl-d2b23cd2b077de8507c49f632e20dfcdb653a35b.zip