summaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
authorRich Salz <rsalz@akamai.com>2021-05-21 19:26:33 +0200
committerTomas Mraz <tomas@openssl.org>2021-06-15 12:36:51 +0200
commitf4752e88272933777dbdbda31d00b388fa5a8e2d (patch)
treecac20c191b6964ce9cab26738abc4e2c58f1d487 /test
parentremove end of line whitespace (diff)
downloadopenssl-f4752e88272933777dbdbda31d00b388fa5a8e2d.tar.xz
openssl-f4752e88272933777dbdbda31d00b388fa5a8e2d.zip
Move AllowClientRenegotiation tests
Move them from test_renegotiation to renegotiation in ssl_new Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15415)
Diffstat (limited to 'test')
-rw-r--r--test/README.ssltest.md8
-rw-r--r--test/generate_ssl_tests.pl2
-rw-r--r--test/helpers/ssl_test_ctx.c1
-rw-r--r--test/recipes/70-test_renegotiation.t15
-rw-r--r--test/ssl-tests/17-renegotiate.cnf62
-rw-r--r--test/ssl-tests/17-renegotiate.cnf.in32
6 files changed, 101 insertions, 19 deletions
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 6ae10fdc18..81ee7dfdb8 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -67,7 +67,7 @@ handshake.
- InternalError - some other error
* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
- `ssl_test_ctx.c` for known values. Note: the expected alert is currently
+ `test/helpers/ssl_test_ctx.c` for known values. Note: the expected alert is currently
matched against the _last_ received alert (i.e., a fatal alert or a
`close_notify`). Warning alert expectations are not yet supported. (A warning
alert will not be correctly matched, if followed by a `close_notify` or
@@ -261,12 +261,14 @@ environment variable to point to the location of the certs. E.g., from the root
OpenSSL directory, do
$ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
- test/ssl-tests/01-simple.cnf
+ test/ssl-tests/01-simple.cnf default
or for shared builds
$ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs \
- util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf
+ util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf default
+
+In the above examples, `default` is the provider to use.
Note that the test expectations sometimes depend on the Configure settings. For
example, the negotiated protocol depends on the set of available (enabled)
diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl
index 1783d1729e..defe3c745b 100644
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -30,7 +30,7 @@ BEGIN {
#Input file may be relative to cwd, but setup below changes the cwd, so
#figure out the absolute path first
$input_file = abs_path(shift);
- $provider = shift;
+ $provider = shift // '';
OpenSSL::Test::setup("no_test_here", quiet => 1);
}
diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c
index 6ba8a52c2d..1374b04cf0 100644
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@@ -124,6 +124,7 @@ static const test_enum ssl_alerts[] = {
{"UnknownCA", SSL_AD_UNKNOWN_CA},
{"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
{"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+ {"NoRenegotiation", SSL_AD_NO_RENEGOTIATION},
{"BadCertificate", SSL_AD_BAD_CERTIFICATE},
{"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
{"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t
index 0dc0594775..b7bc9c025a 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLS <= 1.2 enabled"
if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
-plan tests => 6;
+plan tests => 5;
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
@@ -110,19 +110,6 @@ SKIP: {
"Check client renegotiation failed");
}
-SKIP: {
- skip "TLSv1.2 and TLSv1.1 disabled", 1
- if disabled("tls1_2") && disabled("tls1_1");
- #Test 6: Server can do renegotiation
- $proxy->clear();
- $proxy->filter(undef);
- $proxy->serverflags("-no_tls1_3 -immediate_renegotiation");
- $proxy->clientflags("-no_tls1_3");
- $proxy->start();
- ok(TLSProxy::Message->success(),
- "Check server renegotiation succeeded");
-}
-
sub reneg_filter
{
my $proxy = shift;
diff --git a/test/ssl-tests/17-renegotiate.cnf b/test/ssl-tests/17-renegotiate.cnf
index ac826af187..099d6d6f19 100644
--- a/test/ssl-tests/17-renegotiate.cnf
+++ b/test/ssl-tests/17-renegotiate.cnf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 15
+num_tests = 17
test-0 = 0-renegotiate-client-no-resume
test-1 = 1-renegotiate-client-resume
@@ -17,6 +17,8 @@ test-11 = 11-no-renegotiation-server-by-server
test-12 = 12-no-renegotiation-client-by-server
test-13 = 13-no-renegotiation-client-by-client
test-14 = 14-no-extms-on-renegotiation
+test-15 = 15-allow-client-renegotiation
+test-16 = 16-no-client-renegotiation
# ===========================================================
[0-renegotiate-client-no-resume]
@@ -463,3 +465,61 @@ client = 14-no-extms-on-renegotiation-client-extra
RenegotiateNoExtms = Yes
+# ===========================================================
+
+[15-allow-client-renegotiation]
+ssl_conf = 15-allow-client-renegotiation-ssl
+
+[15-allow-client-renegotiation-ssl]
+server = 15-allow-client-renegotiation-server
+client = 15-allow-client-renegotiation-client
+
+[15-allow-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-allow-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[16-no-client-renegotiation]
+ssl_conf = 16-no-client-renegotiation-ssl
+
+[16-no-client-renegotiation-ssl]
+server = 16-no-client-renegotiation-server
+client = 16-no-client-renegotiation-client
+
+[16-no-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = -ClientRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-no-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedResult = ClientFail
+ExpectedServerAlert = NoRenegotiation
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+
+
diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
index ff3f74906a..86c858f786 100644
--- a/test/ssl-tests/17-renegotiate.cnf.in
+++ b/test/ssl-tests/17-renegotiate.cnf.in
@@ -261,6 +261,38 @@ our @tests_tls1_2 = (
"ResumptionExpected" => "No",
"ExpectedResult" => "ServerFail"
}
+ },
+ {
+ name => "allow-client-renegotiation",
+ server => {
+ "MaxProtocol" => "TLSv1.2",
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "no-client-renegotiation",
+ server => {
+ "MaxProtocol" => "TLSv1.2",
+ "Options" => "-ClientRenegotiation"
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "ClientFail",
+ "ExpectedServerAlert" => "NoRenegotiation"
+ }
}
);