From f4752e88272933777dbdbda31d00b388fa5a8e2d Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Fri, 21 May 2021 13:26:33 -0400
Subject: Move AllowClientRenegotiation tests
Move them from test_renegotiation to renegotiation in ssl_new
Reviewed-by: Matt Caswell
Reviewed-by: Tim Hudson
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/15415)
---
 test/README.ssltest.md | 8 +++--
 test/generate_ssl_tests.pl | 2 +-
 test/helpers/ssl_test_ctx.c | 1 +
 test/recipes/70-test_renegotiation.t | 15 +--------
 test/ssl-tests/17-renegotiate.cnf | 62 +++++++++++++++++++++++++++++++++++-
 test/ssl-tests/17-renegotiate.cnf.in | 32 +++++++++++++++++++
 6 files changed, 101 insertions(+), 19 deletions(-)
(limited to 'test')
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 6ae10fdc18..81ee7dfdb8 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -67,7 +67,7 @@ handshake.
 - InternalError - some other error
 * ExpectedClientAlert, ExpectedServerAlert - expected alert. See
- `ssl_test_ctx.c` for known values. Note: the expected alert is currently
+ `test/helpers/ssl_test_ctx.c` for known values. Note: the expected alert is currently
 matched against the _last_ received alert (i.e., a fatal alert or a `close_notify`). Warning alert expectations are not yet supported. (A warning alert will not be correctly matched, if followed by a `close_notify` or
@@ -261,12 +261,14 @@ environment variable to point to the location of the certs. E.g., from the root OpenSSL directory, do
 $ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
- test/ssl-tests/01-simple.cnf
+ test/ssl-tests/01-simple.cnf default
 or for shared builds
 $ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs \
- util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf
+ util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf default
+
+In the above examples, `default` is the provider to use.
 Note that the test expectations sometimes depend on the Configure settings. For example, the negotiated protocol depends on the set of available (enabled)
diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl
index 1783d1729e..defe3c745b 100644
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -30,7 +30,7 @@ BEGIN {
 #Input file may be relative to cwd, but setup below changes the cwd, so
 #figure out the absolute path first
 $input_file = abs_path(shift);
- $provider = shift;
+ $provider = shift // '';
 OpenSSL::Test::setup("no_test_here", quiet => 1);
 }
diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c
index 6ba8a52c2d..1374b04cf0 100644
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@@ -124,6 +124,7 @@ static const test_enum ssl_alerts[] = {
 {"UnknownCA", SSL_AD_UNKNOWN_CA},
 {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
 {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+ {"NoRenegotiation", SSL_AD_NO_RENEGOTIATION},
 {"BadCertificate", SSL_AD_BAD_CERTIFICATE},
 {"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
 {"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t
index 0dc0594775..b7bc9c025a 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
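Review bot: The new `$provider = shift // '';` turns the second command-line argument into an optional one, but the only comment in this BEGIN block explains the input-file handling, so nothing tells a reader what an absent provider means or why the empty string was chosen over leaving it undef. A one-line comment above the assignment would close that gap: `# Optional provider name; '' when no second argument is given.` The enclosing `BEGIN` block starts before the hunk and `$provider` is consumed outside it, so I cannot see whether anything downstream still distinguishes undef from '' — worth confirming that no `defined $provider` check remains.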
@@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS <= 1.2 enabled"
 if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
-plan tests => 6;
+plan tests => 5;
 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
@@ -110,19 +110,6 @@ SKIP: {
 "Check client renegotiation failed");
 }
-SKIP: {
- skip "TLSv1.2 and TLSv1.1 disabled", 1
- if disabled("tls1_2") && disabled("tls1_1");
- #Test 6: Server can do renegotiation
- $proxy->clear();
- $proxy->filter(undef);
- $proxy->serverflags("-no_tls1_3 -immediate_renegotiation");
- $proxy->clientflags("-no_tls1_3");
- $proxy->start();
- ok(TLSProxy::Message->success(),
- "Check server renegotiation succeeded");
-}
-
 sub reneg_filter {
 my $proxy = shift;
diff --git a/test/ssl-tests/17-renegotiate.cnf b/test/ssl-tests/17-renegotiate.cnf
index ac826af187..099d6d6f19 100644
--- a/test/ssl-tests/17-renegotiate.cnf
+++ b/test/ssl-tests/17-renegotiate.cnf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
-num_tests = 15
+num_tests = 17
 test-0 = 0-renegotiate-client-no-resume
 test-1 = 1-renegotiate-client-resume
@@ -17,6 +17,8 @@ test-11 = 11-no-renegotiation-server-by-server
 test-12 = 12-no-renegotiation-client-by-server
 test-13 = 13-no-renegotiation-client-by-client
 test-14 = 14-no-extms-on-renegotiation
+test-15 = 15-allow-client-renegotiation
+test-16 = 16-no-client-renegotiation
 # ===========================================================
 [0-renegotiate-client-no-resume]
@@ -463,3 +465,61 @@ client = 14-no-extms-on-renegotiation-client-extra
 RenegotiateNoExtms = Yes
+# ===========================================================
+
+[15-allow-client-renegotiation]
+ssl_conf = 15-allow-client-renegotiation-ssl
+
+[15-allow-client-renegotiation-ssl]
+server = 15-allow-client-renegotiation-server
+client = 15-allow-client-renegotiation-client
+
+[15-allow-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-allow-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[16-no-client-renegotiation]
+ssl_conf = 16-no-client-renegotiation-ssl
+
+[16-no-client-renegotiation-ssl]
+server = 16-no-client-renegotiation-server
+client = 16-no-client-renegotiation-client
+
+[16-no-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = -ClientRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-no-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedResult = ClientFail
+ExpectedServerAlert = NoRenegotiation
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+
+
diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
index ff3f74906a..86c858f786 100644
--- a/test/ssl-tests/17-renegotiate.cnf.in
+++ b/test/ssl-tests/17-renegotiate.cnf.in
@@ -261,6 +261,38 @@ our @tests_tls1_2 = (
 "ResumptionExpected" => "No",
 "ExpectedResult" => "ServerFail"
 }
+ },
+ {
+ name => "allow-client-renegotiation",
+ server => {
+ "MaxProtocol" => "TLSv1.2",
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "no-client-renegotiation",
+ server => {
+ "MaxProtocol" => "TLSv1.2",
+ "Options" => "-ClientRenegotiation"
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "ClientFail",
+ "ExpectedServerAlert" => "NoRenegotiation"
+ }
 }
 );
-- cgit v1.2.3
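Review bot: The `allow-client-renegotiation` entry never sets the option it is named after — its server block carries only `"MaxProtocol"` — so the positive half of this pair passes only because of whatever default the ssl_test harness applies, which is outside this hunk; the negative entry spells out `"Options" => "-ClientRenegotiation"`, and the positive one should be equally explicit with `"Options" => "ClientRenegotiation"` beside `"MaxProtocol"` so the test still documents itself if the harness default changes. Separately, `no-client-renegotiation` expects `ClientFail` together with `"ExpectedServerAlert" => "NoRenegotiation"`, while the README touched by this same commit says warning alerts are not matched and RFC 5246 defines no_renegotiation as a warning-level alert; if the server emits it as a fatal alert in this path, a short comment on the test saying so would spare the next reader a trip through the library. The `our @tests_tls1_2 = (` list begins before the hunk.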