Move AllowClientRenegotiation tests

Move them from test_renegotiation to renegotiation in ssl_new Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15415)
2 years ago · f4752e8827
parent 60d13c8ff8
commit f4752e8827
6 changed files with 101 additions and 19 deletions
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@ -67,7 +67,7 @@ handshake.
  - InternalError - some other error

 * ExpectedClientAlert, ExpectedServerAlert - expected alert. See
-  `ssl_test_ctx.c` for known values. Note: the expected alert is currently
+  `test/helpers/ssl_test_ctx.c` for known values. Note: the expected alert is currently
  matched against the _last_ received alert (i.e., a fatal alert or a
  `close_notify`). Warning alert expectations are not yet supported. (A warning
  alert will not be correctly matched, if followed by a `close_notify` or
@ -261,12 +261,14 @@ environment variable to point to the location of the certs. E.g., from the root
 OpenSSL directory, do

    $ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
-      test/ssl-tests/01-simple.cnf
+      test/ssl-tests/01-simple.cnf default

 or for shared builds

    $ CTLOG_FILE=test/ct/log_list.cnf  TEST_CERTS_DIR=test/certs \
-      util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf
+      util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf default
+
+In the above examples, `default` is the provider to use.

 Note that the test expectations sometimes depend on the Configure settings. For
 example, the negotiated protocol depends on the set of available (enabled)
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@ -30,7 +30,7 @@ BEGIN {
    #Input file may be relative to cwd, but setup below changes the cwd, so
    #figure out the absolute path first
    $input_file = abs_path(shift);
-    $provider = shift;
+    $provider = shift // '';

    OpenSSL::Test::setup("no_test_here", quiet => 1);
 }
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@ -124,6 +124,7 @@ static const test_enum ssl_alerts[] = {
    {"UnknownCA", SSL_AD_UNKNOWN_CA},
    {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
    {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+    {"NoRenegotiation", SSL_AD_NO_RENEGOTIATION},
    {"BadCertificate", SSL_AD_BAD_CERTIFICATE},
    {"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
    {"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS <= 1.2 enabled"
    if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));

-plan tests => 6;
+plan tests => 5;

 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
@ -110,19 +110,6 @@ SKIP: {
        "Check client renegotiation failed");
 }

-SKIP: {
-    skip "TLSv1.2 and TLSv1.1 disabled", 1
-        if disabled("tls1_2") && disabled("tls1_1");
-    #Test 6: Server can do renegotiation
-    $proxy->clear();
-    $proxy->filter(undef);
-    $proxy->serverflags("-no_tls1_3 -immediate_renegotiation");
-    $proxy->clientflags("-no_tls1_3");
-    $proxy->start();
-    ok(TLSProxy::Message->success(),
-        "Check server renegotiation succeeded");
-}
-
 sub reneg_filter
 {
    my $proxy = shift;
--- a/test/ssl-tests/17-renegotiate.cnf
+++ b/test/ssl-tests/17-renegotiate.cnf
@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl

-num_tests = 15
+num_tests = 17

 test-0 = 0-renegotiate-client-no-resume
 test-1 = 1-renegotiate-client-resume
@ -17,6 +17,8 @@ test-11 = 11-no-renegotiation-server-by-server
 test-12 = 12-no-renegotiation-client-by-server
 test-13 = 13-no-renegotiation-client-by-client
 test-14 = 14-no-extms-on-renegotiation
+test-15 = 15-allow-client-renegotiation
+test-16 = 16-no-client-renegotiation
 # ===========================================================

 [0-renegotiate-client-no-resume]
@ -463,3 +465,61 @@ client = 14-no-extms-on-renegotiation-client-extra
 RenegotiateNoExtms = Yes


+# ===========================================================
+
+[15-allow-client-renegotiation]
+ssl_conf = 15-allow-client-renegotiation-ssl
+
+[15-allow-client-renegotiation-ssl]
+server = 15-allow-client-renegotiation-server
+client = 15-allow-client-renegotiation-client
+
+[15-allow-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-allow-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[16-no-client-renegotiation]
+ssl_conf = 16-no-client-renegotiation-ssl
+
+[16-no-client-renegotiation-ssl]
+server = 16-no-client-renegotiation-server
+client = 16-no-client-renegotiation-client
+
+[16-no-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = -ClientRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-no-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedResult = ClientFail
+ExpectedServerAlert = NoRenegotiation
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+
+
--- a/test/ssl-tests/17-renegotiate.cnf.in
+++ b/test/ssl-tests/17-renegotiate.cnf.in
@ -261,6 +261,38 @@ our @tests_tls1_2 = (
            "ResumptionExpected" => "No",
            "ExpectedResult" => "ServerFail"
        }
+    },
+    {
+        name => "allow-client-renegotiation",
+        server => {
+            "MaxProtocol" => "TLSv1.2",
+        },
+        client => {
+            "MaxProtocol" => "TLSv1.2"
+        },
+        test => {
+            "Method" => "TLS",
+            "HandshakeMode" => "RenegotiateClient",
+            "ResumptionExpected" => "Yes",
+            "ExpectedResult" => "Success"
+        }
+    },
+    {
+        name => "no-client-renegotiation",
+        server => {
+            "MaxProtocol" => "TLSv1.2",
+            "Options" => "-ClientRenegotiation"
+        },
+        client => {
+            "MaxProtocol" => "TLSv1.2",
+        },
+        test => {
+            "Method" => "TLS",
+            "HandshakeMode" => "RenegotiateClient",
+            "ResumptionExpected" => "No",
+            "ExpectedResult" => "ClientFail",
+            "ExpectedServerAlert" => "NoRenegotiation"
+        }
    }
 );