Add a test for renegotiation with EXTMS dropped
authorTomas Mraz <tmraz@fedoraproject.org>
Fri, 5 Jun 2020 08:50:25 +0000 (10:50 +0200)
committerTomas Mraz <tmraz@fedoraproject.org>
Tue, 9 Jun 2020 12:11:20 +0000 (14:11 +0200)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12045)

test/handshake_helper.c
test/ssl-tests/17-renegotiate.cnf
test/ssl-tests/17-renegotiate.cnf.in
test/ssl_test_ctx.c
test/ssl_test_ctx.h

index 32aa12c..0300732 100644 (file)
@@ -938,16 +938,24 @@ static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer)
             if (SSL_is_server(peer->ssl)) {
                 ret = SSL_renegotiate(peer->ssl);
             } else {
+                int full_reneg = 0;
+
+                if (test_ctx->extra.client.no_extms_on_reneg) {
+                    SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET);
+                    full_reneg = 1;
+                }
                 if (test_ctx->extra.client.reneg_ciphers != NULL) {
                     if (!SSL_set_cipher_list(peer->ssl,
                                 test_ctx->extra.client.reneg_ciphers)) {
                         peer->status = PEER_ERROR;
                         return;
                     }
+                    full_reneg = 1;
+                }
+                if (full_reneg)
                     ret = SSL_renegotiate(peer->ssl);
-                } else {
+                else
                     ret = SSL_renegotiate_abbreviated(peer->ssl);
-                }
             }
             if (!ret) {
                 peer->status = PEER_ERROR;
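Review bot: The `full_reneg = 1` set right after `SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET)` carries the whole intent of the new option, but nothing in the hunk says why dropping EMS also forces a full rather than abbreviated renegotiation; a why-comment there would spare the next reader a trip to the test config, e.g. `/* Drop extended_master_secret from the renegotiation ClientHello: once EMS was used, RFC 7627 requires the server to refuse renegotiating without it (the test expects ServerFail). A full handshake is forced so that check, not session resumption, decides the outcome. */` — the second sentence is my reading of the change, confirm it before committing it as a comment. Ignoring the result of SSL_set_options is fine here since it returns the updated option bitmask rather than a status. do_reneg_setup_step begins before and continues past this hunk.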
index 12cf791..ac826af 100644 (file)
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 14
+num_tests = 15
 
 test-0 = 0-renegotiate-client-no-resume
 test-1 = 1-renegotiate-client-resume
@@ -16,6 +16,7 @@ test-10 = 10-no-renegotiation-server-by-client
 test-11 = 11-no-renegotiation-server-by-server
 test-12 = 12-no-renegotiation-client-by-server
 test-13 = 13-no-renegotiation-client-by-client
+test-14 = 14-no-extms-on-renegotiation
 # ===========================================================
 
 [0-renegotiate-client-no-resume]
@@ -430,3 +431,35 @@ Method = TLS
 ResumptionExpected = No
 
 
+# ===========================================================
+
+[14-no-extms-on-renegotiation]
+ssl_conf = 14-no-extms-on-renegotiation-ssl
+
+[14-no-extms-on-renegotiation-ssl]
+server = 14-no-extms-on-renegotiation-server
+client = 14-no-extms-on-renegotiation-client
+
+[14-no-extms-on-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[14-no-extms-on-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-14]
+ExpectedResult = ServerFail
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+client = 14-no-extms-on-renegotiation-client-extra
+
+[14-no-extms-on-renegotiation-client-extra]
+RenegotiateNoExtms = Yes
+
+
index 2cc2181..ff3f749 100644 (file)
@@ -243,6 +243,24 @@ our @tests_tls1_2 = (
             "ResumptionExpected" => "No",
             "ExpectedResult" => "ClientFail"
         }
+    },
+    {
+        name => "no-extms-on-renegotiation",
+        server => {
+            "MaxProtocol" => "TLSv1.2"
+        },
+        client => {
+            "MaxProtocol" => "TLSv1.2",
+            extra => {
+                "RenegotiateNoExtms" => "Yes"
+            }
+        },
+        test => {
+            "Method" => "TLS",
+            "HandshakeMode" => "RenegotiateClient",
+            "ResumptionExpected" => "No",
+            "ExpectedResult" => "ServerFail"
+        }
     }
 );
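Review bot: The `"ExpectedResult" => "ServerFail"` in the new `no-extms-on-renegotiation` entry depends on the initial handshake having negotiated EMS, which the entry leaves to the library default rather than stating; a one-line comment above the entry, e.g. `# Initial handshake uses EMS (library default); renegotiating without it must be refused by the server (RFC 7627)`, would make that assumption explicit. In a build where EMS were not on by default the test would presumably pass for the wrong reason or stop failing where intended — worth confirming the default is pinned elsewhere in the test suite.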
 
index aee9773..31da26b 100644 (file)
@@ -638,6 +638,7 @@ IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_cipher)
 
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha)
+IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg)
 
 /* Known test options and their corresponding parse methods. */
 
@@ -697,6 +698,7 @@ static const ssl_test_client_option ssl_test_client_options[] = {
     { "SRPPassword", &parse_client_srp_password },
     { "MaxFragmentLenExt", &parse_max_fragment_len_mode },
     { "EnablePHA", &parse_client_enable_pha },
+    { "RenegotiateNoExtms", &parse_client_no_extms_on_reneg },
 };
 
 /* Nested server options. */
index 29a989a..d08c415 100644 (file)
@@ -110,6 +110,8 @@ typedef struct {
     char *srp_password;
     /* PHA enabled */
     int enable_pha;
+    /* Do not send extms on renegotiation */
+    int no_extms_on_reneg;
 } SSL_TEST_CLIENT_CONF;
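Review bot: The new field's comment `/* Do not send extms on renegotiation */` names the effect but not how it is achieved or that it is client-only, which is what a maintainer of SSL_TEST_CLIENT_CONF needs; since the handshake helper implements it by setting SSL_OP_NO_EXTENDED_MASTER_SECRET on the client SSL before renegotiating, say so: `/* Client only: set SSL_OP_NO_EXTENDED_MASTER_SECRET before renegotiating so the extended_master_secret extension is omitted from the new ClientHello (the server is expected to reject this). Config key: RenegotiateNoExtms. */`.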
 
 typedef struct {