From: Tomas Mraz Date: Fri, 5 Jun 2020 08:50:25 +0000 (+0200) Subject: Add a test for renegotiation with EXTMS dropped X-Git-Tag: openssl-3.0.0-alpha4~146 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cd4afec69f13e283f74d59f1c97e15db6803bdcb;p=oweals%2Fopenssl.git Add a test for renegotiation with EXTMS dropped Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12045) --- diff --git a/test/handshake_helper.c b/test/handshake_helper.c index 32aa12c466..030073289a 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -938,16 +938,24 @@ static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer) if (SSL_is_server(peer->ssl)) { ret = SSL_renegotiate(peer->ssl); } else { + int full_reneg = 0; + + if (test_ctx->extra.client.no_extms_on_reneg) { + SSL_set_options(peer->ssl, SSL_OP_NO_EXTENDED_MASTER_SECRET); + full_reneg = 1; + } if (test_ctx->extra.client.reneg_ciphers != NULL) { if (!SSL_set_cipher_list(peer->ssl, test_ctx->extra.client.reneg_ciphers)) { peer->status = PEER_ERROR; return; } + full_reneg = 1; + } + if (full_reneg) ret = SSL_renegotiate(peer->ssl); - } else { + else ret = SSL_renegotiate_abbreviated(peer->ssl); - } } if (!ret) { peer->status = PEER_ERROR; diff --git a/test/ssl-tests/17-renegotiate.cnf b/test/ssl-tests/17-renegotiate.cnf index 12cf791310..ac826af187 100644 --- a/test/ssl-tests/17-renegotiate.cnf +++ b/test/ssl-tests/17-renegotiate.cnf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 14 +num_tests = 15 test-0 = 0-renegotiate-client-no-resume test-1 = 1-renegotiate-client-resume @@ -16,6 +16,7 @@ test-10 = 10-no-renegotiation-server-by-client test-11 = 11-no-renegotiation-server-by-server test-12 = 12-no-renegotiation-client-by-server test-13 = 13-no-renegotiation-client-by-client +test-14 = 14-no-extms-on-renegotiation # =========================================================== [0-renegotiate-client-no-resume] @@ -430,3 +431,35 @@ Method = TLS ResumptionExpected = No +# =========================================================== + +[14-no-extms-on-renegotiation] +ssl_conf = 14-no-extms-on-renegotiation-ssl + +[14-no-extms-on-renegotiation-ssl] +server = 14-no-extms-on-renegotiation-server +client = 14-no-extms-on-renegotiation-client + +[14-no-extms-on-renegotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[14-no-extms-on-renegotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-14] +ExpectedResult = ServerFail +HandshakeMode = RenegotiateClient +Method = TLS +ResumptionExpected = No +client = 14-no-extms-on-renegotiation-client-extra + +[14-no-extms-on-renegotiation-client-extra] +RenegotiateNoExtms = Yes + + diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in index 2cc2181532..ff3f74906a 100644 --- a/test/ssl-tests/17-renegotiate.cnf.in +++ b/test/ssl-tests/17-renegotiate.cnf.in @@ -243,6 +243,24 @@ our @tests_tls1_2 = ( "ResumptionExpected" => "No", "ExpectedResult" => "ClientFail" } + }, + { + name => "no-extms-on-renegotiation", + server => { + "MaxProtocol" => "TLSv1.2" + }, + client => { + "MaxProtocol" => "TLSv1.2", + extra => { + "RenegotiateNoExtms" => "Yes" + } + }, + test => { + "Method" => "TLS", + "HandshakeMode" => "RenegotiateClient", + "ResumptionExpected" => "No", + "ExpectedResult" => "ServerFail" + } } ); diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c index aee9773bf8..31da26b0d7 100644 --- a/test/ssl_test_ctx.c +++ b/test/ssl_test_ctx.c @@ -638,6 +638,7 @@ IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_cipher) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha) +IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg) /* Known test options and their corresponding parse methods. */ @@ -697,6 +698,7 @@ static const ssl_test_client_option ssl_test_client_options[] = { { "SRPPassword", &parse_client_srp_password }, { "MaxFragmentLenExt", &parse_max_fragment_len_mode }, { "EnablePHA", &parse_client_enable_pha }, + { "RenegotiateNoExtms", &parse_client_no_extms_on_reneg }, }; /* Nested server options. */ diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index 29a989abc8..d08c415fd2 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -110,6 +110,8 @@ typedef struct { char *srp_password; /* PHA enabled */ int enable_pha; + /* Do not send extms on renegotiation */ + int no_extms_on_reneg; } SSL_TEST_CLIENT_CONF; typedef struct {