From f9b1b6644a3a8fc6d617625ad979ee61cb67d381 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 27 Sep 2016 12:24:47 +0100
Subject: [PATCH] Add DTLS renegotiation tests

Reviewed-by: Rich Salz
---
 test/recipes/80-test_ssl_new.t | 3 +-
 test/ssl-tests/18-dtls-renegotiate.conf | 86 ++++++++++++++++++++++
 test/ssl-tests/18-dtls-renegotiate.conf.in | 63 ++++++++++++++++
 3 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 test/ssl-tests/18-dtls-renegotiate.conf
 create mode 100644 test/ssl-tests/18-dtls-renegotiate.conf.in

diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index d496f21ecd..54e32bb878 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -29,7 +29,7 @@ map { s/\.in// } @conf_files;
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 17; # = scalar @conf_srcs
+plan tests => 18; # = scalar @conf_srcs
 
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
@@ -73,6 +73,7 @@ my %skip = (
 "14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m,
 "15-certstatus.conf" => $no_ocsp,
 "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
+ "18-dtls-renegotiate.conf" => $no_dtls,
 );
 
 foreach my $conf (@conf_files) {
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf b/test/ssl-tests/18-dtls-renegotiate.conf
new file mode 100644
index 0000000000..32eeaf0443
--- /dev/null
+++ b/test/ssl-tests/18-dtls-renegotiate.conf
@@ -0,0 +1,86 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 3
+
+test-0 = 0-renegotiate-client-no-resume
+test-1 = 1-renegotiate-client-resume
+test-2 = 2-renegotiate-server-resume
+# ===========================================================
+
+[0-renegotiate-client-no-resume]
+ssl_conf = 0-renegotiate-client-no-resume-ssl
+
+[0-renegotiate-client-no-resume-ssl]
+server = 0-renegotiate-client-no-resume-server
+client = 0-renegotiate-client-no-resume-client
+
+[0-renegotiate-client-no-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-renegotiate-client-no-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = DTLS
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[1-renegotiate-client-resume]
+ssl_conf = 1-renegotiate-client-resume-ssl
+
+[1-renegotiate-client-resume-ssl]
+server = 1-renegotiate-client-resume-server
+client = 1-renegotiate-client-resume-client
+
+[1-renegotiate-client-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-renegotiate-client-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = DTLS
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[2-renegotiate-server-resume]
+ssl_conf = 2-renegotiate-server-resume-ssl
+
+[2-renegotiate-server-resume-ssl]
+server = 2-renegotiate-server-resume-server
+client = 2-renegotiate-server-resume-client
+
+[2-renegotiate-server-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-renegotiate-server-resume-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+HandshakeMode = RenegotiateServer
+Method = DTLS
+ResumptionExpected = No
+
+
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf.in b/test/ssl-tests/18-dtls-renegotiate.conf.in
new file mode 100644
index 0000000000..440fb2514a
--- /dev/null
+++ b/test/ssl-tests/18-dtls-renegotiate.conf.in
@@ -0,0 +1,63 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Test Renegotiation
+
+use strict;
+use warnings;
+
+package ssltests;
+
+
+our @tests = (
+ {
+ name => "renegotiate-client-no-resume",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation"
+ },
+ client => {},
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-client-resume",
+ server => {},
+ client => {},
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success"
+ }
+ },
+# Note: Unlike the TLS tests, we will never do resumption with server
+# initiated reneg. This is because an OpenSSL DTLS client will always do a full
+# handshake (i.e. it doesn't supply a session id) when it receives a
+# HelloRequest. This is different to the OpenSSL TLS implementation where an
+# OpenSSL client will always try an abbreviated handshake (i.e. it will supply
+# the session id). This goes all the way to commit 48ae85b6f when abbreviated
+# handshake support was first added. Neither behaviour is wrong, but the
+# discrepancy is strange. TODO: Should we harmonise the TLS and DTLS behaviour,
+# and if so, what to?
+ {
+ name => "renegotiate-server-resume",
+ server => {},
+ client => {},
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateServer",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+);
-- 
2.25.1
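Review bot: The third case is named "renegotiate-server-resume" but asserts `"ResumptionExpected" => "No"`, so the name states the opposite of what the test pins and the nine-line comment above it exists mainly to explain that mismatch. Naming it for the behaviour actually checked, `name => "renegotiate-server-no-resume",`, and cutting the comment down to the one fact a reader needs (an OpenSSL DTLS client answers a HelloRequest with a full handshake rather than offering its session id) would make the expectation self-describing; the generated 18-dtls-renegotiate.conf would then need regenerating to match. Separately, all three cases expect Success under default options, so the file only shows that DTLS renegotiation completes; whether the harness can express a refused or failed renegotiation is not visible here, but if it can, one negative case would turn this from a smoke test into a regression guard for the renegotiation checks. The open TODO about harmonising TLS and DTLS client behaviour is a tracking item better filed as an issue than left in a test fixture.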