The branch master has been updated
via 5bbe2134188a45a937e7aefd46b7eeee258d0ab8 (commit)
via f4752e88272933777dbdbda31d00b388fa5a8e2d (commit)
from 60d13c8ff824720580db9665489832fb50f9e60a (commit)
- Log -----------------------------------------------------------------
commit 5bbe2134188a45a937e7aefd46b7eeee258d0ab8
Author: Rich Salz <rs...@akamai.com>
Date: Sun Jun 13 10:49:47 2021 -0400
Remove "-immedate_renegotiation" option
Reviewed-by: Matt Caswell <m...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15415)
commit f4752e88272933777dbdbda31d00b388fa5a8e2d
Author: Rich Salz <rs...@akamai.com>
Date: Fri May 21 13:26:33 2021 -0400
Move AllowClientRenegotiation tests
Move them from test_renegotiation to renegotiation in ssl_new
Reviewed-by: Matt Caswell <m...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15415)
-----------------------------------------------------------------------
Summary of changes:
apps/include/opt.h | 4 +--
apps/s_client.c | 3 --
apps/s_server.c | 6 ----
doc/man3/SSL_CONF_cmd.pod | 6 ----
doc/perlvars.pm | 5 ++-
test/README.ssltest.md | 8 +++--
test/generate_ssl_tests.pl | 2 +-
test/helpers/ssl_test_ctx.c | 1 +
test/recipes/70-test_renegotiation.t | 15 +--------
test/ssl-tests/17-renegotiate.cnf | 62 +++++++++++++++++++++++++++++++++++-
test/ssl-tests/17-renegotiate.cnf.in | 32 +++++++++++++++++++
11 files changed, 104 insertions(+), 40 deletions(-)
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 951557974b..b77c5a52e5 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -162,7 +162,7 @@
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
- OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_IMMEDIATE_RENEG, \
+ OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
# define OPT_S_OPTIONS \
@@ -211,8 +211,6 @@
{"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3
ciphersuites to be used"}, \
{"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol
version to be used"}, \
{"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol
version to be used"}, \
- {"immediate_renegotiation", OPT_S_IMMEDIATE_RENEG, '-', \
- "Immediately attempt renegotiation"}, \
{"record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to."}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
diff --git a/apps/s_client.c b/apps/s_client.c
index ac9b08dfc2..3b9be0e8c2 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1047,9 +1047,6 @@ int s_client_main(int argc, char **argv)
case OPT_BRIEF:
c_brief = verify_args.quiet = c_quiet = 1;
break;
- case OPT_S_IMMEDIATE_RENEG:
- /* Option ignored on client. */
- break;
case OPT_S_CASES:
if (ssl_args == NULL)
ssl_args = sk_OPENSSL_STRING_new_null();
diff --git a/apps/s_server.c b/apps/s_server.c
index 009ac5a1eb..e32d25e800 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -78,7 +78,6 @@ static int accept_socket = -1;
static int s_nbio = 0;
static int s_nbio_test = 0;
static int s_crlf = 0;
-static int immediate_reneg = 0;
static SSL_CTX *ctx = NULL;
static SSL_CTX *ctx2 = NULL;
static int www = 0;
@@ -1270,9 +1269,6 @@ int s_server_main(int argc, char *argv[])
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
goto opthelp;
break;
- case OPT_S_IMMEDIATE_RENEG:
- immediate_reneg = 1;
- break;
case OPT_S_CASES:
case OPT_S_NUM_TICKETS:
case OPT_ANTI_REPLAY:
@@ -2811,8 +2807,6 @@ static int init_ssl_connection(SSL *con)
} else {
do {
i = SSL_accept(con);
- if (immediate_reneg)
- SSL_renegotiate(con);
if (i <= 0)
retry = is_retryable(con, i);
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 68c05d33d7..7971d6e0b5 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -83,12 +83,6 @@ Sets B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION>. Only
used by servers.
Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
clients only. Equivalent to setting or clearing
B<SSL_OP_LEGACY_SERVER_CONNECT>.
-=item B<-immediate_renegotiation>
-
-Try to do a renegotiation immediately after the handshake.
-This is for debugging and has no option equivalent.
-Ignored by the B<openssl s_client> command.
-
=item B<-prioritize_chacha>
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index 71f3888d58..133ad3c416 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -183,7 +183,6 @@ $OpenSSL::safe::opt_s_synopsis = ""
. "[B<-legacy_renegotiation>]\n"
. "[B<-no_renegotiation>]\n"
. "[B<-no_resumption_on_reneg>]\n"
-. "[B<-immediate_renegotiation>]\n"
. "[B<-legacy_server_connect>]\n"
. "[B<-no_legacy_server_connect>]\n"
. "[B<-allow_no_dhe_kex>]\n"
@@ -203,9 +202,9 @@ $OpenSSL::safe::opt_s_synopsis = ""
. "[B<-no_middlebox>]";
$OpenSSL::safe::opt_s_item = ""
. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
-. "B<-client_renegotiation>, B<_immediate_renegotiation>,\n"
+. "B<-client_renegotiation>,\n"
. "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
-. "B<-immediate_renegotiation>, B<-no_resumption_on_reneg>,\n"
+. "B<-no_resumption_on_reneg>,\n"
. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
. "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 6ae10fdc18..81ee7dfdb8 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -67,7 +67,7 @@ handshake.
- InternalError - some other error
* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
- `ssl_test_ctx.c` for known values. Note: the expected alert is currently
+ `test/helpers/ssl_test_ctx.c` for known values. Note: the expected alert is
currently
matched against the _last_ received alert (i.e., a fatal alert or a
`close_notify`). Warning alert expectations are not yet supported. (A warning
alert will not be correctly matched, if followed by a `close_notify` or
@@ -261,12 +261,14 @@ environment variable to point to the location of the
certs. E.g., from the root
OpenSSL directory, do
$ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
- test/ssl-tests/01-simple.cnf
+ test/ssl-tests/01-simple.cnf default
or for shared builds
$ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs \
- util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf
+ util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf default
+
+In the above examples, `default` is the provider to use.
Note that the test expectations sometimes depend on the Configure settings. For
example, the negotiated protocol depends on the set of available (enabled)
diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl
index 1783d1729e..defe3c745b 100644
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -30,7 +30,7 @@ BEGIN {
#Input file may be relative to cwd, but setup below changes the cwd, so
#figure out the absolute path first
$input_file = abs_path(shift);
- $provider = shift;
+ $provider = shift // '';
OpenSSL::Test::setup("no_test_here", quiet => 1);
}
diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c
index 6ba8a52c2d..1374b04cf0 100644
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@@ -124,6 +124,7 @@ static const test_enum ssl_alerts[] = {
{"UnknownCA", SSL_AD_UNKNOWN_CA},
{"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
{"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+ {"NoRenegotiation", SSL_AD_NO_RENEGOTIATION},
{"BadCertificate", SSL_AD_BAD_CERTIFICATE},
{"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
{"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
diff --git a/test/recipes/70-test_renegotiation.t
b/test/recipes/70-test_renegotiation.t
index 0dc0594775..b7bc9c025a 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLS <= 1.2 enabled"
if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
-plan tests => 6;
+plan tests => 5;
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
@@ -110,19 +110,6 @@ SKIP: {
"Check client renegotiation failed");
}
-SKIP: {
- skip "TLSv1.2 and TLSv1.1 disabled", 1
- if disabled("tls1_2") && disabled("tls1_1");
- #Test 6: Server can do renegotiation
- $proxy->clear();
- $proxy->filter(undef);
- $proxy->serverflags("-no_tls1_3 -immediate_renegotiation");
- $proxy->clientflags("-no_tls1_3");
- $proxy->start();
- ok(TLSProxy::Message->success(),
- "Check server renegotiation succeeded");
-}
-
sub reneg_filter
{
my $proxy = shift;
diff --git a/test/ssl-tests/17-renegotiate.cnf
b/test/ssl-tests/17-renegotiate.cnf
index ac826af187..099d6d6f19 100644
--- a/test/ssl-tests/17-renegotiate.cnf
+++ b/test/ssl-tests/17-renegotiate.cnf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 15
+num_tests = 17
test-0 = 0-renegotiate-client-no-resume
test-1 = 1-renegotiate-client-resume
@@ -17,6 +17,8 @@ test-11 = 11-no-renegotiation-server-by-server
test-12 = 12-no-renegotiation-client-by-server
test-13 = 13-no-renegotiation-client-by-client
test-14 = 14-no-extms-on-renegotiation
+test-15 = 15-allow-client-renegotiation
+test-16 = 16-no-client-renegotiation
# ===========================================================
[0-renegotiate-client-no-resume]
@@ -463,3 +465,61 @@ client = 14-no-extms-on-renegotiation-client-extra
RenegotiateNoExtms = Yes
+# ===========================================================
+
+[15-allow-client-renegotiation]
+ssl_conf = 15-allow-client-renegotiation-ssl
+
+[15-allow-client-renegotiation-ssl]
+server = 15-allow-client-renegotiation-server
+client = 15-allow-client-renegotiation-client
+
+[15-allow-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-allow-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = Yes
+
+
+# ===========================================================
+
+[16-no-client-renegotiation]
+ssl_conf = 16-no-client-renegotiation-ssl
+
+[16-no-client-renegotiation-ssl]
+server = 16-no-client-renegotiation-server
+client = 16-no-client-renegotiation-client
+
+[16-no-client-renegotiation-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = -ClientRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-no-client-renegotiation-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+ExpectedResult = ClientFail
+ExpectedServerAlert = NoRenegotiation
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+
+
diff --git a/test/ssl-tests/17-renegotiate.cnf.in
b/test/ssl-tests/17-renegotiate.cnf.in
index ff3f74906a..86c858f786 100644
--- a/test/ssl-tests/17-renegotiate.cnf.in
+++ b/test/ssl-tests/17-renegotiate.cnf.in
@@ -261,6 +261,38 @@ our @tests_tls1_2 = (
"ResumptionExpected" => "No",
"ExpectedResult" => "ServerFail"
}
+ },
+ {
+ name => "allow-client-renegotiation",
+ server => {
+ "MaxProtocol" => "TLSv1.2",
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "no-client-renegotiation",
+ server => {
+ "MaxProtocol" => "TLSv1.2",
+ "Options" => "-ClientRenegotiation"
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2",
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "ClientFail",
+ "ExpectedServerAlert" => "NoRenegotiation"
+ }
}
);
