Test client certificates carry over on session resumption.

We have tests for this as a server, but none as a client. Extend the
certificate verification tests here. This is in preparation for ensuring
that TLS 1.3 session resumption works correctly.

Change-Id: I9ab9f42838ffd69f73fbd877b0cdfaf31caea707
Reviewed-on: https://boringssl-review.googlesource.com/9111
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 5694ac2..b2360de 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -1212,19 +1212,18 @@
     }
   }
 
-  if (!config->is_server) {
-    /* Clients should expect a peer certificate chain iff this was not a PSK
-     * cipher suite. */
-    if (config->psk.empty()) {
-      if (SSL_get_peer_cert_chain(ssl) == nullptr) {
-        fprintf(stderr, "Missing peer certificate chain!\n");
-        return false;
-      }
-    } else if (SSL_get_peer_cert_chain(ssl) != nullptr) {
-      fprintf(stderr, "Unexpected peer certificate chain!\n");
+  if (!config->psk.empty()) {
+    if (SSL_get_peer_cert_chain(ssl) != nullptr) {
+      fprintf(stderr, "Received peer certificate on a PSK cipher.\n");
+      return false;
+    }
+  } else if (!config->is_server || config->require_any_client_certificate) {
+    if (SSL_get_peer_cert_chain(ssl) == nullptr) {
+      fprintf(stderr, "Received no peer certificate but expected one.\n");
       return false;
     }
   }
+
   return true;
 }
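Review bot: The new server branch at `else if (!config->is_server || config->require_any_client_certificate)` asserts only that `SSL_get_peer_cert_chain` is non-null, so the resumption case this change targets passes as long as some chain is present, without checking that the chain seen on the resumed connection matches the one from the full handshake; if the shim can keep the initial leaf (for example from `SSL_get_peer_certificate`) and compare it on the resumed connection, that would pin the carry-over directly rather than by presence alone. The old comment explaining when a chain is expected was dropped together with the client-only block, and the new three-way condition deserves one, e.g. `/* A PSK handshake must not yield a peer chain. Otherwise a client always expects one, and a server only when it required a client certificate (a merely requested one may be absent). */`. The enclosing function begins before this hunk, so the rest of its checks are not visible here.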
 
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 02e26a2..085d7e1 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3413,40 +3413,64 @@
 		if config.protocol == dtls && !vers.hasDTLS {
 			continue
 		}
-		tests = append(tests, testCase{
-			testType: clientTest,
-			name:     "CertificateVerificationSucceed-" + vers.name,
-			config: Config{
-				MaxVersion: vers.version,
-			},
-			flags: []string{
-				"-verify-peer",
-			},
-			resumeSession: vers.version != VersionTLS13,
-		})
-		tests = append(tests, testCase{
-			testType: clientTest,
-			name:     "CertificateVerificationFail-" + vers.name,
-			config: Config{
-				MaxVersion: vers.version,
-			},
-			flags: []string{
-				"-verify-fail",
-				"-verify-peer",
-			},
-			shouldFail:    true,
-			expectedError: ":CERTIFICATE_VERIFY_FAILED:",
-		})
+		for _, testType := range []testType{clientTest, serverTest} {
+			suffix := "-Client"
+			if testType == serverTest {
+				suffix = "-Server"
+			}
+			suffix += "-" + vers.name
+
+			flag := "-verify-peer"
+			if testType == serverTest {
+				flag = "-require-any-client-certificate"
+			}
+
+			tests = append(tests, testCase{
+				testType: testType,
+				name:     "CertificateVerificationSucceed" + suffix,
+				config: Config{
+					MaxVersion:   vers.version,
+					Certificates: []Certificate{rsaCertificate},
+				},
+				flags: []string{
+					flag,
+					"-expect-verify-result",
+				},
+				// TODO(davidben): Enable this when resumption is
+				// implemented in TLS 1.3.
+				resumeSession: vers.version != VersionTLS13,
+			})
+			tests = append(tests, testCase{
+				testType: testType,
+				name:     "CertificateVerificationFail" + suffix,
+				config: Config{
+					MaxVersion:   vers.version,
+					Certificates: []Certificate{rsaCertificate},
+				},
+				flags: []string{
+					flag,
+					"-verify-fail",
+				},
+				shouldFail:    true,
+				expectedError: ":CERTIFICATE_VERIFY_FAILED:",
+			})
+		}
+
+		// By default, the client is in a soft fail mode where the peer
+		// certificate is verified but failures are non-fatal.
 		tests = append(tests, testCase{
 			testType: clientTest,
 			name:     "CertificateVerificationSoftFail-" + vers.name,
 			config: Config{
-				MaxVersion: vers.version,
+				MaxVersion:   vers.version,
+				Certificates: []Certificate{rsaCertificate},
 			},
 			flags: []string{
 				"-verify-fail",
 				"-expect-verify-result",
 			},
+			// TODO(davidben): Enable this when resumption is
+			// implemented in TLS 1.3.
 			resumeSession: vers.version != VersionTLS13,
 		})
 	}
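Review bot: The loop variable introduced at `for _, testType := range []testType{clientTest, serverTest}` shadows the `testType` type for the whole loop body, which reads awkwardly next to the `testType: testType` field initializer; `for _, tt := range []testType{clientTest, serverTest}` with `testType: tt` avoids the shadowing, and the `suffix`/`flag` selection could then collapse into a single `if tt == serverTest` branch. The comment above `CertificateVerificationSoftFail` describes the client default only; whether a server run with `-verify-fail` but without `-require-any-client-certificate` also soft-fails is not exercised, which may be intentional if the shim does not request a client certificate in that configuration. The enclosing `for _, vers := range` loop and its function start before this hunk and appear to continue past it.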