Add client-side tests for renegotiation_info enforcement.
Since we hope to eventually lose server-side renegotiation support
altogether, add the client-side version of those tests. We should have
had those anyway, to test that the default is to allow it.
BUG=429450
Change-Id: I4a18f339b55f3f07d77e22e823141e10a12bc9ff
Reviewed-on: https://boringssl-review.googlesource.com/4780
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 09f54dc..a9d21eb 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -599,6 +599,9 @@
if (config->allow_unsafe_legacy_renegotiation) {
SSL_set_options(ssl.get(), SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
+ if (config->no_legacy_server_connect) {
+ SSL_clear_options(ssl.get(), SSL_OP_LEGACY_SERVER_CONNECT);
+ }
if (!config->expected_channel_id.empty()) {
SSL_enable_tls_channel_id(ssl.get());
}
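Review bot: The `SSL_clear_options` call on the new `-no-legacy-server-connect` branch reads as a no-op unless the reader knows `SSL_OP_LEGACY_SERVER_CONNECT` is presumably in the default option set, which is what the "Renegotiate-Client-NoExt-Allowed" case with no flag relies on; a one-line comment would make that explicit, e.g. `// SSL_OP_LEGACY_SERVER_CONNECT is on by default; clearing it makes a server that omits renegotiation_info a fatal handshake error.` It is also worth stating that this is independent of the `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` branch just above, which appears to govern renegotiations rather than the initial connection (confirm against the handshake code's handling of the two options). The enclosing function starts and ends outside the hunk.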
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index f159aff..8ca18e5 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -274,6 +274,10 @@
hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation
}
+ if c.config.Bugs.NoRenegotiationInfo {
+ hs.hello.secureRenegotiation = nil
+ }
+
hs.hello.compressionMethod = compressionNone
hs.hello.duplicateExtension = c.config.Bugs.DuplicateExtension
if len(hs.clientHello.serverName) > 0 {
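Review bot: Resetting `hs.hello.secureRenegotiation` to `nil` presumably relies on the ServerHello marshaller omitting the extension when the slice is nil rather than empty; that distinction is easy to lose in a later edit, so a comment would help, e.g. `// nil (not an empty slice) makes the marshaller omit renegotiation_info entirely.` Placing the override after the conditional copy from the ClientHello means it wins regardless of what the client sent, which matches the bug's intent. The enclosing function starts and ends outside the hunk.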
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index c892c37..eed3a39 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3000,6 +3000,27 @@
expectedError: ":RENEGOTIATION_MISMATCH:",
})
testCases = append(testCases, testCase{
+ name: "Renegotiate-Client-NoExt",
+ renegotiate: true,
+ config: Config{
+ Bugs: ProtocolBugs{
+ NoRenegotiationInfo: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNSAFE_LEGACY_RENEGOTIATION_DISABLED:",
+ flags: []string{"-no-legacy-server-connect"},
+ })
+ testCases = append(testCases, testCase{
+ name: "Renegotiate-Client-NoExt-Allowed",
+ renegotiate: true,
+ config: Config{
+ Bugs: ProtocolBugs{
+ NoRenegotiationInfo: true,
+ },
+ },
+ })
+ testCases = append(testCases, testCase{
name: "Renegotiate-Client-SwitchCiphers",
renegotiate: true,
config: Config{
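Review bot: `Renegotiate-Client-NoExt-Allowed` is the only case that pins the permissive default the commit message describes, but nothing in the test says so; a comment such as `// Without -no-legacy-server-connect the default permits a server that omits renegotiation_info.` would keep a future default change from failing this case without explanation. For `Renegotiate-Client-NoExt`, clearing `SSL_OP_LEGACY_SERVER_CONNECT` should reject the initial ServerHello, so the expected `:UNSAFE_LEGACY_RENEGOTIATION_DISABLED:` would arise before any renegotiation; if so, `renegotiate: true` is redundant there and could be dropped or commented so the case is not mistaken for a renegotiation-time check (worth confirming against the shim's error path). The enclosing function starts and ends outside the hunk.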
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 25906f7..4b24da6 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -81,6 +81,7 @@
{ "-handshake-never-done", &TestConfig::handshake_never_done },
{ "-use-export-context", &TestConfig::use_export_context },
{ "-reject-peer-renegotiations", &TestConfig::reject_peer_renegotiations },
+ { "-no-legacy-server-connect", &TestConfig::no_legacy_server_connect },
};
const Flag<std::string> kStringFlags[] = {
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index f107a0f..4bac561 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -78,6 +78,7 @@
std::string export_context;
bool use_export_context = false;
bool reject_peer_renegotiations = false;
+ bool no_legacy_server_connect = false;
};
bool ParseConfig(int argc, char **argv, TestConfig *out_config);
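Review bot: `no_legacy_server_connect` is the only field in this struct whose effect is to clear an option rather than enable one, and the name does not convey that; a short comment would help, e.g. `// Clears SSL_OP_LEGACY_SERVER_CONNECT so a server omitting renegotiation_info is rejected.` The neighbouring fields carry no comments, so this would be a deliberate exception for the one non-obvious case.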