Merge commit 'f6080b8' into dtls
* commit 'f6080b8':
Fix warning in reduced configs
Adapt to "negative" switch for renego
Add tests for periodic renegotiation
Make renego period configurable
Auto-renegotiate before sequence number wrapping
Update Changelog for compile-option renegotiation
Switch from an enable to a disable flag
Save 48 bytes if SSLv3 is not defined
Make renegotiation a compile-time option
Add tests for renego security enforcement
Conflicts:
include/polarssl/ssl.h
library/ssl_cli.c
library/ssl_srv.c
library/ssl_tls.c
programs/ssl/ssl_server2.c
tests/ssl-opt.sh
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f8c536d..2e6e1fd 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -21,7 +21,7 @@
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
-G_CLI="$GNUTLS_CLI"
+G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
TESTS=0
FAILS=0
@@ -495,19 +495,20 @@
# Pick a "unique" server port in the range 10000-19999, and a proxy port
PORT_BASE="0000$$"
-PORT_BASE="$( echo -n $PORT_BASE | tail -c 4 )"
+PORT_BASE="$( echo -n $PORT_BASE | tail -c 5 )"
SRV_PORT="1$PORT_BASE"
PXY_PORT="2$PORT_BASE"
unset PORT_BASE
# fix commands to use this port, force IPv4 while at it
+# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT"
O_SRV="$O_SRV -accept $SRV_PORT"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
-G_CLI="$G_CLI -p +SRV_PORT"
+G_CLI="$G_CLI -p +SRV_PORT localhost"
# Also pick a unique name for intermediate files
SRV_OUT="srv_out.$$"
@@ -1168,6 +1169,70 @@
-S "SSL - An unexpected message was received from our peer" \
-S "failed"
+run_test "Renegotiation: periodic, just below period" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -S "record counter limit reached: renegotiate" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -S "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation: periodic, just above period" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=3 renegotiation=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -s "record counter limit reached: renegotiate" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation: periodic, two times period" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=6 renegotiation=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -s "record counter limit reached: renegotiate" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -s "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
+run_test "Renegotiation: periodic, above period, disabled" \
+ "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3" \
+ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
+ 0 \
+ -C "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -S "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -S "record counter limit reached: renegotiate" \
+ -C "=> renegotiate" \
+ -S "=> renegotiate" \
+ -S "write hello request" \
+ -S "SSL - An unexpected message was received from our peer" \
+ -S "failed"
+
run_test "Renegotiation: nbio, client-initiated" \
"$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
"$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
@@ -1201,18 +1266,53 @@
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
- -C "ssl_handshake returned" \
+ -C "ssl_hanshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
-run_test "Renegotiation: gnutls server, client-initiated" \
- "$G_SRV" \
+run_test "Renegotiation: gnutls server strict, client-initiated" \
+ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
0 \
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
- -C "ssl_handshake returned" \
+ -C "ssl_hanshake() returned" \
+ -C "error" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
+ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
+ 1 \
+ -c "client hello, adding renegotiation extension" \
+ -C "found renegotiation extension" \
+ -c "=> renegotiate" \
+ -c "ssl_handshake() returned" \
+ -c "error" \
+ -C "HTTP/1.0 200 [Oo][Kk]"
+
+run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
+ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
+ allow_legacy=0" \
+ 1 \
+ -c "client hello, adding renegotiation extension" \
+ -C "found renegotiation extension" \
+ -c "=> renegotiate" \
+ -c "ssl_handshake() returned" \
+ -c "error" \
+ -C "HTTP/1.0 200 [Oo][Kk]"
+
+run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
+ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
+ allow_legacy=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -C "found renegotiation extension" \
+ -c "=> renegotiate" \
+ -C "ssl_hanshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
@@ -1254,6 +1354,53 @@
-C "error" \
-s "Extra-header:"
+# Test for the "secure renegotation" extension only (no actual renegotiation)
+
+run_test "Renego ext: gnutls server strict, client default" \
+ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -c "found renegotiation extension" \
+ -C "error" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+run_test "Renego ext: gnutls server unsafe, client default" \
+ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "found renegotiation extension" \
+ -C "error" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+run_test "Renego ext: gnutls server unsafe, client break legacy" \
+ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ "$P_CLI debug_level=3 allow_legacy=-1" \
+ 1 \
+ -C "found renegotiation extension" \
+ -c "error" \
+ -C "HTTP/1.0 200 [Oo][Kk]"
+
+run_test "Renego ext: gnutls client strict, server default" \
+ "$P_SRV debug_level=3" \
+ "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
+ 0 \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
+ -s "server hello, secure renegotiation extension"
+
+run_test "Renego ext: gnutls client unsafe, server default" \
+ "$P_SRV debug_level=3" \
+ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ 0 \
+ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
+ -S "server hello, secure renegotiation extension"
+
+run_test "Renego ext: gnutls client unsafe, server break legacy" \
+ "$P_SRV debug_level=3 allow_legacy=-1" \
+ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+ 1 \
+ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
+ -S "server hello, secure renegotiation extension"
+
# Tests for auth_mode
run_test "Authentication: server badcert, client required" \