Provide a test for the Encrypt-Then-Mac renegotiation crash (cc22cd54) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

test/handshake_helper.c

+13 −3

Original line number	Diff line number	Diff line
		@@ -607,10 +607,20 @@ static void do_reneg_setup_step(const SSL_TEST_CTX test_ctx, PEER peer)
		* session. The server may or may not resume dependant on the
		* setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
		*/
		if (SSL_is_server(peer->ssl))
		if (SSL_is_server(peer->ssl)) {
		ret = SSL_renegotiate(peer->ssl);
		else
		} else {
		if (test_ctx->extra.client.reneg_ciphers != NULL) {
		if (!SSL_set_cipher_list(peer->ssl,
		test_ctx->extra.client.reneg_ciphers)) {
		peer->status = PEER_ERROR;
		return;
		}
		ret = SSL_renegotiate(peer->ssl);
		} else {
		ret = SSL_renegotiate_abbreviated(peer->ssl);
		}
		}
		if (!ret) {
		peer->status = PEER_ERROR;
		return;

test/ssl-tests/17-renegotiate.conf

+133 −1

Original line number	Diff line number	Diff line
		# Generated with generate_ssl_tests.pl

		num_tests = 6
		num_tests = 10

		test-0 = 0-renegotiate-client-no-resume
		test-1 = 1-renegotiate-client-resume
		@@ -8,6 +8,10 @@ test-2 = 2-renegotiate-server-no-resume
		test-3 = 3-renegotiate-server-resume
		test-4 = 4-renegotiate-client-auth-require
		test-5 = 5-renegotiate-client-auth-once
		test-6 = 6-renegotiate-aead-to-non-aead
		test-7 = 7-renegotiate-non-aead-to-aead
		test-8 = 8-renegotiate-non-aead-to-non-aead
		test-9 = 9-renegotiate-aead-to-aead
		# ===========================================================

		[0-renegotiate-client-no-resume]
		@@ -182,3 +186,131 @@ Method = TLS
		ResumptionExpected = No


		# ===========================================================

		[6-renegotiate-aead-to-non-aead]
		ssl_conf = 6-renegotiate-aead-to-non-aead-ssl

		[6-renegotiate-aead-to-non-aead-ssl]
		server = 6-renegotiate-aead-to-non-aead-server
		client = 6-renegotiate-aead-to-non-aead-client

		[6-renegotiate-aead-to-non-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		MaxProtocol = TLSv1.2
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[6-renegotiate-aead-to-non-aead-client]
		CipherString = AES128-GCM-SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-6]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = TLS
		ResumptionExpected = No
		client = 6-renegotiate-aead-to-non-aead-client-extra

		[6-renegotiate-aead-to-non-aead-client-extra]
		RenegotiateCiphers = AES128-SHA


		# ===========================================================

		[7-renegotiate-non-aead-to-aead]
		ssl_conf = 7-renegotiate-non-aead-to-aead-ssl

		[7-renegotiate-non-aead-to-aead-ssl]
		server = 7-renegotiate-non-aead-to-aead-server
		client = 7-renegotiate-non-aead-to-aead-client

		[7-renegotiate-non-aead-to-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		MaxProtocol = TLSv1.2
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[7-renegotiate-non-aead-to-aead-client]
		CipherString = AES128-SHA
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-7]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = TLS
		ResumptionExpected = No
		client = 7-renegotiate-non-aead-to-aead-client-extra

		[7-renegotiate-non-aead-to-aead-client-extra]
		RenegotiateCiphers = AES128-GCM-SHA256


		# ===========================================================

		[8-renegotiate-non-aead-to-non-aead]
		ssl_conf = 8-renegotiate-non-aead-to-non-aead-ssl

		[8-renegotiate-non-aead-to-non-aead-ssl]
		server = 8-renegotiate-non-aead-to-non-aead-server
		client = 8-renegotiate-non-aead-to-non-aead-client

		[8-renegotiate-non-aead-to-non-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		MaxProtocol = TLSv1.2
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[8-renegotiate-non-aead-to-non-aead-client]
		CipherString = AES128-SHA
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-8]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = TLS
		ResumptionExpected = No
		client = 8-renegotiate-non-aead-to-non-aead-client-extra

		[8-renegotiate-non-aead-to-non-aead-client-extra]
		RenegotiateCiphers = AES256-SHA


		# ===========================================================

		[9-renegotiate-aead-to-aead]
		ssl_conf = 9-renegotiate-aead-to-aead-ssl

		[9-renegotiate-aead-to-aead-ssl]
		server = 9-renegotiate-aead-to-aead-server
		client = 9-renegotiate-aead-to-aead-client

		[9-renegotiate-aead-to-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		MaxProtocol = TLSv1.2
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[9-renegotiate-aead-to-aead-client]
		CipherString = AES128-GCM-SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-9]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = TLS
		ResumptionExpected = No
		client = 9-renegotiate-aead-to-aead-client-extra

		[9-renegotiate-aead-to-aead-client-extra]
		RenegotiateCiphers = AES256-GCM-SHA384

test/ssl-tests/17-renegotiate.conf.in

+77 −1

Original line number	Diff line number	Diff line
		@@ -108,5 +108,81 @@ our @tests = (
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-aead-to-non-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation",
		"MaxProtocol" => "TLSv1.2"
		},
		client => {
		"CipherString" => "AES128-GCM-SHA256",
		extra => {
		"RenegotiateCiphers" => "AES128-SHA"
		}
		},
		test => {
		"Method" => "TLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-non-aead-to-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation",
		"MaxProtocol" => "TLSv1.2"
		},
		client => {
		"CipherString" => "AES128-SHA",
		extra => {
		"RenegotiateCiphers" => "AES128-GCM-SHA256"
		}
		},
		test => {
		"Method" => "TLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-non-aead-to-non-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation",
		"MaxProtocol" => "TLSv1.2"
		},
		client => {
		"CipherString" => "AES128-SHA",
		extra => {
		"RenegotiateCiphers" => "AES256-SHA"
		}
		},
		test => {
		"Method" => "TLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-aead-to-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation",
		"MaxProtocol" => "TLSv1.2"
		},
		client => {
		"CipherString" => "AES128-GCM-SHA256",
		extra => {
		"RenegotiateCiphers" => "AES256-GCM-SHA384"
		}
		},
		test => {
		"Method" => "TLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		);

test/ssl-tests/18-dtls-renegotiate.conf

+129 −1

Original line number	Diff line number	Diff line
		# Generated with generate_ssl_tests.pl

		num_tests = 5
		num_tests = 9

		test-0 = 0-renegotiate-client-no-resume
		test-1 = 1-renegotiate-client-resume
		test-2 = 2-renegotiate-server-resume
		test-3 = 3-renegotiate-client-auth-require
		test-4 = 4-renegotiate-client-auth-once
		test-5 = 5-renegotiate-aead-to-non-aead
		test-6 = 6-renegotiate-non-aead-to-aead
		test-7 = 7-renegotiate-non-aead-to-non-aead
		test-8 = 8-renegotiate-aead-to-aead
		# ===========================================================

		[0-renegotiate-client-no-resume]
		@@ -146,3 +150,127 @@ Method = DTLS
		ResumptionExpected = No


		# ===========================================================

		[5-renegotiate-aead-to-non-aead]
		ssl_conf = 5-renegotiate-aead-to-non-aead-ssl

		[5-renegotiate-aead-to-non-aead-ssl]
		server = 5-renegotiate-aead-to-non-aead-server
		client = 5-renegotiate-aead-to-non-aead-client

		[5-renegotiate-aead-to-non-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[5-renegotiate-aead-to-non-aead-client]
		CipherString = AES128-GCM-SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-5]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = DTLS
		ResumptionExpected = No
		client = 5-renegotiate-aead-to-non-aead-client-extra

		[5-renegotiate-aead-to-non-aead-client-extra]
		RenegotiateCiphers = AES128-SHA


		# ===========================================================

		[6-renegotiate-non-aead-to-aead]
		ssl_conf = 6-renegotiate-non-aead-to-aead-ssl

		[6-renegotiate-non-aead-to-aead-ssl]
		server = 6-renegotiate-non-aead-to-aead-server
		client = 6-renegotiate-non-aead-to-aead-client

		[6-renegotiate-non-aead-to-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[6-renegotiate-non-aead-to-aead-client]
		CipherString = AES128-SHA
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-6]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = DTLS
		ResumptionExpected = No
		client = 6-renegotiate-non-aead-to-aead-client-extra

		[6-renegotiate-non-aead-to-aead-client-extra]
		RenegotiateCiphers = AES128-GCM-SHA256


		# ===========================================================

		[7-renegotiate-non-aead-to-non-aead]
		ssl_conf = 7-renegotiate-non-aead-to-non-aead-ssl

		[7-renegotiate-non-aead-to-non-aead-ssl]
		server = 7-renegotiate-non-aead-to-non-aead-server
		client = 7-renegotiate-non-aead-to-non-aead-client

		[7-renegotiate-non-aead-to-non-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[7-renegotiate-non-aead-to-non-aead-client]
		CipherString = AES128-SHA
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-7]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = DTLS
		ResumptionExpected = No
		client = 7-renegotiate-non-aead-to-non-aead-client-extra

		[7-renegotiate-non-aead-to-non-aead-client-extra]
		RenegotiateCiphers = AES256-SHA


		# ===========================================================

		[8-renegotiate-aead-to-aead]
		ssl_conf = 8-renegotiate-aead-to-aead-ssl

		[8-renegotiate-aead-to-aead-ssl]
		server = 8-renegotiate-aead-to-aead-server
		client = 8-renegotiate-aead-to-aead-client

		[8-renegotiate-aead-to-aead-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
		CipherString = DEFAULT
		Options = NoResumptionOnRenegotiation
		PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

		[8-renegotiate-aead-to-aead-client]
		CipherString = AES128-GCM-SHA256
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-8]
		ExpectedResult = Success
		HandshakeMode = RenegotiateClient
		Method = DTLS
		ResumptionExpected = No
		client = 8-renegotiate-aead-to-aead-client-extra

		[8-renegotiate-aead-to-aead-client-extra]
		RenegotiateCiphers = AES256-GCM-SHA384

test/ssl-tests/18-dtls-renegotiate.conf.in

+73 −1

Original line number	Diff line number	Diff line
		@@ -94,5 +94,77 @@ our @tests = (
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-aead-to-non-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation"
		},
		client => {
		"CipherString" => "AES128-GCM-SHA256",
		extra => {
		"RenegotiateCiphers" => "AES128-SHA"
		}
		},
		test => {
		"Method" => "DTLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-non-aead-to-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation"
		},
		client => {
		"CipherString" => "AES128-SHA",
		extra => {
		"RenegotiateCiphers" => "AES128-GCM-SHA256"
		}
		},
		test => {
		"Method" => "DTLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-non-aead-to-non-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation"
		},
		client => {
		"CipherString" => "AES128-SHA",
		extra => {
		"RenegotiateCiphers" => "AES256-SHA"
		}
		},
		test => {
		"Method" => "DTLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		{
		name => "renegotiate-aead-to-aead",
		server => {
		"Options" => "NoResumptionOnRenegotiation"
		},
		client => {
		"CipherString" => "AES128-GCM-SHA256",
		extra => {
		"RenegotiateCiphers" => "AES256-GCM-SHA384"
		}
		},
		test => {
		"Method" => "DTLS",
		"HandshakeMode" => "RenegotiateClient",
		"ResumptionExpected" => "No",
		"ExpectedResult" => "Success"
		}
		},
		);