kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Test client certificates carry over on session resumption.

Browse Source 
We have tests for this as a server, but none as a client. Extend the
certificate verification tests here. This is in preparation for ensuring
that TLS 1.3 session resumption works correctly.

Change-Id: I9ab9f42838ffd69f73fbd877b0cdfaf31caea707
Reviewed-on: https://boringssl-review.googlesource.com/9111
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-08-03 14:14:47 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent e455e51d85
commit bb9e36e005
2 changed files with 58 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
ssl/test/bssl_shim.cc
View File

@ -1212,19 +1212,18 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) {
}
}
if (!config->is_server) {
/* Clients should expect a peer certificate chain iff this was not a PSK
* cipher suite. */
if (config->psk.empty()) {
if (SSL_get_peer_cert_chain(ssl) == nullptr) {
fprintf(stderr, "Missing peer certificate chain!\n");
return false;
}
} else if (SSL_get_peer_cert_chain(ssl) != nullptr) {
fprintf(stderr, "Unexpected peer certificate chain!\n");
if (!config->psk.empty()) {
if (SSL_get_peer_cert_chain(ssl) != nullptr) {
fprintf(stderr, "Received peer certificate on a PSK cipher.\n");
return false;
}
} else if (!config->is_server || config->require_any_client_certificate) {
if (SSL_get_peer_cert_chain(ssl) == nullptr) {
fprintf(stderr, "Received no peer certificate but expected one.\n");
return false;
}
}
return true;
}

74
ssl/test/runner/runner.go
View File

@ -3413,40 +3413,64 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
if config.protocol == dtls && !vers.hasDTLS {
continue
}
tests = append(tests, testCase{
testType: clientTest,
name: "CertificateVerificationSucceed-" + vers.name,
config: Config{
MaxVersion: vers.version,
},
flags: []string{
"-verify-peer",
},
resumeSession: vers.version != VersionTLS13,
})
tests = append(tests, testCase{
testType: clientTest,
name: "CertificateVerificationFail-" + vers.name,
config: Config{
MaxVersion: vers.version,
},
flags: []string{
"-verify-fail",
"-verify-peer",
},
shouldFail: true,
expectedError: ":CERTIFICATE_VERIFY_FAILED:",
})
for _, testType := range []testType{clientTest, serverTest} {
suffix := "-Client"
if testType == serverTest {
suffix = "-Server"
}
suffix += "-" + vers.name
flag := "-verify-peer"
if testType == serverTest {
flag = "-require-any-client-certificate"
}
tests = append(tests, testCase{
testType: testType,
name: "CertificateVerificationSucceed" + suffix,
config: Config{
MaxVersion: vers.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
flag,
"-expect-verify-result",
},
// TODO(davidben): Enable this when resumption is
// implemented in TLS 1.3.
resumeSession: vers.version != VersionTLS13,
})
tests = append(tests, testCase{
testType: testType,
name: "CertificateVerificationFail" + suffix,
config: Config{
MaxVersion: vers.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
flag,
"-verify-fail",
},
shouldFail: true,
expectedError: ":CERTIFICATE_VERIFY_FAILED:",
})
}
// By default, the client is in a soft fail mode where the peer
// certificate is verified but failures are non-fatal.
tests = append(tests, testCase{
testType: clientTest,
name: "CertificateVerificationSoftFail-" + vers.name,
config: Config{
MaxVersion: vers.version,
MaxVersion: vers.version,
Certificates: []Certificate{rsaCertificate},
},
flags: []string{
"-verify-fail",
"-expect-verify-result",
},
// TODO(davidben): Enable this when resumption is
// implemented in TLS 1.3.
resumeSession: vers.version != VersionTLS13,
})
}