diff options
Diffstat (limited to 'security/nss/gtests/ssl_gtest/ssl_renegotiation_unittest.cc')
-rw-r--r-- | security/nss/gtests/ssl_gtest/ssl_renegotiation_unittest.cc | 212 |
1 files changed, 0 insertions, 212 deletions
diff --git a/security/nss/gtests/ssl_gtest/ssl_renegotiation_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_renegotiation_unittest.cc deleted file mode 100644 index a902a5f7f..000000000 --- a/security/nss/gtests/ssl_gtest/ssl_renegotiation_unittest.cc +++ /dev/null @@ -1,212 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this file, - * You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <functional> -#include <memory> -#include "secerr.h" -#include "ssl.h" -#include "sslerr.h" -#include "sslproto.h" - -#include "gtest_utils.h" -#include "tls_connect.h" - -namespace nss_test { - -// 1.3 is disabled in the next few tests because we don't -// presently support resumption in 1.3. -TEST_P(TlsConnectStreamPre13, RenegotiateClient) { - Connect(); - server_->PrepareForRenegotiate(); - client_->StartRenegotiate(); - Handshake(); - CheckConnected(); -} - -TEST_P(TlsConnectStreamPre13, RenegotiateServer) { - Connect(); - client_->PrepareForRenegotiate(); - server_->StartRenegotiate(); - Handshake(); - CheckConnected(); -} - -// The renegotiation options shouldn't cause an error if TLS 1.3 is chosen. -TEST_F(TlsConnectTest, RenegotiationConfigTls13) { - EnsureTlsSetup(); - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - server_->SetOption(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED); - server_->SetOption(SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE); - Connect(); - SendReceive(); - CheckKeys(); -} - -TEST_P(TlsConnectStream, ConnectTls10AndServerRenegotiateHigher) { - if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) { - return; - } - // Set the client so it will accept any version from 1.0 - // to |version_|. - client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_); - server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, - SSL_LIBRARY_VERSION_TLS_1_0); - // Reset version so that the checks succeed. - uint16_t test_version = version_; - version_ = SSL_LIBRARY_VERSION_TLS_1_0; - Connect(); - - // Now renegotiate, with the server being set to do - // |version_|. - client_->PrepareForRenegotiate(); - server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version); - // Reset version and cipher suite so that the preinfo callback - // doesn't fail. - server_->ResetPreliminaryInfo(); - server_->StartRenegotiate(); - - if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) { - ExpectAlert(server_, kTlsAlertUnexpectedMessage); - } else { - ExpectAlert(server_, kTlsAlertProtocolVersion); - } - - Handshake(); - if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) { - // In TLS 1.3, the server detects this problem. - client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); - server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); - } else { - client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT); - server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION); - } -} - -TEST_P(TlsConnectStream, ConnectTls10AndClientRenegotiateHigher) { - if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) { - return; - } - // Set the client so it will accept any version from 1.0 - // to |version_|. - client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_); - server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, - SSL_LIBRARY_VERSION_TLS_1_0); - // Reset version so that the checks succeed. - uint16_t test_version = version_; - version_ = SSL_LIBRARY_VERSION_TLS_1_0; - Connect(); - - // Now renegotiate, with the server being set to do - // |version_|. - server_->PrepareForRenegotiate(); - server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, test_version); - // Reset version and cipher suite so that the preinfo callback - // doesn't fail. - server_->ResetPreliminaryInfo(); - client_->StartRenegotiate(); - if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) { - ExpectAlert(server_, kTlsAlertUnexpectedMessage); - } else { - ExpectAlert(server_, kTlsAlertProtocolVersion); - } - Handshake(); - if (test_version >= SSL_LIBRARY_VERSION_TLS_1_3) { - // In TLS 1.3, the server detects this problem. - client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); - server_->CheckErrorCode(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); - } else { - client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT); - server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION); - } -} - -TEST_P(TlsConnectStream, ConnectAndServerRenegotiateLower) { - if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) { - return; - } - Connect(); - - // Now renegotiate with the server set to TLS 1.0. - client_->PrepareForRenegotiate(); - server_->PrepareForRenegotiate(); - client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_); - // Reset version and cipher suite so that the preinfo callback - // doesn't fail. - server_->ResetPreliminaryInfo(); - - SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE); - if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { - EXPECT_EQ(SECFailure, rv); - return; - } - ASSERT_EQ(SECSuccess, rv); - - // Now, before handshaking, tweak the server configuration. - server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, - SSL_LIBRARY_VERSION_TLS_1_0); - - // The server should catch the own error. - ExpectAlert(server_, kTlsAlertProtocolVersion); - - Handshake(); - client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT); - server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION); -} - -TEST_P(TlsConnectStream, ConnectAndServerWontRenegotiateLower) { - if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) { - return; - } - Connect(); - - // Now renegotiate with the server set to TLS 1.0. - client_->PrepareForRenegotiate(); - server_->PrepareForRenegotiate(); - client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, version_); - server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, - SSL_LIBRARY_VERSION_TLS_1_0); - // Reset version and cipher suite so that the preinfo callback - // doesn't fail. - server_->ResetPreliminaryInfo(); - - EXPECT_EQ(SECFailure, SSL_ReHandshake(server_->ssl_fd(), PR_TRUE)); -} - -TEST_P(TlsConnectStream, ConnectAndClientWontRenegotiateLower) { - if (version_ == SSL_LIBRARY_VERSION_TLS_1_0) { - return; - } - Connect(); - - // Now renegotiate with the client set to TLS 1.0. - client_->PrepareForRenegotiate(); - server_->PrepareForRenegotiate(); - server_->ResetPreliminaryInfo(); - client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0, - SSL_LIBRARY_VERSION_TLS_1_0); - // The client will refuse to renegotiate down. - EXPECT_EQ(SECFailure, SSL_ReHandshake(client_->ssl_fd(), PR_TRUE)); -} - -TEST_F(TlsConnectTest, Tls13RejectsRehandshakeClient) { - EnsureTlsSetup(); - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - Connect(); - SECStatus rv = SSL_ReHandshake(client_->ssl_fd(), PR_TRUE); - EXPECT_EQ(SECFailure, rv); - EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError()); -} - -TEST_F(TlsConnectTest, Tls13RejectsRehandshakeServer) { - EnsureTlsSetup(); - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - Connect(); - SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE); - EXPECT_EQ(SECFailure, rv); - EXPECT_EQ(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, PORT_GetError()); -} - -} // namespace nss_test |