Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the Signature Algorithm extension when renegotiating. (By nature, this bug affected only the server) The tests check for the fallback hash (SHA1) in the server log to detect that the Signature Algorithm extension hasn't been parsed at least in one of the handshakes. A more direct way of testing is not possible with the current test framework, since the Signature Algorithm extension is parsed in the first handshake and any corresponding debug message is present in the logs.
This commit is contained in:
parent
73a381772b
commit
b0f148c0ab
1 changed files with 34 additions and 0 deletions
|
@ -1470,6 +1470,40 @@ run_test "Renegotiation: server-initiated" \
|
|||
-s "=> renegotiate" \
|
||||
-s "write hello request"
|
||||
|
||||
# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
|
||||
# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
|
||||
# algorithm stronger than SHA-1 is enabled in config.h
|
||||
run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
|
||||
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
|
||||
"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
|
||||
0 \
|
||||
-c "client hello, adding renegotiation extension" \
|
||||
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
||||
-s "found renegotiation extension" \
|
||||
-s "server hello, secure renegotiation extension" \
|
||||
-c "found renegotiation extension" \
|
||||
-c "=> renegotiate" \
|
||||
-s "=> renegotiate" \
|
||||
-S "write hello request" \
|
||||
-S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
|
||||
|
||||
# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
|
||||
# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
|
||||
# algorithm stronger than SHA-1 is enabled in config.h
|
||||
run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
|
||||
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
|
||||
"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
|
||||
0 \
|
||||
-c "client hello, adding renegotiation extension" \
|
||||
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
||||
-s "found renegotiation extension" \
|
||||
-s "server hello, secure renegotiation extension" \
|
||||
-c "found renegotiation extension" \
|
||||
-c "=> renegotiate" \
|
||||
-s "=> renegotiate" \
|
||||
-s "write hello request" \
|
||||
-S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
|
||||
|
||||
run_test "Renegotiation: double" \
|
||||
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
|
||||
"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
|
||||
|
|
Loading…
Reference in a new issue