xref: /freebsd/crypto/openssl/test/ssl-tests/17-renegotiate.cnf.in (revision df21a004be237a1dccd03c7b47254625eea62fa9)
1# -*- mode: perl; -*-
2# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10## Test Renegotiation
11
12use strict;
13use warnings;
14
15package ssltests;
16use OpenSSL::Test::Utils;
17
# Declared here but never assigned in this file; it is only read when the
# optional groups are appended at the bottom.
# NOTE(review): presumably set by whatever loads this template - confirm.
our $fips_3_4;

# Baseline renegotiation cases. Every server is capped at TLSv1.2, since
# renegotiation does not exist in TLSv1.3. Each entry pins both the handshake
# result and whether the renegotiated handshake resumes the original session.
our @tests = (
    # Client-initiated; the server refuses to resume on renegotiation, so a
    # full handshake (fresh session) is expected.
    {
        name   => 'renegotiate-client-no-resume',
        server => {
            'Options'     => 'NoResumptionOnRenegotiation',
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {},
        test   => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # Client-initiated; resumption is left enabled and is expected.
    {
        name   => 'renegotiate-client-resume',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {},
        test   => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'Yes',
            'ExpectedResult'     => 'Success',
        },
    },

    # Server-initiated counterpart of the first case.
    {
        name   => 'renegotiate-server-no-resume',
        server => {
            'Options'     => 'NoResumptionOnRenegotiation',
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {},
        test   => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateServer',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # Server-initiated counterpart of the second case.
    {
        name   => 'renegotiate-server-resume',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {},
        test   => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateServer',
            'ResumptionExpected' => 'Yes',
            'ExpectedResult'     => 'Success',
        },
    },

    # Server-initiated renegotiation with mandatory client authentication:
    # the client presents a certificate chain that the server verifies
    # against the configured CA file.
    {
        name   => 'renegotiate-client-auth-require',
        server => {
            'Options'      => 'NoResumptionOnRenegotiation',
            'MaxProtocol'  => 'TLSv1.2',
            'VerifyCAFile' => test_pem('root-cert.pem'),
            'VerifyMode'   => 'Require',
        },
        client => {
            'Certificate' => test_pem('ee-client-chain.pem'),
            'PrivateKey'  => test_pem('ee-key.pem'),
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateServer',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # Same setup with VerifyMode "Once": the client certificate is requested
    # on the initial handshake only, so the renegotiation has to succeed
    # without a second certificate request.
    {
        name   => 'renegotiate-client-auth-once',
        server => {
            'Options'      => 'NoResumptionOnRenegotiation',
            'MaxProtocol'  => 'TLSv1.2',
            'VerifyCAFile' => test_pem('root-cert.pem'),
            'VerifyMode'   => 'Once',
        },
        client => {
            'Certificate' => test_pem('ee-client-chain.pem'),
            'PrivateKey'  => test_pem('ee-key.pem'),
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateServer',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # Only checks that the UnsafeLegacyServerConnect option exists; it has no
    # real effect in this scenario. The option lets a client talk to servers
    # that lack secure renegotiation (RFC 5746), so outside a test like this
    # one it should be enabled deliberately, not by default.
    {
        name   => 'renegotiate-client-legacy-connect',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'Options' => 'UnsafeLegacyServerConnect',
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'Yes',
            'ExpectedResult'     => 'Success',
        },
    },
);
# Cipher-suite changes across a client-initiated renegotiation. The client
# starts on CipherString and offers RenegotiateCiphers for the second
# handshake, covering every AEAD (GCM) / non-AEAD (CBC with HMAC-SHA1)
# transition. The server never resumes, so each renegotiation is a full
# handshake and the record protection really is switched mid-connection.
our @tests_tls1_2_rsa = (
    # GCM -> CBC
    {
        name   => 'renegotiate-aead-to-non-aead',
        server => {
            'Options' => 'NoResumptionOnRenegotiation',
        },
        client => {
            'CipherString' => 'AES128-GCM-SHA256',
            'MaxProtocol'  => 'TLSv1.2',
            extra          => {
                'RenegotiateCiphers' => 'AES128-SHA',
            },
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # CBC -> GCM
    {
        name   => 'renegotiate-non-aead-to-aead',
        server => {
            'Options' => 'NoResumptionOnRenegotiation',
        },
        client => {
            'CipherString' => 'AES128-SHA',
            'MaxProtocol'  => 'TLSv1.2',
            extra          => {
                'RenegotiateCiphers' => 'AES128-GCM-SHA256',
            },
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # CBC -> CBC (different key size)
    {
        name   => 'renegotiate-non-aead-to-non-aead',
        server => {
            'Options' => 'NoResumptionOnRenegotiation',
        },
        client => {
            'CipherString' => 'AES128-SHA',
            'MaxProtocol'  => 'TLSv1.2',
            extra          => {
                'RenegotiateCiphers' => 'AES256-SHA',
            },
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },

    # GCM -> GCM (different key size and PRF hash)
    {
        name   => 'renegotiate-aead-to-aead',
        server => {
            'Options' => 'NoResumptionOnRenegotiation',
        },
        client => {
            'CipherString' => 'AES128-GCM-SHA256',
            'MaxProtocol'  => 'TLSv1.2',
            extra          => {
                'RenegotiateCiphers' => 'AES256-GCM-SHA384',
            },
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'Success',
        },
    },
);
209
# Cases in which renegotiation must be refused or is explicitly gated.
# For the NoRenegotiation cases the expected failing side follows the
# initiator (ClientFail for RenegotiateClient, ServerFail for
# RenegotiateServer), regardless of which peer carries the option.
our @tests_tls1_2 = (
    # Option on the server, client initiates.
    {
        name   => 'no-renegotiation-server-by-client',
        server => {
            'Options'     => 'NoRenegotiation',
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {},
        test   => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'ClientFail',
        },
    },

    # Option on the server, server initiates.
    {
        name   => 'no-renegotiation-server-by-server',
        server => {
            'Options'     => 'NoRenegotiation',
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {},
        test   => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateServer',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'ServerFail',
        },
    },

    # Option on the client, server initiates.
    {
        name   => 'no-renegotiation-client-by-server',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'Options' => 'NoRenegotiation',
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateServer',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'ServerFail',
        },
    },

    # Option on the client, client initiates.
    {
        name   => 'no-renegotiation-client-by-client',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'Options' => 'NoRenegotiation',
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'ServerFail',
        },
    },

    # The client omits the extended master secret extension (RFC 7627) when
    # renegotiating. The expected outcome is a server-side failure, i.e. the
    # server must not accept a renegotiation that drops that protection.
    {
        name   => 'no-extms-on-renegotiation',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'MaxProtocol' => 'TLSv1.2',
            extra         => {
                'RenegotiateNoExtms' => 'Yes',
            },
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'No',
            'ExpectedResult'     => 'ServerFail',
        },
    },

    # Positive control for the next case: no restricting option is set and a
    # client-initiated renegotiation is expected to succeed.
    # NOTE(review): success here implies the harness permits client-initiated
    # renegotiation by default - confirm against the test driver.
    {
        name   => 'allow-client-renegotiation',
        server => {
            'MaxProtocol' => 'TLSv1.2',
        },
        client => {
            'MaxProtocol' => 'TLSv1.2',
        },
        test => {
            'Method'             => 'TLS',
            'HandshakeMode'      => 'RenegotiateClient',
            'ResumptionExpected' => 'Yes',
            'ExpectedResult'     => 'Success',
        },
    },

    # The server switches ClientRenegotiation off (leading '-'). Besides the
    # client-side failure, the test pins the alert the server must send, so a
    # refusal signalled with a different alert is also caught.
    {
        name   => 'no-client-renegotiation',
        server => {
            'MaxProtocol' => 'TLSv1.2',
            'Options'     => '-ClientRenegotiation',
        },
        client => {
            'MaxProtocol' => 'TLSv1.2',
        },
        test => {
            'Method'              => 'TLS',
            'HandshakeMode'       => 'RenegotiateClient',
            'ResumptionExpected'  => 'No',
            'ExpectedResult'      => 'ClientFail',
            'ExpectedServerAlert' => 'NoRenegotiation',
        },
    },
);
320
# Append the optional groups to the baseline list. The order of the two
# appends is kept as is, since it determines the order of entries in @tests.
#
# The cipher-transition group is skipped when TLSv1.2 is disabled or when
# $fips_3_4 is true.
# NOTE(review): $fips_3_4 is not assigned in this file; presumably the loader
# sets it when the cipher suites named in that group are unavailable - confirm.
if (!disabled('tls1_2') && !$fips_3_4) {
    push @tests, @tests_tls1_2_rsa;
}

# The refusal/gating group only needs TLSv1.2 to be available.
if (!disabled('tls1_2')) {
    push @tests, @tests_tls1_2;
}
323