Extend the renegotiation tests

Add the ability to test both server initiated and client initiated reneg.

Reviewed-by: Rich Salz <rsalz@openssl.org>

1 files changed, 57 insertions, 24 deletions

diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 1c6ad487cb..9004489aa4 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -583,30 +583,55 @@ static void do_app_data_step(PEER *peer)
     }
 }
 
-static void do_reneg_setup_step(PEER *peer)
+static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer)
 {
     int ret;
     char buf;
 
     TEST_check(peer->status == PEER_RETRY);
-    /* We only support client initiated reneg at the moment */
-    /* TODO: server side */
-    if (!SSL_is_server(peer->ssl)) {
-        ret = SSL_renegotiate(peer->ssl);
-        if (!ret) {
-            peer->status = PEER_ERROR;
-            return;
-        }
-        do_handshake_step(peer);
+    TEST_check(test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER
+                || test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT);
+
+    /* Check if we are the peer that is going to initiate */
+    if ((test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER
+                && SSL_is_server(peer->ssl))
+            || (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT
+                && !SSL_is_server(peer->ssl))) {
         /*
-         * If status is PEER_RETRY it means we're waiting on the server to
-         * continue the handshake. As far as setting up the renegotiation is
-         * concerned that is a success. The next step will continue the
-         * handshake to its conclusion.
+         * If we already asked for a renegotiation then fall through to the
+         * SSL_read() below.
          */
-        if (peer->status == PEER_RETRY)
-            peer->status = PEER_SUCCESS;
-        return;
+        if (!SSL_renegotiate_pending(peer->ssl)) {
+            /*
+             * If we are the client we will always attempt to resume the
+             * session. The server may or may not resume dependant on the
+             * setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+             */
+            if (SSL_is_server(peer->ssl))
+                ret = SSL_renegotiate(peer->ssl);
+            else
+                ret = SSL_renegotiate_abbreviated(peer->ssl);
+            if (!ret) {
+                peer->status = PEER_ERROR;
+                return;
+            }
+            do_handshake_step(peer);
+            /*
+             * If status is PEER_RETRY it means we're waiting on the peer to
+             * continue the handshake. As far as setting up the renegotiation is
+             * concerned that is a success. The next step will continue the
+             * handshake to its conclusion.
+             *
+             * If status is PEER_SUCCESS then we are the server and we have
+             * successfully sent the HelloRequest. We need to continue to wait
+             * until the handshake arrives from the client.
+             */
+            if (peer->status == PEER_RETRY)
+                peer->status = PEER_SUCCESS;
+            else if (peer->status == PEER_SUCCESS)
+                peer->status = PEER_RETRY;
+            return;
+        }
     }
 
     /*
@@ -616,15 +641,21 @@ static void do_reneg_setup_step(PEER *peer)
      */
     ret = SSL_read(peer->ssl, &buf, sizeof(buf));
     if (ret >= 0) {
-        /* We're not actually expecting data - we're expect a reneg to start */
+        /*
+         * We're not actually expecting data - we're expecting a reneg to
+         * start
+         */
         peer->status = PEER_ERROR;
         return;
     } else {
         int error = SSL_get_error(peer->ssl, ret);
-        if (error != SSL_ERROR_WANT_READ || !SSL_in_init(peer->ssl)) {
+        if (error != SSL_ERROR_WANT_READ) {
             peer->status = PEER_ERROR;
             return;
         }
+        /* If we're no in init yet then we're not done with setup yet */
+        if (!SSL_in_init(peer->ssl))
+            return;
     }
 
     peer->status = PEER_SUCCESS;
@@ -678,7 +709,8 @@ static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx,
 {
     switch (phase) {
     case HANDSHAKE:
-        if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEGOTIATE)
+        if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER
+                || test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT)
             return RENEG_APPLICATION_DATA;
         return APPLICATION_DATA;
     case RENEG_APPLICATION_DATA:
@@ -698,7 +730,8 @@ static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx,
     return -1;
 }
 
-static void do_connect_step(PEER *peer, connect_phase_t phase)
+static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+                            connect_phase_t phase)
 {
     switch (phase) {
     case HANDSHAKE:
@@ -708,7 +741,7 @@ static void do_connect_step(PEER *peer, connect_phase_t phase)
         do_app_data_step(peer);
         break;
     case RENEG_SETUP:
-        do_reneg_setup_step(peer);
+        do_reneg_setup_step(test_ctx, peer);
         break;
     case RENEG_HANDSHAKE:
         do_handshake_step(peer);
@@ -915,11 +948,11 @@ static HANDSHAKE_RESULT *do_handshake_internal(
      */
     for(;;) {
         if (client_turn) {
-            do_connect_step(&client, phase);
+            do_connect_step(test_ctx, &client, phase);
             status = handshake_status(client.status, server.status,
                                       1 /* client went last */);
         } else {
-            do_connect_step(&server, phase);
+            do_connect_step(test_ctx, &server, phase);
             status = handshake_status(server.status, client.status,
                                       0 /* server went last */);
         }