safe renegotiation self checks

Simon Josefsson simon at josefsson.org
Mon Jun 7 15:15:57 CEST 2010 

On the gnutls_2_10_x branch I have fixed so that we have the self-tests
for safe renegotiation described below.  Are there more cases that we
want to test?  Review welcome, it is easy to go code blind with this
complexity.  Code is available from:

http://git.savannah.gnu.org/cgit/gnutls.git/tree/tests/safe-renegotiation?h=gnutls_2_10_x

/Simon

Testing safe renegotiation is relatively complex, here is a summary of
what we test and what how we believe it should work.

	Client setting
			Server setting
					Initial handshake outcome
							Rehandshake outcome
srn0.c

 This tests that the safe renegotiation extension is negotiated
 properly by default on initial connections and on rehandshaked
 connections.  Consequently, it also verifies that rehandshaked
 connections work with the extension enabled.

	NORMAL
			NORMAL
					OK
							OK

srn1.c

 This tests that clients without support for safe renegotiation is
 able to handshake against servers with support, but not able to
 rehandshake (server will refuse rehandshake).

	NORMAL:%DISABLE_SAFE_RENEGOTIATION
			NORMAL
					OK
							Server refuses

srn2.c

 This tests that clients with support for safe renegotiation is able
 to handshake against servers without support, but not able to
 rehandshake (client will refuse rehandshake).

	NORMAL
			NORMAL:%DISABLE_SAFE_RENEGOTIATION
					OK
							Client refuses

srn3.c

 This tests that a %SAFE_RENEGOTIATION client will reject handshakes
 against servers that do not support the extension (server uses
 %DISABLE_SAFE_RENEGOTIATION).

	NORMAL:%SAFE_RENEGOTIATION
			NORMAL:%DISABLE_SAFE_RENEGOTIATION
					Client refuses
							N/A

srn4.c

 This tests that a %SAFE_RENEGOTIATION server will reject handshakes
 against clients that do not support the extension.

	NORMAL:%DISABLE_SAFE_RENEGOTIATION
			NORMAL:%SAFE_RENEGOTIATION
					Server refuses
							N/A

srn5.c

 This tests that a client with a permissive policy
 (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a
 server with no support for the extension.

	NORMAL:%DISABLE_SAFE_RENEGOTIATION
			NORMAL:%UNSAFE_RENEGOTIATION
					OK
							OK

srn6.c

 This tests that a server with a permissive policy
 (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a
 client with no support for the extension.

	NORMAL:%UNSAFE_RENEGOTIATION
			NORMAL:%DISABLE_SAFE_RENEGOTIATION
					OK
							OK

srn7.c

 This tests that clients and servers in %SAFE_RENEGOTIATION mode are
 able to handshake and rehandshake.

	NORMAL:%SAFE_RENEGOTIATION
			NORMAL:%SAFE_RENEGOTIATION
					OK
							OK

More information about the Gnutls-devel mailing list