commit bb9e36e0051e15b633616067d71e95010e841dfa
author David Benjamin <davidben@google.com> Wed Aug 03 14:14:47 2016 -0400
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Aug 04 16:43:57 2016 +0000
tree a85d6281693c3b2f309112d9728086833e7711db
parent e455e51d85571fc22e57e3c376a0202d12349419

Test client certificates carry over on session resumption.

We have tests for this as a server, but none as a client. Extend the
certificate verification tests here. This is in preparation for ensuring
that TLS 1.3 session resumption works correctly.

Change-Id: I9ab9f42838ffd69f73fbd877b0cdfaf31caea707
Reviewed-on: https://boringssl-review.googlesource.com/9111
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/runner/runner.go

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 02e26a2..085d7e1 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3413,40 +3413,64 @@
 		if config.protocol == dtls && !vers.hasDTLS {
 			continue
 		}
-		tests = append(tests, testCase{
-			testType: clientTest,
-			name:     "CertificateVerificationSucceed-" + vers.name,
-			config: Config{
-				MaxVersion: vers.version,
-			},
-			flags: []string{
-				"-verify-peer",
-			},
-			resumeSession: vers.version != VersionTLS13,
-		})
-		tests = append(tests, testCase{
-			testType: clientTest,
-			name:     "CertificateVerificationFail-" + vers.name,
-			config: Config{
-				MaxVersion: vers.version,
-			},
-			flags: []string{
-				"-verify-fail",
-				"-verify-peer",
-			},
-			shouldFail:    true,
-			expectedError: ":CERTIFICATE_VERIFY_FAILED:",
-		})
+		for _, testType := range []testType{clientTest, serverTest} {
+			suffix := "-Client"
+			if testType == serverTest {
+				suffix = "-Server"
+			}
+			suffix += "-" + vers.name
+
+			flag := "-verify-peer"
+			if testType == serverTest {
+				flag = "-require-any-client-certificate"
+			}
+
+			tests = append(tests, testCase{
+				testType: testType,
+				name:     "CertificateVerificationSucceed" + suffix,
+				config: Config{
+					MaxVersion:   vers.version,
+					Certificates: []Certificate{rsaCertificate},
+				},
+				flags: []string{
+					flag,
+					"-expect-verify-result",
+				},
+				// TODO(davidben): Enable this when resumption is
+				// implemented in TLS 1.3.
+				resumeSession: vers.version != VersionTLS13,
+			})
+			tests = append(tests, testCase{
+				testType: testType,
+				name:     "CertificateVerificationFail" + suffix,
+				config: Config{
+					MaxVersion:   vers.version,
+					Certificates: []Certificate{rsaCertificate},
+				},
+				flags: []string{
+					flag,
+					"-verify-fail",
+				},
+				shouldFail:    true,
+				expectedError: ":CERTIFICATE_VERIFY_FAILED:",
+			})
+		}
+
+		// By default, the client is in a soft fail mode where the peer
+		// certificate is verified but failures are non-fatal.
 		tests = append(tests, testCase{
 			testType: clientTest,
 			name:     "CertificateVerificationSoftFail-" + vers.name,
 			config: Config{
-				MaxVersion: vers.version,
+				MaxVersion:   vers.version,
+				Certificates: []Certificate{rsaCertificate},
 			},
 			flags: []string{
 				"-verify-fail",
 				"-expect-verify-result",
 			},
+			// TODO(davidben): Enable this when resumption is
+			// implemented in TLS 1.3.
 			resumeSession: vers.version != VersionTLS13,
 		})
 	}