static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
{
int res = X509_verify_cert(ctx);
+ int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+ SSL *ssl;
+
+ /* this should not happen but check anyway */
+ if (idx < 0
+ || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
+ return 0;
if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
- return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
+ /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
+ return SSL_set_retry_verify(ssl);
+
return res;
}
return ret;
}
+static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
+{
+ static const char pass[] = "testpass";
+
+ if (!TEST_int_eq(size, PEM_BUFSIZE))
+ return -1;
+
+ memcpy(buf, pass, sizeof(pass) - 1);
+ return sizeof(pass) - 1;
+}
+
static int test_ssl_ctx_build_cert_chain(void)
{
int ret = 0;
SSL_CTX *ctx = NULL;
- char *skey = test_mk_file_path(certsdir, "leaf.key");
+ char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
goto end;
+ SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
/* leaf_chain contains leaf + subinterCA + interCA + rootCA */
if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
size_t readbytes;
/*
- * Create a conection so we can resume and potentially (but not) use
+ * Create a connection so we can resume and potentially (but not) use
* a different cipher in the second connection.
*/
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
#if defined(OPENSSL_NO_KTLS_RX)
rx_supported = 0;
#else
- rx_supported = (tls_version != TLS1_3_VERSION);
+ rx_supported = 1;
#endif
if (!cis_ktls || !rx_supported) {
if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
goto end;
}
- if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0)))
+ if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
goto end;
out = BIO_new_file(tmpfilename, "wb");
return SSL_TLSEXT_ERR_OK;
}
+static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ return 1;
+}
+
/*
* Custom call back tests.
* Test 0: Old style callbacks in TLSv1.2
* Test 2: New style callbacks in TLSv1.2 with SNI
* Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
* Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
+ * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
*/
static int test_custom_exts(int tst)
{
SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
}
- if (tst == 4) {
+ if (tst == 5) {
+ context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+ | SSL_EXT_TLS1_3_CERTIFICATE;
+ SSL_CTX_set_verify(sctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_cb);
+ if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
+ goto end;
+ } else if (tst == 4) {
context = SSL_EXT_CLIENT_HELLO
| SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_SERVER_HELLO
|| (tst != 2 && snicb != 0)
|| (tst == 2 && snicb != 1))
goto end;
+ } else if (tst == 5) {
+ if (clntaddnewcb != 1
+ || clntparsenewcb != 1
+ || srvaddnewcb != 1
+ || srvparsenewcb != 1)
+ goto end;
} else {
/* In this case there 2 NewSessionTicket messages created */
if (clntaddnewcb != 1
SSL_free(clientssl);
serverssl = clientssl = NULL;
- if (tst == 3) {
- /* We don't bother with the resumption aspects for this test */
+ if (tst == 3 || tst == 5) {
+ /* We don't bother with the resumption aspects for these tests */
testresult = 1;
goto end;
}
PACKET pkt, pkt2, pkt3;
unsigned int MFL_code = 0, type = 0;
- if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
+ if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
goto end;
memset(&pkt, 0, sizeof(pkt));
memset(&pkt3, 0, sizeof(pkt3));
if (!TEST_long_gt(len, 0)
- || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
+ || !TEST_true(PACKET_buf_init(&pkt, data, len))
/* Skip the record header */
|| !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
/* Skip the handshake message header */
row = NULL;
- if (!TXT_DB_write(out, db))
+ if (TXT_DB_write(out, db) <= 0)
goto end;
ret = 1;
if (!TEST_ptr(chain))
goto out;
if (!TEST_ptr(in = BIO_new(BIO_s_file()))
- || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
+ || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
|| !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
|| !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
|| !TEST_true(sk_X509_push(chain, rootx)))
rootx = NULL;
BIO_free(in);
if (!TEST_ptr(in = BIO_new(BIO_s_file()))
- || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
+ || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
|| !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
|| !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
goto out;
BIO_free(in);
if (!TEST_ptr(in = BIO_new(BIO_s_file()))
- || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
+ || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
|| !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
NULL, NULL,
libctx, NULL)))
EVP_PKEY_free(pkey);
X509_free(x509);
X509_free(rootx);
- sk_X509_pop_free(chain, X509_free);
+ OSSL_STACK_OF_X509_free(chain);
return ret;
}
else
cert_cb_cnt = 0;
- if (tst == 2)
- snictx = SSL_CTX_new(TLS_server_method());
+ if (tst == 2) {
+ snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ if (!TEST_ptr(snictx))
+ goto end;
+ }
+
SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
return 0;
}
-static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
- return 1;
-}
-
static int test_client_cert_cb(int tst)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
if (!TEST_ptr(pctx)
- || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
+ || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
goto end;
tmpl = OSSL_PARAM_BLD_new();
params = OSSL_PARAM_BLD_to_param(tmpl);
if (!TEST_ptr(params)
- || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
- EVP_PKEY_KEY_PARAMETERS, params)))
+ || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
+ EVP_PKEY_KEY_PARAMETERS,
+ params), 1))
goto end;
tmp_dh_params = dhpkey;
SSL_CTX_free(cctx);
return testresult;
}
+
+/*
+ * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
+ * 0 = TLSv1.2
+ * 1 = TLSv1.3
+ */
+static int test_ticket_lifetime(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ int version = TLS1_3_VERSION;
+
+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
+#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
+
+ if (idx == 0) {
+#ifdef OPENSSL_NO_TLS1_2
+ return TEST_skip("TLS 1.2 is disabled.");
+#else
+ version = TLS1_2_VERSION;
+#endif
+ }
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), version, version,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL)))
+ goto end;
+
+ /*
+ * Set the timeout to be more than 1 week
+ * make sure the returned value is the default
+ */
+ if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
+ SSL_get_default_timeout(serverssl)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (idx == 0) {
+ /* TLSv1.2 uses the set value */
+ if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
+ goto end;
+ } else {
+ /* TLSv1.3 uses the limited value */
+ if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
+ goto end;
+ }
+ testresult = 1;
+
+end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
#endif
/*
* Test that setting an ALPN does not violate RFC
return testresult;
}
+/*
+ * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
+ */
+static int test_set_verify_cert_store_ssl_ctx(void)
+{
+ SSL_CTX *ctx = NULL;
+ int testresult = 0;
+ X509_STORE *store = NULL, *new_store = NULL,
+ *cstore = NULL, *new_cstore = NULL;
+
+ /* Create an initial SSL_CTX. */
+ ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ if (!TEST_ptr(ctx))
+ goto end;
+
+ /* Retrieve verify store pointer. */
+ if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
+ goto end;
+
+ /* Retrieve chain store pointer. */
+ if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
+ goto end;
+
+ /* We haven't set any yet, so this should be NULL. */
+ if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
+ goto end;
+
+ /* Create stores. We use separate stores so pointers are different. */
+ new_store = X509_STORE_new();
+ if (!TEST_ptr(new_store))
+ goto end;
+
+ new_cstore = X509_STORE_new();
+ if (!TEST_ptr(new_cstore))
+ goto end;
+
+ /* Set stores. */
+ if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
+ goto end;
+
+ /* Should be able to retrieve the same pointer. */
+ if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
+ goto end;
+
+ if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
+ goto end;
+
+ /* Should be able to unset again. */
+ if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
+ goto end;
+
+ /* Should now be NULL. */
+ if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
+ goto end;
+
+ if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
+ goto end;
+
+ testresult = 1;
+
+end:
+ X509_STORE_free(new_store);
+ X509_STORE_free(new_cstore);
+ SSL_CTX_free(ctx);
+ return testresult;
+}
+
+/*
+ * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
+ */
+static int test_set_verify_cert_store_ssl(void)
+{
+ SSL_CTX *ctx = NULL;
+ SSL *ssl = NULL;
+ int testresult = 0;
+ X509_STORE *store = NULL, *new_store = NULL,
+ *cstore = NULL, *new_cstore = NULL;
+
+ /* Create an initial SSL_CTX. */
+ ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ if (!TEST_ptr(ctx))
+ goto end;
+
+ /* Create an SSL object. */
+ ssl = SSL_new(ctx);
+ if (!TEST_ptr(ssl))
+ goto end;
+
+ /* Retrieve verify store pointer. */
+ if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
+ goto end;
+
+ /* Retrieve chain store pointer. */
+ if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
+ goto end;
+
+ /* We haven't set any yet, so this should be NULL. */
+ if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
+ goto end;
+
+ /* Create stores. We use separate stores so pointers are different. */
+ new_store = X509_STORE_new();
+ if (!TEST_ptr(new_store))
+ goto end;
+
+ new_cstore = X509_STORE_new();
+ if (!TEST_ptr(new_cstore))
+ goto end;
+
+ /* Set stores. */
+ if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
+ goto end;
+
+ if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
+ goto end;
+
+ /* Should be able to retrieve the same pointer. */
+ if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
+ goto end;
+
+ if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
+ goto end;
+
+ if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
+ goto end;
+
+ /* Should be able to unset again. */
+ if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
+ goto end;
+
+ /* Should now be NULL. */
+ if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
+ goto end;
+
+ if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
+ goto end;
+
+ if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
+ goto end;
+
+ testresult = 1;
+
+end:
+ X509_STORE_free(new_store);
+ X509_STORE_free(new_cstore);
+ SSL_free(ssl);
+ SSL_CTX_free(ctx);
+ return testresult;
+}
+
+
static int test_inherit_verify_param(void)
{
int testresult = 0;
/* Test with only TLSv1.3 versions */
ADD_ALL_TESTS(test_key_exchange, 12);
# endif
- ADD_ALL_TESTS(test_custom_exts, 5);
+ ADD_ALL_TESTS(test_custom_exts, 6);
ADD_TEST(test_stateless);
ADD_TEST(test_pha_key_update);
#else
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
+ ADD_ALL_TESTS(test_ticket_lifetime, 2);
#endif
ADD_TEST(test_inherit_verify_param);
ADD_TEST(test_set_alpn);
+ ADD_TEST(test_set_verify_cert_store_ssl_ctx);
+ ADD_TEST(test_set_verify_cert_store_ssl);
ADD_ALL_TESTS(test_session_timeout, 1);
return 1;