From: Dr. Stephen Henson Date: Wed, 25 Jan 2017 18:43:13 +0000 (+0000) Subject: Add server signature algorithm bug test. X-Git-Tag: OpenSSL_1_1_1-pre1~2595 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9cf847d7056877f3d6b3f20c11ead8110eae951f Add server signature algorithm bug test. Add a client authentication signature algorithm to simple ssl test and a server signature algorithm. Since we don't do client auth this should have no effect. However if we use client auth signature algorithms by mistake this will abort the handshake with a no shared signature algorithms error. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2290) --- diff --git a/test/ssl-tests/01-simple.conf b/test/ssl-tests/01-simple.conf index 6f2f6c4893..5f4dd841b4 100644 --- a/test/ssl-tests/01-simple.conf +++ b/test/ssl-tests/01-simple.conf @@ -1,9 +1,10 @@ # Generated with generate_ssl_tests.pl -num_tests = 2 +num_tests = 3 test-0 = 0-default -test-1 = 1-verify-cert +test-1 = 1-Server signature algorithms bug +test-2 = 2-verify-cert # =========================================================== [0-default] 
@@ -29,23 +30,48 @@ ExpectedResult = Success # =========================================================== -[1-verify-cert] -ssl_conf = 1-verify-cert-ssl +[1-Server signature algorithms bug] +ssl_conf = 1-Server signature algorithms bug-ssl -[1-verify-cert-ssl] -server = 1-verify-cert-server -client = 1-verify-cert-client +[1-Server signature algorithms bug-ssl] +server = 1-Server signature algorithms bug-server +client = 1-Server signature algorithms bug-client -[1-verify-cert-server] +[1-Server signature algorithms bug-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ClientSignatureAlgorithms = ECDSA+SHA256 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-verify-cert-client] +[1-Server signature algorithms bug-client] CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-1] +ExpectedResult = Success + + +# =========================================================== + +[2-verify-cert] +ssl_conf = 2-verify-cert-ssl + +[2-verify-cert-ssl] +server = 2-verify-cert-server +client = 2-verify-cert-client + +[2-verify-cert-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[2-verify-cert-client] +CipherString = DEFAULT +VerifyMode = Peer + +[test-2] ExpectedClientAlert = UnknownCA ExpectedResult = ClientFail diff --git a/test/ssl-tests/01-simple.conf.in b/test/ssl-tests/01-simple.conf.in index 45ddd61921..086d66d32f 100644 --- a/test/ssl-tests/01-simple.conf.in +++ b/test/ssl-tests/01-simple.conf.in 
@@ -19,6 +19,14 @@ our @tests = (
 test => { "ExpectedResult" => "Success" },
 },
+ {
+ name => "Server signature algorithms bug",
+ # Should have no effect as we aren't doing client auth
+ server => { "ClientSignatureAlgorithms" => "ECDSA+SHA256" },
+ client => { "SignatureAlgorithms" => "RSA+SHA256" },
+ test => { "ExpectedResult" => "Success" },
+ },
+
 {
 name => "verify-cert",
 server => { },
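Review bot: The comment on the new `Server signature algorithms bug` entry says only that the setting should have no effect, so a future failure of this test would be hard to interpret from the file alone. It should record that the two lists are deliberately disjoint and what a regression looks like, for example `# ClientSignatureAlgorithms (ECDSA+SHA256) is deliberately disjoint from the client's SignatureAlgorithms (RSA+SHA256).` followed by `# It applies to client auth only; if the server consults it for its own signature the handshake aborts with "no shared signature algorithms".`, which carries the commit message's reasoning into the source. The entry's name also contains spaces, unlike `verify-cert`, and they end up in the generated section names (`[1-Server signature algorithms bug-ssl]`), so a hyphenated name would be more consistent with its neighbours. The `@tests` list begins and ends outside this hunk.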