From f15b50c4cb6a5d36a3789863035d8b795378280c Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 31 Mar 2017 22:35:28 +0100
Subject: [PATCH] Add ExpectedServerCANames

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3015)
---
 test/README.ssltest.md | 4 ++
 test/handshake_helper.c | 11 ++++-
 test/handshake_helper.h | 2 +
 test/ssl_test.c | 105 ++++++++++++++++++++++------------
 test/ssl_test_ctx.c | 7 +++
 test/ssl_test_ctx.h | 2 +
 6 files changed, 81 insertions(+), 50 deletions(-)

diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 0d6f4660cb..288dffa7ac 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -102,6 +102,10 @@ handshake.
 send. If this is "empty" the list is expected to be empty otherwise it is a file of certificates whose subject names form the list.
 
+* ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only.
+ If this is "empty" the list is expected to be empty otherwise it is a file
+ of certificates whose subject names form the list.
+
 ## Configuring the client and server
 
 The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 4bccac1d4e..47af3fe396 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -34,6 +34,7 @@ void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result)
 OPENSSL_free(result->server_npn_negotiated);
 OPENSSL_free(result->client_alpn_negotiated);
 OPENSSL_free(result->server_alpn_negotiated);
+ sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free);
 sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free);
 OPENSSL_free(result);
 }
@@ -1123,7 +1124,7 @@ static HANDSHAKE_RESULT *do_handshake_internal(
 /* API dictates unsigned int rather than size_t. */
 unsigned int proto_len = 0;
 EVP_PKEY *tmp_key;
- STACK_OF(X509_NAME) *names;
+ const STACK_OF(X509_NAME) *names;
 
 memset(&server_ctx_data, 0, sizeof(server_ctx_data));
 memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
@@ -1297,12 +1298,18 @@ static HANDSHAKE_RESULT *do_handshake_internal(
 SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type);
 SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type);
 
- names = SSL_get_client_CA_list(client.ssl);
+ names = SSL_get0_peer_CA_list(client.ssl);
 if (names == NULL)
 ret->client_ca_names = NULL;
 else
 ret->client_ca_names = SSL_dup_CA_list(names);
 
+ names = SSL_get0_peer_CA_list(server.ssl);
+ if (names == NULL)
+ ret->server_ca_names = NULL;
+ else
+ ret->server_ca_names = SSL_dup_CA_list(names);
+
 ret->server_cert_type = peer_pkey_type(client.ssl);
 ret->client_cert_type = peer_pkey_type(server.ssl);
 
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index a7df5845de..2736057729 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -52,6 +52,8 @@ typedef struct handshake_result {
 int server_sign_hash;
 /* server signature type */
 int server_sign_type;
+ /* server CA names */
+ STACK_OF(X509_NAME) *server_ca_names;
 /* client certificate key type */
 int client_cert_type;
 /* client signing hash */
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 0cdec46d3e..9406f94280 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
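Review bot: The result of `SSL_dup_CA_list(names)` on the new `ret->server_ca_names` line is never checked, so an allocation failure leaves the field NULL and the test then reports on "no CA names received" rather than on a capture error; the pre-existing client_ca_names block five lines above has the same gap. Checking the duplicated pointer and routing a NULL to the function's failure path (do_handshake_internal begins and ends outside this hunk, so the exact exit is not visible here) would turn that into a hard test failure instead of a silent mismatch. The two blocks differ only in the SSL object and the target field, so a small static helper taking the SSL and returning the duplicated list, or NULL when the peer sent none, would also remove the copy-paste.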
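Review bot: The new field comment `/* server CA names */` in handshake_result does not say which way the list travelled: the value stored in do_handshake_internal is the peer CA list read from the server's SSL object, that is, the names the client sent, which is also how the README bullet in this patch describes ExpectedServerCANames. Suggest `/* CA names the server received from the client (TLS 1.3 only) */` so a reader does not take it for the list the server advertises. The parallel `/* Expected server CA names */` added to test/ssl_test_ctx.h deserves the same wording.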
@@ -195,54 +195,6 @@ static int check_nid(const char *name, int expected_nid, int nid)
 return 0;
 }
 
-static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Tmp key", test_ctx->expected_tmp_key_type,
- result->tmp_key_type);
-}
-
-static int check_server_cert_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Server certificate", test_ctx->expected_server_cert_type,
- result->server_cert_type);
-}
-
-static int check_server_sign_hash(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Server signing hash", test_ctx->expected_server_sign_hash,
- result->server_sign_hash);
-}
-
-static int check_server_sign_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Server signing", test_ctx->expected_server_sign_type,
- result->server_sign_type);
-}
-
-static int check_client_cert_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Client certificate", test_ctx->expected_client_cert_type,
- result->client_cert_type);
-}
-
-static int check_client_sign_hash(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Client signing hash", test_ctx->expected_client_sign_hash,
- result->client_sign_hash);
-}
-
-static int check_client_sign_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Client signing", test_ctx->expected_client_sign_type,
- result->client_sign_type);
-}
-
 static void print_ca_names(STACK_OF(X509_NAME) *names)
 {
 BIO *err;
@@ -291,6 +243,62 @@ static int check_ca_names(const char *name,
 return 0;
 }
 
+static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Tmp key", test_ctx->expected_tmp_key_type,
+ result->tmp_key_type);
+}
+
+static int check_server_cert_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server certificate", test_ctx->expected_server_cert_type,
+ result->server_cert_type);
+}
+
+static int check_server_sign_hash(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server signing hash", test_ctx->expected_server_sign_hash,
+ result->server_sign_hash);
+}
+
+static int check_server_sign_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server signing", test_ctx->expected_server_sign_type,
+ result->server_sign_type);
+}
+
+static int check_server_ca_names(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_ca_names("Server CA names",
+ test_ctx->expected_server_ca_names,
+ result->server_ca_names);
+}
+
+static int check_client_cert_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client certificate", test_ctx->expected_client_cert_type,
+ result->client_cert_type);
+}
+
+static int check_client_sign_hash(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client signing hash", test_ctx->expected_client_sign_hash,
+ result->client_sign_hash);
+}
+
+static int check_client_sign_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client signing", test_ctx->expected_client_sign_type,
+ result->client_sign_type);
+}
+
 static int check_client_ca_names(HANDSHAKE_RESULT *result,
 SSL_TEST_CTX *test_ctx)
 {
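Review bot: All but eight of the 56 added lines here are the seven check_* functions relocated verbatim from the earlier hunk (@@ -195,54) so that the new check_server_ca_names sits after check_ca_names; a forward declaration of check_ca_names, or placing the new function just above check_client_ca_names, would have confined the change to the one genuinely new function and made the review a one-screen read. Separately, the label `"Server CA names"` handed to check_ca_names presumably ends up in the mismatch report, yet the list it describes is the one the client sent (per this patch's README bullet), so someone reading a failure may start debugging the wrong endpoint; a one-line comment above check_server_ca_names, `/* CA list the client sent, as received by the server (TLS 1.3). */`, would prevent that.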
@@ -324,6 +332,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
 ret &= check_server_cert_type(result, test_ctx);
 ret &= check_server_sign_hash(result, test_ctx);
 ret &= check_server_sign_type(result, test_ctx);
+ ret &= check_server_ca_names(result, test_ctx);
 ret &= check_client_cert_type(result, test_ctx);
 ret &= check_client_sign_hash(result, test_ctx);
 ret &= check_client_sign_type(result, test_ctx);
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 7189777b78..6a3b9d1ebd 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -546,6 +546,11 @@ __owur static int parse_expected_ca_names(STACK_OF(X509_NAME) **pnames,
 *pnames = SSL_load_client_CA_file(value);
 return *pnames != NULL;
 }
+__owur static int parse_expected_server_ca_names(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_ca_names(&test_ctx->expected_server_ca_names, value);
+}
 __owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx,
 const char *value)
 {
@@ -580,6 +585,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
 { "ExpectedServerCertType", &parse_expected_server_cert_type },
 { "ExpectedServerSignHash", &parse_expected_server_sign_hash },
 { "ExpectedServerSignType", &parse_expected_server_sign_type },
+ { "ExpectedServerCANames", &parse_expected_server_ca_names },
 { "ExpectedClientCertType", &parse_expected_client_cert_type },
 { "ExpectedClientSignHash", &parse_expected_client_sign_hash },
 { "ExpectedClientSignType", &parse_expected_client_sign_type },
@@ -661,6 +667,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
 ssl_test_ctx_free_extra_data(ctx);
 OPENSSL_free(ctx->expected_npn_protocol);
 OPENSSL_free(ctx->expected_alpn_protocol);
+ sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
 sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
 OPENSSL_free(ctx);
 }
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 0b37b15de9..54cefb6368 100644
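Review bot: parse_expected_server_ca_names hands `&test_ctx->expected_server_ca_names` to parse_expected_ca_names, whose visible tail assigns `*pnames` unconditionally, so a test section that repeats the ExpectedServerCANames key overwrites and leaks the stack loaded on the first occurrence before SSL_TEST_CTX_free ever sees it; the existing client variant inherits the same behaviour. Unless the option walker already rejects duplicate keys (not visible in this hunk, and the head of parse_expected_ca_names lies outside it), releasing the previous value first, `sk_X509_NAME_pop_free(*pnames, X509_NAME_free);` ahead of the assignments in parse_expected_ca_names, closes the gap for both callers at once. A duplicated key is a test-configuration mistake, but a leak report from the sanitizer build is a confusing way to learn of it.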
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -188,6 +188,8 @@ typedef struct {
 int expected_server_sign_hash;
 /* Expected server signature type */
 int expected_server_sign_type;
+ /* Expected server CA names */
+ STACK_OF(X509_NAME) *expected_server_ca_names;
 /* Expected client certificate key type */
 int expected_client_cert_type;
 /* Expected client signing hash */
-- 
2.34.1