{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1754121886,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"5200a843426a923f3df98db25b928e39",
"commit": {"type":"commit",
"time": 1565777356,
"time_ofs": 60,
"oid_tree": { "oid": "24abd6291093da5440dc74952d5fcbcbdd86c8c3", "alias": []},
"oid":{ "oid": "57a3af94a7ccff2efa99c26b2e842f520e4a731c", "alias": []},
"msg": "Extend tests of SSL_check_chain()",
"sig_commit": { "git_time": { "time": 1565777356, "offset": 60 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" },
"sig_author": { "git_time": { "time": 1563898205, "offset": 60 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }},
"body": "Extend tests of SSL_check_chain()\n\nActually supply a chain and then test:\n1) A successful check of both the ee and chain certs\n2) A failure to check the ee cert\n3) A failure to check a chain cert\n\nReviewed-by: Tomas Mraz \u003ctmraz@fedoraproject.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/9443)\n"
,
"diff": "diff --git a/test/ct_test.c b/test/ct_test.c\nindex f881d5f..78d11ca 100644\n--- a/test/ct_test.c\n+++ b/test/ct_test.c\n@@ -87,29 +87,10 @@ static void tear_down(CT_TEST_FIXTURE *fixture)\n OPENSSL_free(fixture);\n }\n \n-static char *mk_file_path(const char *dir, const char *file)\n-{\n-# ifndef OPENSSL_SYS_VMS\n- const char *sep \u003d \u0022/\u0022;\n-# else\n- const char *sep \u003d \u0022\u0022;\n-# endif\n- size_t len \u003d strlen(dir) + strlen(sep) + strlen(file) + 1;\n- char *full_file \u003d OPENSSL_zalloc(len);\n-\n- if (full_file !\u003d NULL) {\n- OPENSSL_strlcpy(full_file, dir, len);\n- OPENSSL_strlcat(full_file, sep, len);\n- OPENSSL_strlcat(full_file, file, len);\n- }\n-\n- return full_file;\n-}\n-\n static X509 *load_pem_cert(const char *dir, const char *file)\n {\n X509 *cert \u003d NULL;\n- char *file_path \u003d mk_file_path(dir, file);\n+ char *file_path \u003d test_mk_file_path(dir, file);\n \n if (file_path !\u003d NULL) {\n BIO *cert_io \u003d BIO_new_file(file_path, \u0022r\u0022);\n@@ -127,7 +108,7 @@ static int read_text_file(const char *dir, const char *file,\n char *buffer, int buffer_length)\n {\n int len \u003d -1;\n- char *file_path \u003d mk_file_path(dir, file);\n+ char *file_path \u003d test_mk_file_path(dir, file);\n \n if (file_path !\u003d NULL) {\n BIO *file_io \u003d BIO_new_file(file_path, \u0022r\u0022);\ndiff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t\nindex 633df47..4dd70bf 100644\n--- a/test/recipes/90-test_sslapi.t\n+++ b/test/recipes/90-test_sslapi.t\n@@ -8,7 +8,7 @@\n \n \n use OpenSSL::Test::Utils;\n-use OpenSSL::Test qw/:DEFAULT srctop_file/;\n+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir/;\n use File::Temp qw(tempfile);\n \n setup(\u0022test_sslapi\u0022);\n@@ -20,8 +20,7 @@ plan tests \u003d\u003e 1;\n \n (undef, my $tmpfilename) \u003d tempfile();\n \n-ok(run(test([\u0022sslapitest\u0022, srctop_file(\u0022apps\u0022, \u0022server.pem\u0022),\n- 
srctop_file(\u0022apps\u0022, \u0022server.pem\u0022),\n+ok(run(test([\u0022sslapitest\u0022, srctop_dir(\u0022test\u0022, \u0022certs\u0022),\n srctop_file(\u0022test\u0022, \u0022recipes\u0022, \u002290-test_sslapi_data\u0022,\n \u0022passwd.txt\u0022), $tmpfilename])),\n \u0022running sslapitest\u0022);\ndiff --git a/test/sslapitest.c b/test/sslapitest.c\nindex 8c6e16c..c29bb64 100644\n--- a/test/sslapitest.c\n+++ b/test/sslapitest.c\n@@ -42,6 +42,7 @@ static int find_session_cb_cnt \u003d 0;\n static SSL_SESSION *create_a_psk(SSL *ssl);\n #endif\n \n+static char *certsdir \u003d NULL;\n static char *cert \u003d NULL;\n static char *privkey \u003d NULL;\n static char *srpvfile \u003d NULL;\n@@ -5664,7 +5665,10 @@ static int cert_cb(SSL *s, void *arg)\n SSL_CTX *ctx \u003d (SSL_CTX *)arg;\n BIO *in \u003d NULL;\n EVP_PKEY *pkey \u003d NULL;\n- X509 *x509 \u003d NULL;\n+ X509 *x509 \u003d NULL, *rootx \u003d NULL;\n+ STACK_OF(X509) *chain \u003d NULL;\n+ char *rootfile \u003d NULL, *ecdsacert \u003d NULL, *ecdsakey \u003d NULL;\n+ int ret \u003d 0;\n \n if (cert_cb_cnt \u003d\u003d 0) {\n /* Suspend the handshake */\n@@ -5687,38 +5691,58 @@ static int cert_cb(SSL *s, void *arg)\n return 1;\n } else if (cert_cb_cnt \u003d\u003d 3) {\n int rv;\n+\n+ rootfile \u003d test_mk_file_path(certsdir, \u0022rootcert.pem\u0022);\n+ ecdsacert \u003d test_mk_file_path(certsdir, \u0022server-ecdsa-cert.pem\u0022);\n+ ecdsakey \u003d test_mk_file_path(certsdir, \u0022server-ecdsa-key.pem\u0022);\n+ if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))\n+ goto out;\n+ chain \u003d sk_X509_new_null();\n+ if (!TEST_ptr(chain))\n+ goto out;\n if (!TEST_ptr(in \u003d BIO_new(BIO_s_file()))\n- || !TEST_int_ge(BIO_read_filename(in, cert), 0)\n+ || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)\n+ || !TEST_ptr(rootx \u003d PEM_read_bio_X509(in, NULL, NULL, NULL))\n+ || !TEST_true(sk_X509_push(chain, rootx)))\n+ goto out;\n+ rootx \u003d NULL;\n+ BIO_free(in);\n+ if 
(!TEST_ptr(in \u003d BIO_new(BIO_s_file()))\n+ || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)\n || !TEST_ptr(x509 \u003d PEM_read_bio_X509(in, NULL, NULL, NULL)))\n goto out;\n BIO_free(in);\n if (!TEST_ptr(in \u003d BIO_new(BIO_s_file()))\n- || !TEST_int_ge(BIO_read_filename(in, privkey), 0)\n+ || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)\n || !TEST_ptr(pkey \u003d PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))\n goto out;\n- rv \u003d SSL_check_chain(s, x509, pkey, NULL);\n+ rv \u003d SSL_check_chain(s, x509, pkey, chain);\n /*\n * If the cert doesn't show as valid here (e.g., because we don't\n * have any shared sigalgs), then we will not set it, and there will\n * be no certificate at all on the SSL or SSL_CTX. This, in turn,\n * will cause tls_choose_sigalgs() to fail the connection.\n */\n- if ((rv \u0026 CERT_PKEY_VALID)) {\n+ if ((rv \u0026 (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))\n+ \u003d\u003d (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {\n if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))\n goto out;\n }\n- BIO_free(in);\n- EVP_PKEY_free(pkey);\n- X509_free(x509);\n- return 1;\n+\n+ ret \u003d 1;\n }\n \n /* Abort the handshake */\n out:\n+ OPENSSL_free(ecdsacert);\n+ OPENSSL_free(ecdsakey);\n+ OPENSSL_free(rootfile);\n BIO_free(in);\n EVP_PKEY_free(pkey);\n X509_free(x509);\n- return 0;\n+ X509_free(rootx);\n+ sk_X509_pop_free(chain, X509_free);\n+ return ret;\n }\n \n /*\n@@ -5726,6 +5750,10 @@ static int cert_cb(SSL *s, void *arg)\n * Test 0: Callback fails\n * Test 1: Success - no SSL_set_SSL_CTX() in the callback\n * Test 2: Success - SSL_set_SSL_CTX() in the callback\n+ * Test 3: Success - Call SSL_check_chain from the callback\n+ * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the\n+ * chain\n+ * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert\n */\n static int test_cert_cb_int(int prot, int tst)\n {\n@@ -5733,6 +5761,12 @@ static int test_cert_cb_int(int prot, int tst)\n SSL 
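Review bot: The line `rootx = NULL;` after the push into `chain` hands the reference over without saying so, and because the `out:` label frees both `X509_free(rootx)` and `sk_X509_pop_free(chain, X509_free)`, a reader has to work out that the reset is what prevents a double free; a comment such as `rootx = NULL; /* chain now owns the reference; freed by sk_X509_pop_free() */` would make that explicit. Separately, `SSL_use_cert_and_key(s, x509, pkey, NULL, 1)` installs the ee cert with no chain even though `chain` is exactly what SSL_check_chain() just validated; if the intent is only to exercise the check, a one-line comment saying the chain is deliberately not installed would stop this from being read as an oversight. The enclosing cert_cb() starts before this hunk.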
*clientssl \u003d NULL, *serverssl \u003d NULL;\n int testresult \u003d 0, ret;\n \n+#ifdef OPENSSL_NO_EC\n+ /* We use an EC cert in these tests, so we skip in a no-ec build */\n+ if (tst \u003e\u003d 3)\n+ return 1;\n+#endif\n+\n if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),\n TLS_client_method(),\n TLS1_VERSION,\n@@ -5742,10 +5776,11 @@ static int test_cert_cb_int(int prot, int tst)\n \n if (tst \u003d\u003d 0)\n cert_cb_cnt \u003d -1;\n- else if (tst \u003d\u003d 3)\n+ else if (tst \u003e\u003d 3)\n cert_cb_cnt \u003d 3;\n else\n cert_cb_cnt \u003d 0;\n+\n if (tst \u003d\u003d 2)\n snictx \u003d SSL_CTX_new(TLS_server_method());\n SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);\n@@ -5754,8 +5789,26 @@ static int test_cert_cb_int(int prot, int tst)\n NULL, NULL)))\n goto end;\n \n+ if (tst \u003d\u003d 4) {\n+ /*\n+ * We cause SSL_check_chain() to fail by specifying sig_algs that\n+ * the chain doesn't meet (the root uses an RSA cert)\n+ */\n+ if (!TEST_true(SSL_set1_sigalgs_list(clientssl,\n+ \u0022ecdsa_secp256r1_sha256\u0022)))\n+ goto end;\n+ } else if (tst \u003d\u003d 5) {\n+ /*\n+ * We cause SSL_check_chain() to fail by specifying sig_algs that\n+ * the ee cert doesn't meet (the ee uses an ECDSA cert)\n+ */\n+ if (!TEST_true(SSL_set1_sigalgs_list(clientssl,\n+ \u0022rsa_pss_rsae_sha256:rsa_pkcs1_sha256\u0022)))\n+ goto end;\n+ }\n+\n ret \u003d create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);\n- if (!TEST_true(tst \u003d\u003d 0 ? !ret : ret)\n+ if (!TEST_true(tst \u003d\u003d 0 || tst \u003d\u003d 4 || tst \u003d\u003d 5 ? 
!ret : ret)\n || (tst \u003e 0\n \u0026\u0026 !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {\n goto end;\n@@ -6018,10 +6071,9 @@ static int test_ca_names(int tst)\n \n int setup_tests(void)\n {\n- if (!TEST_ptr(cert \u003d test_get_argument(0))\n- || !TEST_ptr(privkey \u003d test_get_argument(1))\n- || !TEST_ptr(srpvfile \u003d test_get_argument(2))\n- || !TEST_ptr(tmpfilename \u003d test_get_argument(3)))\n+ if (!TEST_ptr(certsdir \u003d test_get_argument(0))\n+ || !TEST_ptr(srpvfile \u003d test_get_argument(1))\n+ || !TEST_ptr(tmpfilename \u003d test_get_argument(2)))\n return 0;\n \n if (getenv(\u0022OPENSSL_TEST_GETCOUNTS\u0022) !\u003d NULL) {\n@@ -6040,6 +6092,16 @@ int setup_tests(void)\n #endif\n }\n \n+ cert \u003d test_mk_file_path(certsdir, \u0022servercert.pem\u0022);\n+ if (cert \u003d\u003d NULL)\n+ return 0;\n+\n+ privkey \u003d test_mk_file_path(certsdir, \u0022serverkey.pem\u0022);\n+ if (privkey \u003d\u003d NULL) {\n+ OPENSSL_free(cert);\n+ return 0;\n+ }\n+\n ADD_TEST(test_large_message_tls);\n ADD_TEST(test_large_message_tls_read_ahead);\n #ifndef OPENSSL_NO_DTLS\n@@ -6120,7 +6182,7 @@ int setup_tests(void)\n ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));\n ADD_ALL_TESTS(test_ticket_callbacks, 12);\n ADD_ALL_TESTS(test_shutdown, 7);\n- ADD_ALL_TESTS(test_cert_cb, 4);\n+ ADD_ALL_TESTS(test_cert_cb, 6);\n ADD_ALL_TESTS(test_client_cert_cb, 2);\n ADD_ALL_TESTS(test_ca_names, 3);\n return 1;\n@@ -6128,6 +6190,8 @@ int setup_tests(void)\n \n void cleanup_tests(void)\n {\n+ OPENSSL_free(cert);\n+ OPENSSL_free(privkey);\n bio_s_mempacket_test_free();\n bio_s_always_retry_free();\n }\ndiff --git a/test/testutil.h b/test/testutil.h\nindex db0c74e..0e9e3d5 100644\n--- a/test/testutil.h\n+++ b/test/testutil.h\n@@ -462,4 +462,7 @@ char *glue_strings(const char *list[], size_t *out_len);\n uint32_t test_random(void);\n void test_random_seed(uint32_t sd);\n \n+/* Create a file path from a directory and a filename 
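Review bot: `if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)` relies on `||` binding tighter than `?:`; it is correct as written but reads ambiguously, and wrapping the selector, `if (!TEST_true((tst == 0 || tst == 4 || tst == 5) ? !ret : ret)`, makes the intended grouping plain. The enclosing test_cert_cb_int() ends outside the hunk.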
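Review bot: In the privkey failure path of setup_tests(), `OPENSSL_free(cert); return 0;` leaves `cert` dangling, and the cleanup_tests() hunk later in this file (`@@ -6128`) frees `cert` again; if the test driver still calls cleanup_tests() after setup_tests() returns 0 — which I believe OpenSSL's testutil main does, though that code is outside this diff — that is a double free. Either reset the pointer, `OPENSSL_free(cert); cert = NULL;`, or drop the free here and rely on cleanup_tests() for both allocations. `privkey` is unaffected only because it is still NULL on that path.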
*/\n+char *test_mk_file_path(const char *dir, const char *file);\n+\n #endif /* HEADER_TESTUTIL_H */\ndiff --git a/test/testutil/driver.c b/test/testutil/driver.c\nindex 48f94ae..89a3a0b 100644\n--- a/test/testutil/driver.c\n+++ b/test/testutil/driver.c\n@@ -297,3 +297,21 @@ char *glue_strings(const char *list[], size_t *out_len)\n return ret;\n }\n \n+char *test_mk_file_path(const char *dir, const char *file)\n+{\n+# ifndef OPENSSL_SYS_VMS\n+ const char *sep \u003d \u0022/\u0022;\n+# else\n+ const char *sep \u003d \u0022\u0022;\n+# endif\n+ size_t len \u003d strlen(dir) + strlen(sep) + strlen(file) + 1;\n+ char *full_file \u003d OPENSSL_zalloc(len);\n+\n+ if (full_file !\u003d NULL) {\n+ OPENSSL_strlcpy(full_file, dir, len);\n+ OPENSSL_strlcat(full_file, sep, len);\n+ OPENSSL_strlcat(full_file, file, len);\n+ }\n+\n+ return full_file;\n+}\n","s":{"c":1754121886,"u": 42777}}
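Review bot: The new prototype comment `/* Create a file path from a directory and a filename */` does not state that the result is allocated with OPENSSL_zalloc() and must be released with OPENSSL_free(), nor that both arguments must be non-NULL — the implementation in the test/testutil/driver.c hunk calls strlen() on each without a guard. A fuller comment would be `/* Create a file path from a directory and a filename. Both arguments must be non-NULL. Returns NULL on allocation failure; the caller frees the result with OPENSSL_free(). */`. The same ownership note belongs above the definition in driver.c, which currently has none.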
],"g": 44457,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}