[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Fri Jan 20 01:17:22 UTC 2017


The branch master has been updated
       via  062540cbc511e38e25062fcd63a8c815ad071912 (commit)
       via  ee5b6a42be3c0ca18145ace8793135fbb4768248 (commit)
      from  424baabdf5af540bda4a69122d274b071d804390 (commit)


- Log -----------------------------------------------------------------
commit 062540cbc511e38e25062fcd63a8c815ad071912
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sun Jan 15 15:59:48 2017 +0000

    Add signing hash tests
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2235)

commit ee5b6a42be3c0ca18145ace8793135fbb4768248
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jan 13 15:20:42 2017 +0000

    Add options to check TLS signing hashes
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2235)

-----------------------------------------------------------------------

Summary of changes:
 test/README.ssltest.md                |  3 +++
 test/handshake_helper.c               |  3 +++
 test/handshake_helper.h               |  4 ++++
 test/ssl-tests/04-client_auth.conf    |  2 ++
 test/ssl-tests/04-client_auth.conf.in |  9 +++++++++
 test/ssl-tests/20-cert-select.conf    |  2 ++
 test/ssl-tests/20-cert-select.conf.in |  6 ++++--
 test/ssl_test.c                       | 38 ++++++++++++++++++++++++-----------
 test/ssl_test_ctx.c                   | 35 ++++++++++++++++++++++++++++++++
 test/ssl_test_ctx.h                   |  4 ++++
 10 files changed, 92 insertions(+), 14 deletions(-)

diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 1c4c482..5e2b2d7 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -92,6 +92,9 @@ handshake.
 * ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or
   curve of server or client certificate
 
+* ExpectedServerSignatureHash, ExpectedClientSignatureHash - the expected
+  signing hash used by server or client certificate
+
 ## Configuring the client and server
 
 The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 01a30c8..c8fd474 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -1070,6 +1070,9 @@ static HANDSHAKE_RESULT *do_handshake_internal(
         EVP_PKEY_free(tmp_key);
     }
 
+    SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash);
+    SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash);
+
     ret->server_cert_type = peer_pkey_type(client.ssl);
     ret->client_cert_type = peer_pkey_type(server.ssl);
 
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index 1cdd6fa..604eed9 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -47,8 +47,12 @@ typedef struct handshake_result {
     int tmp_key_type;
     /* server certificate key type */
     int server_cert_type;
+    /* server signing hash */
+    int server_sign_hash;
     /* client certificate key type */
     int client_cert_type;
+    /* client signing hash */
+    int client_sign_hash;
 } HANDSHAKE_RESULT;
 
 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 5b725c7..a917098 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -543,6 +543,7 @@ client = 18-client-auth-TLSv1.2-require-client
 [18-client-auth-TLSv1.2-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+ClientSignatureAlgorithms = SHA256+RSA
 MaxProtocol = TLSv1.2
 MinProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@@ -560,6 +561,7 @@ VerifyMode = Peer
 
 [test-18]
 ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
 ExpectedResult = Success
 
 
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index 8738f90..d45e399 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -33,6 +33,13 @@ sub generate_tests() {
             } else {
                 $caalert = "UnknownCA";
             }
+            my $clihash;
+            my $clisigalgs;
+            # TODO add TLSv1.3 versions
+            if ($protocol_name eq "TLSv1.2") {
+                $clihash = "SHA256";
+                $clisigalgs = "SHA256+RSA";
+            }
             # Sanity-check simple handshake.
             push @tests, {
                 name => "server-auth-${protocol_name}",
@@ -87,6 +94,7 @@ sub generate_tests() {
                 server => {
                     "MinProtocol" => $protocol,
                     "MaxProtocol" => $protocol,
+                    "ClientSignatureAlgorithms" => $clisigalgs,
                     "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
                     "VerifyMode" => "Request",
                 },
@@ -98,6 +106,7 @@ sub generate_tests() {
                 },
                 test   => { "ExpectedResult" => "Success",
                             "ExpectedClientCertType" => "RSA",
+                            "ExpectedClientSignHash" => $clihash,
                 },
             };
 
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index dbb339d..c663b7e 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -111,6 +111,7 @@ VerifyMode = Peer
 [test-3]
 ExpectedResult = Success
 ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
 
 
 # ===========================================================
@@ -163,5 +164,6 @@ VerifyMode = Peer
 [test-5]
 ExpectedResult = Success
 ExpectedServerCertType = RSA
+ExpectedServerSignHash = SHA256
 
 
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index d348491..e8bac76 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -59,7 +59,8 @@ our @tests = (
             "SignatureAlgorithms" => "ECDSA+SHA256",
         },
         test   => {
-            "ExpectedServerCertType" =>, "P-256",
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
             "ExpectedResult" => "Success"
         },
     },
@@ -80,7 +81,8 @@ our @tests = (
             "SignatureAlgorithms" => "RSA+SHA256",
         },
         test   => {
-            "ExpectedServerCertType" =>, "RSA",
+            "ExpectedServerCertType" => "RSA",
+            "ExpectedServerSignHash" => "SHA256",
             "ExpectedResult" => "Success"
         },
     }
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 0d0c35e..58ddca4 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -187,36 +187,48 @@ static int check_resumption(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
     return 1;
 }
 
-static int check_key_type(const char *name, int expected_key_type, int key_type)
+static int check_nid(const char *name, int expected_nid, int nid)
 {
-    if (expected_key_type == 0 || expected_key_type == key_type)
+    if (expected_nid == 0 || expected_nid == nid)
         return 1;
     fprintf(stderr, "%s type mismatch, %s vs %s\n",
-            name, OBJ_nid2ln(expected_key_type),
-            key_type == NID_undef ? "absent" : OBJ_nid2ln(key_type));
+            name, OBJ_nid2ln(expected_nid),
+            nid == NID_undef ? "absent" : OBJ_nid2ln(nid));
     return 0;
 }
 
 static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
 {
-    return check_key_type("Tmp key", test_ctx->expected_tmp_key_type,
-                          result->tmp_key_type);
+    return check_nid("Tmp key", test_ctx->expected_tmp_key_type,
+                     result->tmp_key_type);
 }
 
 static int check_server_cert_type(HANDSHAKE_RESULT *result,
                                   SSL_TEST_CTX *test_ctx)
 {
-    return check_key_type("Server certificate",
-                          test_ctx->expected_server_cert_type,
-                          result->server_cert_type);
+    return check_nid("Server certificate", test_ctx->expected_server_cert_type,
+                     result->server_cert_type);
+}
+
+static int check_server_sign_hash(HANDSHAKE_RESULT *result,
+                                  SSL_TEST_CTX *test_ctx)
+{
+    return check_nid("Server signing hash", test_ctx->expected_server_sign_hash,
+                     result->server_sign_hash);
 }
 
 static int check_client_cert_type(HANDSHAKE_RESULT *result,
                                   SSL_TEST_CTX *test_ctx)
 {
-    return check_key_type("Client certificate",
-                          test_ctx->expected_client_cert_type,
-                          result->client_cert_type);
+    return check_nid("Client certificate", test_ctx->expected_client_cert_type,
+                     result->client_cert_type);
+}
+
+static int check_client_sign_hash(HANDSHAKE_RESULT *result,
+                                  SSL_TEST_CTX *test_ctx)
+{
+    return check_nid("Client signing hash", test_ctx->expected_client_sign_hash,
+                     result->client_sign_hash);
 }
 
 /*
@@ -241,7 +253,9 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
         ret &= check_resumption(result, test_ctx);
         ret &= check_tmp_key(result, test_ctx);
         ret &= check_server_cert_type(result, test_ctx);
+        ret &= check_server_sign_hash(result, test_ctx);
         ret &= check_client_cert_type(result, test_ctx);
+        ret &= check_client_sign_hash(result, test_ctx);
     }
     return ret;
 }
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index f8d5ecd..242602d 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -480,6 +480,39 @@ __owur static int parse_expected_client_cert_type(SSL_TEST_CTX *test_ctx,
                                    value);
 }
 
+/*************************/
+/* Expected signing hash */
+/*************************/
+
+__owur static int parse_expected_sign_hash(int *ptype, const char *value)
+{
+    int nid;
+
+    if (value == NULL)
+        return 0;
+    nid = OBJ_sn2nid(value);
+    if (nid == NID_undef)
+        nid = OBJ_ln2nid(value);
+    if (nid == NID_undef)
+        return 0;
+    *ptype = nid;
+    return 1;
+}
+
+__owur static int parse_expected_server_sign_hash(SSL_TEST_CTX *test_ctx,
+                                                  const char *value)
+{
+    return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash,
+                                    value);
+}
+
+__owur static int parse_expected_client_sign_hash(SSL_TEST_CTX *test_ctx,
+                                                  const char *value)
+{
+    return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash,
+                                    value);
+}
+
 /*************************************************************/
 /* Known test options and their corresponding parse methods. */
 /*************************************************************/
@@ -506,7 +539,9 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
     { "MaxFragmentSize", &parse_test_max_fragment_size },
     { "ExpectedTmpKeyType", &parse_expected_tmp_key_type },
     { "ExpectedServerCertType", &parse_expected_server_cert_type },
+    { "ExpectedServerSignHash", &parse_expected_server_sign_hash },
     { "ExpectedClientCertType", &parse_expected_client_cert_type },
+    { "ExpectedClientSignHash", &parse_expected_client_sign_hash },
 };
 
 /* Nested client options. */
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index f67f01a..b34efe3 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -163,8 +163,12 @@ typedef struct {
     int expected_tmp_key_type;
     /* Expected server certificate key type */
     int expected_server_cert_type;
+    /* Expected server signing hash */
+    int expected_server_sign_hash;
     /* Expected client certificate key type */
     int expected_client_cert_type;
+    /* Expected client signing hash */
+    int expected_client_sign_hash;
 } SSL_TEST_CTX;
 
 const char *ssl_test_result_name(ssl_test_result_t result);


More information about the openssl-commits mailing list