[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Fri Jan 20 01:17:22 UTC 2017
The branch master has been updated
via 062540cbc511e38e25062fcd63a8c815ad071912 (commit)
via ee5b6a42be3c0ca18145ace8793135fbb4768248 (commit)
from 424baabdf5af540bda4a69122d274b071d804390 (commit)
- Log -----------------------------------------------------------------
commit 062540cbc511e38e25062fcd63a8c815ad071912
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Jan 15 15:59:48 2017 +0000
Add signing hash tests
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)
commit ee5b6a42be3c0ca18145ace8793135fbb4768248
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Jan 13 15:20:42 2017 +0000
Add options to check TLS signing hashes
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)
-----------------------------------------------------------------------
Summary of changes:
test/README.ssltest.md | 3 +++
test/handshake_helper.c | 3 +++
test/handshake_helper.h | 4 ++++
test/ssl-tests/04-client_auth.conf | 2 ++
test/ssl-tests/04-client_auth.conf.in | 9 +++++++++
test/ssl-tests/20-cert-select.conf | 2 ++
test/ssl-tests/20-cert-select.conf.in | 6 ++++--
test/ssl_test.c | 38 ++++++++++++++++++++++++-----------
test/ssl_test_ctx.c | 35 ++++++++++++++++++++++++++++++++
test/ssl_test_ctx.h | 4 ++++
10 files changed, 92 insertions(+), 14 deletions(-)
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 1c4c482..5e2b2d7 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -92,6 +92,9 @@ handshake.
* ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or
curve of server or client certificate
+* ExpectedServerSignatureHash, ExpectedClientSignatureHash - the expected
+ signing hash used by server or client certificate
+
## Configuring the client and server
The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 01a30c8..c8fd474 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -1070,6 +1070,9 @@ static HANDSHAKE_RESULT *do_handshake_internal(
EVP_PKEY_free(tmp_key);
}
+ SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash);
+ SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash);
+
ret->server_cert_type = peer_pkey_type(client.ssl);
ret->client_cert_type = peer_pkey_type(server.ssl);
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index 1cdd6fa..604eed9 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -47,8 +47,12 @@ typedef struct handshake_result {
int tmp_key_type;
/* server certificate key type */
int server_cert_type;
+ /* server signing hash */
+ int server_sign_hash;
/* client certificate key type */
int client_cert_type;
+ /* client signing hash */
+ int client_sign_hash;
} HANDSHAKE_RESULT;
HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 5b725c7..a917098 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -543,6 +543,7 @@ client = 18-client-auth-TLSv1.2-require-client
[18-client-auth-TLSv1.2-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+ClientSignatureAlgorithms = SHA256+RSA
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
@@ -560,6 +561,7 @@ VerifyMode = Peer
[test-18]
ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
ExpectedResult = Success
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index 8738f90..d45e399 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -33,6 +33,13 @@ sub generate_tests() {
} else {
$caalert = "UnknownCA";
}
+ my $clihash;
+ my $clisigalgs;
+ # TODO add TLSv1.3 versions
+ if ($protocol_name eq "TLSv1.2") {
+ $clihash = "SHA256";
+ $clisigalgs = "SHA256+RSA";
+ }
# Sanity-check simple handshake.
push @tests, {
name => "server-auth-${protocol_name}",
@@ -87,6 +94,7 @@ sub generate_tests() {
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
+ "ClientSignatureAlgorithms" => $clisigalgs,
"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
"VerifyMode" => "Request",
},
@@ -98,6 +106,7 @@ sub generate_tests() {
},
test => { "ExpectedResult" => "Success",
"ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => $clihash,
},
};
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index dbb339d..c663b7e 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -111,6 +111,7 @@ VerifyMode = Peer
[test-3]
ExpectedResult = Success
ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
# ===========================================================
@@ -163,5 +164,6 @@ VerifyMode = Peer
[test-5]
ExpectedResult = Success
ExpectedServerCertType = RSA
+ExpectedServerSignHash = SHA256
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index d348491..e8bac76 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -59,7 +59,8 @@ our @tests = (
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
- "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
"ExpectedResult" => "Success"
},
},
@@ -80,7 +81,8 @@ our @tests = (
"SignatureAlgorithms" => "RSA+SHA256",
},
test => {
- "ExpectedServerCertType" =>, "RSA",
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
"ExpectedResult" => "Success"
},
}
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 0d0c35e..58ddca4 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -187,36 +187,48 @@ static int check_resumption(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
return 1;
}
-static int check_key_type(const char *name, int expected_key_type, int key_type)
+static int check_nid(const char *name, int expected_nid, int nid)
{
- if (expected_key_type == 0 || expected_key_type == key_type)
+ if (expected_nid == 0 || expected_nid == nid)
return 1;
fprintf(stderr, "%s type mismatch, %s vs %s\n",
- name, OBJ_nid2ln(expected_key_type),
- key_type == NID_undef ? "absent" : OBJ_nid2ln(key_type));
+ name, OBJ_nid2ln(expected_nid),
+ nid == NID_undef ? "absent" : OBJ_nid2ln(nid));
return 0;
}
static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
{
- return check_key_type("Tmp key", test_ctx->expected_tmp_key_type,
- result->tmp_key_type);
+ return check_nid("Tmp key", test_ctx->expected_tmp_key_type,
+ result->tmp_key_type);
}
static int check_server_cert_type(HANDSHAKE_RESULT *result,
SSL_TEST_CTX *test_ctx)
{
- return check_key_type("Server certificate",
- test_ctx->expected_server_cert_type,
- result->server_cert_type);
+ return check_nid("Server certificate", test_ctx->expected_server_cert_type,
+ result->server_cert_type);
+}
+
+static int check_server_sign_hash(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server signing hash", test_ctx->expected_server_sign_hash,
+ result->server_sign_hash);
}
static int check_client_cert_type(HANDSHAKE_RESULT *result,
SSL_TEST_CTX *test_ctx)
{
- return check_key_type("Client certificate",
- test_ctx->expected_client_cert_type,
- result->client_cert_type);
+ return check_nid("Client certificate", test_ctx->expected_client_cert_type,
+ result->client_cert_type);
+}
+
+static int check_client_sign_hash(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client signing hash", test_ctx->expected_client_sign_hash,
+ result->client_sign_hash);
}
/*
@@ -241,7 +253,9 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
ret &= check_resumption(result, test_ctx);
ret &= check_tmp_key(result, test_ctx);
ret &= check_server_cert_type(result, test_ctx);
+ ret &= check_server_sign_hash(result, test_ctx);
ret &= check_client_cert_type(result, test_ctx);
+ ret &= check_client_sign_hash(result, test_ctx);
}
return ret;
}
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index f8d5ecd..242602d 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -480,6 +480,39 @@ __owur static int parse_expected_client_cert_type(SSL_TEST_CTX *test_ctx,
value);
}
+/*************************/
+/* Expected signing hash */
+/*************************/
+
+__owur static int parse_expected_sign_hash(int *ptype, const char *value)
+{
+ int nid;
+
+ if (value == NULL)
+ return 0;
+ nid = OBJ_sn2nid(value);
+ if (nid == NID_undef)
+ nid = OBJ_ln2nid(value);
+ if (nid == NID_undef)
+ return 0;
+ *ptype = nid;
+ return 1;
+}
+
+__owur static int parse_expected_server_sign_hash(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash,
+ value);
+}
+
+__owur static int parse_expected_client_sign_hash(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash,
+ value);
+}
+
/*************************************************************/
/* Known test options and their corresponding parse methods. */
/*************************************************************/
@@ -506,7 +539,9 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "MaxFragmentSize", &parse_test_max_fragment_size },
{ "ExpectedTmpKeyType", &parse_expected_tmp_key_type },
{ "ExpectedServerCertType", &parse_expected_server_cert_type },
+ { "ExpectedServerSignHash", &parse_expected_server_sign_hash },
{ "ExpectedClientCertType", &parse_expected_client_cert_type },
+ { "ExpectedClientSignHash", &parse_expected_client_sign_hash },
};
/* Nested client options. */
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index f67f01a..b34efe3 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -163,8 +163,12 @@ typedef struct {
int expected_tmp_key_type;
/* Expected server certificate key type */
int expected_server_cert_type;
+ /* Expected server signing hash */
+ int expected_server_sign_hash;
/* Expected client certificate key type */
int expected_client_cert_type;
+ /* Expected client signing hash */
+ int expected_client_sign_hash;
} SSL_TEST_CTX;
const char *ssl_test_result_name(ssl_test_result_t result);
More information about the openssl-commits
mailing list