[openssl] master update
Matt Caswell
matt at openssl.org
Tue Dec 14 16:33:55 UTC 2021
The branch master has been updated
via 0fcf2351ecff5db21cba431704e4da631b74904a (commit)
via 752aa4a6f0f3098258fb6be5592fd18929da59c0 (commit)
via 3269c8bd9489cf9b03abceab5dee24f831a5e492 (commit)
via 6894e20b50c1204bfc990093b4e7ccd10f92865d (commit)
via c1c1bb7c5e2baa109baec62d2af09d24caae5557 (commit)
via 5eef9e1deb11d769dff3b76a21634e39bd533336 (commit)
from 32a3b9b766315a799982ddda82dc40c338b614f7 (commit)
- Log -----------------------------------------------------------------
commit 0fcf2351ecff5db21cba431704e4da631b74904a
Author: Matt Caswell <matt at openssl.org>
Date: Fri Dec 3 15:28:31 2021 +0000
Add a test case for the name constraints bug
Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acceptable.
However, and OpenSSL bug meant that an internal error was being reported.
This adds a test case for that scenario.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas at openssl.org>
commit 752aa4a6f0f3098258fb6be5592fd18929da59c0
Author: Matt Caswell <matt at openssl.org>
Date: Fri Dec 3 15:18:27 2021 +0000
Add a TLS test for name constraints with an EE cert without a SAN
It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas at openssl.org>
commit 3269c8bd9489cf9b03abceab5dee24f831a5e492
Author: Matt Caswell <matt at openssl.org>
Date: Thu Dec 2 17:26:15 2021 +0000
Add a new Name Constraints test cert
Add a cert which complies with the name constraints but has no
SAN extension
Reviewed-by: Tomas Mraz <tomas at openssl.org>
commit 6894e20b50c1204bfc990093b4e7ccd10f92865d
Author: Tobias Nießen <tniessen at tnie.de>
Date: Mon Nov 29 03:41:20 2021 +0000
Fix infinite verification loops due to has_san_id
Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extension.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
commit c1c1bb7c5e2baa109baec62d2af09d24caae5557
Author: Matt Caswell <matt at openssl.org>
Date: Fri Dec 3 15:56:58 2021 +0000
Fix invalid handling of verify errors in libssl
In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas at openssl.org>
commit 5eef9e1deb11d769dff3b76a21634e39bd533336
Author: Matt Caswell <matt at openssl.org>
Date: Tue Dec 14 13:15:58 2021 +0000
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 26 ++++++++++++++++++++-
NEWS.md | 12 +++++++---
crypto/x509/x509_vfy.c | 2 +-
ssl/ssl_cert.c | 15 ++++++++++--
ssl/statem/statem_clnt.c | 2 +-
test/certs/goodcn2-cert.pem | 19 ++++++++++++++++
test/certs/{ncca1-cert.pem => goodcn2-chain.pem} | 19 ++++++++++++++++
test/certs/goodcn2-key.pem | 28 +++++++++++++++++++++++
test/certs/mkcert.sh | 29 +++++++++++++++++-------
test/certs/setup.sh | 6 +++++
test/recipes/25-test_verify.t | 5 +++-
test/ssl-tests/01-simple.cnf | 26 ++++++++++++++++++++-
test/ssl-tests/01-simple.cnf.in | 12 ++++++++++
13 files changed, 183 insertions(+), 18 deletions(-)
create mode 100644 test/certs/goodcn2-cert.pem
copy test/certs/{ncca1-cert.pem => goodcn2-chain.pem} (52%)
create mode 100644 test/certs/goodcn2-key.pem
diff --git a/CHANGES.md b/CHANGES.md
index 11e5864c83..8fd7e7288a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -72,13 +72,37 @@ OpenSSL 3.1
### Changes between 3.0.0 and 3.0.1 [xx XXX xxxx]
+ * Fixed invalid handling of X509_verify_cert() internal errors in libssl
+ Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
+ verify a certificate supplied by a server. That function may return a
+ negative return value to indicate an internal error (for example out of
+ memory). Such a negative return value is mishandled by OpenSSL and will cause
+ an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
+ success and a subsequent call to SSL_get_error() to return the value
+ SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
+ returned by OpenSSL if the application has previously called
+ SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
+ the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
+ totally unexpected and applications may not behave correctly as a result. The
+ exact behaviour will depend on the application but it could result in
+ crashes, infinite loops or other similar incorrect responses.
+
+ This issue is made more serious in combination with a separate bug in OpenSSL
+ 3.0 that will cause X509_verify_cert() to indicate an internal error when
+ processing a certificate chain. This will occur where a certificate does not
+ include the Subject Alternative Name extension but where a Certificate
+ Authority has enforced name constraints. This issue can occur even with valid
+ chains.
+ ([CVE-2021-4044])
+
+ *Matt Caswell*
+
* Corrected a few file name and file reference bugs in the build,
installation and setup scripts, which lead to installation verification
failures. Slightly enhanced the installation verification script.
*Richard Levitte*
-
OpenSSL 3.0
-----------
diff --git a/NEWS.md b/NEWS.md
index 720cec7330..9da16da913 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -21,13 +21,19 @@ OpenSSL 3.1
### Major changes between OpenSSL 3.0 and OpenSSL 3.1 [under development]
- * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
- by default.
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default.
OpenSSL 3.0
-----------
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0
+### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1
+ * Fixed invalid handling of X509_verify_cert() internal errors in libssl
+ ([CVE-2021-4044])
+ * Allow fetching an operation from the provider that owns an unexportable key
+ as a fallback if that is still allowed by the property query.
+
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0
* Enhanced 'openssl list' with many new options.
* Added migration guide to man7.
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7221bbe050..8ab6381daf 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -630,7 +630,7 @@ static int has_san_id(X509 *x, int gtype)
GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gs == NULL)
- return -1;
+ return 0;
for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index e77b6ec097..82028ec5b7 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -362,6 +362,13 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
c->cert_cb_arg = arg;
}
+/*
+ * Verify a certificate chain
+ * Return codes:
+ * 1: Verify success
+ * 0: Verify failure or error
+ * -1: Retry required
+ */
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
{
X509 *x;
@@ -423,10 +430,14 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
- if (s->ctx->app_verify_callback != NULL)
+ if (s->ctx->app_verify_callback != NULL) {
i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg);
- else
+ } else {
i = X509_verify_cert(ctx);
+ /* We treat an error in the same way as a failure to verify */
+ if (i < 0)
+ i = 0;
+ }
s->verify_result = X509_STORE_CTX_get_error(ctx);
sk_X509_pop_free(s->verified_chain, X509_free);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 61f035ca58..12f77690cd 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1878,7 +1878,7 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst)
* (less clean) historic behaviour of performing validation if any flag is
* set. The *documented* interface remains the same.
*/
- if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
+ if (s->verify_mode != SSL_VERIFY_NONE && i == 0) {
SSLfatal(s, ssl_x509err2alert(s->verify_result),
SSL_R_CERTIFICATE_VERIFY_FAILED);
return WORK_ERROR;
diff --git a/test/certs/goodcn2-cert.pem b/test/certs/goodcn2-cert.pem
new file mode 100644
index 0000000000..d22f899636
--- /dev/null
+++ b/test/certs/goodcn2-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe
+kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0
+UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B
+0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR
+Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9
+QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX
+dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn
+ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8
+S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM
+D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2
+1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L
+yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg
+fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK
+-----END CERTIFICATE-----
diff --git a/test/certs/ncca1-cert.pem b/test/certs/goodcn2-chain.pem
similarity index 52%
copy from test/certs/ncca1-cert.pem
copy to test/certs/goodcn2-chain.pem
index 68cb870f18..01b7f47f7d 100644
--- a/test/certs/ncca1-cert.pem
+++ b/test/certs/goodcn2-chain.pem
@@ -1,4 +1,23 @@
-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe
+kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0
+UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B
+0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR
+Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9
+QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX
+dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn
+ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8
+S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM
+D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2
+1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L
+yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg
+fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD
DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC
diff --git a/test/certs/goodcn2-key.pem b/test/certs/goodcn2-key.pem
new file mode 100644
index 0000000000..09337552a7
--- /dev/null
+++ b/test/certs/goodcn2-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDqx1t7HiPekRAW
+diGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0UZ6R
+ZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B0led
+8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJRIg93
+qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9QDyJ
+VuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmXdwSp
+0LEmQb/DAgMBAAECggEAIdXrXDoCx1+2ptYNjuZIvqghBhNa38foP9YLYGOCZI82
+QUoIUWvJLY/74E3GI6GwjExhVbbo05ZzuNafv4fecMlx9YIerAytje5RSvw8FvPO
+rP/RF/CSzFhB+KxCNbPt5fPYGOoUrfjHgc74jyqHEPsYsseDSe0O5UOLkZHaRHQX
+bOhj/lXCN1KKsK+UXscRO55T5SRmHAe4RWaXX3Z4H6FGabKY+AVkT5GWq814PIFU
+amoch4TwAKgAY8h7kpkfVgLNe3hLddLU0roakfM1cZdpf9n0EGGi21KluNvSa09a
+tiDifv5WDkIQ/Ca2fUvE27atMb1gm4bUzp5OoTWhoQKBgQDrfuxqvouVvM3AyxUY
+e6r7vegg5NiODjpBlT/QUqJjhqTSw6Tq4/f5VWnLy3bzipwvzxFQ8E2LjQMtl2Su
+aQ8jSb9jwpmmWCoOecRExWgboYPzpczhnXpF4DIYhyomBKTBVbk9EI0wJ/tx9F1B
+XCHhA3z8tJvkPTM+QAGGJxdcEQKBgQD/OHN4ujRZ5NgXZp4L9VDosMREvRUbwz+4
+7fgQ70JKdWIVbKFa5/TVIObspLZoRI0jaa4OaaE3v6rqF/yxdPsaPAXW7URR7K52
+HbI41skH0bcflISDdeTpqmlIRAzHG7MeAobV/ARmCnLpa7Lt4p8wT+zAzuY+ncv3
+DabNjePCkwKBgQDoVH/Jj9MGFw6mdbSKQvedBO5OBXfgLgkrSqN6UwwCRIO3q2y4
+j8/FHI8Tj9f6zXTpddAPmgPm+Wd5QzMBHoTgu5EmSoZrpe9X+Km5b0gWenJDnf9T
+Vpma9mR17mOWvl4MnxXxOLMSH1/iPMMECHEkHNziMwzZT8eOUncucsKJAQKBgEnp
+62c3ZhnysLJ2Qads8HWzW+QcbpSPw1CneoRNBoHR5QoXX9OYAcwHr1kxirI/yDBN
+Vt9NsCcZF0Kcl8489svuPjK0nGithwkmKItViPr+vW4j8QyxhA44EC2hp6GyX/l8
++dfXGN8Ef6siSbujOj8fpo1gXkYcJQnzpi85vJCJAoGAdheX12Afx94YbljuaCdT
+T/E+t6xHHnDCpETHmsLh53H03Kv91JCrANMu+BZzKUXI+FW06GJB43S26hF5s+k5
+ZAjJKpgbVC1Jo4Zq5SjlCQhiOvwJ9rt2/6g7qzHZsQMjY/FZKd+8PMgPxWkvjeI7
+lAagooTJyC/VDf6LB05mitg=
+-----END PRIVATE KEY-----
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 8ccf7bc6e3..c3f7ac14b5 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -195,6 +195,23 @@ genpc() {
-set_serial 2 -days "${DAYS}"
}
+geneeconfig() {
+ local key=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local ca=$1; shift
+ local conf=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:false"; \
+ echo "$conf")
+
+ cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}"
+}
+
# Usage: $0 geneealt keyname certname cakeyname cacertname alt1 alt2 ...
#
# Note: takes csr on stdin, so must be used with $0 req like this:
@@ -206,15 +223,11 @@ geneealt() {
local cakey=$1; shift
local ca=$1; shift
- exts=$(printf "%s\n%s\n%s\n%s\n" \
- "subjectKeyIdentifier = hash" \
- "authorityKeyIdentifier = keyid" \
- "basicConstraints = CA:false" \
- "subjectAltName = @alts";
+ conf=$(echo "subjectAltName = @alts"
echo "[alts]";
- for x in "$@"; do echo $x; done)
- cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
- -set_serial 2 -days "${DAYS}"
+ for x in "$@"; do echo "$x"; done)
+
+ geneeconfig $key $cert $cakey $ca "$conf"
}
genee() {
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index f1d5d5187c..21f9355b8b 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -282,6 +282,12 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
"IP = 127.0.0.1" "IP = 192.168.0.1"
+# all DNS-like CNs allowed by CA1, no SANs
+
+./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \
+ "CN=www.good.org" | \
+ ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert
+
# Some DNS-like CNs not permitted by CA1, no DNS SANs.
./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index bcd823bcfb..700bbd849c 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 159;
+plan tests => 160;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -337,6 +337,9 @@ ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints CNs permitted");
+ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints CNs permitted - no SAN extension");
+
ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints CNs not permitted");
diff --git a/test/ssl-tests/01-simple.cnf b/test/ssl-tests/01-simple.cnf
index 7fc23f0b69..dfdd3ee337 100644
--- a/test/ssl-tests/01-simple.cnf
+++ b/test/ssl-tests/01-simple.cnf
@@ -1,10 +1,11 @@
# Generated with generate_ssl_tests.pl
-num_tests = 3
+num_tests = 4
test-0 = 0-default
test-1 = 1-Server signature algorithms bug
test-2 = 2-verify-cert
+test-3 = 3-name-constraints-no-san-in-ee
# ===========================================================
[0-default]
@@ -76,3 +77,26 @@ ExpectedClientAlert = UnknownCA
ExpectedResult = ClientFail
+# ===========================================================
+
+[3-name-constraints-no-san-in-ee]
+ssl_conf = 3-name-constraints-no-san-in-ee-ssl
+
+[3-name-constraints-no-san-in-ee-ssl]
+server = 3-name-constraints-no-san-in-ee-server
+client = 3-name-constraints-no-san-in-ee-client
+
+[3-name-constraints-no-san-in-ee-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/goodcn2-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/goodcn2-key.pem
+
+[3-name-constraints-no-san-in-ee-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/01-simple.cnf.in b/test/ssl-tests/01-simple.cnf.in
index 645b11382c..3ffd596139 100644
--- a/test/ssl-tests/01-simple.cnf.in
+++ b/test/ssl-tests/01-simple.cnf.in
@@ -39,4 +39,16 @@ our @tests = (
"ExpectedClientAlert" => "UnknownCA",
},
},
+
+ {
+ name => "name-constraints-no-san-in-ee",
+ server => {
+ "Certificate" => test_pem("goodcn2-chain.pem"),
+ "PrivateKey" => test_pem("goodcn2-key.pem"),
+ },
+ client => {
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ },
+ test => { "ExpectedResult" => "Success" },
+ },
);
More information about the openssl-commits
mailing list