[openssl] master update
Matt Caswell
matt at openssl.org
Mon Oct 11 10:39:24 UTC 2021
The branch master has been updated
via 0db3a9904fa00569905be130854a31dab7b8f49d (commit)
via cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0 (commit)
from 2b80a7490d5008fa40417b804ea16e8fee13d93d (commit)
- Log -----------------------------------------------------------------
commit 0db3a9904fa00569905be130854a31dab7b8f49d
Author: Matt Caswell <matt at openssl.org>
Date: Mon Sep 20 14:36:42 2021 +0100
Extend custom extension testing
Test the scenario where we add a custom extension to a cetificate
request and expect a response in the client's certificate message.
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0
Author: Matt Caswell <matt at openssl.org>
Date: Mon Sep 20 14:15:18 2021 +0100
New extensions can be sent in a certificate request
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message
Fixes #16632
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/extensions_cust.c | 11 ++++++-----
test/sslapitest.c | 37 ++++++++++++++++++++++++++++---------
2 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index a00194bf33..401a4c5c76 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -145,11 +145,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
}
/*
- * Extensions received in the ClientHello are marked with the
- * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
- * extensions in the ServerHello/EncryptedExtensions message
+ * Extensions received in the ClientHello or CertificateRequest are marked
+ * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
+ * extensions in the response messages
*/
- if ((context & SSL_EXT_CLIENT_HELLO) != 0)
+ if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST))
+ != 0)
meth->ext_flags |= SSL_EXT_FLAG_RECEIVED;
/* If no parse function set return success */
@@ -191,7 +192,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
| SSL_EXT_TLS1_3_CERTIFICATE
| SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) {
- /* Only send extensions present in ClientHello. */
+ /* Only send extensions present in ClientHello/CertificateRequest */
if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
continue;
}
diff --git a/test/sslapitest.c b/test/sslapitest.c
index e7a00a43e2..fbec107edb 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -5560,6 +5560,11 @@ static int sni_cb(SSL *s, int *al, void *arg)
return SSL_TLSEXT_ERR_OK;
}
+static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ return 1;
+}
+
/*
* Custom call back tests.
* Test 0: Old style callbacks in TLSv1.2
@@ -5567,6 +5572,7 @@ static int sni_cb(SSL *s, int *al, void *arg)
* Test 2: New style callbacks in TLSv1.2 with SNI
* Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
* Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
+ * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
*/
static int test_custom_exts(int tst)
{
@@ -5608,7 +5614,19 @@ static int test_custom_exts(int tst)
SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
}
- if (tst == 4) {
+ if (tst == 5) {
+ context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+ | SSL_EXT_TLS1_3_CERTIFICATE;
+ SSL_CTX_set_verify(sctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_cb);
+ if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
+ goto end;
+ } else if (tst == 4) {
context = SSL_EXT_CLIENT_HELLO
| SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_SERVER_HELLO
@@ -5704,6 +5722,12 @@ static int test_custom_exts(int tst)
|| (tst != 2 && snicb != 0)
|| (tst == 2 && snicb != 1))
goto end;
+ } else if (tst == 5) {
+ if (clntaddnewcb != 1
+ || clntparsenewcb != 1
+ || srvaddnewcb != 1
+ || srvparsenewcb != 1)
+ goto end;
} else {
/* In this case there 2 NewSessionTicket messages created */
if (clntaddnewcb != 1
@@ -5720,8 +5744,8 @@ static int test_custom_exts(int tst)
SSL_free(clientssl);
serverssl = clientssl = NULL;
- if (tst == 3) {
- /* We don't bother with the resumption aspects for this test */
+ if (tst == 3 || tst == 5) {
+ /* We don't bother with the resumption aspects for these tests */
testresult = 1;
goto end;
}
@@ -8150,11 +8174,6 @@ err:
return 0;
}
-static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
- return 1;
-}
-
static int test_client_cert_cb(int tst)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -9685,7 +9704,7 @@ int setup_tests(void)
/* Test with only TLSv1.3 versions */
ADD_ALL_TESTS(test_key_exchange, 12);
# endif
- ADD_ALL_TESTS(test_custom_exts, 5);
+ ADD_ALL_TESTS(test_custom_exts, 6);
ADD_TEST(test_stateless);
ADD_TEST(test_pha_key_update);
#else
More information about the openssl-commits
mailing list