[openssl] master update
tomas at openssl.org
tomas at openssl.org
Mon Feb 14 09:21:20 UTC 2022
The branch master has been updated
via 065121ff198a84106023013420dedd57ac4ff53a (commit)
from c920020f0bb13f0d2bf0fcad5c7ee63458b633b4 (commit)
- Log -----------------------------------------------------------------
commit 065121ff198a84106023013420dedd57ac4ff53a
Author: Armin Fuerst <armin at fuerst.priv.at>
Date: Fri Feb 4 20:35:54 2022 +0100
Add tests for do_updatedb
Fixes #13944
Moved "opt_printf_stderr" out of apps.c to avoid duplicate definition in tests.
Added function "asn1_string_to_time_t" including tests.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17645)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 9 +-
apps/include/apps.h | 4 +-
apps/lib/apps.c | 14 +-
os-dep/haiku.h => apps/lib/apps_opt_printf.c | 18 ++-
apps/lib/build.info | 2 +-
crypto/asn1/a_time.c | 40 +++++-
include/crypto/asn1.h | 4 +-
test/asn1_time_test.c | 65 ++++++++-
test/build.info | 12 +-
test/ca_internals_test.c | 93 +++++++++++++
test/recipes/80-test_ca_internals.t | 165 +++++++++++++++++++++++
test/recipes/80-test_ca_internals_data/index.txt | 4 +
12 files changed, 403 insertions(+), 27 deletions(-)
copy os-dep/haiku.h => apps/lib/apps_opt_printf.c (52%)
create mode 100644 test/ca_internals_test.c
create mode 100644 test/recipes/80-test_ca_internals.t
create mode 100644 test/recipes/80-test_ca_internals_data/index.txt
diff --git a/apps/ca.c b/apps/ca.c
index 8de58288ba..454c218d98 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -129,7 +129,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
CONF *conf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign, unsigned long dateopt);
static int get_certificate_status(const char *ser_status, CA_DB *db);
-static int do_updatedb(CA_DB *db);
static int check_time_format(const char *str);
static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
const char *extval);
@@ -755,7 +754,7 @@ end_of_options:
if (verbose)
BIO_printf(bio_err, "Updating %s ...\n", dbfile);
- i = do_updatedb(db);
+ i = do_updatedb(db, NULL);
if (i == -1) {
BIO_printf(bio_err, "Malloc failure\n");
goto end;
@@ -2290,7 +2289,7 @@ static int get_certificate_status(const char *serial, CA_DB *db)
return ok;
}
-static int do_updatedb(CA_DB *db)
+int do_updatedb(CA_DB *db, time_t *now)
{
ASN1_TIME *a_tm = NULL;
int i, cnt = 0;
@@ -2301,7 +2300,7 @@ static int do_updatedb(CA_DB *db)
return -1;
/* get actual time */
- if (X509_gmtime_adj(a_tm, 0) == NULL) {
+ if (X509_time_adj(a_tm, 0, now) == NULL) {
ASN1_TIME_free(a_tm);
return -1;
}
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 28c2bbdad2..c567ed5664 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -221,6 +221,8 @@ typedef struct ca_db_st {
# endif
} CA_DB;
+extern int do_updatedb(CA_DB *db, time_t *now);
+
void app_bail_out(char *fmt, ...);
void *app_malloc(size_t sz, const char *what);
BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 77edc1d936..021371201b 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -3247,18 +3247,6 @@ void make_uppercase(char *string)
string[i] = toupper((unsigned char)string[i]);
}
-/* This function is defined here due to visibility of bio_err */
-int opt_printf_stderr(const char *fmt, ...)
-{
- va_list ap;
- int ret;
-
- va_start(ap, fmt);
- ret = BIO_vprintf(bio_err, fmt, ap);
- va_end(ap);
- return ret;
-}
-
OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
const OSSL_PARAM *paramdefs)
{
diff --git a/os-dep/haiku.h b/apps/lib/apps_opt_printf.c
similarity index 52%
copy from os-dep/haiku.h
copy to apps/lib/apps_opt_printf.c
index 18e8a59baf..e15f4b795e 100644
--- a/os-dep/haiku.h
+++ b/apps/lib/apps_opt_printf.c
@@ -7,5 +7,19 @@
* https://www.openssl.org/source/license.html
*/
-#include <sys/select.h>
-#include <sys/time.h>
+#include "opt.h"
+#include <openssl/ui.h>
+#include "apps_ui.h"
+
+/* This function is defined here due to visibility of bio_err */
+int opt_printf_stderr(const char *fmt, ...)
+{
+ va_list ap;
+ int ret;
+
+ va_start(ap, fmt);
+ ret = BIO_vprintf(bio_err, fmt, ap);
+ va_end(ap);
+ return ret;
+}
+
diff --git a/apps/lib/build.info b/apps/lib/build.info
index 923ef5d92b..727d924745 100644
--- a/apps/lib/build.info
+++ b/apps/lib/build.info
@@ -10,7 +10,7 @@ ENDIF
# Source for libapps
$LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \
columns.c app_params.c names.c app_provider.c app_x509.c http_server.c \
- engine.c engine_loader.c app_libctx.c
+ engine.c engine_loader.c app_libctx.c apps_opt_printf.c
IF[{- !$disabled{apps} -}]
LIBS{noinst}=../libapps.a
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 9b3074e47e..e9df23af92 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -589,3 +589,41 @@ int ASN1_TIME_compare(const ASN1_TIME *a, const ASN1_TIME *b)
return -1;
return 0;
}
+
+/*
+ * tweak for Windows
+ */
+#ifdef WIN32
+# define timezone _timezone
+#endif
+
+time_t asn1_string_to_time_t(const char *asn1_string)
+{
+ ASN1_TIME *timestamp_asn1 = NULL;
+ struct tm *timestamp_tm = NULL;
+ time_t timestamp_local;
+ time_t timestamp_utc;
+
+ timestamp_asn1 = ASN1_TIME_new();
+ if (!ASN1_TIME_set_string(timestamp_asn1, asn1_string))
+ {
+ ASN1_TIME_free(timestamp_asn1);
+ return -1;
+ }
+
+ timestamp_tm = OPENSSL_malloc(sizeof(*timestamp_tm));
+
+ if (!(ASN1_TIME_to_tm(timestamp_asn1, timestamp_tm))) {
+ OPENSSL_free(timestamp_tm);
+ ASN1_TIME_free(timestamp_asn1);
+ return -1;
+ }
+
+ timestamp_local = mktime(timestamp_tm);
+ OPENSSL_free(timestamp_tm);
+
+ timestamp_utc = timestamp_local - timezone;
+
+ ASN1_TIME_free(timestamp_asn1);
+ return timestamp_utc;
+}
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
index ff02cac573..26e48ef717 100644
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -147,4 +147,6 @@ EVP_PKEY * ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a,
OSSL_LIB_CTX *libctx, const char *propq);
X509_ALGOR *ossl_X509_ALGOR_from_nid(int nid, int ptype, void *pval);
+time_t asn1_string_to_time_t(const char *asn1_string);
+
#endif /* ndef OSSL_CRYPTO_ASN1_H */
diff --git a/test/asn1_time_test.c b/test/asn1_time_test.c
index 9dbad22a2d..2383ec25c9 100644
--- a/test/asn1_time_test.c
+++ b/test/asn1_time_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,6 +12,7 @@
#include <stdio.h>
#include <string.h>
+#include <crypto/asn1.h>
#include <openssl/asn1.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
@@ -28,6 +29,53 @@ struct testdata {
int convert_result; /* conversion result */
};
+struct TESTDATA_asn1_to_utc {
+ char *input;
+ time_t expected;
+};
+
+static const struct TESTDATA_asn1_to_utc asn1_to_utc[] = {
+ {
+ /*
+ * last second of standard time in central Europe in 2021
+ * specified in GMT
+ */
+ "210328005959Z",
+ 1616893199,
+ },
+ {
+ /*
+ * first second of daylight saving time in central Europe in 2021
+ * specified in GMT
+ */
+ "210328010000Z",
+ 1616893200,
+ },
+ {
+ /*
+ * last second of standard time in central Europe in 2021
+ * specified in offset to GMT
+ */
+ "20210328015959+0100",
+ 1616893199,
+ },
+ {
+ /*
+ * first second of daylight saving time in central Europe in 2021
+ * specified in offset to GMT
+ */
+ "20210328030000+0200",
+ 1616893200,
+ },
+ {
+ /*
+ * Invalid strings should get -1 as a result
+ */
+ "INVALID",
+ -1,
+ },
+};
+
static struct testdata tbl_testdata_pos[] = {
{ "0", V_ASN1_GENERALIZEDTIME, V_ASN1_GENERALIZEDTIME, 0, 0, 0, 0, }, /* Bad time */
{ "ABCD", V_ASN1_GENERALIZEDTIME, V_ASN1_GENERALIZEDTIME, 0, 0, 0, 0, },
@@ -379,6 +427,20 @@ static int test_time_dup(void)
return ret;
}
+static int convert_asn1_to_time_t(int idx)
+{
+ time_t testdateutc;
+
+ testdateutc = asn1_string_to_time_t(asn1_to_utc[idx].input);
+
+ if (!TEST_time_t_eq(testdateutc, asn1_to_utc[idx].expected)) {
+ TEST_info("asn1_string_to_time_t (%s) failed: expected %li, got %li\n",
+ asn1_to_utc[idx].input, asn1_to_utc[idx].expected, (signed long) testdateutc);
+ return 0;
+ }
+ return 1;
+}
+
int setup_tests(void)
{
/*
@@ -414,5 +476,6 @@ int setup_tests(void)
}
ADD_ALL_TESTS(test_table_compare, OSSL_NELEM(tbl_compare_testdata));
ADD_TEST(test_time_dup);
+ ADD_ALL_TESTS(convert_asn1_to_time_t, OSSL_NELEM(asn1_to_utc));
return 1;
}
diff --git a/test/build.info b/test/build.info
index 188b850beb..f304c4cef2 100644
--- a/test/build.info
+++ b/test/build.info
@@ -62,7 +62,7 @@ IF[{- !$disabled{tests} -}]
context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
keymgmt_internal_test hexstr_test provider_status_test defltfips_test \
bio_readbuffer_test user_property_test pkcs7_test upcallstest \
- provfetchtest prov_config_test rand_test
+ provfetchtest prov_config_test rand_test ca_internals_test
IF[{- !$disabled{'deprecated-3.0'} -}]
PROGRAMS{noinst}=enginetest
@@ -575,6 +575,13 @@ IF[{- !$disabled{tests} -}]
INCLUDE[cmp_client_test]=.. ../include ../apps/include
DEPEND[cmp_client_test]=../libcrypto.a libtestutil.a
+ SOURCE[ca_internals_test]=ca_internals_test.c ../apps/ca.c ../apps/lib/apps.c \
+ ../apps/lib/app_rand.c ../apps/lib/engine.c ../apps/lib/app_provider.c \
+ ../apps/lib/app_libctx.c ../apps/lib/fmt.c ../apps/lib/apps_ui.c \
+ ../apps/lib/app_x509.c ../crypto/asn1/a_time.c ../crypto/ctype.c
+ INCLUDE[ca_internals_test]=.. ../include ../apps/include
+ DEPEND[ca_internals_test]=libtestutil.a ../libssl
+
# Internal test programs. These are essentially a collection of internal
# test routines. Some of them need to reach internal symbols that aren't
# available through the shared library (at least on Linux, Solaris, Windows
@@ -780,7 +787,8 @@ IF[{- !$disabled{tests} -}]
ENDIF
PROGRAMS{noinst}=asn1_time_test
- SOURCE[asn1_time_test]=asn1_time_test.c
+ SOURCE[asn1_time_test]=asn1_time_test.c ../crypto/ctype.c \
+ ../crypto/asn1/a_time.c
INCLUDE[asn1_time_test]=../include ../apps/include
DEPEND[asn1_time_test]=../libcrypto libtestutil.a
diff --git a/test/ca_internals_test.c b/test/ca_internals_test.c
new file mode 100644
index 0000000000..2928e5b0b3
--- /dev/null
+++ b/test/ca_internals_test.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include "apps.h"
+#include "testutil.h"
+#include "crypto/asn1.h"
+
+#define binname "ca_internals_test"
+
+char *default_config_file = NULL;
+
+static int test_do_updatedb(void)
+{
+ CA_DB *db = NULL;
+ time_t testdateutc;
+ int rv;
+ size_t argc = test_get_argument_count();
+ BIO *bio_tmp;
+ char *testdate;
+ char *indexfile;
+ int need64bit;
+ int have64bit;
+
+ if (argc != 4) {
+ TEST_error("Usage: %s: do_updatedb dbfile testdate need64bit\n", binname);
+ TEST_error(" testdate format: ASN1-String\n");
+ return 0;
+ }
+
+ /*
+ * if the test will only work with 64bit time_t and
+ * the build only supports 32, assume the test as success
+ */
+ need64bit = (int)strtol(test_get_argument(3), NULL, 0);
+ have64bit = sizeof(time_t) > sizeof(uint32_t);
+ if (need64bit && !have64bit) {
+ BIO_printf(bio_out, "skipping test (need64bit: %i, have64bit: %i)",
+ need64bit, have64bit);
+ return 1;
+ }
+
+ testdate = test_get_argument(2);
+ testdateutc = asn1_string_to_time_t(testdate);
+ if (TEST_time_t_lt(testdateutc, 0)) {
+ return 0;
+ }
+
+ indexfile = test_get_argument(1);
+ db = load_index(indexfile, NULL);
+ if (TEST_ptr_null(db)) {
+ return 0;
+ }
+
+ bio_tmp = bio_err;
+ bio_err = bio_out;
+ rv = do_updatedb(db, &testdateutc);
+ bio_err = bio_tmp;
+
+ if (rv > 0) {
+ if (!TEST_true(save_index(indexfile, "new", db)))
+ goto end;
+
+ if (!TEST_true(rotate_index(indexfile, "new", "old")))
+ goto end;
+ }
+end:
+ free_index(db);
+ return 1;
+}
+
+int setup_tests(void)
+{
+ char *command = test_get_argument(0);
+
+ if (test_get_argument_count() < 1) {
+ TEST_error("%s: no command specified for testing\n", binname);
+ return 0;
+ }
+
+ if (strcmp(command, "do_updatedb") == 0)
+ return test_do_updatedb();
+
+ TEST_error("%s: command '%s' is not supported for testing\n", binname, command);
+ return 0;
+}
+
diff --git a/test/recipes/80-test_ca_internals.t b/test/recipes/80-test_ca_internals.t
new file mode 100644
index 0000000000..b84abdfa66
--- /dev/null
+++ b/test/recipes/80-test_ca_internals.t
@@ -0,0 +1,165 @@
+#! /usr/bin/env perl
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use POSIX;
+use OpenSSL::Test qw/:DEFAULT data_file/;
+use File::Copy;
+
+setup('test_ca_internals');
+
+my @updatedb_tests = (
+ {
+ description => 'updatedb called before the first certificate expires',
+ filename => 'index.txt',
+ copydb => 1,
+ testdate => '990101000000Z',
+ need64bit => 0,
+ expirelist => [ ]
+ },
+ {
+ description => 'updatedb called before Y2k',
+ filename => 'index.txt',
+ copydb => 0,
+ testdate => '991201000000Z',
+ need64bit => 0,
+ expirelist => [ '1000' ]
+ },
+ {
+ description => 'updatedb called after year 2020',
+ filename => 'index.txt',
+ copydb => 0,
+ testdate => '211201000000Z',
+ need64bit => 0,
+ expirelist => [ '1001' ]
+ },
+ {
+ description => 'updatedb called in year 2049 (last year with 2 digits)',
+ filename => 'index.txt',
+ copydb => 0,
+ testdate => '491201000000Z',
+ need64bit => 1,
+ expirelist => [ '1002' ]
+ },
+ {
+ description => 'updatedb called in year 2050 (first year with 4 digits) before the last certificate expires',
+ filename => 'index.txt',
+ copydb => 0,
+ testdate => '20500101000000Z',
+ need64bit => 1,
+ expirelist => [ ]
+ },
+ {
+ description => 'updatedb called after the last certificate expired',
+ filename => 'index.txt',
+ copydb => 0,
+ testdate => '20501201000000Z',
+ need64bit => 1,
+ expirelist => [ '1003' ]
+ },
+ {
+ description => 'updatedb called for the first time after the last certificate expired',
+ filename => 'index.txt',
+ copydb => 1,
+ testdate => '20501201000000Z',
+ need64bit => 1,
+ expirelist => [ '1000',
+ '1001',
+ '1002',
+ '1003' ]
+ }
+);
+
+my @unsupported_commands = (
+ {
+ command => 'unsupported'
+ }
+);
+
+# every "test_updatedb" makes 3 checks
+plan tests => 3 * scalar(@updatedb_tests) +
+ 1 * scalar(@unsupported_commands);
+
+
+foreach my $test (@updatedb_tests) {
+ test_updatedb($test);
+}
+foreach my $test (@unsupported_commands) {
+ test_unsupported_commands($test);
+}
+
+
+################### subs to do tests per supported command ################
+
+sub test_unsupported_commands {
+ my ($opts) = @_;
+
+ run(
+ test(['ca_internals_test',
+ $opts->{command}
+ ]),
+ capture => 0,
+ statusvar => \my $exit
+ );
+
+ is($exit, 0, "command '".$opts->{command}."' completed without an error");
+}
+
+sub test_updatedb {
+ my ($opts) = @_;
+ my $amtexpectedexpired = scalar(@{$opts->{expirelist}});
+ my @output;
+ my $expirelistcorrect = 1;
+ my $cert;
+ my $amtexpired = 0;
+ my $skipped = 0;
+
+ if ($opts->{copydb}) {
+ copy(data_file('index.txt'), 'index.txt');
+ }
+
+ @output = run(
+ test(['ca_internals_test',
+ "do_updatedb",
+ $opts->{filename},
+ $opts->{testdate},
+ $opts->{need64bit}
+ ]),
+ capture => 1,
+ statusvar => \my $exit
+ );
+
+ foreach my $tmp (@output) {
+ ($cert) = $tmp =~ /^[\x20\x23]*[^0-9A-Fa-f]*([0-9A-Fa-f]+)=Expired/;
+ if ($tmp =~ /^[\x20\x23]*skipping test/) {
+ $skipped = 1;
+ }
+ if (defined($cert) && (length($cert) > 0)) {
+ $amtexpired++;
+ my $expirefound = 0;
+ foreach my $expire (@{$opts->{expirelist}}) {
+ if ($expire eq $cert) {
+ $expirefound = 1;
+ }
+ }
+ if ($expirefound != 1) {
+ $expirelistcorrect = 0;
+ }
+ }
+ }
+
+ if ($skipped) {
+ $amtexpired = $amtexpectedexpired;
+ $expirelistcorrect = 1;
+ }
+ is($exit, 1, "ca_internals_test: returned EXIT_FAILURE (".$opts->{description}.")");
+ is($amtexpired, $amtexpectedexpired, "ca_internals_test: amount of expired certificates differs from expected amount (".$opts->{description}.")");
+ is($expirelistcorrect, 1, "ca_internals_test: list of expired certificates differs from expected list (".$opts->{description}.")");
+}
diff --git a/test/recipes/80-test_ca_internals_data/index.txt b/test/recipes/80-test_ca_internals_data/index.txt
new file mode 100644
index 0000000000..e528e8cd43
--- /dev/null
+++ b/test/recipes/80-test_ca_internals_data/index.txt
@@ -0,0 +1,4 @@
+V 990501230004Z 1000 unknown /C=AT/ST=Austria/L=OpenSSL/O=OpenSSL/OU=OpenSSL/CN=1999
+V 200430230003Z 1001 unknown /C=AT/ST=Austria/L=OpenSSL/O=OpenSSL/OU=OpenSSL/CN=2020
+V 490501230003Z 1002 unknown /C=AT/ST=Austria/L=OpenSSL/O=OpenSSL/OU=OpenSSL/CN=2049
+V 20500501230003Z 1003 unknown /C=AT/ST=Austria/L=OpenSSL/O=OpenSSL/OU=OpenSSL/CN=2050
More information about the openssl-commits
mailing list