Commit 062ed73f authored by Matt Caswell's avatar Matt Caswell
Browse files

Add some CertStatus tests 



The previous commit revealed a long standing problem where CertStatus
processing was broken in DTLS. This would have been revealed by better
testing - so add some!

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(cherry picked from commit 767ccc3b)
parent 06314c02

test/handshake_helper.c

+42 −0
Original line number Diff line number Diff line
@@ -144,6 +144,38 @@ static int servername_reject_cb(SSL *s, int *ad, void *arg) 
    return select_server_ctx(s, arg, 0);

}



static unsigned char dummy_ocsp_resp_good_val = 0xff;

static unsigned char dummy_ocsp_resp_bad_val = 0xfe;



static int server_ocsp_cb(SSL *s, void *arg)

{

    unsigned char *resp;



    resp = OPENSSL_malloc(1);

    if (resp == NULL)

        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /*

     * For the purposes of testing we just send back a dummy OCSP response

     */

    *resp = *(unsigned char *)arg;

    if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1))

        return SSL_TLSEXT_ERR_ALERT_FATAL;



    return SSL_TLSEXT_ERR_OK;

}



static int client_ocsp_cb(SSL *s, void *arg)

{

    const unsigned char *resp;

    int len;



    len = SSL_get_tlsext_status_ocsp_resp(s, &resp);

    if (len != 1 || *resp != dummy_ocsp_resp_good_val)

        return 0;



    return 1;

}



static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) {

    X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);

    return 0;
@@ -319,6 +351,16 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, 
        break;

    }



    if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) {

        SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp);

        SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb);

        SSL_CTX_set_tlsext_status_arg(client_ctx, NULL);

        SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb);

        SSL_CTX_set_tlsext_status_arg(server_ctx,

            ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE)

            ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val));

    }



    /*

     * The initial_ctx/session_ctx always handles the encrypt/decrypt of the

     * session ticket. This ticket_key callback is assigned to the second

test/recipes/80-test_ssl_new.t

+3 −2
Original line number Diff line number Diff line
@@ -29,7 +29,7 @@ map { s/\.in// } @conf_files; 


# We hard-code the number of tests to double-check that the globbing above

# finds all files as expected.

plan tests => 14;  # = scalar @conf_srcs

plan tests => 16;  # = scalar @conf_srcs



# Some test results depend on the configuration of enabled protocols. We only

# verify generated sources in the default configuration.
@@ -69,7 +69,8 @@ my %skip = ( 
  # special-casing for.

  # We should review this once we have TLS 1.3.

  "13-fragmentation.conf" => disabled("tls1_2"),

  "14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m

  "14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m,

  "16-dtls-certstatus.conf" => $no_dtls

);



foreach my $conf (@conf_files) {

test/ssl-tests/15-certstatus.conf

0 → 100644
+62 −0
Original line number Diff line number Diff line 
# Generated with generate_ssl_tests.pl



num_tests = 2



test-0 = 0-certstatus-good

test-1 = 1-certstatus-bad

# ===========================================================



[0-certstatus-good]

ssl_conf = 0-certstatus-good-ssl



[0-certstatus-good-ssl]

server = 0-certstatus-good-server

client = 0-certstatus-good-client



[0-certstatus-good-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem



[0-certstatus-good-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer



[test-0]

ExpectedResult = Success

Method = TLS

server = 0-certstatus-good-server-extra



[0-certstatus-good-server-extra]

CertStatus = GoodResponse





# ===========================================================



[1-certstatus-bad]

ssl_conf = 1-certstatus-bad-ssl



[1-certstatus-bad-ssl]

server = 1-certstatus-bad-server

client = 1-certstatus-bad-client



[1-certstatus-bad-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem



[1-certstatus-bad-client]

CipherString = DEFAULT

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer



[test-1]

ExpectedResult = ClientFail

Method = TLS

server = 1-certstatus-bad-server-extra



[1-certstatus-bad-server-extra]

CertStatus = BadResponse

test/ssl-tests/15-certstatus.conf.in

0 → 100644
+45 −0
Original line number Diff line number Diff line 
# -*- mode: perl; -*-

# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.

#

# Licensed under the OpenSSL license (the "License").  You may not use

# this file except in compliance with the License.  You can obtain a copy

# in the file LICENSE in the source distribution or at

# https://www.openssl.org/source/license.html





## Test CertStatus messages



use strict;

use warnings;



package ssltests;





our @tests = (

    {

        name => "certstatus-good",

        server => {

            extra => {

                "CertStatus" => "GoodResponse",

            },

        },

        client => {},

        test => {

            "Method" => "TLS",

            "ExpectedResult" => "Success"

        }

    },

    {

        name => "certstatus-bad",

        server => {

            extra => {

                "CertStatus" => "BadResponse",

            },

        },

        client => {},

        test => {

            "Method" => "TLS",

            "ExpectedResult" => "ClientFail"

        }

    },

);

test/ssl-tests/16-certstatus.conf

0 → 100644
+0 −0

Empty file added.