Loading test/README.ssltest.md +4 −0 Original line number Diff line number Diff line Loading @@ -102,6 +102,10 @@ handshake. send. If this is "empty" the list is expected to be empty otherwise it is a file of certificates whose subject names form the list. * ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only. If this is "empty" the list is expected to be empty otherwise it is a file of certificates whose subject names form the list. ## Configuring the client and server The client and server configurations can be any valid `SSL_CTX` Loading test/handshake_helper.c +9 −2 Original line number Diff line number Diff line Loading @@ -34,6 +34,7 @@ void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) OPENSSL_free(result->server_npn_negotiated); OPENSSL_free(result->client_alpn_negotiated); OPENSSL_free(result->server_alpn_negotiated); sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); OPENSSL_free(result); } Loading Loading @@ -1123,7 +1124,7 @@ static HANDSHAKE_RESULT *do_handshake_internal( /* API dictates unsigned int rather than size_t. */ unsigned int proto_len = 0; EVP_PKEY *tmp_key; STACK_OF(X509_NAME) *names; const STACK_OF(X509_NAME) *names; memset(&server_ctx_data, 0, sizeof(server_ctx_data)); memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); Loading Loading 
@@ -1297,12 +1298,18 @@ static HANDSHAKE_RESULT *do_handshake_internal( SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); names = SSL_get_client_CA_list(client.ssl); names = SSL_get0_peer_CA_list(client.ssl); if (names == NULL) ret->client_ca_names = NULL; else ret->client_ca_names = SSL_dup_CA_list(names); names = SSL_get0_peer_CA_list(server.ssl); if (names == NULL) ret->server_ca_names = NULL; else ret->server_ca_names = SSL_dup_CA_list(names); ret->server_cert_type = peer_pkey_type(client.ssl); ret->client_cert_type = peer_pkey_type(server.ssl); Loading test/handshake_helper.h +2 −0 Original line number Diff line number Diff line Loading @@ -52,6 +52,8 @@ typedef struct handshake_result { int server_sign_hash; /* server signature type */ int server_sign_type; /* server CA names */ STACK_OF(X509_NAME) *server_ca_names; /* client certificate key type */ int client_cert_type; /* client signing hash */ Loading test/ssl_test.c +57 −48 Original line number Diff line number Diff line Loading 
@@ -195,54 +195,6 @@ static int check_nid(const char *name, int expected_nid, int nid) return 0; } static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Tmp key", test_ctx->expected_tmp_key_type, result->tmp_key_type); } static int check_server_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server certificate", test_ctx->expected_server_cert_type, result->server_cert_type); } static int check_server_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing hash", test_ctx->expected_server_sign_hash, result->server_sign_hash); } static int check_server_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing", test_ctx->expected_server_sign_type, result->server_sign_type); } static int check_client_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client certificate", test_ctx->expected_client_cert_type, result->client_cert_type); } static int check_client_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing hash", test_ctx->expected_client_sign_hash, result->client_sign_hash); } static int check_client_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing", test_ctx->expected_client_sign_type, result->client_sign_type); } static void print_ca_names(STACK_OF(X509_NAME) *names) { BIO *err; Loading Loading 
@@ -291,6 +243,62 @@ static int check_ca_names(const char *name, return 0; } static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Tmp key", test_ctx->expected_tmp_key_type, result->tmp_key_type); } static int check_server_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server certificate", test_ctx->expected_server_cert_type, result->server_cert_type); } static int check_server_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing hash", test_ctx->expected_server_sign_hash, result->server_sign_hash); } static int check_server_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing", test_ctx->expected_server_sign_type, result->server_sign_type); } static int check_server_ca_names(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_ca_names("Server CA names", test_ctx->expected_server_ca_names, result->server_ca_names); } static int check_client_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client certificate", test_ctx->expected_client_cert_type, result->client_cert_type); } static int check_client_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing hash", test_ctx->expected_client_sign_hash, result->client_sign_hash); } static int check_client_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing", test_ctx->expected_client_sign_type, result->client_sign_type); } static int check_client_ca_names(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { Loading Loading 
@@ -324,6 +332,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) ret &= check_server_cert_type(result, test_ctx); ret &= check_server_sign_hash(result, test_ctx); ret &= check_server_sign_type(result, test_ctx); ret &= check_server_ca_names(result, test_ctx); ret &= check_client_cert_type(result, test_ctx); ret &= check_client_sign_hash(result, test_ctx); ret &= check_client_sign_type(result, test_ctx); Loading test/ssl_test_ctx.c +7 −0 Original line number Diff line number Diff line Loading @@ -546,6 +546,11 @@ __owur static int parse_expected_ca_names(STACK_OF(X509_NAME) **pnames, *pnames = SSL_load_client_CA_file(value); return *pnames != NULL; } __owur static int parse_expected_server_ca_names(SSL_TEST_CTX *test_ctx, const char *value) { return parse_expected_ca_names(&test_ctx->expected_server_ca_names, value); } __owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx, const char *value) { Loading Loading @@ -580,6 +585,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = { { "ExpectedServerCertType", &parse_expected_server_cert_type }, { "ExpectedServerSignHash", &parse_expected_server_sign_hash }, { "ExpectedServerSignType", &parse_expected_server_sign_type }, { "ExpectedServerCANames", &parse_expected_server_ca_names }, { "ExpectedClientCertType", &parse_expected_client_cert_type }, { "ExpectedClientSignHash", &parse_expected_client_sign_hash }, { "ExpectedClientSignType", &parse_expected_client_sign_type }, Loading Loading @@ -661,6 +667,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx) ssl_test_ctx_free_extra_data(ctx); OPENSSL_free(ctx->expected_npn_protocol); OPENSSL_free(ctx->expected_alpn_protocol); sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free); sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free); OPENSSL_free(ctx); } Loading Loading
test/README.ssltest.md +4 −0 Original line number Diff line number Diff line Loading @@ -102,6 +102,10 @@ handshake. send. If this is "empty" the list is expected to be empty otherwise it is a file of certificates whose subject names form the list. * ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only. If this is "empty" the list is expected to be empty otherwise it is a file of certificates whose subject names form the list. ## Configuring the client and server The client and server configurations can be any valid `SSL_CTX` Loading
test/handshake_helper.c +9 −2 Original line number Diff line number Diff line Loading @@ -34,6 +34,7 @@ void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) OPENSSL_free(result->server_npn_negotiated); OPENSSL_free(result->client_alpn_negotiated); OPENSSL_free(result->server_alpn_negotiated); sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free); sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free); OPENSSL_free(result); } Loading Loading @@ -1123,7 +1124,7 @@ static HANDSHAKE_RESULT *do_handshake_internal( /* API dictates unsigned int rather than size_t. */ unsigned int proto_len = 0; EVP_PKEY *tmp_key; STACK_OF(X509_NAME) *names; const STACK_OF(X509_NAME) *names; memset(&server_ctx_data, 0, sizeof(server_ctx_data)); memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); Loading Loading @@ -1297,12 +1298,18 @@ static HANDSHAKE_RESULT *do_handshake_internal( SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type); SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type); names = SSL_get_client_CA_list(client.ssl); names = SSL_get0_peer_CA_list(client.ssl); if (names == NULL) ret->client_ca_names = NULL; else ret->client_ca_names = SSL_dup_CA_list(names); names = SSL_get0_peer_CA_list(server.ssl); if (names == NULL) ret->server_ca_names = NULL; else ret->server_ca_names = SSL_dup_CA_list(names); ret->server_cert_type = peer_pkey_type(client.ssl); ret->client_cert_type = peer_pkey_type(server.ssl); Loading
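Review bot: The return value of `SSL_dup_CA_list()` in the new `server.ssl` branch of do_handshake_internal (hunk @1298) is not checked, so an allocation failure leaves `ret->server_ca_names` NULL, which the ExpectedServerCANames check cannot tell apart from a peer that sent no names; the pre-existing client branch has the same gap. Either record the failure (e.g. set a result flag when `names != NULL` but the copy came back NULL) or at least state the assumption in place: `/* NULL here means "no names received" or a failed dup; the test config decides which is acceptable */`. do_handshake_internal starts and ends outside the hunk, so I cannot see whether `ret` is zero-allocated, which the new `sk_X509_NAME_pop_free(result->server_ca_names, ...)` in HANDSHAKE_RESULT_free relies on for handshakes that return before this point.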
test/handshake_helper.h +2 −0 Original line number Diff line number Diff line Loading @@ -52,6 +52,8 @@ typedef struct handshake_result { int server_sign_hash; /* server signature type */ int server_sign_type; /* server CA names */ STACK_OF(X509_NAME) *server_ca_names; /* client certificate key type */ int client_cert_type; /* client signing hash */ Loading
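Review bot: The comment `/* server CA names */` on the new `server_ca_names` field is ambiguous about direction: handshake_helper.c fills it from `SSL_get0_peer_CA_list(server.ssl)`, i.e. the CA names the server received from the client, which is the opposite of what "server CA names" suggests. A comment naming the direction would save the next reader a trip to the helper: `/* CA names the client sent, as seen by the server (peer CA list of server.ssl) */`. The README hunk on this page describes the matching option as "list of CA names the client must send, TLS 1.3 only", so the struct comment should agree with it. The enclosing struct handshake_result starts and ends outside the hunk.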
test/ssl_test.c +57 −48 Original line number Diff line number Diff line Loading @@ -195,54 +195,6 @@ static int check_nid(const char *name, int expected_nid, int nid) return 0; } static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Tmp key", test_ctx->expected_tmp_key_type, result->tmp_key_type); } static int check_server_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server certificate", test_ctx->expected_server_cert_type, result->server_cert_type); } static int check_server_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing hash", test_ctx->expected_server_sign_hash, result->server_sign_hash); } static int check_server_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing", test_ctx->expected_server_sign_type, result->server_sign_type); } static int check_client_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client certificate", test_ctx->expected_client_cert_type, result->client_cert_type); } static int check_client_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing hash", test_ctx->expected_client_sign_hash, result->client_sign_hash); } static int check_client_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing", test_ctx->expected_client_sign_type, result->client_sign_type); } static void print_ca_names(STACK_OF(X509_NAME) *names) { BIO *err; Loading Loading 
@@ -291,6 +243,62 @@ static int check_ca_names(const char *name, return 0; } static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Tmp key", test_ctx->expected_tmp_key_type, result->tmp_key_type); } static int check_server_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server certificate", test_ctx->expected_server_cert_type, result->server_cert_type); } static int check_server_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing hash", test_ctx->expected_server_sign_hash, result->server_sign_hash); } static int check_server_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Server signing", test_ctx->expected_server_sign_type, result->server_sign_type); } static int check_server_ca_names(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_ca_names("Server CA names", test_ctx->expected_server_ca_names, result->server_ca_names); } static int check_client_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client certificate", test_ctx->expected_client_cert_type, result->client_cert_type); } static int check_client_sign_hash(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing hash", test_ctx->expected_client_sign_hash, result->client_sign_hash); } static int check_client_sign_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { return check_nid("Client signing", test_ctx->expected_client_sign_type, result->client_sign_type); } static int check_client_ca_names(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { Loading Loading 
@@ -324,6 +332,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) ret &= check_server_cert_type(result, test_ctx); ret &= check_server_sign_hash(result, test_ctx); ret &= check_server_sign_type(result, test_ctx); ret &= check_server_ca_names(result, test_ctx); ret &= check_client_cert_type(result, test_ctx); ret &= check_client_sign_hash(result, test_ctx); ret &= check_client_sign_type(result, test_ctx); Loading
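Review bot: The relocation of seven unchanged `check_*` helpers (hunks @195 and @243) appears to exist only so that the new `check_server_ca_names` can be defined after `check_ca_names`; a forward declaration of `check_ca_names` above the helpers would have kept the diff to the genuinely new lines and left the blame history of the moved functions intact. If the move stays, a one-line comment on `check_server_ca_names` would avoid the same directional confusion as the field it reads, e.g. `/* compares the CA names the server received from the client */`, since the label "Server CA names" reads as if the server had sent them. The prototype of `check_ca_names` is cut by the hunk boundary, so I cannot quote the exact forward declaration.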
test/ssl_test_ctx.c +7 −0 Original line number Diff line number Diff line Loading @@ -546,6 +546,11 @@ __owur static int parse_expected_ca_names(STACK_OF(X509_NAME) **pnames, *pnames = SSL_load_client_CA_file(value); return *pnames != NULL; } __owur static int parse_expected_server_ca_names(SSL_TEST_CTX *test_ctx, const char *value) { return parse_expected_ca_names(&test_ctx->expected_server_ca_names, value); } __owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx, const char *value) { Loading Loading @@ -580,6 +585,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = { { "ExpectedServerCertType", &parse_expected_server_cert_type }, { "ExpectedServerSignHash", &parse_expected_server_sign_hash }, { "ExpectedServerSignType", &parse_expected_server_sign_type }, { "ExpectedServerCANames", &parse_expected_server_ca_names }, { "ExpectedClientCertType", &parse_expected_client_cert_type }, { "ExpectedClientSignHash", &parse_expected_client_sign_hash }, { "ExpectedClientSignType", &parse_expected_client_sign_type }, Loading Loading @@ -661,6 +667,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx) ssl_test_ctx_free_extra_data(ctx); OPENSSL_free(ctx->expected_npn_protocol); OPENSSL_free(ctx->expected_alpn_protocol); sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free); sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free); OPENSSL_free(ctx); } Loading
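Review bot: The new ExpectedServerCANames option routes through `parse_expected_ca_names`, whose visible tail does `*pnames = SSL_load_client_CA_file(value);` unconditionally, so a test configuration that specifies the key twice would overwrite and leak the first list, since SSL_TEST_CTX_free only releases the final pointer. A guard in the shared parser, `sk_X509_NAME_pop_free(*pnames, X509_NAME_free);` before the assignment, would cover both the client and the new server option. The start of `parse_expected_ca_names` (including its handling of the "empty" value the README describes) lies outside the hunk, so this is inferred from the visible lines only.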