diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2017-01-13 15:20:42 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2017-01-20 01:16:31 +0000 |
| commit | ee5b6a42be3c0ca18145ace8793135fbb4768248 (patch) | |
| tree | d079b139c1c015df4ccf7f9dda092c2fda0d1487 | |
| parent | 424baabdf5af540bda4a69122d274b071d804390 (diff) | |
| download | openssl-ee5b6a42be3c0ca18145ace8793135fbb4768248.tar.gz | |
Add options to check TLS signing hashes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)
| -rw-r--r-- | test/README.ssltest.md | 3 | ||||
| -rw-r--r-- | test/handshake_helper.c | 3 | ||||
| -rw-r--r-- | test/handshake_helper.h | 4 | ||||
| -rw-r--r-- | test/ssl_test.c | 38 | ||||
| -rw-r--r-- | test/ssl_test_ctx.c | 35 | ||||
| -rw-r--r-- | test/ssl_test_ctx.h | 4 |
6 files changed, 75 insertions, 12 deletions
diff --git a/test/README.ssltest.md b/test/README.ssltest.md index 1c4c482069..5e2b2d76fc 100644 --- a/test/README.ssltest.md +++ b/test/README.ssltest.md @@ -92,6 +92,9 @@ handshake. * ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or curve of server or client certificate +* ExpectedServerSignatureHash, ExpectedClientSignatureHash - the expected + signing hash used by server or client certificate + ## Configuring the client and server The client and server configurations can be any valid `SSL_CTX` diff --git a/test/handshake_helper.c b/test/handshake_helper.c index 01a30c850f..c8fd47430a 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -1070,6 +1070,9 @@ static HANDSHAKE_RESULT *do_handshake_internal( EVP_PKEY_free(tmp_key); } + SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); + SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); + ret->server_cert_type = peer_pkey_type(client.ssl); ret->client_cert_type = peer_pkey_type(server.ssl); diff --git a/test/handshake_helper.h b/test/handshake_helper.h index 1cdd6fa055..604eed9bba 100644 --- a/test/handshake_helper.h +++ b/test/handshake_helper.h @@ -47,8 +47,12 @@ typedef struct handshake_result { int tmp_key_type; /* server certificate key type */ int server_cert_type; + /* server signing hash */ + int server_sign_hash; /* client certificate key type */ int client_cert_type; + /* client signing hash */ + int client_sign_hash; } HANDSHAKE_RESULT; HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); diff --git a/test/ssl_test.c b/test/ssl_test.c index 0d0c35ecca..58ddca4ec0 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -187,36 +187,48 @@ static int check_resumption(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) return 1; } -static int check_key_type(const char *name, int expected_key_type, int key_type) +static int check_nid(const char *name, int expected_nid, int nid) { - if (expected_key_type == 0 || expected_key_type == key_type) + if (expected_nid == 0 || expected_nid == nid) return 1; fprintf(stderr, "%s type mismatch, %s vs %s\n", - name, OBJ_nid2ln(expected_key_type), - key_type == NID_undef ? "absent" : OBJ_nid2ln(key_type)); + name, OBJ_nid2ln(expected_nid), + nid == NID_undef ? "absent" : OBJ_nid2ln(nid)); return 0; } static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { - return check_key_type("Tmp key", test_ctx->expected_tmp_key_type, - result->tmp_key_type); + return check_nid("Tmp key", test_ctx->expected_tmp_key_type, + result->tmp_key_type); } static int check_server_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { - return check_key_type("Server certificate", - test_ctx->expected_server_cert_type, - result->server_cert_type); + return check_nid("Server certificate", test_ctx->expected_server_cert_type, + result->server_cert_type); +} + +static int check_server_sign_hash(HANDSHAKE_RESULT *result, + SSL_TEST_CTX *test_ctx) +{ + return check_nid("Server signing hash", test_ctx->expected_server_sign_hash, + result->server_sign_hash); } static int check_client_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { - return check_key_type("Client certificate", - test_ctx->expected_client_cert_type, - result->client_cert_type); + return check_nid("Client certificate", test_ctx->expected_client_cert_type, + result->client_cert_type); +} + +static int check_client_sign_hash(HANDSHAKE_RESULT *result, + SSL_TEST_CTX *test_ctx) +{ + return check_nid("Client signing hash", test_ctx->expected_client_sign_hash, + result->client_sign_hash); } /* @@ -241,7 +253,9 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) ret &= check_resumption(result, test_ctx); ret &= check_tmp_key(result, test_ctx); ret &= check_server_cert_type(result, test_ctx); + ret &= check_server_sign_hash(result, test_ctx); ret &= check_client_cert_type(result, test_ctx); + ret &= check_client_sign_hash(result, test_ctx); } return ret; } diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c index f8d5ecda14..242602d88e 100644 --- a/test/ssl_test_ctx.c +++ b/test/ssl_test_ctx.c @@ -480,6 +480,39 @@ __owur static int parse_expected_client_cert_type(SSL_TEST_CTX *test_ctx, value); } +/*************************/ +/* Expected signing hash */ +/*************************/ + +__owur static int parse_expected_sign_hash(int *ptype, const char *value) +{ + int nid; + + if (value == NULL) + return 0; + nid = OBJ_sn2nid(value); + if (nid == NID_undef) + nid = OBJ_ln2nid(value); + if (nid == NID_undef) + return 0; + *ptype = nid; + return 1; +} + +__owur static int parse_expected_server_sign_hash(SSL_TEST_CTX *test_ctx, + const char *value) +{ + return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash, + value); +} + +__owur static int parse_expected_client_sign_hash(SSL_TEST_CTX *test_ctx, + const char *value) +{ + return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash, + value); +} + /*************************************************************/ /* Known test options and their corresponding parse methods. */ /*************************************************************/ @@ -506,7 +539,9 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = { { "MaxFragmentSize", &parse_test_max_fragment_size }, { "ExpectedTmpKeyType", &parse_expected_tmp_key_type }, { "ExpectedServerCertType", &parse_expected_server_cert_type }, + { "ExpectedServerSignHash", &parse_expected_server_sign_hash }, { "ExpectedClientCertType", &parse_expected_client_cert_type }, + { "ExpectedClientSignHash", &parse_expected_client_sign_hash }, }; /* Nested client options. */ diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index f67f01ad87..b34efe327c 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -163,8 +163,12 @@ typedef struct { int expected_tmp_key_type; /* Expected server certificate key type */ int expected_server_cert_type; + /* Expected server signing hash */ + int expected_server_sign_hash; /* Expected client certificate key type */ int expected_client_cert_type; + /* Expected client signing hash */ + int expected_client_sign_hash; } SSL_TEST_CTX; const char *ssl_test_result_name(ssl_test_result_t result); |