The branch master has been updated via 062540cbc511e38e25062fcd63a8c815ad071912 (commit) via ee5b6a42be3c0ca18145ace8793135fbb4768248 (commit) from 424baabdf5af540bda4a69122d274b071d804390 (commit)
- Log ----------------------------------------------------------------- commit 062540cbc511e38e25062fcd63a8c815ad071912 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Jan 15 15:59:48 2017 +0000 Add signing hash tests Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2235) commit ee5b6a42be3c0ca18145ace8793135fbb4768248 Author: Dr. Stephen Henson <st...@openssl.org> Date: Fri Jan 13 15:20:42 2017 +0000 Add options to check TLS signing hashes Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2235) ----------------------------------------------------------------------- Summary of changes: test/README.ssltest.md | 3 +++ test/handshake_helper.c | 3 +++ test/handshake_helper.h | 4 ++++ test/ssl-tests/04-client_auth.conf | 2 ++ test/ssl-tests/04-client_auth.conf.in | 9 +++++++++ test/ssl-tests/20-cert-select.conf | 2 ++ test/ssl-tests/20-cert-select.conf.in | 6 ++++-- test/ssl_test.c | 38 ++++++++++++++++++++++++----------- test/ssl_test_ctx.c | 35 ++++++++++++++++++++++++++++++++ test/ssl_test_ctx.h | 4 ++++ 10 files changed, 92 insertions(+), 14 deletions(-) diff --git a/test/README.ssltest.md b/test/README.ssltest.md index 1c4c482..5e2b2d7 100644 --- a/test/README.ssltest.md +++ b/test/README.ssltest.md @@ -92,6 +92,9 @@ handshake. * ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or curve of server or client certificate +* ExpectedServerSignatureHash, ExpectedClientSignatureHash - the expected + signing hash used by server or client certificate + ## Configuring the client and server The client and server configurations can be any valid `SSL_CTX` diff --git a/test/handshake_helper.c b/test/handshake_helper.c index 01a30c8..c8fd474 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -1070,6 +1070,9 @@ static HANDSHAKE_RESULT *do_handshake_internal( EVP_PKEY_free(tmp_key); } + SSL_get_peer_signature_nid(client.ssl, &ret->server_sign_hash); + SSL_get_peer_signature_nid(server.ssl, &ret->client_sign_hash); + ret->server_cert_type = peer_pkey_type(client.ssl); ret->client_cert_type = peer_pkey_type(server.ssl); diff --git a/test/handshake_helper.h b/test/handshake_helper.h index 1cdd6fa..604eed9 100644 --- a/test/handshake_helper.h +++ b/test/handshake_helper.h @@ -47,8 +47,12 @@ typedef struct handshake_result { int tmp_key_type; /* server certificate key type */ int server_cert_type; + /* server signing hash */ + int server_sign_hash; /* client certificate key type */ int client_cert_type; + /* client signing hash */ + int client_sign_hash; } HANDSHAKE_RESULT; HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf index 5b725c7..a917098 100644 --- a/test/ssl-tests/04-client_auth.conf +++ b/test/ssl-tests/04-client_auth.conf @@ -543,6 +543,7 @@ client = 18-client-auth-TLSv1.2-require-client [18-client-auth-TLSv1.2-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +ClientSignatureAlgorithms = SHA256+RSA MaxProtocol = TLSv1.2 MinProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem @@ -560,6 +561,7 @@ VerifyMode = Peer [test-18] ExpectedClientCertType = RSA +ExpectedClientSignHash = SHA256 ExpectedResult = Success diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in index 8738f90..d45e399 100644 --- a/test/ssl-tests/04-client_auth.conf.in +++ b/test/ssl-tests/04-client_auth.conf.in @@ -33,6 +33,13 @@ sub generate_tests() { } else { $caalert = "UnknownCA"; } + my $clihash; + my $clisigalgs; + # TODO add TLSv1.3 versions + if ($protocol_name eq "TLSv1.2") { + $clihash = "SHA256"; + $clisigalgs = "SHA256+RSA"; + } # Sanity-check simple handshake. push @tests, { name => "server-auth-${protocol_name}", @@ -87,6 +94,7 @@ sub generate_tests() { server => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, + "ClientSignatureAlgorithms" => $clisigalgs, "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem", "VerifyMode" => "Request", }, @@ -98,6 +106,7 @@ sub generate_tests() { }, test => { "ExpectedResult" => "Success", "ExpectedClientCertType" => "RSA", + "ExpectedClientSignHash" => $clihash, }, }; diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index dbb339d..c663b7e 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -111,6 +111,7 @@ VerifyMode = Peer [test-3] ExpectedResult = Success ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 # =========================================================== @@ -163,5 +164,6 @@ VerifyMode = Peer [test-5] ExpectedResult = Success ExpectedServerCertType = RSA +ExpectedServerSignHash = SHA256 diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index d348491..e8bac76 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -59,7 +59,8 @@ our @tests = ( "SignatureAlgorithms" => "ECDSA+SHA256", }, test => { - "ExpectedServerCertType" =>, "P-256", + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA256", "ExpectedResult" => "Success" }, }, @@ -80,7 +81,8 @@ our @tests = ( "SignatureAlgorithms" => "RSA+SHA256", }, test => { - "ExpectedServerCertType" =>, "RSA", + "ExpectedServerCertType" => "RSA", + "ExpectedServerSignHash" => "SHA256", "ExpectedResult" => "Success" }, } diff --git a/test/ssl_test.c b/test/ssl_test.c index 0d0c35e..58ddca4 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -187,36 +187,48 @@ static int check_resumption(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) return 1; } -static int check_key_type(const char *name, int expected_key_type, int key_type) +static int check_nid(const char *name, int expected_nid, int nid) { - if (expected_key_type == 0 || expected_key_type == key_type) + if (expected_nid == 0 || expected_nid == nid) return 1; fprintf(stderr, "%s type mismatch, %s vs %s\n", - name, OBJ_nid2ln(expected_key_type), - key_type == NID_undef ? "absent" : OBJ_nid2ln(key_type)); + name, OBJ_nid2ln(expected_nid), + nid == NID_undef ? "absent" : OBJ_nid2ln(nid)); return 0; } static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { - return check_key_type("Tmp key", test_ctx->expected_tmp_key_type, - result->tmp_key_type); + return check_nid("Tmp key", test_ctx->expected_tmp_key_type, + result->tmp_key_type); } static int check_server_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { - return check_key_type("Server certificate", - test_ctx->expected_server_cert_type, - result->server_cert_type); + return check_nid("Server certificate", test_ctx->expected_server_cert_type, + result->server_cert_type); +} + +static int check_server_sign_hash(HANDSHAKE_RESULT *result, + SSL_TEST_CTX *test_ctx) +{ + return check_nid("Server signing hash", test_ctx->expected_server_sign_hash, + result->server_sign_hash); } static int check_client_cert_type(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) { - return check_key_type("Client certificate", - test_ctx->expected_client_cert_type, - result->client_cert_type); + return check_nid("Client certificate", test_ctx->expected_client_cert_type, + result->client_cert_type); +} + +static int check_client_sign_hash(HANDSHAKE_RESULT *result, + SSL_TEST_CTX *test_ctx) +{ + return check_nid("Client signing hash", test_ctx->expected_client_sign_hash, + result->client_sign_hash); } /* @@ -241,7 +253,9 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) ret &= check_resumption(result, test_ctx); ret &= check_tmp_key(result, test_ctx); ret &= check_server_cert_type(result, test_ctx); + ret &= check_server_sign_hash(result, test_ctx); ret &= check_client_cert_type(result, test_ctx); + ret &= check_client_sign_hash(result, test_ctx); } return ret; } diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c index f8d5ecd..242602d 100644 --- a/test/ssl_test_ctx.c +++ b/test/ssl_test_ctx.c @@ -480,6 +480,39 @@ __owur static int parse_expected_client_cert_type(SSL_TEST_CTX *test_ctx, value); } +/*************************/ +/* Expected signing hash */ +/*************************/ + +__owur static int parse_expected_sign_hash(int *ptype, const char *value) +{ + int nid; + + if (value == NULL) + return 0; + nid = OBJ_sn2nid(value); + if (nid == NID_undef) + nid = OBJ_ln2nid(value); + if (nid == NID_undef) + return 0; + *ptype = nid; + return 1; +} + +__owur static int parse_expected_server_sign_hash(SSL_TEST_CTX *test_ctx, + const char *value) +{ + return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash, + value); +} + +__owur static int parse_expected_client_sign_hash(SSL_TEST_CTX *test_ctx, + const char *value) +{ + return parse_expected_sign_hash(&test_ctx->expected_server_sign_hash, + value); +} + /*************************************************************/ /* Known test options and their corresponding parse methods. */ /*************************************************************/ @@ -506,7 +539,9 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = { { "MaxFragmentSize", &parse_test_max_fragment_size }, { "ExpectedTmpKeyType", &parse_expected_tmp_key_type }, { "ExpectedServerCertType", &parse_expected_server_cert_type }, + { "ExpectedServerSignHash", &parse_expected_server_sign_hash }, { "ExpectedClientCertType", &parse_expected_client_cert_type }, + { "ExpectedClientSignHash", &parse_expected_client_sign_hash }, }; /* Nested client options. */ diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index f67f01a..b34efe3 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -163,8 +163,12 @@ typedef struct { int expected_tmp_key_type; /* Expected server certificate key type */ int expected_server_cert_type; + /* Expected server signing hash */ + int expected_server_sign_hash; /* Expected client certificate key type */ int expected_client_cert_type; + /* Expected client signing hash */ + int expected_client_sign_hash; } SSL_TEST_CTX; const char *ssl_test_result_name(ssl_test_result_t result); _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits