ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Import OpenSSL1.1.1k

Browse Source
This commit is contained in:
Steve Dower
2021-03-29 21:47:40 +01:00
parent ae8aba4cbc
commit b439f09b29
104 changed files with 1075 additions and 379 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
test/build.info
View File

@@ -499,7 +499,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
IF[{- !$disabled{cmac} -}]
SOURCE[cmactest]=cmactest.c
INCLUDE[cmactest]=../include ../apps/include
INCLUDE[cmactest]=../include
DEPEND[cmactest]=../libcrypto.a libtestutil.a
ENDIF
@@ -567,7 +567,6 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
SOURCE[gosttest]=gosttest.c ssltestlib.c
INCLUDE[gosttest]=../include ..
DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a
ENDIF
SOURCE[ssl_ctx_test]=ssl_ctx_test.c
INCLUDE[ssl_ctx_test]=../include
@@ -609,3 +608,4 @@ _____
_____
}
-}
ENDIF

21
test/certs/ca-pss-cert.pem Normal file
View File

@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDXjCCAhagAwIBAgIBAjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa
MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDASMRAwDgYDVQQDDAdSb290
IENBMCAXDTIxMDEyNjEwMDUwOFoYDzIxMjEwMTI3MTAwNTA4WjARMQ8wDQYDVQQD
DAZDQS1QU1MwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAtclsFtJOQgAC
ZxTPn2T2ksmibRNVAnEfVCgfJxsPN3aEERgqqhWbC4LmGHRIIjQ9DpobarydJivw
epDaiu11rgwXgenIobIVvVr2+L3ngalYdkwmmPVImNN8Ef575ybE/kVgTu9X37DJ
t+8psfVGeFg4RKykOi7SfPCSKHKSeZUXPj9AYwZDw4HX2rhstRopXAmUzz2/uAaR
fmU7tYOG5qhfMUpP+Ce0ZBlLE9JjasY+d20/mDFuvFEc5qjfzNqv/7okyBjaWB4h
gwnjXASrqKlqHKVU1UyrJc76yAniimy+IoXKAELetIJGSN15GYaWJcAIs0Eybjyk
gyAu7Zlf/wIDAQABo2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAd
BgNVHQ4EFgQUGfmhA/VcxWkh7VUBHxUdHHQLgrAwHwYDVR0jBBgwFoAUjvUlrx6b
a4Q9fICayVOcTXL3o1IwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAY
BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAF6rSSBj+dkv0UGuE1El
lB9zVpqVlV72RY8gAkmSJmbzblHEO/PYV/UnNJ2C2IXEhAQaE0xKCg+WC2RO56oc
qZc6UXBCN8G9rJKVxgXVbciP4pQYN6POpmhJfQqzNPwzTADt3HY6X9gQtyG0fuQF
OPDc+mXjRvBrcYMkAgYiKe+oA45WDWYpIvipWVQ3xP/BSGJqrdKx5SOrJA72+BLM
bPbD3tBC2SVirDjv0N926Wcb/JQFkM+5YY2/yKNybstngr4Pb1T/tESsIZvGG2Tk
3IhBl1dJtC9gpGTRa8NzQvcmPK9VUjWtv5YNA+FxD9FTxGibh7Aw1fbFCV91Qjc3
JQQ=
-----END CERTIFICATE-----

28
test/certs/ca-pss-key.pem Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADALBgkqhkiG9w0BAQoEggSpMIIEpQIBAAKCAQEAtclsFtJOQgACZxTP
n2T2ksmibRNVAnEfVCgfJxsPN3aEERgqqhWbC4LmGHRIIjQ9DpobarydJivwepDa
iu11rgwXgenIobIVvVr2+L3ngalYdkwmmPVImNN8Ef575ybE/kVgTu9X37DJt+8p
sfVGeFg4RKykOi7SfPCSKHKSeZUXPj9AYwZDw4HX2rhstRopXAmUzz2/uAaRfmU7
tYOG5qhfMUpP+Ce0ZBlLE9JjasY+d20/mDFuvFEc5qjfzNqv/7okyBjaWB4hgwnj
XASrqKlqHKVU1UyrJc76yAniimy+IoXKAELetIJGSN15GYaWJcAIs0EybjykgyAu
7Zlf/wIDAQABAoIBAErkiNt+GS+nwVWmhUMt3UfsOjal2EgBQt7xCKSbyVEYSqCg
TDN2Y0IC07kPbwhobR8u7kyzGCs5vwE/3EmQOwNRh/3FyxqSu9IfP9CKrG4GzqMu
DFjH9PjBaEQhi/pXRqFbA6qBgLpvoytcJNlkK3w5HDVuytoNoDpJAm4XhbEAwVG2
u3De40lPKXBFaGjSrUQETnrm0Fhj+J7+VMheQZVjEHwMIOmbIDcckV0OSIWn00XG
/Md0y0i/U8S0TkP9sVC+cKkKMCNL+BJYf5YucUIna/9PgBD36RRRq2D0e8/iP8m+
ftnmW7fxlL2neTZ2sAS+4sm7sOoudaeAta+JoEECgYEA5ZjbBJf+FhyFOBFRoYow
OHP+JfU7rdi8n5GpNswVmtNx3FK+eoUz+PlXTluUydS3L40ba7/mzYFzAZETF6YO
Z8STkmvLxRTDzvZoE0SCJQAcG9I1oVWMufDVnHvljflH+IBjvMQM527dfFgaebvD
TkRvnCup2oV3uT430++15K0CgYEAyrESfgP5f9+zZqz30N+QTWHZCzCUqSDcGhke
Irvjs5tSrCQibbSGkGNHZ/V019K8rKJQlvNbEEzlRRcohuqIuUPgPmXBbbruqCBP
a1+DD/HRg6BrTsNo67SbUJ6EsV5D80Ie76Yzye3By7E71xvFzFxbMwcwPFHBDViR
m4oRwNsCgYEAtdb/N78tVNPXytUkot0wXbW4RtXYI1Lx6StTKnwubEYk+otqIt1W
kUzhkcTEralUQEvwuMDvCjoJHOeKiINTC2pMOn43j+pnPoY3XXM35BgXKw2svg9k
emu8ssgJwgz5rF37ICjh03Yh4vZgWaOVBmr7PmPyjYiBjuwxCSDkHa0CgYEAkqwP
9aBqq131NBd2PG+KvHRR2wcMjFZ672e9puTPoOiEqox7XWeE+Hbe9RtpscONRF8w
cgsnmmQKhDR93yNYTLgRTRXVItJiYMcAsXIsJR2XvugWvqgpBGds/Km426CbCyyN
tl1OnJCv6/YUl1RBjeBHHmXVQdDnIgE1XJhMwIECgYEAt4zgPqswoicfDBqakP6X
ZND0s7fiki2YBmXyASIoUACnpJEWsOOEJrAcW7xtgXgjNxKdk1JqYV3ggU8wgCvv
9Ugsx0FiuPmIBhYNZMWIItNmpYqPm8KbEwIPqChs9OA+5FREFwFjJgGK2ublfmVj
dN2I3LilMIXTE4/MQ8Lhcjc=
-----END PRIVATE KEY-----

21
test/certs/ee-pss-cert.pem Normal file
View File

@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDdDCCAiygAwIBAgIBAjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa
MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDARMQ8wDQYDVQQDDAZDQS1Q
U1MwIBcNMjEwMTI2MTAwNjMzWhgPMjEyMTAxMjcxMDA2MzNaMBExDzANBgNVBAMM
BkVFLVBTUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e
2ywP1XP74reoG3p1YCvUfTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//
DcZD/jE0+CjYdemju4iC76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aO
wjagEf/AWTX9SRzdHEIzBniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5Zq
ghsVi9GZq+Seb5Sq0pblV/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktH
aKcpxz9K4iIntO+QY9fv0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h
/nk0H0qJH7cCAwEAAaN1MHMwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOi
MB8GA1UdIwQYMBaAFBn5oQP1XMVpIe1VAR8VHRx0C4KwMAkGA1UdEwQCMAAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwEQYDVR0RBAowCIIGRUUtUFNTMD0GCSqGSIb3DQEB
CjAwoA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaID
AgEgA4IBAQCzCXb5XpMvhuwWso9wj4B8AJjCugMlGdrLXIj3ueqyS1qSEcFp1meO
9jMDCjAkitTdZjf3gqEghC/joUd+XAw3JfOPOl36WlNrm9bwZTnfnCYFRrdprfMo
Q1Kqy9SNvDeHZZVcGeU3PZSt+EabmR9mQODg/qfpa9/3WktzFbvxlPOS7Tb0n2tn
vQnTmyrmGN2/o8X1qGQgETw5bH3csKgsPh668zN/gv3DxNN0EVACLaOSahNsNQa7
KCcl1ez5KcFc0QIlQajhorTYOIeTb8UmR4wdy5C4Nd9P5OKv1sQvVO9PtswAv/s7
Vs48cDO1+ASn0KjN41hXN5+fOIlNqOeU
-----END CERTIFICATE-----

19
test/certs/invalid-cert.pem Normal file
View File

@@ -0,0 +1,19 @@
-----BEGIN TRUSTED CERTIFICATE-----
MIIDJTCCAg2gAwIBAgIUEUSW5o7qpgNCWyXic9Fc9tCLS0gwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwIUGVyc29TaW0wHhcNMjAxMjE2MDY1NjM5WhcNMzAxMjE2
MDY1NjM5WjATMREwDwYDVQQDDAhQZXJzb1NpbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMsgRKnnZbQtG9bB9Hn+CoOOsanmnRELSlGq521qi/eBgs2w
SdHYM6rsJFwY89RvINLGeUZh/pu7c+ODtTafAWE3JkynG01d2Zrvp1V1r97+FGyD
f+b1hAggxBy70bTRyr1gAoKQTAm74U/1lj13EpWz7zshgXJ/Pn/hUyTmpNW+fTRE
xaifN0jkl5tZUURGA6w3+BRhVDQtt92vLihqUGaEFpL8yqqFnN44AoQ5+lgMafWi
UyYMHcK75ZB8WWklq8zjRP3xC1h56k01rT6KJO6i+BxMcADerYsn5qTlcUiKcpRU
b6RzLvCUwj91t1aX6npDI3BzSP+wBUUANBfuHEMCAwEAAaNxMG8wFwYDVR0OBBA8
yBBnvz1Zt6pHm2GwBaRyMBcGA1UdIwQQPMgQZ789WbeqR5thsAWkcjAPBgNVHRMB
Af8EBTADAQH/MAsGA1UdDwQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIEzVbttOUc7kK4aY+74TANFZK/qtBQ7
94a/P30TGWSRUq2HnDsR8Vo4z8xm5oKeC+SIi6NGzviWYquuzpJ7idcbr0MIuSyD
+Vg6n1sG64DxWNdGO9lR5c4mWFdIajShczS2+4QIRB/lFZCf7GhPMtIcbP1o9ckY
2vyv5ZAEU9Z5n0PY+abrKsj0XyvJwdycEsUTywa36fuv6hP3UboLtvK6naXLMrTj
WtSA6PXjHy7h8h0NC8XLk64mc0lcRC4WM+xJ/C+NHglpmBqBxnStpnZykMZYD1Vy
JJ1wNc+Y3e2uMBDxZviH3dIPIgqP1Vpi2TWfqr3DTBNCRf4dl/wwNU8=
-----END TRUSTED CERTIFICATE-----

24
test/certs/mkcert.sh
View File

@@ -1,6 +1,6 @@
#! /bin/bash
#
# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
# All rights reserved.
#
@@ -114,6 +114,19 @@ genroot() {
}
genca() {
local OPTIND=1
local purpose=
while getopts p: o
do
case $o in
p) purpose="$OPTARG";;
*) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
return 1;;
esac
done
shift $((OPTIND - 1))
local cn=$1; shift
local key=$1; shift
local cert=$1; shift
@@ -123,17 +136,16 @@ genca() {
local akid="authorityKeyIdentifier = keyid"
exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
for eku in "$@"
do
exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
done
if [ -n "$purpose" ]; then
exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$purpose")
fi
if [ -n "$NC" ]; then
exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
fi
csr=$(req "$key" "CN = $cn") || return 1
echo "$csr" |
cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
-set_serial 2 -days "${DAYS}"
-set_serial 2 -days "${DAYS}" "$@"
}
gen_nonbc_ca() {

13
test/certs/setup.sh
View File

@@ -125,7 +125,7 @@ OPENSSL_KEYBITS=768 \
# client intermediate ca: cca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
#
./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert
#
openssl x509 -in cca-cert.pem -trustout \
-addtrust serverAuth -out cca+serverAuth.pem
@@ -143,7 +143,7 @@ openssl x509 -in cca-cert.pem -trustout \
# server intermediate ca: sca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert
#
openssl x509 -in sca-cert.pem -trustout \
-addtrust serverAuth -out sca+serverAuth.pem
@@ -380,9 +380,14 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
# SHA1
./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
-sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
# SHA256
# EE SHA256
./mkcert.sh genee PSS-SHA256 ee-key ee-pss-sha256-cert ca-key ca-cert \
-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
# CA-PSS
./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \
-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \
-sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \

7
test/recipes/25-test_verify.t
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -27,7 +27,7 @@ sub verify {
run(app([@args]));
}
plan tests => 145;
plan tests => 146;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -377,6 +377,9 @@ ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_l
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");
ok(verify("ee-pss-cert", "sslserver", ["root-cert"], ["ca-pss-cert"], ),
"CA PSS signature");
ok(!verify("many-names1", "sslserver", ["many-constraints"], ["many-constraints"], ),
"Too many names and constraints to check (1)");
ok(!verify("many-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),

38
test/recipes/70-test_renegotiation.t
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,7 @@ my $proxy = TLSProxy::Proxy->new(
$proxy->clientflags("-no_tls1_3");
$proxy->reneg(1);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 3;
plan tests => 4;
ok(TLSProxy::Message->success(), "Basic renegotiation");
#Test 2: Client does not send the Reneg SCSV. Reneg should fail
@@ -77,6 +77,20 @@ SKIP: {
"Check ClientHello version is the same");
}
SKIP: {
skip "TLSv1.2 disabled", 1
if disabled("tls1_2");
#Test 4: Test for CVE-2021-3449. client_sig_algs instead of sig_algs in
# resumption ClientHello
$proxy->clear();
$proxy->filter(\&sigalgs_filter);
$proxy->clientflags("-tls1_2");
$proxy->reneg(1);
$proxy->start();
ok(TLSProxy::Message->fail(), "client_sig_algs instead of sig_algs");
}
sub reneg_filter
{
my $proxy = shift;
@@ -96,3 +110,23 @@ sub reneg_filter
}
}
}
sub sigalgs_filter
{
my $proxy = shift;
my $cnt = 0;
# We're only interested in the second ClientHello message
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
next if ($cnt++ == 0);
my $sigs = pack "C10", 0x00, 0x08,
# rsa_pkcs_sha{256,384,512,1}
0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01;
$message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
$message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
$message->repack();
}
}
}

5
test/recipes/70-test_verify_extra.t
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -16,4 +16,5 @@ plan tests => 1;
ok(run(test(["verify_extra_test",
srctop_file("test", "certs", "roots.pem"),
srctop_file("test", "certs", "untrusted.pem"),
srctop_file("test", "certs", "bad.pem")])));
srctop_file("test", "certs", "bad.pem"),
srctop_file("test", "certs", "rootCA.pem")])));

15
test/recipes/80-test_x509aux.t
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -14,14 +14,17 @@ use OpenSSL::Test::Utils;
setup("test_x509aux");
my @path = qw(test certs);
plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build"
if disabled("ec");
plan tests => 1; # The number of tests being performed
ok(run(test(["x509aux",
srctop_file("test", "certs", "roots.pem"),
srctop_file("test", "certs", "root+anyEKU.pem"),
srctop_file("test", "certs", "root-anyEKU.pem"),
srctop_file("test", "certs", "root-cert.pem")]
)), "x509aux tests");
srctop_file(@path, "roots.pem"),
srctop_file(@path, "root+anyEKU.pem"),
srctop_file(@path, "root-anyEKU.pem"),
srctop_file(@path, "root-cert.pem"),
srctop_file(@path, "invalid-cert.pem"),
])), "x509aux tests");

111
test/rsa_test.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -42,7 +42,8 @@ int setup_tests(void)
BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \
BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \
BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \
memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
if (c != NULL) \
memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
return sizeof(ctext_ex) - 1;
static int key1(RSA *key, unsigned char *c)
@@ -211,16 +212,7 @@ static int key3(RSA *key, unsigned char *c)
SetKey;
}
static int pad_unknown(void)
{
unsigned long l;
while ((l = ERR_get_error()) != 0)
if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
return 1;
return 0;
}
static int rsa_setkey(RSA** key, unsigned char* ctext, int idx)
static int rsa_setkey(RSA** key, unsigned char *ctext, int idx)
{
int clen = 0;
@@ -240,70 +232,79 @@ static int rsa_setkey(RSA** key, unsigned char* ctext, int idx)
return clen;
}
static int test_rsa_pkcs1(int idx)
static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type,
int success, unsigned char *ctext_ex, int *clen,
RSA **retkey)
{
int ret = 0;
RSA *key;
unsigned char ptext[256];
unsigned char ctext[256];
static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
unsigned char ctext_ex[256];
int plen;
int clen = 0;
int clentmp = 0;
int num;
plen = sizeof(ptext_ex) - 1;
clen = rsa_setkey(&key, ctext_ex, idx);
clentmp = rsa_setkey(&key, ctext_ex, idx);
if (clen != NULL)
*clen = clentmp;
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_PADDING);
if (!TEST_int_eq(num, clen))
num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type);
if (!TEST_int_eq(num, clentmp))
goto err;
num = RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_PADDING);
if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
goto err;
num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type);
if (success) {
if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen))
goto err;
} else {
if (!TEST_int_lt(num, 0))
goto err;
}
ret = 1;
if (retkey != NULL) {
*retkey = key;
key = NULL;
}
err:
RSA_free(key);
return ret;
}
static int test_rsa_pkcs1(int idx)
{
return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL,
NULL, NULL);
}
static int test_rsa_sslv23(int idx)
{
int ret = 0;
RSA *key;
unsigned char ptext[256];
unsigned char ctext[256];
static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
unsigned char ctext_ex[256];
int plen;
int clen = 0;
int num;
int ret;
plen = sizeof(ptext_ex) - 1;
clen = rsa_setkey(&key, ctext_ex, idx);
/* Simulate an SSLv2 only client talking to a TLS capable server */
ret = test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_SSLV23_PADDING, 1, NULL,
NULL, NULL);
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_SSLV23_PADDING);
if (!TEST_int_eq(num, clen))
goto err;
/* Simulate a TLS capable client talking to an SSLv2 only server */
ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_PKCS1_PADDING, 1, NULL,
NULL, NULL);
num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING);
if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
goto err;
/*
* Simulate a TLS capable client talking to a TLS capable server. Should
* fail due to detecting a rollback attack.
*/
ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_SSLV23_PADDING, 0, NULL,
NULL, NULL);
ret = 1;
err:
RSA_free(key);
return ret;
}
static int test_rsa_oaep(int idx)
{
int ret = 0;
RSA *key;
RSA *key = NULL;
unsigned char ptext[256];
unsigned char ctext[256];
static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
@@ -313,28 +314,16 @@ static int test_rsa_oaep(int idx)
int num;
int n;
if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1,
ctext_ex, &clen, &key))
goto err;
plen = sizeof(ptext_ex) - 1;
clen = rsa_setkey(&key, ctext_ex, idx);
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_OAEP_PADDING);
if (num == -1 && pad_unknown()) {
TEST_info("Skipping: No OAEP support");
ret = 1;
goto err;
}
if (!TEST_int_eq(num, clen))
goto err;
num = RSA_private_decrypt(num, ctext, ptext, key,
RSA_PKCS1_OAEP_PADDING);
if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
goto err;
/* Different ciphertexts. Try decrypting ctext_ex */
num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
RSA_PKCS1_OAEP_PADDING);
if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen))
goto err;
/* Try decrypting corrupted ciphertexts. */

59
test/sslapitest.c
View File

@@ -6658,6 +6658,62 @@ static int test_ssl_dup(void)
}
#endif
#ifndef OPENSSL_NO_TLS1_3
/*
* Test that setting an SNI callback works with TLSv1.3. Specifically we check
* that it works even without a certificate configured for the original
* SSL_CTX
*/
static int test_sni_tls13(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
/* Reset callback counter */
snicb = 0;
/* Create an initial SSL_CTX with no certificate configured */
sctx = SSL_CTX_new(TLS_server_method());
if (!TEST_ptr(sctx))
goto end;
/* Require TLSv1.3 as a minimum */
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
privkey)))
goto end;
/* Set up SNI */
if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
|| !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
goto end;
/*
* Connection should still succeed because the final SSL_CTX has the right
* certificates configured.
*/
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
&clientssl, NULL, NULL))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE)))
goto end;
/* We should have had the SNI callback called exactly once */
if (!TEST_int_eq(snicb, 1))
goto end;
testresult = 1;
end:
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
#endif
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6780,6 +6836,9 @@ int setup_tests(void)
ADD_ALL_TESTS(test_servername, 10);
#ifndef OPENSSL_NO_TLS1_2
ADD_TEST(test_ssl_dup);
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_TEST(test_sni_tls13);
#endif
return 1;
}

2
test/v3nametest.c
View File

@@ -359,7 +359,7 @@ static int call_run_cert(int i)
return failed == 0;
}
struct gennamedata {
static struct gennamedata {
const unsigned char der[22];
size_t derlen;
} gennames[] = {

71
test/verify_extra_test.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -18,6 +18,21 @@
static const char *roots_f;
static const char *untrusted_f;
static const char *bad_f;
static const char *good_f;
static X509 *load_cert_pem(const char *file)
{
X509 *cert = NULL;
BIO *bio = NULL;
if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
return NULL;
if (TEST_int_gt(BIO_read_filename(bio, file), 0))
(void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
BIO_free(bio);
return cert;
}
static STACK_OF(X509) *load_certs_from_file(const char *filename)
{
@@ -58,7 +73,7 @@ static STACK_OF(X509) *load_certs_from_file(const char *filename)
return certs;
}
/*
/*-
* Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
*
* Chain is as follows:
@@ -125,10 +140,22 @@ static int test_alt_chains_cert_forgery(void)
i = X509_verify_cert(sctx);
if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
if (i != 0 || X509_STORE_CTX_get_error(sctx) != X509_V_ERR_INVALID_CA)
goto err;
/* repeat with X509_V_FLAG_X509_STRICT */
X509_STORE_CTX_cleanup(sctx);
X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT);
if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
goto err;
i = X509_verify_cert(sctx);
if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA)
/* This is the result we were expecting: Test passed */
ret = 1;
}
err:
X509_STORE_CTX_free(sctx);
X509_free(x);
@@ -175,16 +202,48 @@ static int test_store_ctx(void)
return testresult;
}
static int test_self_signed(const char *filename, int expected)
{
X509 *cert = load_cert_pem(filename);
STACK_OF(X509) *trusted = sk_X509_new_null();
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
int ret;
ret = TEST_ptr(cert)
&& TEST_true(sk_X509_push(trusted, cert))
&& TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL));
X509_STORE_CTX_set0_trusted_stack(ctx, trusted);
ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected);
X509_STORE_CTX_free(ctx);
sk_X509_free(trusted);
X509_free(cert);
return ret;
}
static int test_self_signed_good(void)
{
return test_self_signed(good_f, 1);
}
static int test_self_signed_bad(void)
{
return test_self_signed(bad_f, 0);
}
int setup_tests(void)
{
if (!TEST_ptr(roots_f = test_get_argument(0))
|| !TEST_ptr(untrusted_f = test_get_argument(1))
|| !TEST_ptr(bad_f = test_get_argument(2))) {
TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n");
|| !TEST_ptr(bad_f = test_get_argument(2))
|| !TEST_ptr(good_f = test_get_argument(3))) {
TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n");
return 0;
}
ADD_TEST(test_alt_chains_cert_forgery);
ADD_TEST(test_store_ctx);
ADD_TEST(test_self_signed_good);
ADD_TEST(test_self_signed_bad);
return 1;
}

19
test/x509aux.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL licenses, (the "License");
* you may not use this file except in compliance with the License.
@@ -30,17 +30,16 @@ static int test_certs(int num)
typedef int (*i2d_X509_t)(X509 *, unsigned char **);
int err = 0;
BIO *fp = BIO_new_file(test_get_argument(num), "r");
X509 *reuse = NULL;
if (!TEST_ptr(fp))
return 0;
for (c = 0; !err && PEM_read_bio(fp, &name, &header, &data, &len); ++c) {
const int trusted = (strcmp(name, PEM_STRING_X509_TRUSTED) == 0);
d2i_X509_t d2i = trusted ? d2i_X509_AUX : d2i_X509;
i2d_X509_t i2d = trusted ? i2d_X509_AUX : i2d_X509;
X509 *cert = NULL;
X509 *reuse = NULL;
const unsigned char *p = data;
unsigned char *buf = NULL;
unsigned char *bufp;
@@ -93,9 +92,15 @@ static int test_certs(int num)
goto next;
}
p = buf;
reuse = d2i(&reuse, &p, enclen);
if (reuse == NULL || X509_cmp (reuse, cert)) {
TEST_error("X509_cmp does not work with %s", name);
reuse = d2i(NULL, &p, enclen);
if (reuse == NULL) {
TEST_error("second d2i call failed for %s", name);
err = 1;
goto next;
}
err = X509_cmp(reuse, cert);
if (err != 0) {
TEST_error("X509_cmp for %s resulted in %d", name, err);
err = 1;
goto next;
}
@@ -141,13 +146,13 @@ static int test_certs(int num)
*/
next:
X509_free(cert);
X509_free(reuse);
OPENSSL_free(buf);
OPENSSL_free(name);
OPENSSL_free(header);
OPENSSL_free(data);
}
BIO_free(fp);
X509_free(reuse);
if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
/* Reached end of PEM file */