Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates. Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing
when the chain fails verification.
Move and consolidate CT callbacks from libcrypto to libssl. We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.
Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information. When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
diff --git a/test/ct_test.c b/test/ct_test.c
index 5446f9d..bdd5b84 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -402,6 +402,17 @@
goto end;
}
+ if (fixture.test_validity && cert != NULL) {
+ int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
+ if (is_sct_validated < 0) {
+ fprintf(stderr, "Error validating SCT\n");
+ goto end;
+ } else if (!is_sct_validated) {
+ fprintf(stderr, "SCT failed verification\n");
+ goto end;
+ }
+ }
+
if (fixture.sct_text_file
&& compare_sct_printout(sct, expected_sct_text)) {
goto end;
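Review bot: The relocated validity block at the top of the hunk silently skips SCT validation when `fixture.test_validity` is set but `cert` is NULL, so a fixture that asks for validation without supplying a certificate passes without SCT_validate ever being called. Consider treating that combination as a test configuration error, e.g. `if (fixture.test_validity && cert == NULL) { fprintf(stderr, "test_validity set but no certificate supplied\n"); goto end; }` placed just before the existing block. Since validation now runs ahead of the printout comparison, a bad SCT is reported before any text mismatch; a one-line comment such as `/* Validate first so a bad SCT is reported before printout/encoding mismatches */` would make the ordering deliberate rather than incidental. The enclosing function starts and ends outside this hunk.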
@@ -413,17 +424,6 @@
fprintf(stderr, "Failed to encode SCT into TLS format correctly\n");
goto end;
}
-
- if (fixture.test_validity && cert != NULL) {
- int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
- if (is_sct_validated < 0) {
- fprintf(stderr, "Error validating SCT\n");
- goto end;
- } else if (!is_sct_validated) {
- fprintf(stderr, "SCT failed verification\n");
- goto end;
- }
- }
}
success = 1;
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 855e7c6..13fcfbe 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -811,20 +811,21 @@
plan tests => 3;
SKIP: {
- skip "Certificate Transparency is not supported by this OpenSSL build", 3
- if $no_ct;
- skip "TLSv1.0 is not supported by this OpenSSL build", 3
- if $no_tls1;
+ skip "Certificate Transparency is not supported by this OpenSSL build", 3
+ if $no_ct;
+ skip "TLSv1.0 is not supported by this OpenSSL build", 3
+ if $no_tls1;
- $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-noct"])));
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requestct"])));
- # No SCTs provided, so this should fail.
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requirect",
- "-should_negotiate", "fail-client"])));
- }
+ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+ my @ca = qw(-CAfile certCA.ss);
+ ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-noct"])));
+ # No SCTs provided, so this should fail.
+ ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-ct",
+ "-should_negotiate", "fail-client"])));
+ # No SCTs provided, unverified chains still succeed.
+ ok(run(test([@ssltest, "-bio_pair", "-tls1", "-ct"])));
+ }
};
-
}
sub testsslproxy {
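Review bot: `$ENV{CTLOG_FILE} = srctop_file(...)` assigns the process-wide environment rather than a scoped override, so the CT log list stays set for every later test in this file, including testsslproxy below; `local $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");` confines it to the SKIP block. The third case is the one that encodes the new behaviour (CT checking is suppressed when the chain is not verified), and its comment could say why the handshake is expected to succeed: `# No CA given: the chain fails verification, so CT checking is skipped and the handshake succeeds.` There is no case in which SCTs are supplied and expected to validate, so the path where `-ct` accepts a good SCT is not exercised by this recipe; that may be covered elsewhere. The enclosing subtest starts outside this hunk.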
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 8018b3b..e3f8d77 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1113,7 +1113,7 @@
* Disable CT validation by default, because it will interfere with
* anything using custom extension handlers to deal with SCT extensions.
*/
- ct_validation_cb ct_validation = NULL;
+ int ct_validation = 0;
#endif
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
@@ -1300,13 +1300,10 @@
}
#ifndef OPENSSL_NO_CT
else if (strcmp(*argv, "-noct") == 0) {
- ct_validation = NULL;
+ ct_validation = 0;
}
- else if (strcmp(*argv, "-requestct") == 0) {
- ct_validation = CT_verify_no_bad_scts;
- }
- else if (strcmp(*argv, "-requirect") == 0) {
- ct_validation = CT_verify_at_least_one_good_sct;
+ else if (strcmp(*argv, "-ct") == 0) {
+ ct_validation = 1;
}
#endif
#ifndef OPENSSL_NO_COMP
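Review bot: The new `-ct` branch reads as a plain on/off toggle, but the later `@@ -1633` hunk maps it to SSL_CT_VALIDATION_STRICT, so a handshake failure under `-ct` with no valid SCT is the expected outcome; the parse branch should say so: `/* -ct: strict CT validation - at least one valid SCT or the handshake is aborted */`. The removed `-requestct` and `-requirect` spellings presumably now fall through to the generic unknown-option handling, so any usage text still naming them needs updating (the recipe hunk in this commit already switched to `-ct`). The variable keeps the name `ct_validation` although, per the first hunk, it now holds an int flag rather than a callback; `ct_validation_enabled`, or a short comment at its declaration, would avoid the stale reading. The enclosing argument-parsing loop starts and ends outside this hunk.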
@@ -1633,7 +1630,8 @@
}
#ifndef OPENSSL_NO_CT
- if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
+ if (ct_validation &&
+ !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
ERR_print_errors(bio_err);
goto end;
}