Add ExpectedServerCANames
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 0d6f466..288dffa 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -102,6 +102,10 @@
send. If this is "empty" the list is expected to be empty otherwise it
is a file of certificates whose subject names form the list.
+* ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only.
+ If this is "empty" the list is expected to be empty otherwise it is a file
+ of certificates whose subject names form the list.
+
## Configuring the client and server
The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 4bccac1..47af3fe 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -34,6 +34,7 @@
OPENSSL_free(result->server_npn_negotiated);
OPENSSL_free(result->client_alpn_negotiated);
OPENSSL_free(result->server_alpn_negotiated);
+ sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free);
sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free);
OPENSSL_free(result);
}
@@ -1123,7 +1124,7 @@
/* API dictates unsigned int rather than size_t. */
unsigned int proto_len = 0;
EVP_PKEY *tmp_key;
- STACK_OF(X509_NAME) *names;
+ const STACK_OF(X509_NAME) *names;
memset(&server_ctx_data, 0, sizeof(server_ctx_data));
memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
@@ -1297,12 +1298,18 @@
SSL_get_peer_signature_type_nid(client.ssl, &ret->server_sign_type);
SSL_get_peer_signature_type_nid(server.ssl, &ret->client_sign_type);
- names = SSL_get_client_CA_list(client.ssl);
+ names = SSL_get0_peer_CA_list(client.ssl);
if (names == NULL)
ret->client_ca_names = NULL;
else
ret->client_ca_names = SSL_dup_CA_list(names);
+ names = SSL_get0_peer_CA_list(server.ssl);
+ if (names == NULL)
+ ret->server_ca_names = NULL;
+ else
+ ret->server_ca_names = SSL_dup_CA_list(names);
+
ret->server_cert_type = peer_pkey_type(client.ssl);
ret->client_cert_type = peer_pkey_type(server.ssl);
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index a7df584..2736057 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -52,6 +52,8 @@
int server_sign_hash;
/* server signature type */
int server_sign_type;
+ /* server CA names */
+ STACK_OF(X509_NAME) *server_ca_names;
/* client certificate key type */
int client_cert_type;
/* client signing hash */
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 0cdec46..9406f94 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -195,54 +195,6 @@
return 0;
}
-static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Tmp key", test_ctx->expected_tmp_key_type,
- result->tmp_key_type);
-}
-
-static int check_server_cert_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Server certificate", test_ctx->expected_server_cert_type,
- result->server_cert_type);
-}
-
-static int check_server_sign_hash(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Server signing hash", test_ctx->expected_server_sign_hash,
- result->server_sign_hash);
-}
-
-static int check_server_sign_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Server signing", test_ctx->expected_server_sign_type,
- result->server_sign_type);
-}
-
-static int check_client_cert_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Client certificate", test_ctx->expected_client_cert_type,
- result->client_cert_type);
-}
-
-static int check_client_sign_hash(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Client signing hash", test_ctx->expected_client_sign_hash,
- result->client_sign_hash);
-}
-
-static int check_client_sign_type(HANDSHAKE_RESULT *result,
- SSL_TEST_CTX *test_ctx)
-{
- return check_nid("Client signing", test_ctx->expected_client_sign_type,
- result->client_sign_type);
-}
-
static void print_ca_names(STACK_OF(X509_NAME) *names)
{
BIO *err;
@@ -291,6 +243,62 @@
return 0;
}
+static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Tmp key", test_ctx->expected_tmp_key_type,
+ result->tmp_key_type);
+}
+
+static int check_server_cert_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server certificate", test_ctx->expected_server_cert_type,
+ result->server_cert_type);
+}
+
+static int check_server_sign_hash(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server signing hash", test_ctx->expected_server_sign_hash,
+ result->server_sign_hash);
+}
+
+static int check_server_sign_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Server signing", test_ctx->expected_server_sign_type,
+ result->server_sign_type);
+}
+
+static int check_server_ca_names(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_ca_names("Server CA names",
+ test_ctx->expected_server_ca_names,
+ result->server_ca_names);
+}
+
+static int check_client_cert_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client certificate", test_ctx->expected_client_cert_type,
+ result->client_cert_type);
+}
+
+static int check_client_sign_hash(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client signing hash", test_ctx->expected_client_sign_hash,
+ result->client_sign_hash);
+}
+
+static int check_client_sign_type(HANDSHAKE_RESULT *result,
+ SSL_TEST_CTX *test_ctx)
+{
+ return check_nid("Client signing", test_ctx->expected_client_sign_type,
+ result->client_sign_type);
+}
+
static int check_client_ca_names(HANDSHAKE_RESULT *result,
SSL_TEST_CTX *test_ctx)
{
@@ -324,6 +332,7 @@
ret &= check_server_cert_type(result, test_ctx);
ret &= check_server_sign_hash(result, test_ctx);
ret &= check_server_sign_type(result, test_ctx);
+ ret &= check_server_ca_names(result, test_ctx);
ret &= check_client_cert_type(result, test_ctx);
ret &= check_client_sign_hash(result, test_ctx);
ret &= check_client_sign_type(result, test_ctx);
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 7189777..6a3b9d1 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -546,6 +546,11 @@
*pnames = SSL_load_client_CA_file(value);
return *pnames != NULL;
}
+__owur static int parse_expected_server_ca_names(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ return parse_expected_ca_names(&test_ctx->expected_server_ca_names, value);
+}
__owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx,
const char *value)
{
@@ -580,6 +585,7 @@
{ "ExpectedServerCertType", &parse_expected_server_cert_type },
{ "ExpectedServerSignHash", &parse_expected_server_sign_hash },
{ "ExpectedServerSignType", &parse_expected_server_sign_type },
+ { "ExpectedServerCANames", &parse_expected_server_ca_names },
{ "ExpectedClientCertType", &parse_expected_client_cert_type },
{ "ExpectedClientSignHash", &parse_expected_client_sign_hash },
{ "ExpectedClientSignType", &parse_expected_client_sign_type },
@@ -661,6 +667,7 @@
ssl_test_ctx_free_extra_data(ctx);
OPENSSL_free(ctx->expected_npn_protocol);
OPENSSL_free(ctx->expected_alpn_protocol);
+ sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
OPENSSL_free(ctx);
}
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 0b37b15..54cefb6 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -188,6 +188,8 @@
int expected_server_sign_hash;
/* Expected server signature type */
int expected_server_sign_type;
+ /* Expected server CA names */
+ STACK_OF(X509_NAME) *expected_server_ca_names;
/* Expected client certificate key type */
int expected_client_cert_type;
/* Expected client signing hash */
