Extends s_client to allow a basic CT policy to be enabled

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rob Percival
2016-03-02 13:34:05 +00:00
committed by Rich Salz
parent 98d8ddd254
commit dd696a55a2
8 changed files with 192 additions and 19 deletions


@@ -13,10 +13,10 @@ setup("test_ssl");
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
$no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
$no_dtls, $no_dtls1, $no_dtls1_2) =
$no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
anydisabled qw/rsa dsa dh ec srp psk
ssl3 tls1 tls1_1 tls1_2
dtls dtls1 dtls1_2/;
dtls dtls1 dtls1_2 ct/;
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
@@ -64,7 +64,7 @@ my $P2intermediate="tmp_intP2.ss";
plan tests =>
1 # For testss
+ 1 # For ssltest -test_cipherlist
+ 10 # For the first testssl
+ 11 # For the first testssl
+ 16 # For the first testsslproxy
+ 16 # For the second testsslproxy
;
@@ -325,7 +325,7 @@ sub testssl {
}
# plan tests => 10;
# plan tests => 11;
subtest 'standard SSL tests' => sub {
######################################################################
@@ -762,6 +762,27 @@ sub testssl {
ok($ok);
}}}}}
};
subtest 'Certificate Transparency tests' => sub {
######################################################################
plan tests => 3;
SKIP: {
skip "Certificate Transparency is not supported by this OpenSSL build", 3
if $no_ct;
skip "TLSv1.0 is not supported by this OpenSSL build", 3
if $no_tls1;
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-noct"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requestct"])));
# No SCTs provided, so this should fail.
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requirect",
"-should_negotiate", "fail-client"])));
}
};
}
sub testsslproxy {
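Review bot: The `$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");` assignment inside the new 'Certificate Transparency tests' subtest is a global change to the test process environment and is never restored, so every ssltest invocation that follows in this file (the remaining testssl runs and both testsslproxy runs) inherits the CT log list even though they do not ask for CT. Scoping it to the SKIP block with `local $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");` keeps the rest of the suite unaffected and makes the subtest self-contained. It is also worth a one-line comment next to the `-noct` case saying it only checks that the option is accepted, since, as far as the C side visible on this page shows, it sets the same callback value as the default; confirm against ssltest.c before wording it. The enclosing `sub testssl` starts before the first hunk of this section; only its closing brace is visible here.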


@@ -187,6 +187,9 @@
# include <openssl/srp.h>
#endif
#include <openssl/bn.h>
#ifndef OPENSSL_NO_CT
# include <openssl/ct.h>
#endif
#include "../ssl/ssl_locl.h"
@@ -493,8 +496,6 @@ static int verify_alpn(SSL *client, SSL *server)
return -1;
}
#define SCT_EXT_TYPE 18
/*
* WARNING : below extension types are *NOT* IETF assigned, and could
* conflict if these types are reassigned and handled specially by OpenSSL
@@ -529,7 +530,7 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char *in, size_t inlen,
int *al, void *arg)
{
if (ext_type == SCT_EXT_TYPE)
if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
serverinfo_sct_seen++;
else if (ext_type == TACK_EXT_TYPE)
serverinfo_tack_seen++;
@@ -838,6 +839,11 @@ static void sv_usage(void)
fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
#ifndef OPENSSL_NO_CT
fprintf(stderr, " -noct - no certificate transparency\n");
fprintf(stderr, " -requestct - request certificate transparency\n");
fprintf(stderr, " -requirect - require certificate transparency\n");
#endif
}
static void print_key_details(BIO *out, EVP_PKEY *key)
@@ -1057,6 +1063,14 @@ int main(int argc, char *argv[])
#endif
int no_protocol;
#ifndef OPENSSL_NO_CT
/*
* Disable CT validation by default, because it will interfere with
* anything using custom extension handlers to deal with SCT extensions.
*/
ct_validation_cb ct_validation = NULL;
#endif
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
char *arg = NULL, *argn = NULL;
@@ -1229,6 +1243,17 @@ int main(int argc, char *argv[])
} else if (strcmp(*argv, "-time") == 0) {
print_time = 1;
}
#ifndef OPENSSL_NO_CT
else if (strcmp(*argv, "-noct") == 0) {
ct_validation = NULL;
}
else if (strcmp(*argv, "-requestct") == 0) {
ct_validation = CT_verify_no_bad_scts;
}
else if (strcmp(*argv, "-requirect") == 0) {
ct_validation = CT_verify_at_least_one_good_sct;
}
#endif
#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv, "-zlib") == 0) {
comp = COMP_ZLIB;
@@ -1512,6 +1537,13 @@ int main(int argc, char *argv[])
}
}
#ifndef OPENSSL_NO_CT
if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
ERR_print_errors(bio_err);
goto end;
}
#endif
/* Process SSL_CONF arguments */
SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
@@ -1586,15 +1618,18 @@ int main(int argc, char *argv[])
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_set_default_ctlog_list_file(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx)) ||
(!SSL_CTX_set_default_ctlog_list_file(c_ctx))) {
(!SSL_CTX_set_default_verify_paths(c_ctx))) {
/* fprintf(stderr,"SSL_load_verify_locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
!SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
ERR_print_errors(bio_err);
}
if (client_auth) {
printf("client authentication\n");
SSL_CTX_set_verify(s_ctx,
@@ -1684,9 +1719,10 @@ int main(int argc, char *argv[])
#endif
if (serverinfo_sct) {
if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL)) {
if (!SSL_CTX_add_client_custom_ext(c_ctx,
TLSEXT_TYPE_signed_certificate_timestamp,
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err, "Error adding SCT extension\n");
goto end;
}