authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-28 11:25:59 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-01-14 14:44:21 +0100
commit76ed0c0ad119569f6e6f6c96b27b76d3b110413b (patch)
treebdae34b497cf9cec3af395d52d43cc1f228de95e /test
parentfb1e2411042f0367c2560e4ec5e4b1189ca9cd45 (diff)
x509_vfy.c: Fix a regression in find_isser()
...in case the candidate issuer cert is identical to the target cert. Fixes #13739 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13749)
Diffstat (limited to 'test')
-rw-r--r--test/recipes/70-test_verify_extra.t3
-rw-r--r--test/verify_extra_test.c53
2 files changed, 52 insertions, 4 deletions
diff --git a/test/recipes/70-test_verify_extra.t b/test/recipes/70-test_verify_extra.t
index 79a33cd016..e3bdcbaaf9 100644
--- a/test/recipes/70-test_verify_extra.t
+++ b/test/recipes/70-test_verify_extra.t
@@ -16,4 +16,5 @@ plan tests => 1;
ok(run(test(["verify_extra_test",
srctop_file("test", "certs", "roots.pem"),
srctop_file("test", "certs", "untrusted.pem"),
- srctop_file("test", "certs", "bad.pem")])));
+ srctop_file("test", "certs", "bad.pem"),
+ srctop_file("test", "certs", "rootCA.pem")])));
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c
index d9d1498954..94faa4c78b 100644
--- a/test/verify_extra_test.c
+++ b/test/verify_extra_test.c
@@ -18,6 +18,21 @@
static const char *roots_f;
static const char *untrusted_f;
static const char *bad_f;
+static const char *good_f;
+
+static X509 *load_cert_pem(const char *file)
+{
+ X509 *cert = NULL;
+ BIO *bio = NULL;
+
+ if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
+ return NULL;
+ if (TEST_int_gt(BIO_read_filename(bio, file), 0))
+ (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
+
+ BIO_free(bio);
+ return cert;
+}
static STACK_OF(X509) *load_certs_from_file(const char *filename)
{
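Review bot: load_cert_pem() has no comment stating its contract, and the detail a reader needs is that `PEM_read_bio_X509()` reads only the first certificate in the file. For a file holding several certificates, only that first entry would be exercised by the new self-signed tests; whether bad.pem is such a file is not visible in this diff. I would add above the function `/* Load the first PEM certificate from file; returns NULL after logging a test failure. Caller frees with X509_free(). */`.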
@@ -58,7 +73,7 @@ static STACK_OF(X509) *load_certs_from_file(const char *filename)
return certs;
}
-/*
+/*-
* Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
*
* Chain is as follows:
@@ -175,16 +190,48 @@ static int test_store_ctx(void)
return testresult;
}
+static int test_self_signed(const char *filename, int expected)
+{
+ X509 *cert = load_cert_pem(filename);
+ STACK_OF(X509) *trusted = sk_X509_new_null();
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+ int ret;
+
+ ret = TEST_ptr(cert)
+ && TEST_true(sk_X509_push(trusted, cert))
+ && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL));
+ X509_STORE_CTX_trusted_stack(ctx, trusted);
+ ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected);
+
+ X509_STORE_CTX_free(ctx);
+ sk_X509_free(trusted);
+ X509_free(cert);
+ return ret;
+}
+
+static int test_self_signed_good(void)
+{
+ return test_self_signed(good_f, 1);
+}
+
+static int test_self_signed_bad(void)
+{
+ return test_self_signed(bad_f, 0);
+}
+
int setup_tests(void)
{
if (!TEST_ptr(roots_f = test_get_argument(0))
|| !TEST_ptr(untrusted_f = test_get_argument(1))
- || !TEST_ptr(bad_f = test_get_argument(2))) {
- TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n");
+ || !TEST_ptr(bad_f = test_get_argument(2))
+ || !TEST_ptr(good_f = test_get_argument(3))) {
+ TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n");
return 0;
}
ADD_TEST(test_alt_chains_cert_forgery);
ADD_TEST(test_store_ctx);
+ ADD_TEST(test_self_signed_good);
+ ADD_TEST(test_self_signed_bad);
return 1;
}
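Review bot: In test_self_signed() the results of `sk_X509_new_null()` and `X509_STORE_CTX_new()` are never checked, and `X509_STORE_CTX_trusted_stack(ctx, trusted)` runs unconditionally. A failed context allocation would therefore reach that call with a NULL `ctx` (as far as I know the setter writes through `ctx` without a NULL check) instead of reporting a test failure. Adding `TEST_ptr(trusted) && TEST_ptr(ctx)` to the `ret` chain and guarding the call as `if (ret) X509_STORE_CTX_trusted_stack(ctx, trusted);` keeps the failure path clean. Separately, test_self_signed_bad only asserts that `X509_verify_cert()` returns 0, so it would also pass if bad.pem were rejected for an unrelated reason. Comparing `X509_STORE_CTX_get_error(ctx)` against the error this regression is expected to produce would pin the case the commit is about.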