diff options
author | Matt Caswell <matt@openssl.org> | 2018-08-13 15:23:27 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-08-20 15:14:01 +0100 |
commit | 32097b33bdff520d149ad6c8a11bd344e4ef764b (patch) | |
tree | c46929e459ee7c2688765c56afbf329f38a6edda /test | |
parent | 756510c102885005c2fc31eb01e3a6b95f8ed985 (diff) |
Change Post Handshake auth so that it is opt-in
Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.
Fixes #6933.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
Diffstat (limited to 'test')
-rw-r--r-- | test/handshake_helper.c | 4 | ||||
-rw-r--r-- | test/recipes/70-test_tls13messages.t | 2 | ||||
-rw-r--r-- | test/ssl-tests/26-tls13_client_auth.conf | 16 | ||||
-rw-r--r-- | test/ssl-tests/26-tls13_client_auth.conf.in | 33 | ||||
-rw-r--r-- | test/ssl_test_ctx.c | 6 | ||||
-rw-r--r-- | test/ssl_test_ctx.h | 4 | ||||
-rw-r--r-- | test/sslapitest.c | 6 |
7 files changed, 46 insertions, 25 deletions
diff --git a/test/handshake_helper.c b/test/handshake_helper.c index c40a0e7c92..a5b8d8007a 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -726,8 +726,8 @@ static void configure_handshake_ssl(SSL *server, SSL *client, if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) SSL_set_tlsext_host_name(client, ssl_servername_name(extra->client.servername)); - if (extra->client.force_pha) - SSL_force_post_handshake_auth(client); + if (extra->client.enable_pha) + SSL_set_post_handshake_auth(client, 1); } /* The status for each connection phase. */ diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index 35f36b6c33..be6a2db5d6 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -214,7 +214,7 @@ SKIP: { #Test 6: A client auth handshake $proxy->clear(); -$proxy->clientflags("-cert ".srctop_file("apps", "server.pem")); +$proxy->clientflags("-enable_pha -cert ".srctop_file("apps", "server.pem")); $proxy->serverflags("-Verify 5"); $proxy->start(); checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE, diff --git a/test/ssl-tests/26-tls13_client_auth.conf b/test/ssl-tests/26-tls13_client_auth.conf index 55361dde73..9c42391906 100644 --- a/test/ssl-tests/26-tls13_client_auth.conf +++ b/test/ssl-tests/26-tls13_client_auth.conf @@ -299,6 +299,10 @@ ExpectedClientSignHash = SHA256 ExpectedClientSignType = RSA-PSS ExpectedResult = Success HandshakeMode = PostHandshakeAuth +client = 8-client-auth-TLSv1.3-require-post-handshake-client-extra + +[8-client-auth-TLSv1.3-require-post-handshake-client-extra] +EnablePHA = Yes # =========================================================== @@ -337,6 +341,10 @@ ExpectedClientSignHash = SHA256 ExpectedClientSignType = RSA-PSS ExpectedResult = Success HandshakeMode = PostHandshakeAuth +client = 9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client-extra + +[9-client-auth-TLSv1.3-require-non-empty-names-post-handshake-client-extra] +EnablePHA = Yes # =========================================================== @@ -369,6 +377,10 @@ VerifyMode = Peer ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA HandshakeMode = PostHandshakeAuth +client = 10-client-auth-TLSv1.3-noroot-post-handshake-client-extra + +[10-client-auth-TLSv1.3-noroot-post-handshake-client-extra] +EnablePHA = Yes # =========================================================== @@ -401,7 +413,7 @@ HandshakeMode = PostHandshakeAuth client = 11-client-auth-TLSv1.3-request-force-client-post-handshake-client-extra [11-client-auth-TLSv1.3-request-force-client-post-handshake-client-extra] -ForcePHA = Yes +EnablePHA = Yes # =========================================================== @@ -471,6 +483,6 @@ client = 13-client-auth-TLSv1.3-request-force-both-post-handshake-client-extra ForcePHA = Yes [13-client-auth-TLSv1.3-request-force-both-post-handshake-client-extra] -ForcePHA = Yes +EnablePHA = Yes diff --git a/test/ssl-tests/26-tls13_client_auth.conf.in b/test/ssl-tests/26-tls13_client_auth.conf.in index e53cda2304..018dd825be 100644 --- a/test/ssl-tests/26-tls13_client_auth.conf.in +++ b/test/ssl-tests/26-tls13_client_auth.conf.in @@ -176,6 +176,9 @@ our @tests = ( "MaxProtocol" => "TLSv1.3", "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), + extra => { + "EnablePHA" => "Yes", + }, }, test => { "ExpectedResult" => "Success", @@ -201,6 +204,9 @@ our @tests = ( "MaxProtocol" => "TLSv1.3", "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), + extra => { + "EnablePHA" => "Yes", + }, }, test => { "ExpectedResult" => "Success", @@ -223,6 +229,9 @@ our @tests = ( "MaxProtocol" => "TLSv1.3", "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), + extra => { + "EnablePHA" => "Yes", + }, }, test => { "ExpectedResult" => "ServerFail", @@ -240,9 +249,9 @@ our @tests = ( client => { "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3", - extra => { - "ForcePHA" => "Yes", - }, + extra => { + "EnablePHA" => "Yes", + }, }, test => { "ExpectedResult" => "Success", @@ -255,9 +264,9 @@ our @tests = ( "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3", "VerifyMode" => "RequestPostHandshake", - extra => { - "ForcePHA" => "Yes", - }, + extra => { + "ForcePHA" => "Yes", + }, }, client => { "MinProtocol" => "TLSv1.3", @@ -274,16 +283,16 @@ our @tests = ( "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3", "VerifyMode" => "RequestPostHandshake", - extra => { - "ForcePHA" => "Yes", - }, + extra => { + "ForcePHA" => "Yes", + }, }, client => { "MinProtocol" => "TLSv1.3", "MaxProtocol" => "TLSv1.3", - extra => { - "ForcePHA" => "Yes", - }, + extra => { + "EnablePHA" => "Yes", + }, }, test => { "ExpectedResult" => "Success", diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c index cb4b8606e2..753338530d 100644 --- a/test/ssl_test_ctx.c +++ b/test/ssl_test_ctx.c @@ -629,9 +629,9 @@ __owur static int parse_expected_client_ca_names(SSL_TEST_CTX *test_ctx, IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_cipher) -/* Client and Server ForcePHA */ +/* Client and Server PHA */ -IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, force_pha) +IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha) /* Known test options and their corresponding parse methods. */ @@ -689,7 +689,7 @@ static const ssl_test_client_option ssl_test_client_options[] = { { "SRPUser", &parse_client_srp_user }, { "SRPPassword", &parse_client_srp_password }, { "MaxFragmentLenExt", &parse_max_fragment_len_mode }, - { "ForcePHA", &parse_client_force_pha }, + { "EnablePHA", &parse_client_enable_pha }, }; /* Nested server options. */ diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index e26c207657..86d227d865 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -108,8 +108,8 @@ typedef struct { char *reneg_ciphers; char *srp_user; char *srp_password; - /* Forced PHA */ - int force_pha; + /* PHA enabled */ + int enable_pha; } SSL_TEST_CLIENT_CONF; typedef struct { diff --git a/test/sslapitest.c b/test/sslapitest.c index c65bf59ffd..81761f2f65 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1270,7 +1270,7 @@ static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ) || !TEST_true(SSL_set_session(clientssl, sesscache[i]))) goto end; - SSL_force_post_handshake_auth(clientssl); + SSL_set_post_handshake_auth(clientssl, 1); if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) @@ -1377,7 +1377,7 @@ static int test_tickets(int stateful, int idx) &clientssl, NULL, NULL))) goto end; - SSL_force_post_handshake_auth(clientssl); + SSL_set_post_handshake_auth(clientssl, 1); if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) @@ -4336,7 +4336,7 @@ static int test_pha_key_update(void) NULL, NULL))) goto end; - SSL_force_post_handshake_auth(clientssl); + SSL_set_post_handshake_auth(clientssl, 1); if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) |