Diffstat (limited to 'test')
-rw-r--r--test/ct_test.c22
-rw-r--r--test/recipes/80-test_ssl_old.t27
-rw-r--r--test/ssltest_old.c14
3 files changed, 31 insertions, 32 deletions
diff --git a/test/ct_test.c b/test/ct_test.c
index 5446f9d0da..bdd5b84806 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -402,6 +402,17 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
goto end;
}
+ if (fixture.test_validity && cert != NULL) {
+ int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
+ if (is_sct_validated < 0) {
+ fprintf(stderr, "Error validating SCT\n");
+ goto end;
+ } else if (!is_sct_validated) {
+ fprintf(stderr, "SCT failed verification\n");
+ goto end;
+ }
+ }
+
if (fixture.sct_text_file
&& compare_sct_printout(sct, expected_sct_text)) {
goto end;
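Review bot: The SCT_validate block now runs before `compare_sct_printout`, but nothing marks the order as deliberate, so a later tidy-up could move it back. If the expected printout depends on state that validation records on the SCT (inferred from the move, not visible here), a comment above the `if` such as `/* Validate first: the expected SCT text reflects the validation result. */` would pin that. Separately, `fixture.test_validity && cert != NULL` skips validation without any message when a fixture asks for it but no certificate was loaded; whether that can happen depends on code outside this hunk. execute_cert_test starts and ends outside the hunk.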
@@ -413,17 +424,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
fprintf(stderr, "Failed to encode SCT into TLS format correctly\n");
goto end;
}
-
- if (fixture.test_validity && cert != NULL) {
- int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
- if (is_sct_validated < 0) {
- fprintf(stderr, "Error validating SCT\n");
- goto end;
- } else if (!is_sct_validated) {
- fprintf(stderr, "SCT failed verification\n");
- goto end;
- }
- }
}
success = 1;
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 855e7c66f4..13fcfbe6df 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -811,20 +811,21 @@ sub testssl {
plan tests => 3;
SKIP: {
- skip "Certificate Transparency is not supported by this OpenSSL build", 3
- if $no_ct;
- skip "TLSv1.0 is not supported by this OpenSSL build", 3
- if $no_tls1;
-
- $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-noct"])));
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requestct"])));
- # No SCTs provided, so this should fail.
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requirect",
- "-should_negotiate", "fail-client"])));
- }
+ skip "Certificate Transparency is not supported by this OpenSSL build", 3
+ if $no_ct;
+ skip "TLSv1.0 is not supported by this OpenSSL build", 3
+ if $no_tls1;
+
+ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+ my @ca = qw(-CAfile certCA.ss);
+ ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-noct"])));
+ # No SCTs provided, so this should fail.
+ ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-ct",
+ "-should_negotiate", "fail-client"])));
+ # No SCTs provided, unverified chains still succeed.
+ ok(run(test([@ssltest, "-bio_pair", "-tls1", "-ct"])));
+ }
};
-
}
sub testsslproxy {
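Review bot: The strict-CT runs have no passing case with a verified chain: the two `-ct` runs check failure with `@ca` and success without it, so a regression that made strict mode reject every verified chain would still pass all three tests. A run against a server that supplies valid SCTs would close that gap, if the harness can provide one. The comment on the last run would be clearer as `# No SCTs provided, but without -CAfile the chain is not verified, so strict CT does not fail the handshake.`, since that is the security-relevant behaviour being pinned (inferred from the test arguments).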
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 8018b3bd16..e3f8d774cb 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1113,7 +1113,7 @@ int main(int argc, char *argv[])
* Disable CT validation by default, because it will interfere with
* anything using custom extension handlers to deal with SCT extensions.
*/
- ct_validation_cb ct_validation = NULL;
+ int ct_validation = 0;
#endif
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
@@ -1300,13 +1300,10 @@ int main(int argc, char *argv[])
}
#ifndef OPENSSL_NO_CT
else if (strcmp(*argv, "-noct") == 0) {
- ct_validation = NULL;
+ ct_validation = 0;
}
- else if (strcmp(*argv, "-requestct") == 0) {
- ct_validation = CT_verify_no_bad_scts;
- }
- else if (strcmp(*argv, "-requirect") == 0) {
- ct_validation = CT_verify_at_least_one_good_sct;
+ else if (strcmp(*argv, "-ct") == 0) {
+ ct_validation = 1;
}
#endif
#ifndef OPENSSL_NO_COMP
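Review bot: Collapsing `-requestct` and `-requirect` into a single `-ct` leaves this harness able to reach only one CT mode, so the lenient behaviour that `-requestct` used to exercise loses its coverage here. If permissive mode is still meant to be tested from ssltest_old, a second flag selecting `SSL_CT_VALIDATION_PERMISSIVE` would restore it. Any usage text in main() that lists the old option names lies outside this hunk and would need the same rename.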
@@ -1633,7 +1630,8 @@ int main(int argc, char *argv[])
}
#ifndef OPENSSL_NO_CT
- if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
+ if (ct_validation &&
+ !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
ERR_print_errors(bio_err);
goto end;
}
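Review bot: When `ct_validation` is 0 no call is made at all, so `-noct` now depends on the SSL_CTX default instead of explicitly clearing the callback, as the removed `SSL_CTX_set_ct_validation_callback` call did with a NULL argument. A short comment above the `if`, e.g. `/* CT is left at the context default unless -ct was given. */`, would record that assumption next to the code that relies on it. main() continues outside the hunk.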