Extend custom extension testing

Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16634) (cherry picked from commit 0db3a9904f)
2021-09-20 14:36:42 +01:00 · 2021-09-20 14:36:42 +01:00 · 549675c546
parent e164577e72
commit 549675c546
1 changed files with 28 additions and 9 deletions
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@ -5544,6 +5544,11 @@ static int sni_cb(SSL *s, int *al, void *arg)
    return SSL_TLSEXT_ERR_OK;
 }

+static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+    return 1;
+}
+
 /*
 * Custom call back tests.
 * Test 0: Old style callbacks in TLSv1.2
@ -5551,6 +5556,7 @@ static int sni_cb(SSL *s, int *al, void *arg)
 * Test 2: New style callbacks in TLSv1.2 with SNI
 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
+ * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
 */
 static int test_custom_exts(int tst)
 {
@ -5592,7 +5598,19 @@ static int test_custom_exts(int tst)
            SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
    }

-    if (tst == 4) {
+    if (tst == 5) {
+        context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+                  | SSL_EXT_TLS1_3_CERTIFICATE;
+        SSL_CTX_set_verify(sctx,
+                           SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                           verify_cb);
+        if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
+                                                      SSL_FILETYPE_PEM), 1)
+                || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
+                                                            SSL_FILETYPE_PEM), 1)
+                || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
+            goto end;
+    } else if (tst == 4) {
        context = SSL_EXT_CLIENT_HELLO
                  | SSL_EXT_TLS1_2_SERVER_HELLO
                  | SSL_EXT_TLS1_3_SERVER_HELLO
@ -5688,6 +5706,12 @@ static int test_custom_exts(int tst)
                || (tst != 2 && snicb != 0)
                || (tst == 2 && snicb != 1))
            goto end;
+    } else if (tst == 5) {
+        if (clntaddnewcb != 1
+                || clntparsenewcb != 1
+                || srvaddnewcb != 1
+                || srvparsenewcb != 1)
+            goto end;
    } else {
        /* In this case there 2 NewSessionTicket messages created */
        if (clntaddnewcb != 1
@ -5704,8 +5728,8 @@ static int test_custom_exts(int tst)
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

-    if (tst == 3) {
-        /* We don't bother with the resumption aspects for this test */
+    if (tst == 3 || tst == 5) {
+        /* We don't bother with the resumption aspects for these tests */
        testresult = 1;
        goto end;
    }
@ -8134,11 +8158,6 @@ err:
    return 0;
 }

-static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
-    return 1;
-}
-
 static int test_client_cert_cb(int tst)
 {
    SSL_CTX *cctx = NULL, *sctx = NULL;
@ -9659,7 +9678,7 @@ int setup_tests(void)
    /* Test with only TLSv1.3 versions */
    ADD_ALL_TESTS(test_key_exchange, 12);
 # endif
-    ADD_ALL_TESTS(test_custom_exts, 5);
+    ADD_ALL_TESTS(test_custom_exts, 6);
    ADD_TEST(test_stateless);
    ADD_TEST(test_pha_key_update);
 #else