Use ERR marks also when verifying server X.509 certs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(cherry picked from commit 739c4b2e92)
Viktor Dukhovni 2024-12-20 04:26:20 +11:00 committed by Neil Horman
parent 738d4f9fde
commit d3d16e36cc
2 changed files with 26 additions and 27 deletions


@ -2082,10 +2082,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
if (s->rwstate == SSL_RETRY_VERIFY)
s->rwstate = SSL_NOTHING;
i = ssl_verify_cert_chain(s, s->session->peer_chain);
if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) {
return WORK_MORE_A;
}
/*
* The documented interface is that SSL_VERIFY_PEER should be set in order
* for client side verification of the server certificate to take place.
@ -2100,12 +2097,17 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
* (less clean) historic behaviour of performing validation if any flag is
* set. The *documented* interface remains the same.
*/
if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
ERR_set_mark();
i = ssl_verify_cert_chain(s, s->session->peer_chain);
if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) {
ERR_clear_last_mark();
SSLfatal(s, ssl_x509err2alert(s->verify_result),
SSL_R_CERTIFICATE_VERIFY_FAILED);
return WORK_ERROR;
}
ERR_clear_error(); /* but we keep s->verify_result */
ERR_pop_to_mark(); /* but we keep s->verify_result */
if (i > 0 && s->rwstate == SSL_RETRY_VERIFY)
return WORK_MORE_A;
/*
* Inconsistency alert: cert_chain does include the peer's certificate,
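Review bot: The trailing comment on `ERR_pop_to_mark();` does not say which case it covers. That line is reached when the chain verified, and also when `ssl_verify_cert_chain()` returned `i <= 0` with `s->verify_mode == SSL_VERIFY_NONE`; in the second case the queued verification errors are discarded and processing continues with a server certificate that failed validation. From then on `s->verify_result` is the only record of the failure, which callers read through `SSL_get_verify_result()`, so I would spell that out, e.g. `/* SSL_VERIFY_NONE: a failed chain is not fatal; drop its queued errors, the outcome stays in s->verify_result */`. The mark handling looks balanced on the visible paths: `ERR_clear_last_mark()` before `SSLfatal`, and `ERR_pop_to_mark()` otherwise, including the `WORK_MORE_A` retry return. The function body starts and ends outside these hunks.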


@ -490,24 +490,22 @@ static int test_rpk(int idx)
}
/* Make sure client gets RPK or certificate as configured */
if (expected == 1) {
if (idx_server_server_rpk && idx_client_server_rpk) {
if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result))
goto end;
if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
goto end;
} else {
if (!TEST_ptr(SSL_get0_peer_certificate(clientssl)))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509))
goto end;
}
if (idx_server_server_rpk && idx_client_server_rpk) {
if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result))
goto end;
if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
goto end;
} else {
if (!TEST_ptr(SSL_get0_peer_certificate(clientssl)))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509))
goto end;
}
if (idx == 9) {
@ -534,8 +532,7 @@ static int test_rpk(int idx)
if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk))
goto end;
} else {
/* only if connection is expected to succeed */
if (expected == 1 && !TEST_ptr(SSL_get0_peer_certificate(serverssl)))
if (!TEST_ptr(SSL_get0_peer_certificate(serverssl)))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_x509))
goto end;
@ -625,7 +622,7 @@ static int test_rpk(int idx)
}
ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
if (!TEST_int_eq(expected, ret))
if (!TEST_true(ret))
goto end;
verify = SSL_get_verify_result(clientssl);
if (!TEST_int_eq(client_expected, verify))