diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-28 11:25:59 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-01-13 09:09:36 +0100 |
| commit | 4dd009180a06ad973620c5beec28f2a6839c16ca (patch) | |
| tree | fbefafe832629a9d91ca06310e0be85b9cb6fe9b /test/verify_extra_test.c | |
| parent | Make PEM_X509_INFO_read_bio_ex() conservative on the error queue (diff) | |
| download | openssl-4dd009180a06ad973620c5beec28f2a6839c16ca.tar.xz openssl-4dd009180a06ad973620c5beec28f2a6839c16ca.zip | |
x509_vfy.c: Fix a regression in find_issuer()
...in case the candidate issuer cert is identical to the target cert.
This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
Diffstat (limited to 'test/verify_extra_test.c')
| -rw-r--r-- | test/verify_extra_test.c | 60 |
1 files changed, 24 insertions, 36 deletions
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index 300cca3fe4..1b308ca84b 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -24,7 +24,7 @@ static const char *req_f; #define load_cert_from_file(file) load_cert_pem(file, NULL) -/* +/*- * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: @@ -99,37 +99,6 @@ static int test_alt_chains_cert_forgery(void) return ret; } -static int test_store_ctx(void) -{ - X509_STORE_CTX *sctx = NULL; - X509 *x = NULL; - int testresult = 0, ret; - - x = load_cert_from_file(bad_f); - if (x == NULL) - goto err; - - sctx = X509_STORE_CTX_new(); - if (sctx == NULL) - goto err; - - if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) - goto err; - - /* Verifying a cert where we have no trusted certs should fail */ - ret = X509_verify_cert(sctx); - - if (ret == 0) { - /* This is the result we were expecting: Test passed */ - testresult = 1; - } - - err: - X509_STORE_CTX_free(sctx); - X509_free(x); - return testresult; -} - OPT_TEST_DECLARE_USAGE("roots.pem untrusted.pem bad.pem\n") static int test_distinguishing_id(void) @@ -206,30 +175,49 @@ static int test_req_distinguishing_id(void) return ret; } -static int test_self_signed(const char *filename, int expected) +static int test_self_signed(const char *filename, int use_trusted, int expected) { X509 *cert; + STACK_OF(X509) *trusted = sk_X509_new_null(); + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); int ret; cert = load_cert_from_file(filename); /* may result in NULL */ ret = TEST_int_eq(X509_self_signed(cert, 1), expected); + + if (cert != NULL) { + if (use_trusted) + ret = ret && TEST_true(sk_X509_push(trusted, cert)); + ret = ret && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL)); + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); + ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected); + } + + X509_STORE_CTX_free(ctx); + sk_X509_free(trusted); X509_free(cert); return ret; } static int test_self_signed_good(void) { - return test_self_signed(root_f, 1); + return test_self_signed(root_f, 1, 1); } static int test_self_signed_bad(void) { - return test_self_signed(bad_f, 0); + return test_self_signed(bad_f, 1, 0); } static int test_self_signed_error(void) { - return test_self_signed("nonexistent file name", -1); + return test_self_signed("nonexistent file name", 1, -1); +} + +static int test_store_ctx(void) +{ + /* Verifying a cert where we have no trusted certs should fail */ + return test_self_signed(bad_f, 0, 0); } int setup_tests(void) |