diff options
Diffstat (limited to 'test')
| -rw-r--r-- | test/scripts/5600-OCSP-OpenSSL/5610 | 8 | ||||
| -rw-r--r-- | test/scripts/5600-OCSP-OpenSSL/5611 | 6 | ||||
| -rw-r--r-- | test/src/client.c | 40 | ||||
| -rw-r--r-- | test/stderr/5610 | 76 |
4 files changed, 45 insertions, 85 deletions
diff --git a/test/scripts/5600-OCSP-OpenSSL/5610 b/test/scripts/5600-OCSP-OpenSSL/5610 index c8668ea38..fccd94486 100644 --- a/test/scripts/5600-OCSP-OpenSSL/5610 +++ b/test/scripts/5600-OCSP-OpenSSL/5610 @@ -5,7 +5,7 @@ # '1: Server sends good staple on request' # exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp **** client-ssl \ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \ @@ -34,7 +34,7 @@ killdaemon # '2: Server does not staple an outdated response' # exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.dated.resp **** # XXX test sequence might not be quite right; this is for a server refusal # and we're expecting a client refusal. @@ -59,7 +59,7 @@ killdaemon # '3: Server does not staple a response for a revoked cert' # exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.revoked.resp **** client-ssl \ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \ @@ -84,7 +84,7 @@ killdaemon # '4: Connection functions when server is prepared to staple but client does not request it' # exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp **** # client-ssl \ diff --git a/test/scripts/5600-OCSP-OpenSSL/5611 b/test/scripts/5600-OCSP-OpenSSL/5611 index 248c44219..cb8f44fe1 100644 --- a/test/scripts/5600-OCSP-OpenSSL/5611 +++ b/test/scripts/5600-OCSP-OpenSSL/5611 @@ -15,7 +15,7 @@ killdaemon # # Client works when we don't request OCSP stapling exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp **** exim nostaple@test.ex test message. @@ -48,7 +48,7 @@ sudo rm spool/db/retry # # Client fails on revoked stapled info EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.revoked.resp **** exim CALLER@test.ex test message. @@ -63,7 +63,7 @@ sudo rm spool/db/retry # # Client fails on expired stapled info EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ - -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.dated.resp **** exim CALLER@test.ex test message. diff --git a/test/src/client.c b/test/src/client.c index fe646d64f..5e6b6472a 100644 --- a/test/src/client.c +++ b/test/src/client.c @@ -199,6 +199,33 @@ setup_verify(BIO *bp, char *CAfile, char *CApath) #ifndef DISABLE_OCSP +static STACK_OF(X509) * +cert_stack_from_store(X509_STORE * store) +{ +STACK_OF(X509_OBJECT) * roots= store->objs; +STACK_OF(X509) * sk = sk_X509_new_null(); +int i; + +for(i = sk_X509_OBJECT_num(roots) - 1; i >= 0; i--) + { + X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i); + if(tmp_obj->type == X509_LU_X509) + { + X509 * x = tmp_obj->data.x509; + sk_X509_push(sk, x); + } + } +return sk; +} + +static void +cert_stack_free(STACK_OF(X509) * sk) +{ +while (sk_X509_num(sk) > 0) (void) sk_X509_pop(sk); +sk_X509_free(sk); +} + + static int tls_client_stapling_cb(SSL *s, void *arg) { @@ -208,6 +235,7 @@ OCSP_RESPONSE *rsp; OCSP_BASICRESP *bs; char *CAfile = NULL; X509_STORE *store = NULL; +STACK_OF(X509) * sk; int ret = 1; len = SSL_get_tlsext_status_ocsp_resp(s, &p); @@ -229,6 +257,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) return 0; } + CAfile = ocsp_stapling; if(!(store = setup_verify(arg, CAfile, NULL))) { @@ -236,8 +265,14 @@ if(!(store = setup_verify(arg, CAfile, NULL))) return 0; } -/* No file of alternate certs, no options */ -if(OCSP_basic_verify(bs, NULL, store, 0) <= 0) +sk = cert_stack_from_store(store); + +/* OCSP_basic_verify takes a "store" arg, but does not +use it for the chain verification, which is all we do +when OCSP_NOVERIFY is set. The content from the wire +(in "bs") and a cert-stack "sk" are all that is used. */ + +if(OCSP_basic_verify(bs, sk, NULL, OCSP_NOVERIFY) <= 0) { BIO_printf(arg, "Response Verify Failure\n"); ERR_print_errors(arg); @@ -246,6 +281,7 @@ if(OCSP_basic_verify(bs, NULL, store, 0) <= 0) else BIO_printf(arg, "Response verify OK\n"); +cert_stack_free(sk); X509_STORE_free(store); return ret; } diff --git a/test/stderr/5610 b/test/stderr/5610 index 9282f1ea0..045fadc9b 100644 --- a/test/stderr/5610 +++ b/test/stderr/5610 @@ -1,78 +1,2 @@ ******** SERVER ******** -Exim version x.yz .... -configuration file is TESTSUITE/test-config -admin user -daemon_smtp_port overridden by -oX: - <: 1225 -listening on all interfaces (IPv6) port 1225 -listening on all interfaces (IPv4) port 1225 -pid written to TESTSUITE/spool/exim-daemon.pid -LOG: MAIN - exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -daemon running with uid=EXIM_UID gid=EXIM_GID euid=EXIM_UID egid=EXIM_GID -Listening... -Connection request from ip4.ip4.ip4.ip4 port 51808 -1 SMTP accept process running -Listening... -11402 Process 11402 is handling incoming connection from [ip4.ip4.ip4.ip4] -LOG: MAIN - acl_conn: ocsp in status: 0 (notreq) -Process 11402 is ready for new message -setting SSL CTX options: 0x1100000 -Diffie-Hellman initialized from default with 2048-bit prime -ECDH: curve 'prime256v1' -ECDH: enabled 'prime256v1' curve -tls_certificate file TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -tls_privatekey file TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key -tls_ocsp_file TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp -Initialized TLS -Added 1 certificate authorities. -Calling SSL_accept -SSL info: before/accept initialization -SSL info: before/accept initialization -Received TLS status request (OCSP stapling); have response -SSL info: SSLv3 read client hello A -SSL info: SSLv3 write server hello A -SSL info: SSLv3 write certificate A -SSL info: unknown state -SSL info: SSLv3 write key exchange A -SSL info: SSLv3 write certificate request A -SSL info: SSLv3 flush data -SSL authenticated verify ok: depth=0 SN=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -SSL info: SSLv3 read client certificate A -SSL info: SSLv3 read client key exchange A -SSL info: SSLv3 read certificate verify A -SSL info: SSLv3 read finished A -SSL info: SSLv3 write session ticket A -SSL info: SSLv3 write change cipher spec A -SSL info: SSLv3 write finished A -SSL info: SSLv3 flush data -SSL info: SSL negotiation finished successfully -SSL info: SSL negotiation finished successfully -SSL_accept was successful -Cipher: TLSv1:AES256-SHA:256 -Shared ciphers: AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-SHA:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-SHA:AES256-SHA:AES256-SHA:DHE-DSS-AES256-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA -TLS active -Calling SSL_read(0x970690, 0x981230, 4096) -LOG: MAIN - acl_mail: ocsp in status: 4 (verified) -tls_do_write(0x83cc40, 8) -SSL_write(SSL, 0x83cc40, 8) -outbytes=8 error=0 -Calling SSL_read(0x970690, 0x981230, 4096) -tls_do_write(0x83cc40, 14) -SSL_write(SSL, 0x83cc40, 14) -outbytes=14 error=0 -Calling SSL_read(0x970690, 0x981230, 4096) -tls_do_write(0x83cc40, 44) -SSL_write(SSL, 0x83cc40, 44) -outbytes=44 error=0 -tls_close(): shutting down SSL -SSL info: SSL negotiation finished successfully -LOG: smtp_connection MAIN - SMTP connection from [ip4.ip4.ip4.ip4] closed by QUIT -11398 child 11402 ended: status=0x0 -11398 normal exit, 0 -11398 0 SMTP accept processes now running -11398 Listening... |