
Test cert_cb and certificate verify ordering.

In particular, although CertificateRequest comes before Certificate and
CertificateVerify in TLS 1.3, we must not resolve the CertificateRequest until
afterwards. (This is rather annoying ordering, but does mean the
CertificateRequest is covered in the signature, which is nice to have.)

Change-Id: Iab95813de5efd674aa8e2459cfc7456b146ee754
Reviewed-on: https://boringssl-review.googlesource.com/29826
Reviewed-by: Jesse Selover <jselover@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin, 6 years ago
committed by CQ bot account: commit-bot@chromium.org
Parent
Current commit
5869eb3951
1 file changed, 24 additions and 0 deletions

ssl/ssl_test.cc (+24, -0)

@@ -4114,6 +4114,30 @@ TEST(SSLTest, HandoffDeclined) {
EXPECT_EQ(43, byte);
}

TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
// Configure the server to request client certificates.
SSL_CTX_set_custom_verify(
server_ctx_.get(), SSL_VERIFY_PEER,
[](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });

// Configure the client to reject the server certificate.
SSL_CTX_set_custom_verify(
client_ctx_.get(), SSL_VERIFY_PEER,
[](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });

// cert_cb should not be called. Verification should fail first.
SSL_CTX_set_cert_cb(client_ctx_.get(),
[](SSL *ssl, void *arg) {
ADD_FAILURE() << "cert_cb unexpectedly called";
return 0;
},
nullptr);

bssl::UniquePtr<SSL> client, server;
EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
server_ctx_.get()));
}

// TODO(davidben): Convert this file to GTest properly.
TEST(SSLTest, AllTests) {
if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
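Review bot: The closing EXPECT_FALSE(ConnectClientAndServer(...)) in VerifyBeforeCertRequest only shows that the handshake failed, not that it failed in the client's verify callback. If the handshake broke for an unrelated reason before either client callback ran, the test would still pass, because the ADD_FAILURE inside cert_cb would never fire. Consider recording that the client's ssl_verify_invalid callback actually ran and asserting on that after the connect attempt, so the test pins the ordering rather than just the failure. The in-test comment "Verification should fail first" could also say why this matters for TLS 1.3, where CertificateRequest arrives before Certificate and CertificateVerify, since that reasoning currently lives only in the commit message.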

