1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci#include <stdio.h> 11e1051a39Sopenharmony_ci#include <string.h> 12e1051a39Sopenharmony_ci#include <ctype.h> 13e1051a39Sopenharmony_ci#include <limits.h> 14e1051a39Sopenharmony_ci#include <errno.h> 15e1051a39Sopenharmony_ci 16e1051a39Sopenharmony_ci#include <openssl/crypto.h> 17e1051a39Sopenharmony_ci#include <openssl/evp.h> 18e1051a39Sopenharmony_ci#include <openssl/x509.h> 19e1051a39Sopenharmony_ci#include <openssl/ssl.h> 20e1051a39Sopenharmony_ci#include <openssl/err.h> 21e1051a39Sopenharmony_ci#include <openssl/conf.h> 22e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_ENGINE 23e1051a39Sopenharmony_ci# include <openssl/engine.h> 24e1051a39Sopenharmony_ci#endif 25e1051a39Sopenharmony_ci#include "testutil.h" 26e1051a39Sopenharmony_ci 27e1051a39Sopenharmony_ci#include "internal/nelem.h" 28e1051a39Sopenharmony_ci 29e1051a39Sopenharmony_ci#define _UC(c) ((unsigned char)(c)) 30e1051a39Sopenharmony_ci 31e1051a39Sopenharmony_cistatic const char *basedomain; 32e1051a39Sopenharmony_cistatic const char *CAfile; 33e1051a39Sopenharmony_cistatic const char *tlsafile; 34e1051a39Sopenharmony_ci 35e1051a39Sopenharmony_ci/* 36e1051a39Sopenharmony_ci * Forward declaration, of function that uses internal interfaces, from headers 37e1051a39Sopenharmony_ci * included at the end of this module. 38e1051a39Sopenharmony_ci */ 39e1051a39Sopenharmony_cistatic void store_ctx_dane_init(X509_STORE_CTX *, SSL *); 40e1051a39Sopenharmony_ci 41e1051a39Sopenharmony_cistatic int saved_errno; 42e1051a39Sopenharmony_ci 43e1051a39Sopenharmony_cistatic void save_errno(void) 44e1051a39Sopenharmony_ci{ 45e1051a39Sopenharmony_ci saved_errno = errno; 46e1051a39Sopenharmony_ci} 47e1051a39Sopenharmony_ci 48e1051a39Sopenharmony_cistatic int restore_errno(void) 49e1051a39Sopenharmony_ci{ 50e1051a39Sopenharmony_ci int ret = errno; 51e1051a39Sopenharmony_ci errno = saved_errno; 52e1051a39Sopenharmony_ci return ret; 53e1051a39Sopenharmony_ci} 54e1051a39Sopenharmony_ci 55e1051a39Sopenharmony_cistatic int verify_chain(SSL *ssl, STACK_OF(X509) *chain) 56e1051a39Sopenharmony_ci{ 57e1051a39Sopenharmony_ci X509_STORE_CTX *store_ctx = NULL; 58e1051a39Sopenharmony_ci SSL_CTX *ssl_ctx = NULL; 59e1051a39Sopenharmony_ci X509_STORE *store = NULL; 60e1051a39Sopenharmony_ci int ret = 0; 61e1051a39Sopenharmony_ci int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 62e1051a39Sopenharmony_ci 63e1051a39Sopenharmony_ci if (!TEST_ptr(store_ctx = X509_STORE_CTX_new()) 64e1051a39Sopenharmony_ci || !TEST_ptr(ssl_ctx = SSL_get_SSL_CTX(ssl)) 65e1051a39Sopenharmony_ci || !TEST_ptr(store = SSL_CTX_get_cert_store(ssl_ctx)) 66e1051a39Sopenharmony_ci || !TEST_true(X509_STORE_CTX_init(store_ctx, store, NULL, chain)) 67e1051a39Sopenharmony_ci || !TEST_true(X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, 68e1051a39Sopenharmony_ci ssl))) 69e1051a39Sopenharmony_ci goto end; 70e1051a39Sopenharmony_ci 71e1051a39Sopenharmony_ci X509_STORE_CTX_set_default(store_ctx, SSL_is_server(ssl) 72e1051a39Sopenharmony_ci ? "ssl_client" : "ssl_server"); 73e1051a39Sopenharmony_ci X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx), 74e1051a39Sopenharmony_ci SSL_get0_param(ssl)); 75e1051a39Sopenharmony_ci store_ctx_dane_init(store_ctx, ssl); 76e1051a39Sopenharmony_ci 77e1051a39Sopenharmony_ci if (SSL_get_verify_callback(ssl) != NULL) 78e1051a39Sopenharmony_ci X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); 79e1051a39Sopenharmony_ci 80e1051a39Sopenharmony_ci /* Mask "internal failures" (-1) from our return value. */ 81e1051a39Sopenharmony_ci if (!TEST_int_ge(ret = X509_STORE_CTX_verify(store_ctx), 0)) 82e1051a39Sopenharmony_ci ret = 0; 83e1051a39Sopenharmony_ci 84e1051a39Sopenharmony_ci SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx)); 85e1051a39Sopenharmony_ci 86e1051a39Sopenharmony_ciend: 87e1051a39Sopenharmony_ci X509_STORE_CTX_free(store_ctx); 88e1051a39Sopenharmony_ci return ret; 89e1051a39Sopenharmony_ci} 90e1051a39Sopenharmony_ci 91e1051a39Sopenharmony_cistatic STACK_OF(X509) *load_chain(BIO *fp, int nelem) 92e1051a39Sopenharmony_ci{ 93e1051a39Sopenharmony_ci int count; 94e1051a39Sopenharmony_ci char *name = 0; 95e1051a39Sopenharmony_ci char *header = 0; 96e1051a39Sopenharmony_ci unsigned char *data = 0; 97e1051a39Sopenharmony_ci long len; 98e1051a39Sopenharmony_ci char *errtype = 0; /* if error: cert or pkey? */ 99e1051a39Sopenharmony_ci STACK_OF(X509) *chain; 100e1051a39Sopenharmony_ci typedef X509 *(*d2i_X509_t)(X509 **, const unsigned char **, long); 101e1051a39Sopenharmony_ci 102e1051a39Sopenharmony_ci if (!TEST_ptr(chain = sk_X509_new_null())) 103e1051a39Sopenharmony_ci goto err; 104e1051a39Sopenharmony_ci 105e1051a39Sopenharmony_ci for (count = 0; 106e1051a39Sopenharmony_ci count < nelem && errtype == 0 107e1051a39Sopenharmony_ci && PEM_read_bio(fp, &name, &header, &data, &len) == 1; 108e1051a39Sopenharmony_ci ++count) { 109e1051a39Sopenharmony_ci if (strcmp(name, PEM_STRING_X509) == 0 110e1051a39Sopenharmony_ci || strcmp(name, PEM_STRING_X509_TRUSTED) == 0 111e1051a39Sopenharmony_ci || strcmp(name, PEM_STRING_X509_OLD) == 0) { 112e1051a39Sopenharmony_ci d2i_X509_t d = strcmp(name, PEM_STRING_X509_TRUSTED) != 0 113e1051a39Sopenharmony_ci ? d2i_X509_AUX : d2i_X509; 114e1051a39Sopenharmony_ci X509 *cert; 115e1051a39Sopenharmony_ci const unsigned char *p = data; 116e1051a39Sopenharmony_ci 117e1051a39Sopenharmony_ci if (!TEST_ptr(cert = d(0, &p, len)) 118e1051a39Sopenharmony_ci || !TEST_long_eq(p - data, len)) { 119e1051a39Sopenharmony_ci TEST_info("Certificate parsing error"); 120e1051a39Sopenharmony_ci goto err; 121e1051a39Sopenharmony_ci } 122e1051a39Sopenharmony_ci 123e1051a39Sopenharmony_ci if (!TEST_true(sk_X509_push(chain, cert))) 124e1051a39Sopenharmony_ci goto err; 125e1051a39Sopenharmony_ci } else { 126e1051a39Sopenharmony_ci TEST_info("Unknown chain file object %s", name); 127e1051a39Sopenharmony_ci goto err; 128e1051a39Sopenharmony_ci } 129e1051a39Sopenharmony_ci 130e1051a39Sopenharmony_ci OPENSSL_free(name); 131e1051a39Sopenharmony_ci OPENSSL_free(header); 132e1051a39Sopenharmony_ci OPENSSL_free(data); 133e1051a39Sopenharmony_ci name = header = NULL; 134e1051a39Sopenharmony_ci data = NULL; 135e1051a39Sopenharmony_ci } 136e1051a39Sopenharmony_ci 137e1051a39Sopenharmony_ci if (count == nelem) { 138e1051a39Sopenharmony_ci ERR_clear_error(); 139e1051a39Sopenharmony_ci return chain; 140e1051a39Sopenharmony_ci } 141e1051a39Sopenharmony_ci 142e1051a39Sopenharmony_cierr: 143e1051a39Sopenharmony_ci OPENSSL_free(name); 144e1051a39Sopenharmony_ci OPENSSL_free(header); 145e1051a39Sopenharmony_ci OPENSSL_free(data); 146e1051a39Sopenharmony_ci sk_X509_pop_free(chain, X509_free); 147e1051a39Sopenharmony_ci return NULL; 148e1051a39Sopenharmony_ci} 149e1051a39Sopenharmony_ci 150e1051a39Sopenharmony_cistatic char *read_to_eol(BIO *f) 151e1051a39Sopenharmony_ci{ 152e1051a39Sopenharmony_ci static char buf[4096]; 153e1051a39Sopenharmony_ci int n; 154e1051a39Sopenharmony_ci 155e1051a39Sopenharmony_ci if (BIO_gets(f, buf, sizeof(buf)) <= 0) 156e1051a39Sopenharmony_ci return NULL; 157e1051a39Sopenharmony_ci 158e1051a39Sopenharmony_ci n = strlen(buf); 159e1051a39Sopenharmony_ci if (buf[n - 1] != '\n') { 160e1051a39Sopenharmony_ci if (n + 1 == sizeof(buf)) 161e1051a39Sopenharmony_ci TEST_error("input too long"); 162e1051a39Sopenharmony_ci else 163e1051a39Sopenharmony_ci TEST_error("EOF before newline"); 164e1051a39Sopenharmony_ci return NULL; 165e1051a39Sopenharmony_ci } 166e1051a39Sopenharmony_ci 167e1051a39Sopenharmony_ci /* Trim trailing whitespace */ 168e1051a39Sopenharmony_ci while (n > 0 && isspace(_UC(buf[n - 1]))) 169e1051a39Sopenharmony_ci buf[--n] = '\0'; 170e1051a39Sopenharmony_ci 171e1051a39Sopenharmony_ci return buf; 172e1051a39Sopenharmony_ci} 173e1051a39Sopenharmony_ci 174e1051a39Sopenharmony_ci/* 175e1051a39Sopenharmony_ci * Hex decoder that tolerates optional whitespace 176e1051a39Sopenharmony_ci */ 177e1051a39Sopenharmony_cistatic ossl_ssize_t hexdecode(const char *in, void *result) 178e1051a39Sopenharmony_ci{ 179e1051a39Sopenharmony_ci unsigned char **out = (unsigned char **)result; 180e1051a39Sopenharmony_ci unsigned char *ret; 181e1051a39Sopenharmony_ci unsigned char *cp; 182e1051a39Sopenharmony_ci uint8_t byte; 183e1051a39Sopenharmony_ci int nibble = 0; 184e1051a39Sopenharmony_ci 185e1051a39Sopenharmony_ci if (!TEST_ptr(ret = OPENSSL_malloc(strlen(in) / 2))) 186e1051a39Sopenharmony_ci return -1; 187e1051a39Sopenharmony_ci cp = ret; 188e1051a39Sopenharmony_ci 189e1051a39Sopenharmony_ci for (byte = 0; *in; ++in) { 190e1051a39Sopenharmony_ci int x; 191e1051a39Sopenharmony_ci 192e1051a39Sopenharmony_ci if (isspace(_UC(*in))) 193e1051a39Sopenharmony_ci continue; 194e1051a39Sopenharmony_ci x = OPENSSL_hexchar2int(*in); 195e1051a39Sopenharmony_ci if (x < 0) { 196e1051a39Sopenharmony_ci OPENSSL_free(ret); 197e1051a39Sopenharmony_ci return 0; 198e1051a39Sopenharmony_ci } 199e1051a39Sopenharmony_ci byte |= (char)x; 200e1051a39Sopenharmony_ci if ((nibble ^= 1) == 0) { 201e1051a39Sopenharmony_ci *cp++ = byte; 202e1051a39Sopenharmony_ci byte = 0; 203e1051a39Sopenharmony_ci } else { 204e1051a39Sopenharmony_ci byte <<= 4; 205e1051a39Sopenharmony_ci } 206e1051a39Sopenharmony_ci } 207e1051a39Sopenharmony_ci if (nibble != 0) { 208e1051a39Sopenharmony_ci OPENSSL_free(ret); 209e1051a39Sopenharmony_ci return 0; 210e1051a39Sopenharmony_ci } 211e1051a39Sopenharmony_ci 212e1051a39Sopenharmony_ci return cp - (*out = ret); 213e1051a39Sopenharmony_ci} 214e1051a39Sopenharmony_ci 215e1051a39Sopenharmony_cistatic ossl_ssize_t checked_uint8(const char *in, void *out) 216e1051a39Sopenharmony_ci{ 217e1051a39Sopenharmony_ci uint8_t *result = (uint8_t *)out; 218e1051a39Sopenharmony_ci const char *cp = in; 219e1051a39Sopenharmony_ci char *endp; 220e1051a39Sopenharmony_ci long v; 221e1051a39Sopenharmony_ci int e; 222e1051a39Sopenharmony_ci 223e1051a39Sopenharmony_ci save_errno(); 224e1051a39Sopenharmony_ci v = strtol(cp, &endp, 10); 225e1051a39Sopenharmony_ci e = restore_errno(); 226e1051a39Sopenharmony_ci 227e1051a39Sopenharmony_ci if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) || 228e1051a39Sopenharmony_ci endp == cp || !isspace(_UC(*endp)) || 229e1051a39Sopenharmony_ci v != (*(uint8_t *)result = (uint8_t) v)) { 230e1051a39Sopenharmony_ci return -1; 231e1051a39Sopenharmony_ci } 232e1051a39Sopenharmony_ci for (cp = endp; isspace(_UC(*cp)); ++cp) 233e1051a39Sopenharmony_ci continue; 234e1051a39Sopenharmony_ci return cp - in; 235e1051a39Sopenharmony_ci} 236e1051a39Sopenharmony_ci 237e1051a39Sopenharmony_cistruct tlsa_field { 238e1051a39Sopenharmony_ci void *var; 239e1051a39Sopenharmony_ci const char *name; 240e1051a39Sopenharmony_ci ossl_ssize_t (*parser)(const char *, void *); 241e1051a39Sopenharmony_ci}; 242e1051a39Sopenharmony_ci 243e1051a39Sopenharmony_cistatic int tlsa_import_rr(SSL *ssl, const char *rrdata) 244e1051a39Sopenharmony_ci{ 245e1051a39Sopenharmony_ci static uint8_t usage; 246e1051a39Sopenharmony_ci static uint8_t selector; 247e1051a39Sopenharmony_ci static uint8_t mtype; 248e1051a39Sopenharmony_ci static unsigned char *data = NULL; 249e1051a39Sopenharmony_ci static struct tlsa_field tlsa_fields[] = { 250e1051a39Sopenharmony_ci { &usage, "usage", checked_uint8 }, 251e1051a39Sopenharmony_ci { &selector, "selector", checked_uint8 }, 252e1051a39Sopenharmony_ci { &mtype, "mtype", checked_uint8 }, 253e1051a39Sopenharmony_ci { &data, "data", hexdecode }, 254e1051a39Sopenharmony_ci { NULL, } 255e1051a39Sopenharmony_ci }; 256e1051a39Sopenharmony_ci int ret; 257e1051a39Sopenharmony_ci struct tlsa_field *f; 258e1051a39Sopenharmony_ci const char *cp = rrdata; 259e1051a39Sopenharmony_ci ossl_ssize_t len = 0; 260e1051a39Sopenharmony_ci 261e1051a39Sopenharmony_ci for (f = tlsa_fields; f->var; ++f) { 262e1051a39Sopenharmony_ci if ((len = f->parser(cp += len, f->var)) <= 0) { 263e1051a39Sopenharmony_ci TEST_info("bad TLSA %s field in: %s", f->name, rrdata); 264e1051a39Sopenharmony_ci return 0; 265e1051a39Sopenharmony_ci } 266e1051a39Sopenharmony_ci } 267e1051a39Sopenharmony_ci 268e1051a39Sopenharmony_ci ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len); 269e1051a39Sopenharmony_ci OPENSSL_free(data); 270e1051a39Sopenharmony_ci if (ret == 0) { 271e1051a39Sopenharmony_ci TEST_info("unusable TLSA rrdata: %s", rrdata); 272e1051a39Sopenharmony_ci return 0; 273e1051a39Sopenharmony_ci } 274e1051a39Sopenharmony_ci if (ret < 0) { 275e1051a39Sopenharmony_ci TEST_info("error loading TLSA rrdata: %s", rrdata); 276e1051a39Sopenharmony_ci return 0; 277e1051a39Sopenharmony_ci } 278e1051a39Sopenharmony_ci 279e1051a39Sopenharmony_ci return ret; 280e1051a39Sopenharmony_ci} 281e1051a39Sopenharmony_ci 282e1051a39Sopenharmony_cistatic int allws(const char *cp) 283e1051a39Sopenharmony_ci{ 284e1051a39Sopenharmony_ci while (*cp) 285e1051a39Sopenharmony_ci if (!isspace(_UC(*cp++))) 286e1051a39Sopenharmony_ci return 0; 287e1051a39Sopenharmony_ci return 1; 288e1051a39Sopenharmony_ci} 289e1051a39Sopenharmony_ci 290e1051a39Sopenharmony_cistatic int test_tlsafile(SSL_CTX *ctx, const char *base_name, 291e1051a39Sopenharmony_ci BIO *f, const char *path) 292e1051a39Sopenharmony_ci{ 293e1051a39Sopenharmony_ci char *line; 294e1051a39Sopenharmony_ci int testno = 0; 295e1051a39Sopenharmony_ci int ret = 1; 296e1051a39Sopenharmony_ci SSL *ssl; 297e1051a39Sopenharmony_ci 298e1051a39Sopenharmony_ci while (ret > 0 && (line = read_to_eol(f)) != NULL) { 299e1051a39Sopenharmony_ci STACK_OF(X509) *chain; 300e1051a39Sopenharmony_ci int ntlsa; 301e1051a39Sopenharmony_ci int ncert; 302e1051a39Sopenharmony_ci int noncheck; 303e1051a39Sopenharmony_ci int want; 304e1051a39Sopenharmony_ci int want_depth; 305e1051a39Sopenharmony_ci int off; 306e1051a39Sopenharmony_ci int i; 307e1051a39Sopenharmony_ci int ok; 308e1051a39Sopenharmony_ci int err; 309e1051a39Sopenharmony_ci int mdpth; 310e1051a39Sopenharmony_ci 311e1051a39Sopenharmony_ci if (*line == '\0' || *line == '#') 312e1051a39Sopenharmony_ci continue; 313e1051a39Sopenharmony_ci 314e1051a39Sopenharmony_ci ++testno; 315e1051a39Sopenharmony_ci if (sscanf(line, "%d %d %d %d %d%n", 316e1051a39Sopenharmony_ci &ntlsa, &ncert, &noncheck, &want, &want_depth, &off) != 5 317e1051a39Sopenharmony_ci || !allws(line + off)) { 318e1051a39Sopenharmony_ci TEST_error("Malformed line for test %d", testno); 319e1051a39Sopenharmony_ci return 0; 320e1051a39Sopenharmony_ci } 321e1051a39Sopenharmony_ci 322e1051a39Sopenharmony_ci if (!TEST_ptr(ssl = SSL_new(ctx))) 323e1051a39Sopenharmony_ci return 0; 324e1051a39Sopenharmony_ci SSL_set_connect_state(ssl); 325e1051a39Sopenharmony_ci if (SSL_dane_enable(ssl, base_name) <= 0) { 326e1051a39Sopenharmony_ci SSL_free(ssl); 327e1051a39Sopenharmony_ci return 0; 328e1051a39Sopenharmony_ci } 329e1051a39Sopenharmony_ci if (noncheck) 330e1051a39Sopenharmony_ci SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); 331e1051a39Sopenharmony_ci 332e1051a39Sopenharmony_ci for (i = 0; i < ntlsa; ++i) { 333e1051a39Sopenharmony_ci if ((line = read_to_eol(f)) == NULL || !tlsa_import_rr(ssl, line)) { 334e1051a39Sopenharmony_ci SSL_free(ssl); 335e1051a39Sopenharmony_ci return 0; 336e1051a39Sopenharmony_ci } 337e1051a39Sopenharmony_ci } 338e1051a39Sopenharmony_ci 339e1051a39Sopenharmony_ci /* Don't report old news */ 340e1051a39Sopenharmony_ci ERR_clear_error(); 341e1051a39Sopenharmony_ci if (!TEST_ptr(chain = load_chain(f, ncert))) { 342e1051a39Sopenharmony_ci SSL_free(ssl); 343e1051a39Sopenharmony_ci return 0; 344e1051a39Sopenharmony_ci } 345e1051a39Sopenharmony_ci 346e1051a39Sopenharmony_ci ok = verify_chain(ssl, chain); 347e1051a39Sopenharmony_ci sk_X509_pop_free(chain, X509_free); 348e1051a39Sopenharmony_ci err = SSL_get_verify_result(ssl); 349e1051a39Sopenharmony_ci /* 350e1051a39Sopenharmony_ci * Peek under the hood, normally TLSA match data is hidden when 351e1051a39Sopenharmony_ci * verification fails, we can obtain any suppressed data by setting the 352e1051a39Sopenharmony_ci * verification result to X509_V_OK before looking. 353e1051a39Sopenharmony_ci */ 354e1051a39Sopenharmony_ci SSL_set_verify_result(ssl, X509_V_OK); 355e1051a39Sopenharmony_ci mdpth = SSL_get0_dane_authority(ssl, NULL, NULL); 356e1051a39Sopenharmony_ci /* Not needed any more, but lead by example and put the error back. */ 357e1051a39Sopenharmony_ci SSL_set_verify_result(ssl, err); 358e1051a39Sopenharmony_ci SSL_free(ssl); 359e1051a39Sopenharmony_ci 360e1051a39Sopenharmony_ci if (!TEST_int_eq(err, want)) { 361e1051a39Sopenharmony_ci if (want == X509_V_OK) 362e1051a39Sopenharmony_ci TEST_info("Verification failure in test %d: %d=%s", 363e1051a39Sopenharmony_ci testno, err, X509_verify_cert_error_string(err)); 364e1051a39Sopenharmony_ci else 365e1051a39Sopenharmony_ci TEST_info("Unexpected error in test %d", testno); 366e1051a39Sopenharmony_ci ret = 0; 367e1051a39Sopenharmony_ci continue; 368e1051a39Sopenharmony_ci } 369e1051a39Sopenharmony_ci if (!TEST_false(want == 0 && ok == 0)) { 370e1051a39Sopenharmony_ci TEST_info("Verification failure in test %d: ok=0", testno); 371e1051a39Sopenharmony_ci ret = 0; 372e1051a39Sopenharmony_ci continue; 373e1051a39Sopenharmony_ci } 374e1051a39Sopenharmony_ci if (!TEST_int_eq(mdpth, want_depth)) { 375e1051a39Sopenharmony_ci TEST_info("In test test %d", testno); 376e1051a39Sopenharmony_ci ret = 0; 377e1051a39Sopenharmony_ci } 378e1051a39Sopenharmony_ci } 379e1051a39Sopenharmony_ci ERR_clear_error(); 380e1051a39Sopenharmony_ci 381e1051a39Sopenharmony_ci return ret; 382e1051a39Sopenharmony_ci} 383e1051a39Sopenharmony_ci 384e1051a39Sopenharmony_cistatic int run_tlsatest(void) 385e1051a39Sopenharmony_ci{ 386e1051a39Sopenharmony_ci SSL_CTX *ctx = NULL; 387e1051a39Sopenharmony_ci BIO *f = NULL; 388e1051a39Sopenharmony_ci int ret = 0; 389e1051a39Sopenharmony_ci 390e1051a39Sopenharmony_ci if (!TEST_ptr(f = BIO_new_file(tlsafile, "r")) 391e1051a39Sopenharmony_ci || !TEST_ptr(ctx = SSL_CTX_new(TLS_client_method())) 392e1051a39Sopenharmony_ci || !TEST_int_gt(SSL_CTX_dane_enable(ctx), 0) 393e1051a39Sopenharmony_ci || !TEST_true(SSL_CTX_load_verify_file(ctx, CAfile)) 394e1051a39Sopenharmony_ci || !TEST_int_gt(SSL_CTX_dane_mtype_set(ctx, EVP_sha512(), 2, 1), 0) 395e1051a39Sopenharmony_ci || !TEST_int_gt(SSL_CTX_dane_mtype_set(ctx, EVP_sha256(), 1, 2), 0) 396e1051a39Sopenharmony_ci || !TEST_int_gt(test_tlsafile(ctx, basedomain, f, tlsafile), 0)) 397e1051a39Sopenharmony_ci goto end; 398e1051a39Sopenharmony_ci ret = 1; 399e1051a39Sopenharmony_ci 400e1051a39Sopenharmony_ciend: 401e1051a39Sopenharmony_ci BIO_free(f); 402e1051a39Sopenharmony_ci SSL_CTX_free(ctx); 403e1051a39Sopenharmony_ci 404e1051a39Sopenharmony_ci return ret; 405e1051a39Sopenharmony_ci} 406e1051a39Sopenharmony_ci 407e1051a39Sopenharmony_ciOPT_TEST_DECLARE_USAGE("basedomain CAfile tlsafile\n") 408e1051a39Sopenharmony_ci 409e1051a39Sopenharmony_ciint setup_tests(void) 410e1051a39Sopenharmony_ci{ 411e1051a39Sopenharmony_ci if (!test_skip_common_options()) { 412e1051a39Sopenharmony_ci TEST_error("Error parsing test options\n"); 413e1051a39Sopenharmony_ci return 0; 414e1051a39Sopenharmony_ci } 415e1051a39Sopenharmony_ci 416e1051a39Sopenharmony_ci if (!TEST_ptr(basedomain = test_get_argument(0)) 417e1051a39Sopenharmony_ci || !TEST_ptr(CAfile = test_get_argument(1)) 418e1051a39Sopenharmony_ci || !TEST_ptr(tlsafile = test_get_argument(2))) 419e1051a39Sopenharmony_ci return 0; 420e1051a39Sopenharmony_ci 421e1051a39Sopenharmony_ci ADD_TEST(run_tlsatest); 422e1051a39Sopenharmony_ci return 1; 423e1051a39Sopenharmony_ci} 424e1051a39Sopenharmony_ci 425e1051a39Sopenharmony_ci#include "internal/dane.h" 426e1051a39Sopenharmony_ci 427e1051a39Sopenharmony_cistatic void store_ctx_dane_init(X509_STORE_CTX *store_ctx, SSL *ssl) 428e1051a39Sopenharmony_ci{ 429e1051a39Sopenharmony_ci X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl)); 430e1051a39Sopenharmony_ci} 431