From 57d7b988b498ed34e98d1957fbbded8342f2a952 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 6 Sep 2018 12:06:24 +0100 Subject: [PATCH] Test that we can handle a PHA CertificateRequest after we sent close_notify Even though we already sent close_notify the server may not have recieved it yet and could issue a CertificateRequest to us. Since we've already sent close_notify we can't send any reasonable response so we just ignore it. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7114) --- test/sslapitest.c | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 78c378bb66..bb518857c8 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -5343,7 +5343,9 @@ static int test_ticket_callbacks(int tst) * Test 3: TLSv1.3, pending NewSessionTicket messages * Test 4: TLSv1.3, server continues to read/write after client shutdown, server * sends key update, client reads it - * Test 5: TLSv1.3, server continues to read/write after client shutdown, client + * Test 5: TLSv1.3, server continues to read/write after client shutdown, server + * sends CertificateRequest, client reads and ignores it + * Test 6: TLSv1.3, server continues to read/write after client shutdown, client * doesn't read it */ static int test_shutdown(int tst) @@ -5370,8 +5372,13 @@ static int test_shutdown(int tst) TLS1_VERSION, (tst <= 1) ? TLS1_2_VERSION : TLS1_3_VERSION, - &sctx, &cctx, cert, privkey)) - || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + &sctx, &cctx, cert, privkey))) + goto end; + + if (tst == 5) + SSL_CTX_set_post_handshake_auth(cctx, 1); + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; @@ -5407,13 +5414,21 @@ static int test_shutdown(int tst) */ || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) goto end; - if (tst == 4 && - (!TEST_true(SSL_key_update(serverssl, SSL_KEY_UPDATE_REQUESTED)) - || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))) + if (tst == 4 + && !TEST_true(SSL_key_update(serverssl, + SSL_KEY_UPDATE_REQUESTED))) + goto end; + if (tst == 5) { + SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); + if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) + goto end; + } + if ((tst == 4 || tst == 5) + && !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))) goto end; if (!TEST_int_eq(SSL_shutdown(serverssl), 1)) goto end; - if (tst == 4) { + if (tst == 4 || tst == 5) { /* Should still be able to read data from server */ if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) @@ -5448,7 +5463,7 @@ static int test_shutdown(int tst) || !TEST_true(SSL_SESSION_is_resumable(sess)) || !TEST_int_eq(SSL_shutdown(serverssl), 1)) goto end; - } else if (tst == 4) { + } else if (tst == 4 || tst == 5) { /* * In this test the client has sent close_notify and it has been * received by the server which has responded with a close_notify. The @@ -5460,7 +5475,7 @@ static int test_shutdown(int tst) goto end; } else { /* - * tst == 5 + * tst == 6 * * The client has sent close_notify and is expecting a close_notify * back, but instead there is application data first. The shutdown @@ -5583,7 +5598,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_ssl_pending, 2); ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data)); ADD_ALL_TESTS(test_ticket_callbacks, 12); - ADD_ALL_TESTS(test_shutdown, 6); + ADD_ALL_TESTS(test_shutdown, 7); return 1; }