Revision e88dfd5ee50f9d934edd966369339ee5573c67d4 authored by erbsland-dev on 10 September 2024, 19:24:59 UTC, committed by Tomas Mraz on 13 September 2024, 08:13:32 UTC
Related to #8331 Addressing found issues by adding specific error messages to improve feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG` parameter in the AES-OCB algorithm. - Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag length exceeds the maximum tag length of the algorithm. - Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag length in the context does not match a custom tag length provided as a parameter. - Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an invalid pointer is passed in encryption mode. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25425) (cherry picked from commit 645edf50f0274448174d9739543bf01b1708b2f5)
1 parent 1727cbb
26-tls13_client_auth.cnf.in
# -*- mode: perl; -*-
# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## Test TLSv1.3 certificate authentication
## Similar to 04-client_auth.cnf.in output, but specific for
## TLSv1.3 and post-handshake authentication
use strict;
use warnings;
package ssltests;
use OpenSSL::Test::Utils;
# Test matrix for TLSv1.3 client-certificate authentication, covering both
# in-handshake authentication and post-handshake authentication (PHA).
#
# Each entry pins both peers to TLSv1.3 only, so no case can pass by
# negotiating an older protocol version.  The negative cases (expected
# "ServerFail" / "ClientFail") are what pin enforcement: a peer that
# silently accepts a missing or unverifiable client certificate shows up
# here as a changed ExpectedResult or a missing alert.
my $tls13 = "TLSv1.3";

our @tests = (
    # Baseline: no client-authentication options on either side.
    {
        name   => "server-auth-TLSv1.3",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        test => {
            ExpectedResult => "Success",
        },
    },

    # Server only requests a certificate; the client configures none and
    # the handshake is still expected to succeed.
    {
        name   => "client-auth-TLSv1.3-request",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "Request",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        test => {
            ExpectedResult => "Success",
        },
    },

    # Server requires a certificate and the client configures none: the
    # server must fail and send the CertificateRequired alert.
    {
        name   => "client-auth-TLSv1.3-require-fail",
        server => {
            MinProtocol  => $tls13,
            MaxProtocol  => $tls13,
            VerifyCAFile => test_pem("root-cert.pem"),
            VerifyMode   => "Require",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        test => {
            ExpectedResult      => "ServerFail",
            ExpectedServerAlert => "CertificateRequired",
        },
    },

    # Client presents a certificate chain; the test checks the certificate
    # type, the signature algorithm actually used, and that the server sent
    # an empty CA-names list (no ClientCAFile is configured).
    # NOTE(review): the name says "require" but VerifyMode is "Request" --
    # confirm that is intended.
    {
        name   => "client-auth-TLSv1.3-require",
        server => {
            MinProtocol               => $tls13,
            MaxProtocol               => $tls13,
            ClientSignatureAlgorithms => "PSS+SHA256",
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "Request",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
        },
        test => {
            ExpectedResult         => "Success",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => "empty",
        },
    },

    # Same as the previous case, but the server also sets ClientCAFile and
    # the expected CA-names list is taken from root-cert.pem.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names",
        server => {
            MinProtocol               => $tls13,
            MaxProtocol               => $tls13,
            ClientSignatureAlgorithms => "PSS+SHA256",
            ClientCAFile              => test_pem("root-cert.pem"),
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "Request",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
        },
        test => {
            ExpectedResult         => "Success",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => test_pem("root-cert.pem"),
        },
    },

    # Server requires a certificate but has no VerifyCAFile configured: the
    # client's chain must be rejected with the UnknownCA alert.
    {
        name   => "client-auth-TLSv1.3-noroot",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "Require",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
        },
        test => {
            ExpectedResult => "ServerFail",
            ExpectedServerAlert => "UnknownCA",
        },
    },

    # --- Post-handshake authentication cases --------------------------------

    # Server asks for post-handshake auth, but the client does not set
    # EnablePHA: the server side is expected to fail.
    {
        name   => "client-auth-TLSv1.3-request-post-handshake",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "RequestPostHandshake",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        test => {
            ExpectedResult => "ServerFail",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # Server requires post-handshake auth; the client sets neither a
    # certificate nor EnablePHA, so the server side is expected to fail.
    {
        name   => "client-auth-TLSv1.3-require-fail-post-handshake",
        server => {
            MinProtocol  => $tls13,
            MaxProtocol  => $tls13,
            VerifyCAFile => test_pem("root-cert.pem"),
            VerifyMode   => "RequirePostHandshake",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        test => {
            ExpectedResult => "ServerFail",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # Client sets EnablePHA and presents a certificate chain after the
    # handshake; certificate type, signature algorithm and the empty
    # CA-names list are all checked.
    # NOTE(review): the name says "require" but VerifyMode is
    # "RequestPostHandshake" -- confirm that is intended.
    {
        name   => "client-auth-TLSv1.3-require-post-handshake",
        server => {
            MinProtocol               => $tls13,
            MaxProtocol               => $tls13,
            ClientSignatureAlgorithms => "PSS+SHA256",
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "RequestPostHandshake",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult         => "Success",
            HandshakeMode          => "PostHandshakeAuth",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => "empty",
        },
    },

    # Post-handshake variant with ClientCAFile set: the expected CA-names
    # list is taken from root-cert.pem.
    {
        name   => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
        server => {
            MinProtocol               => $tls13,
            MaxProtocol               => $tls13,
            ClientSignatureAlgorithms => "PSS+SHA256",
            ClientCAFile              => test_pem("root-cert.pem"),
            VerifyCAFile              => test_pem("root-cert.pem"),
            VerifyMode                => "RequestPostHandshake",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult         => "Success",
            HandshakeMode          => "PostHandshakeAuth",
            ExpectedClientCertType => "RSA",
            ExpectedClientSignType => "RSA-PSS",
            ExpectedClientSignHash => "SHA256",
            ExpectedClientCANames  => test_pem("root-cert.pem"),
        },
    },

    # Server requires post-handshake auth but has no VerifyCAFile: the
    # client's chain must be rejected with the UnknownCA alert.
    {
        name   => "client-auth-TLSv1.3-noroot-post-handshake",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "RequirePostHandshake",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            Certificate => test_pem("ee-client-chain.pem"),
            PrivateKey  => test_pem("ee-key.pem"),
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult      => "ServerFail",
            HandshakeMode       => "PostHandshakeAuth",
            ExpectedServerAlert => "UnknownCA",
        },
    },

    # Client sets EnablePHA but configures no certificate; the server only
    # requests one, so success is expected.
    {
        name   => "client-auth-TLSv1.3-request-force-client-post-handshake",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "RequestPostHandshake",
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult => "Success",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # Server sets ForcePHA while the client has not set EnablePHA: the
    # client side is expected to fail.
    {
        name   => "client-auth-TLSv1.3-request-force-server-post-handshake",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "RequestPostHandshake",
            extra       => {
                ForcePHA => "Yes",
            },
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
        },
        test => {
            ExpectedResult => "ClientFail",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },

    # ForcePHA on the server and EnablePHA on the client together: success
    # is expected.
    {
        name   => "client-auth-TLSv1.3-request-force-both-post-handshake",
        server => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            VerifyMode  => "RequestPostHandshake",
            extra       => {
                ForcePHA => "Yes",
            },
        },
        client => {
            MinProtocol => $tls13,
            MaxProtocol => $tls13,
            extra       => {
                EnablePHA => "Yes",
            },
        },
        test => {
            ExpectedResult => "Success",
            HandshakeMode  => "PostHandshakeAuth",
        },
    },
);
