From: Matt Caswell
Date: Fri, 3 Dec 2021 15:28:31 +0000 (+0000)
Subject: Add a test case for the name constraints bug
X-Git-Tag: openssl-3.2.0-alpha1~3198
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fcf2351ecff5db21cba431704e4da631b74904a;p=thirdparty%2Fopenssl.git

Add a test case for the name constraints bug

Where a chain has name constraints but a certificate does not have a SAN extension but the CN meets the constraints, then this should be acceptable. However, an OpenSSL bug meant that an internal error was being reported. This adds a test case for that scenario.

Test for CVE-2021-4044

Reviewed-by: Tomas Mraz
---
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index bcd823bcfb0..700bbd849c9 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 159; +plan tests => 160; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -337,6 +337,9 @@ ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), "Name Constraints CNs permitted"); +ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs permitted - no SAN extension"); + ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), "Name Constraints CNs not permitted");
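
Review bot: the new `goodcn2-cert` case in the second hunk (`@@ -337,6 +337,9 @@`) depends on a certificate that nothing in this diff adds; the only file touched here is test/recipes/25-test_verify.t. Please confirm that the certificate for `goodcn2-cert`, along with the command or script line that generates it (CN inside the `ncca1-cert` permitted subtree, no SAN extension), lands in the same change, so the test can be reproduced and does not fail on a missing input. A one-line comment above the added `ok(verify("goodcn2-cert", ...` naming CVE-2021-4044 would also help: the commit message ties the test to that CVE, but the description string "Name Constraints CNs permitted - no SAN extension" does not, and a later reader of the recipe will not see why this case must keep returning success rather than an internal error.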