From: Matt Caswell Date: Fri, 3 Dec 2021 15:18:27 +0000 (+0000) Subject: Add a TLS test for name constraints with an EE cert without a SAN X-Git-Tag: openssl-3.2.0-alpha1~3199 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=752aa4a6f0f3098258fb6be5592fd18929da59c0;p=thirdparty%2Fopenssl.git Add a TLS test for name constraints with an EE cert without a SAN It is valid for name constraints to be in force but for there to be no SAN extension in a certificate. Previous versions of OpenSSL mishandled this. Test for CVE-2021-4044 Reviewed-by: Tomas Mraz --- diff --git a/test/certs/goodcn2-chain.pem b/test/certs/goodcn2-chain.pem new file mode 100644 index 00000000000..01b7f47f7d6 --- /dev/null +++ b/test/certs/goodcn2-chain.pem @@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe +kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0 +UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B +0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR +Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9 +QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX +dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn +ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G +CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8 +S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM +D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2 +1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L +yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg +fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD +DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC +XjL5JEImsGFW5whlXCfDTeqjZAVb+rSXAhZQ25bP9YvhsbmPVYe8A61zwGStl2rF +mChzN9/+LA40/lh0mjCV82mfNp1XLRPhE9sPGXwfLgJGCy/d6pp/8yGuFmkWPus9 +bhxlOk7ADw4e3R3kVdwn9I3O3mIrI+I45ywZpzrbs/NGFiqhRxXbZTAKyI4INxgB +VZfkoxqesnjD1j36fq7qEVas6gVm27YA9b+31ofFLM7WN811LQELwTdWiF0/xXiO +XawU1QnkrNPxCSPWyeaM4tN50ZPRQA/ArV4I7szKhKskRzGwFgdaxorYn8c+2gTq +fedLPvNw1WPryAumidqTAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zALBgNV +HQ8EBAMCAQYwHQYDVR0OBBYEFAjRm/nm1WRwoPFrGp7tUtrd9VBDMB8GA1UdIwQY +MBaAFI71Ja8em2uEPXyAmslTnE1y96NSMFwGA1UdHgRVMFOgUTAOggx3d3cuZ29v +ZC5vcmcwCoIIZ29vZC5jb20wD4ENZ29vZEBnb29kLm9yZzAKgQhnb29kLmNvbTAK +hwh/AAAB/////zAKhwjAqAAA//8AADANBgkqhkiG9w0BAQsFAAOCAQEAVyRsB6B8 +iCYZxBTOO10Bor+Q4xxgs0udVR90/tM57P8GHd10e8suaW2Dtg9stxZJ3cmsn3zd ++QNxNIQuwHTNtVU0OSqKv6puj6ZQETSya4jDAmRqY47R866MHkSwLUYDMFtuM1Wy +gnoD5m1/Uy1K/Wvbnp1Zq4jtTB6su8TmIdJgtpEmte7tIQu5kPXsuJrz/x5a1TfR +hu7h4LJYwKlQtd/LRINnHKd241YSE7PVdG8SPxyrX11hJSC+1Z5Epxc6BCVDVN1E +fyVDdLXvKf30Nlbg2hZfO/cGTmwOt7RImygzhV/s41v4wtMW0EPuVanGQusRgHFm +3JC//UMgfkkwAA== +-----END CERTIFICATE----- diff --git a/test/ssl-tests/01-simple.cnf b/test/ssl-tests/01-simple.cnf index 7fc23f0b69d..dfdd3ee3378 100644 --- a/test/ssl-tests/01-simple.cnf +++ b/test/ssl-tests/01-simple.cnf @@ -1,10 +1,11 @@ # Generated with generate_ssl_tests.pl -num_tests = 3 +num_tests = 4 test-0 = 0-default test-1 = 1-Server signature algorithms bug test-2 = 2-verify-cert +test-3 = 3-name-constraints-no-san-in-ee # =========================================================== [0-default] @@ -76,3 +77,26 @@ ExpectedClientAlert = UnknownCA ExpectedResult = ClientFail +# =========================================================== + +[3-name-constraints-no-san-in-ee] +ssl_conf = 3-name-constraints-no-san-in-ee-ssl + +[3-name-constraints-no-san-in-ee-ssl] +server = 3-name-constraints-no-san-in-ee-server +client = 3-name-constraints-no-san-in-ee-client + +[3-name-constraints-no-san-in-ee-server] +Certificate = ${ENV::TEST_CERTS_DIR}/goodcn2-chain.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/goodcn2-key.pem + +[3-name-constraints-no-san-in-ee-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success + + diff --git a/test/ssl-tests/01-simple.cnf.in b/test/ssl-tests/01-simple.cnf.in index 645b11382cd..3ffd5961396 100644 --- a/test/ssl-tests/01-simple.cnf.in +++ b/test/ssl-tests/01-simple.cnf.in @@ -39,4 +39,16 @@ our @tests = ( "ExpectedClientAlert" => "UnknownCA", }, }, + + { + name => "name-constraints-no-san-in-ee", + server => { + "Certificate" => test_pem("goodcn2-chain.pem"), + "PrivateKey" => test_pem("goodcn2-key.pem"), + }, + client => { + "VerifyCAFile" => test_pem("root-cert.pem"), + }, + test => { "ExpectedResult" => "Success" }, + }, );