1 files changed, 66 insertions, 25 deletions
diff --git a/src/regress/lib/libcrypto/x509/expirecallback.c b/src/regress/lib/libcrypto/x509/expirecallback.c
index 3da49708ff..f7dcff8e94 100644
--- a/src/regress/lib/libcrypto/x509/expirecallback.c
+++ b/src/regress/lib/libcrypto/x509/expirecallback.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: expirecallback.c,v 1.1 2022/06/25 20:01:43 beck Exp $ */
+/* $OpenBSD: expirecallback.c,v 1.2 2022/10/17 18:44:36 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
@@ -112,16 +112,20 @@ verify_cert_cb(int ok, X509_STORE_CTX *xsc)
 static void
 verify_cert(const char *roots_dir, const char *roots_file,
-    const char *bundle_file, int *chains, int mode)
+    const char *bundle_file, int *chains, int *error, int *error_depth,
+    int mode)
 {
        STACK_OF(X509) *roots = NULL, *bundle = NULL;
-        time_t future = 2000000000; /* May 17 2033 */
        X509_STORE_CTX *xsc = NULL;
        X509_STORE *store = NULL;
-        int verify_err, use_dir;
        X509 *leaf = NULL;
+        int use_dir;
+        int ret;
        *chains = 0;
+        *error = 0;
+        *error_depth = 0;
        use_dir = (mode == MODE_MODERN_VFY_DIR);
        if (!use_dir && !certs_from_file(roots_file, &roots))
@@ -141,12 +145,6 @@ verify_cert(const char *roots_dir, const char *roots_file,
                errx(1, "failed to init store context");
        }
-        /*
-         * Set the time int the future to exercise the expired cert
-         * callback
-         */
-        X509_STORE_CTX_set_time(xsc, 0, future);
        if (use_dir) {
                if (!X509_STORE_load_locations(store, NULL, roots_dir))
                        errx(1, "failed to set by_dir directory of %s", roots_dir);
@@ -161,18 +159,22 @@ verify_cert(const char *roots_dir, const char *roots_file,
                X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
        if (!use_dir)
                X509_STORE_CTX_set0_trusted_stack(xsc, roots);
-        if (X509_verify_cert(xsc) == 1) {
+        ret = X509_verify_cert(xsc);
+        *error = X509_STORE_CTX_get_error(xsc);
+        *error_depth = X509_STORE_CTX_get_error_depth(xsc);
+        if (ret == 1) {
                *chains = 1; /* XXX */
                goto done;
        }
-        verify_err = X509_STORE_CTX_get_error(xsc);
+        if (*error == 0)
-        if (verify_err == 0)
                errx(1, "Error unset on failure!\n");
        fprintf(stderr, "failed to verify at %d: %s\n",
-            X509_STORE_CTX_get_error_depth(xsc),
+            *error_depth, X509_verify_cert_error_string(*error));
-            X509_verify_cert_error_string(verify_err));
 done:
        sk_X509_pop_free(roots, X509_free);
@@ -185,26 +187,37 @@ verify_cert(const char *roots_dir, const char *roots_file,
 struct verify_cert_test {
        const char *id;
        int want_chains;
+        int want_error;
+        int want_error_depth;
+        int want_legacy_error;
+        int want_legacy_error_depth;
        int failing;
 };
 struct verify_cert_test verify_cert_tests[] = {
        {
-                .id = "1a",
-                .want_chains = 1,
-        },
-        {
                .id = "2a",
                .want_chains = 1,
-                .failing = 1,
+                .want_error = 0,
+                .want_error_depth = 0,
+                .want_legacy_error = 0,
+                .want_legacy_error_depth = 0,
        },
        {
-                .id = "2b",
+                .id = "8a",
-                .want_chains = 0,
+                .want_chains = 1,
+                .want_error = X509_V_ERR_CERT_HAS_EXPIRED,
+                .want_error_depth = 0,
+                .want_legacy_error = X509_V_ERR_CERT_HAS_EXPIRED,
+                .want_legacy_error_depth = 0,
        },
        {
-                .id = "2c",
+                .id = "9a",
                .want_chains = 1,
+                .want_error = X509_V_ERR_CERT_HAS_EXPIRED,
+                .want_error_depth = 0,
+                .want_legacy_error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+                .want_legacy_error_depth = 0,
                .failing = 1,
        },
 };
@@ -217,8 +230,8 @@ verify_cert_test(const char *certs_path, int mode)
 {
        char *roots_file, *bundle_file, *roots_dir;
        struct verify_cert_test *vct;
+        int chains, error, error_depth;
        int failed = 0;
-        int chains;
        size_t i;
        for (i = 0; i < N_VERIFY_CERT_TESTS; i++) {
@@ -234,7 +247,9 @@ verify_cert_test(const char *certs_path, int mode)
                        errx(1, "asprintf");
                fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);
-                verify_cert(roots_dir, roots_file, bundle_file, &chains, mode);
+                verify_cert(roots_dir, roots_file, bundle_file, &chains, &error,
+                    &error_depth, mode);
                if ((mode == MODE_VERIFY && chains == vct->want_chains) ||
                    (chains == 0 && vct->want_chains == 0) ||
                    (chains == 1 && vct->want_chains > 0)) {
@@ -248,6 +263,32 @@ verify_cert_test(const char *certs_path, int mode)
                        if (!vct->failing)
                                failed |= 1;
                }
+                if (mode == MODE_LEGACY_VFY) {
+                        if (error != vct->want_legacy_error) {
+                                fprintf(stderr, "FAIL: Got legacy error %d, "
+                                    "want %d\n", error, vct->want_legacy_error);
+                                failed |= 1;
+                        }
+                        if (error_depth != vct->want_legacy_error_depth) {
+                                fprintf(stderr, "FAIL: Got legacy error depth "
+                                    "%d, want %d\n", error_depth,
+                                    vct->want_legacy_error_depth);
+                                failed |= 1;
+                        }
+                } else if (mode == MODE_MODERN_VFY || mode == MODE_MODERN_VFY_DIR) {
+                        if (error != vct->want_error) {
+                                fprintf(stderr, "FAIL: Got error %d, want %d\n",
+                                    error, vct->want_error);
+                                failed |= 1;
+                        }
+                        if (error_depth != vct->want_error_depth) {
+                                fprintf(stderr, "FAIL: Got error depth %d, want"
+                                    " %d\n", error_depth, vct->want_error_depth);
+                                failed |= 1;
+                        }
+                }
                fprintf(stderr, "\n");
                free(roots_file);

diff --git a/src/regress/lib/libcrypto/x509/expirecallback.c b/src/regress/lib/libcrypto/x509/expirecallback.c index 3da49708ff..f7dcff8e94 100644 --- a/src/regress/lib/libcrypto/x509/expirecallback.c +++ b/src/regress/lib/libcrypto/x509/expirecallback.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: expirecallback.c,v 1.1 2022/06/25 20:01:43 beck Exp $ */	1	/* $OpenBSD: expirecallback.c,v 1.2 2022/10/17 18:44:36 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
@@ -112,16 +112,20 @@ verify_cert_cb(int ok, X509_STORE_CTX *xsc)
112		112
113	static void	113	static void
114	verify_cert(const char roots_dir, const char roots_file,	114	verify_cert(const char roots_dir, const char roots_file,
115	const char bundle_file, int chains, int mode)	115	const char bundle_file, int chains, int error, int error_depth,
		116	int mode)
116	{	117	{
117	STACK_OF(X509) roots = NULL, bundle = NULL;	118	STACK_OF(X509) roots = NULL, bundle = NULL;
118	time_t future = 2000000000; /* May 17 2033 */
119	X509_STORE_CTX *xsc = NULL;	119	X509_STORE_CTX *xsc = NULL;
120	X509_STORE *store = NULL;	120	X509_STORE *store = NULL;
121	int verify_err, use_dir;
122	X509 *leaf = NULL;	121	X509 *leaf = NULL;
		122	int use_dir;
		123	int ret;
123		124
124	*chains = 0;	125	*chains = 0;
		126	*error = 0;
		127	*error_depth = 0;
		128
125	use_dir = (mode == MODE_MODERN_VFY_DIR);	129	use_dir = (mode == MODE_MODERN_VFY_DIR);
126		130
127	if (!use_dir && !certs_from_file(roots_file, &roots))	131	if (!use_dir && !certs_from_file(roots_file, &roots))
@@ -141,12 +145,6 @@ verify_cert(const char roots_dir, const char roots_file,
141	errx(1, "failed to init store context");	145	errx(1, "failed to init store context");
142	}	146	}
143		147
144	/*
145	* Set the time int the future to exercise the expired cert
146	* callback
147	*/
148	X509_STORE_CTX_set_time(xsc, 0, future);
149
150	if (use_dir) {	148	if (use_dir) {
151	if (!X509_STORE_load_locations(store, NULL, roots_dir))	149	if (!X509_STORE_load_locations(store, NULL, roots_dir))
152	errx(1, "failed to set by_dir directory of %s", roots_dir);	150	errx(1, "failed to set by_dir directory of %s", roots_dir);
@@ -161,18 +159,22 @@ verify_cert(const char roots_dir, const char roots_file,
161	X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);	159	X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
162	if (!use_dir)	160	if (!use_dir)
163	X509_STORE_CTX_set0_trusted_stack(xsc, roots);	161	X509_STORE_CTX_set0_trusted_stack(xsc, roots);
164	if (X509_verify_cert(xsc) == 1) {	162
		163	ret = X509_verify_cert(xsc);
		164
		165	*error = X509_STORE_CTX_get_error(xsc);
		166	*error_depth = X509_STORE_CTX_get_error_depth(xsc);
		167
		168	if (ret == 1) {
165	chains = 1; / XXX */	169	chains = 1; / XXX */
166	goto done;	170	goto done;
167	}	171	}
168		172
169	verify_err = X509_STORE_CTX_get_error(xsc);	173	if (*error == 0)
170	if (verify_err == 0)
171	errx(1, "Error unset on failure!\n");	174	errx(1, "Error unset on failure!\n");
172		175
173	fprintf(stderr, "failed to verify at %d: %s\n",	176	fprintf(stderr, "failed to verify at %d: %s\n",
174	X509_STORE_CTX_get_error_depth(xsc),	177	error_depth, X509_verify_cert_error_string(error));
175	X509_verify_cert_error_string(verify_err));
176		178
177	done:	179	done:
178	sk_X509_pop_free(roots, X509_free);	180	sk_X509_pop_free(roots, X509_free);
@@ -185,26 +187,37 @@ verify_cert(const char roots_dir, const char roots_file,
185	struct verify_cert_test {	187	struct verify_cert_test {
186	const char *id;	188	const char *id;
187	int want_chains;	189	int want_chains;
		190	int want_error;
		191	int want_error_depth;
		192	int want_legacy_error;
		193	int want_legacy_error_depth;
188	int failing;	194	int failing;
189	};	195	};
190		196
191	struct verify_cert_test verify_cert_tests[] = {	197	struct verify_cert_test verify_cert_tests[] = {
192	{	198	{
193	.id = "1a",
194	.want_chains = 1,
195	},
196	{
197	.id = "2a",	199	.id = "2a",
198	.want_chains = 1,	200	.want_chains = 1,
199	.failing = 1,	201	.want_error = 0,
		202	.want_error_depth = 0,
		203	.want_legacy_error = 0,
		204	.want_legacy_error_depth = 0,
200	},	205	},
201	{	206	{
202	.id = "2b",	207	.id = "8a",
203	.want_chains = 0,	208	.want_chains = 1,
		209	.want_error = X509_V_ERR_CERT_HAS_EXPIRED,
		210	.want_error_depth = 0,
		211	.want_legacy_error = X509_V_ERR_CERT_HAS_EXPIRED,
		212	.want_legacy_error_depth = 0,
204	},	213	},
205	{	214	{
206	.id = "2c",	215	.id = "9a",
207	.want_chains = 1,	216	.want_chains = 1,
		217	.want_error = X509_V_ERR_CERT_HAS_EXPIRED,
		218	.want_error_depth = 0,
		219	.want_legacy_error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
		220	.want_legacy_error_depth = 0,
208	.failing = 1,	221	.failing = 1,
209	},	222	},
210	};	223	};
@@ -217,8 +230,8 @@ verify_cert_test(const char *certs_path, int mode)
217	{	230	{
218	char roots_file, bundle_file, *roots_dir;	231	char roots_file, bundle_file, *roots_dir;
219	struct verify_cert_test *vct;	232	struct verify_cert_test *vct;
		233	int chains, error, error_depth;
220	int failed = 0;	234	int failed = 0;
221	int chains;
222	size_t i;	235	size_t i;
223		236
224	for (i = 0; i < N_VERIFY_CERT_TESTS; i++) {	237	for (i = 0; i < N_VERIFY_CERT_TESTS; i++) {
@@ -234,7 +247,9 @@ verify_cert_test(const char *certs_path, int mode)
234	errx(1, "asprintf");	247	errx(1, "asprintf");
235		248
236	fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);	249	fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);
237	verify_cert(roots_dir, roots_file, bundle_file, &chains, mode);	250	verify_cert(roots_dir, roots_file, bundle_file, &chains, &error,
		251	&error_depth, mode);
		252
238	if ((mode == MODE_VERIFY && chains == vct->want_chains) \|\|	253	if ((mode == MODE_VERIFY && chains == vct->want_chains) \|\|
239	(chains == 0 && vct->want_chains == 0) \|\|	254	(chains == 0 && vct->want_chains == 0) \|\|
240	(chains == 1 && vct->want_chains > 0)) {	255	(chains == 1 && vct->want_chains > 0)) {
@@ -248,6 +263,32 @@ verify_cert_test(const char *certs_path, int mode)
248	if (!vct->failing)	263	if (!vct->failing)
249	failed \|= 1;	264	failed \|= 1;
250	}	265	}
		266
		267	if (mode == MODE_LEGACY_VFY) {
		268	if (error != vct->want_legacy_error) {
		269	fprintf(stderr, "FAIL: Got legacy error %d, "
		270	"want %d\n", error, vct->want_legacy_error);
		271	failed \|= 1;
		272	}
		273	if (error_depth != vct->want_legacy_error_depth) {
		274	fprintf(stderr, "FAIL: Got legacy error depth "
		275	"%d, want %d\n", error_depth,
		276	vct->want_legacy_error_depth);
		277	failed \|= 1;
		278	}
		279	} else if (mode == MODE_MODERN_VFY \|\| mode == MODE_MODERN_VFY_DIR) {
		280	if (error != vct->want_error) {
		281	fprintf(stderr, "FAIL: Got error %d, want %d\n",
		282	error, vct->want_error);
		283	failed \|= 1;
		284	}
		285	if (error_depth != vct->want_error_depth) {
		286	fprintf(stderr, "FAIL: Got error depth %d, want"
		287	" %d\n", error_depth, vct->want_error_depth);
		288	failed \|= 1;
		289	}
		290	}
		291
251	fprintf(stderr, "\n");	292	fprintf(stderr, "\n");
252		293
253	free(roots_file);	294	free(roots_file);