update main-with-bazel from master branch
diff --git a/BUILD.generated_tests.bzl b/BUILD.generated_tests.bzl
index 3e9f569..4dbefb3 100644
--- a/BUILD.generated_tests.bzl
+++ b/BUILD.generated_tests.bzl
@@ -1458,14 +1458,18 @@
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem",
@@ -1679,8 +1683,10 @@
"src/pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test",
@@ -1691,12 +1697,15 @@
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test",
@@ -1719,6 +1728,7 @@
"src/pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem",
"src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem",
"src/pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test",
diff --git a/sources.json b/sources.json
index c5bb78f..ca32208 100644
--- a/sources.json
+++ b/sources.json
@@ -2065,14 +2065,18 @@
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem",
@@ -2286,8 +2290,10 @@
"src/pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test",
@@ -2298,12 +2304,15 @@
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test",
@@ -2326,6 +2335,7 @@
"src/pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem",
"src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test",
+ "src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test",
"src/pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem",
"src/pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test",
diff --git a/src/gen/sources.cmake b/src/gen/sources.cmake
index 927363d..6c8b176 100644
--- a/src/gen/sources.cmake
+++ b/src/gen/sources.cmake
@@ -2150,14 +2150,18 @@
pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem
+ pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test
+ pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem
+ pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test
+ pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test
pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem
@@ -2371,8 +2375,10 @@
pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test
pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test
pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem
+ pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test
pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test
+ pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test
pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test
pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test
@@ -2383,12 +2389,15 @@
pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test
pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test
pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem
+ pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test
pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test
+ pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test
pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test
pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test
pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem
+ pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test
pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test
pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test
@@ -2411,6 +2420,7 @@
pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test
pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem
pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test
+ pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test
pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem
pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test
diff --git a/src/gen/sources.json b/src/gen/sources.json
index 1fe6517..77b1343 100644
--- a/src/gen/sources.json
+++ b/src/gen/sources.json
@@ -2091,14 +2091,18 @@
"pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem",
+ "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test",
+ "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem",
+ "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test",
+ "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test",
"pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem",
@@ -2312,8 +2316,10 @@
"pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem",
+ "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test",
+ "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test",
@@ -2324,12 +2330,15 @@
"pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem",
+ "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test",
+ "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem",
+ "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test",
"pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test",
@@ -2352,6 +2361,7 @@
"pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test",
"pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem",
"pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test",
+ "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test",
"pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test",
"pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem",
"pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test",
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 97f1c89..04c191f 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -4376,8 +4376,17 @@
//
// The format is described in
// https://www.ietf.org/archive/id/draft-ietf-tls-keylogfile-01.html
-OPENSSL_EXPORT void SSL_CTX_set_keylog_callback(
- SSL_CTX *ctx, void (*cb)(const SSL *ssl, const char *line));
+//
+// WARNING: The data in |line| allows an attacker to break security properties
+// of the TLS protocol, including confidentiality, integrity, and forward
+// secrecy. This impacts both the current connection, and, in TLS 1.2, future
+// connections that resume a session from it. Both direct access to the data and
+// side channel leaks from application code are possible attack vectors. This
+// callback is intended for debugging and should not be used in production
+// connections.
+OPENSSL_EXPORT void SSL_CTX_set_keylog_callback(SSL_CTX *ctx,
+ void (*cb)(const SSL *ssl,
+ const char *line));
// SSL_CTX_get_keylog_callback returns the callback configured by
// |SSL_CTX_set_keylog_callback|.
diff --git a/src/pki/test_helpers.cc b/src/pki/test_helpers.cc
index 490fba5..0615008 100644
--- a/src/pki/test_helpers.cc
+++ b/src/pki/test_helpers.cc
@@ -305,6 +305,10 @@
test->key_purpose = KeyPurpose::SERVER_AUTH_STRICT;
} else if (value == "CLIENT_AUTH_STRICT") {
test->key_purpose = KeyPurpose::CLIENT_AUTH_STRICT;
+ } else if (value == "SERVER_AUTH_STRICT_LEAF") {
+ test->key_purpose = KeyPurpose::SERVER_AUTH_STRICT_LEAF;
+ } else if (value == "CLIENT_AUTH_STRICT_LEAF") {
+ test->key_purpose = KeyPurpose::CLIENT_AUTH_STRICT_LEAF;
} else {
ADD_FAILURE() << "Unrecognized key_purpose: " << value;
return false;
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
new file mode 100644
index 0000000..267df5c
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
@@ -0,0 +1,5 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
new file mode 100644
index 0000000..47b307a
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
@@ -0,0 +1,8 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+WARNING: The extended key usage does not include server auth but instead includes anyExtendeKeyUsage
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
new file mode 100644
index 0000000..267df5c
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
@@ -0,0 +1,5 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
new file mode 100644
index 0000000..64393a3
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
@@ -0,0 +1,8 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+ERROR: The extended key usage does not include server auth
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
new file mode 100644
index 0000000..f32749d
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: The extended key usage does not include client auth but instead includes anyExtendedKeyUsage
+ERROR: The extended key usage does not include client auth
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
new file mode 100644
index 0000000..1c13dcb
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: The extended key usage does not include server auth but instead includes anyExtendeKeyUsage
+ERROR: The extended key usage does not include server auth
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
new file mode 100644
index 0000000..87253df
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
@@ -0,0 +1,10 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+ERROR: The extended key usage includes code signing which is not permitted for this use
+ERROR: The extended key usage includes OCSP signing which is not permitted for this use
+ERROR: The extended key usage includes time stamping which is not permitted for this use
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
new file mode 100644
index 0000000..b1cff00
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
@@ -0,0 +1,10 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+ERROR: The extended key usage includes code signing which is not permitted for this use
+ERROR: The extended key usage includes OCSP signing which is not permitted for this use
+ERROR: The extended key usage includes time stamping which is not permitted for this use
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
new file mode 100644
index 0000000..ef15a68
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: Certificate does not have extended key usage
+ERROR: The extended key usage does not include client auth
+
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test b/src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
new file mode 100644
index 0000000..f4c98ae
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
@@ -0,0 +1,10 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: Certificate does not have extended key usage
+ERROR: The extended key usage does not include server auth
+ERROR: Certificate has Basic Constraints indicating it is a CA when it should not be a CA
+
diff --git a/src/pki/verify_certificate_chain.cc b/src/pki/verify_certificate_chain.cc
index c42f757..f83aef8 100644
--- a/src/pki/verify_certificate_chain.cc
+++ b/src/pki/verify_certificate_chain.cc
@@ -229,6 +229,23 @@
}
}
+ // Apply strict only to leaf certificates in these cases.
+ if (required_key_purpose == KeyPurpose::CLIENT_AUTH_STRICT_LEAF) {
+ if (!is_target_cert) {
+ required_key_purpose = KeyPurpose::CLIENT_AUTH;
+ } else {
+ required_key_purpose = KeyPurpose::CLIENT_AUTH_STRICT;
+ }
+ }
+
+ if (required_key_purpose == KeyPurpose::SERVER_AUTH_STRICT_LEAF) {
+ if (!is_target_cert) {
+ required_key_purpose = KeyPurpose::SERVER_AUTH;
+ } else {
+ required_key_purpose = KeyPurpose::SERVER_AUTH_STRICT;
+ }
+ }
+
auto add_error_if_strict = [&](CertErrorId id) {
if (required_key_purpose == KeyPurpose::SERVER_AUTH_STRICT ||
required_key_purpose == KeyPurpose::CLIENT_AUTH_STRICT) {
@@ -300,6 +317,8 @@
switch (required_key_purpose) {
case KeyPurpose::ANY_EKU:
+ case KeyPurpose::CLIENT_AUTH_STRICT_LEAF:
+ case KeyPurpose::SERVER_AUTH_STRICT_LEAF:
assert(0); // NOTREACHED
return;
case KeyPurpose::SERVER_AUTH:
@@ -1192,6 +1211,8 @@
break;
case KeyPurpose::SERVER_AUTH_STRICT:
case KeyPurpose::CLIENT_AUTH_STRICT:
+ case KeyPurpose::CLIENT_AUTH_STRICT_LEAF:
+ case KeyPurpose::SERVER_AUTH_STRICT_LEAF:
errors->AddError(cert_errors::kTargetCertShouldNotBeCa);
break;
}
diff --git a/src/pki/verify_certificate_chain.h b/src/pki/verify_certificate_chain.h
index 6c4cccf..9510fa9 100644
--- a/src/pki/verify_certificate_chain.h
+++ b/src/pki/verify_certificate_chain.h
@@ -30,8 +30,10 @@
CLIENT_AUTH,
SERVER_AUTH_STRICT, // Skip ANY_EKU when checking, require EKU present in
// certificate.
+ SERVER_AUTH_STRICT_LEAF, // Same as above, but only for leaf cert.
CLIENT_AUTH_STRICT, // Skip ANY_EKU when checking, require EKU present in
// certificate.
+ CLIENT_AUTH_STRICT_LEAF, // Same as above, but only for leaf ce
};
enum class InitialExplicitPolicy {
diff --git a/src/pki/verify_certificate_chain_typed_unittest.h b/src/pki/verify_certificate_chain_typed_unittest.h
index e22788c..95b3976 100644
--- a/src/pki/verify_certificate_chain_typed_unittest.h
+++ b/src/pki/verify_certificate_chain_typed_unittest.h
@@ -140,6 +140,7 @@
TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetNotEndEntity) {
this->RunTest("target-not-end-entity/main.test");
this->RunTest("target-not-end-entity/strict.test");
+ this->RunTest("target-not-end-entity/strict-leaf.test");
}
TYPED_TEST_P(VerifyCertificateChainSingleRootTest, KeyUsage) {
@@ -166,12 +167,16 @@
this->RunTest("intermediate-eku-clientauth/serverauth.test");
this->RunTest("intermediate-eku-clientauth/clientauth.test");
this->RunTest("intermediate-eku-clientauth/serverauth-strict.test");
+ this->RunTest("intermediate-eku-clientauth/serverauth-strict-leaf.test");
this->RunTest("intermediate-eku-clientauth/clientauth-strict.test");
+ this->RunTest("intermediate-eku-clientauth/clientauth-strict-leaf.test");
this->RunTest("intermediate-eku-any-and-clientauth/any.test");
this->RunTest("intermediate-eku-any-and-clientauth/serverauth.test");
this->RunTest("intermediate-eku-any-and-clientauth/serverauth-strict.test");
+ this->RunTest("intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test");
this->RunTest("intermediate-eku-any-and-clientauth/clientauth.test");
this->RunTest("intermediate-eku-any-and-clientauth/clientauth-strict.test");
+ this->RunTest("intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test");
this->RunTest("target-eku-clientauth/any.test");
this->RunTest("target-eku-clientauth/serverauth.test");
this->RunTest("target-eku-clientauth/clientauth.test");
@@ -179,19 +184,24 @@
this->RunTest("target-eku-clientauth/clientauth-strict.test");
this->RunTest("target-eku-any/any.test");
this->RunTest("target-eku-any/serverauth.test");
+ this->RunTest("target-eku-any/serverauth-strict-leaf.test");
this->RunTest("target-eku-any/clientauth.test");
this->RunTest("target-eku-any/serverauth-strict.test");
this->RunTest("target-eku-any/clientauth-strict.test");
+ this->RunTest("target-eku-any/clientauth-strict-leaf.test");
this->RunTest("target-eku-many/any.test");
this->RunTest("target-eku-many/serverauth.test");
this->RunTest("target-eku-many/clientauth.test");
this->RunTest("target-eku-many/serverauth-strict.test");
+ this->RunTest("target-eku-many/serverauth-strict-leaf.test");
this->RunTest("target-eku-many/clientauth-strict.test");
+ this->RunTest("target-eku-many/clientauth-strict-leaf.test");
this->RunTest("target-eku-none/any.test");
this->RunTest("target-eku-none/serverauth.test");
this->RunTest("target-eku-none/clientauth.test");
this->RunTest("target-eku-none/serverauth-strict.test");
this->RunTest("target-eku-none/clientauth-strict.test");
+ this->RunTest("target-eku-none/clientauth-strict-leaf.test");
this->RunTest("root-eku-clientauth/serverauth.test");
this->RunTest("root-eku-clientauth/serverauth-strict.test");
this->RunTest("root-eku-clientauth/serverauth-ta-with-constraints.test");
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 98f97eb..ec0ee89 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -279,17 +279,21 @@
return ret;
}
-static bool cbb_add_hex(CBB *cbb, Span<const uint8_t> in) {
- static const char hextable[] = "0123456789abcdef";
- uint8_t *out;
+static uint8_t hex_char_consttime(uint8_t b) {
+ declassify_assert(b < 16);
+ return constant_time_select_8(constant_time_lt_8(b, 10), b + '0',
+ b - 10 + 'a');
+}
- if (!CBB_add_space(cbb, &out, in.size() * 2)) {
+static bool cbb_add_hex_consttime(CBB *cbb, Span<const uint8_t> in) {
+ uint8_t *out;
+if (!CBB_add_space(cbb, &out, in.size() * 2)) {
return false;
}
for (uint8_t b : in) {
- *(out++) = (uint8_t)hextable[b >> 4];
- *(out++) = (uint8_t)hextable[b & 0xf];
+ *(out++) = hex_char_consttime(b >> 4);
+ *(out++) = hex_char_consttime(b & 0xf);
}
return true;
@@ -308,9 +312,11 @@
!CBB_add_bytes(cbb.get(), reinterpret_cast<const uint8_t *>(label),
strlen(label)) ||
!CBB_add_u8(cbb.get(), ' ') ||
- !cbb_add_hex(cbb.get(), ssl->s3->client_random) ||
+ !cbb_add_hex_consttime(cbb.get(), ssl->s3->client_random) ||
!CBB_add_u8(cbb.get(), ' ') ||
- !cbb_add_hex(cbb.get(), secret) ||
+ // Convert to hex in constant time to avoid leaking |secret|. If the
+ // callback discards the data, we should not introduce side channels.
+ !cbb_add_hex_consttime(cbb.get(), secret) ||
!CBB_add_u8(cbb.get(), 0 /* NUL */) ||
!CBBFinishArray(cbb.get(), &line)) {
return false;