Test cert_cb and certificate verify ordering.

In particular, although CertificateRequest comes before Certificate and
CertificateVerify in TLS 1.3, we must not resolve the CertificateRequest until
afterwards. (This is rather annoying ordering, but does mean the
CertificateRequest is covered in the signature, which is nice to have.)

Change-Id: Iab95813de5efd674aa8e2459cfc7456b146ee754
Reviewed-on: https://boringssl-review.googlesource.com/29826
Reviewed-by: Jesse Selover <jselover@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 3bf93d9..2ab76b5 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -4114,6 +4114,30 @@
   EXPECT_EQ(43, byte);
 }
 
+TEST_P(SSLVersionTest, VerifyBeforeCertRequest) {
+  // Configure the server to request client certificates.
+  SSL_CTX_set_custom_verify(
+      server_ctx_.get(), SSL_VERIFY_PEER,
+      [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_ok; });
+
+  // Configure the client to reject the server certificate.
+  SSL_CTX_set_custom_verify(
+      client_ctx_.get(), SSL_VERIFY_PEER,
+      [](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
+
+  // cert_cb should not be called. Verification should fail first.
+  SSL_CTX_set_cert_cb(client_ctx_.get(),
+                      [](SSL *ssl, void *arg) {
+                        ADD_FAILURE() << "cert_cb unexpectedly called";
+                        return 0;
+                      },
+                      nullptr);
+
+  bssl::UniquePtr<SSL> client, server;
+  EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
+                                      server_ctx_.get()));
+}
+
 // TODO(davidben): Convert this file to GTest properly.
 TEST(SSLTest, AllTests) {
   if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
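Review bot: `VerifyBeforeCertRequest` can pass vacuously, because its only positive assertion is the final `EXPECT_FALSE(ConnectClientAndServer(...))`. A handshake that fails for an unrelated reason before either callback runs would satisfy it without exercising the ordering between verification and `cert_cb`. Pinning the failure cause would close that gap, for example `EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(ERR_peek_error()));` after the connect call, assuming the helper leaves the client's error at the head of the queue. Alternatively, record in the client's verify lambda that it was invoked and assert on that. The rejecting lambda only returns `ssl_verify_invalid`, so the asynchronous `ssl_verify_retry` path is not covered; a comment on the test saying so would help, since `cert_cb` must also stay uncalled while verification is pending.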