author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-12-16 12:57:45 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-12-16 12:57:45 +0000 |
commit | 0e2c39ee0f5db37c90a5fcc92f3ac7cdf4b157a7 (patch) | |
tree | 1bc01a4ff5390a6fd300a4d3ae94190e9a42eef7 | |
parent | f665c63fcce8ca216be523018ad3637c366eb6a3 (diff) | |
parent | 74fffc2ab64f903d4222243e16086a4bd7600935 (diff) | |
Snap for 9412736 from 74fffc2ab64f903d4222243e16086a4bd7600935 to mainline-conscrypt-releaseaml_con_331413000aml_con_331411000android13-mainline-conscrypt-release
Change-Id: Ia69ab9c5a188a5ba3156bdc44820e163cdff54c7
-rw-r--r-- | Android.bp | 5 | ||||
-rw-r--r-- | CryptoNativeTests.xml (renamed from NativeTests.xml) | 9 | ||||
-rw-r--r-- | SslNativeTests.xml | 33 | ||||
-rw-r--r-- | src/crypto/x509/x509_test.cc | 106 | ||||
-rw-r--r-- | src/crypto/x509/x509_vfy.c | 6 | ||||
-rw-r--r-- | src/include/openssl/x509.h | 4 | ||||
-rw-r--r-- | src/ssl/ssl_test.cc | 2 |
7 files changed, 154 insertions, 11 deletions
@@ -488,14 +488,13 @@ cc_library_static { shared_libs: [ "libcrypto", - "libssl", ], } // Tests cc_test { name: "boringssl_crypto_test", - test_config: "NativeTests.xml", + test_config: "CryptoNativeTests.xml", host_supported: false, per_testcase_directory: true, compile_multilib: "both", @@ -524,7 +523,7 @@ cc_test { cc_test { name: "boringssl_ssl_test", - test_config: "NativeTests.xml", + test_config: "SslNativeTests.xml", host_supported: false, per_testcase_directory: true, compile_multilib: "both", diff --git a/NativeTests.xml b/CryptoNativeTests.xml index d3eb9444..0adc18f2 100644 --- a/NativeTests.xml +++ b/CryptoNativeTests.xml 
@@ -14,26 +14,19 @@
 ~ See the License for the specific language governing permissions and
 ~ limitations under the License.
 ~
- ~ Re-runs a subset of MtsConscryptTestCases using Conscrypt's file-descriptor based
- ~ implementation to ensure there are no regressions in this implementation before
- ~ it is fully deprecated.
- ~
- ~ Apart from the include filters and SSLSocket implementation this test suite is
- ~ identical to MtsConscryptTestCases.
+ ~ Native test configuration for boringssl_crypto_test.
 -->
 <configuration description="Configuration for BoringSSL native tests">
 <option name="test-suite-tag" value="mts-conscrypt" />
 <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
 <option name="cleanup" value="true" />
 <option name="push" value="boringssl_crypto_test->/data/local/tmp/boringssl_crypto_test" />
- <option name="push" value="boringssl_ssl_test->/data/local/tmp/boringssl_ssl_test" />
 <option name="append-bitness" value="true" />
 </target_preparer>
 <target_preparer class="com.android.tradefed.targetprep.RootTargetPreparer"/>
 <test class="com.android.tradefed.testtype.GTest" >
 <option name="native-test-device-path" value="/data/local/tmp" />
 <option name="module-name" value="boringssl_crypto_test" />
- <option name="module-name" value="boringssl_ssl_test" />
 <option name="runtime-hint" value="10m" />
 <option name="native-test-timeout" value="600000" />
 </test>
diff --git a/SslNativeTests.xml b/SslNativeTests.xml
new file mode 100644
index 00000000..9257111d
--- /dev/null
+++ b/SslNativeTests.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ ~ Copyright (C) 2022 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~
+ ~ Native test configuration for boringssl_ssl_test.
+ -->
+<configuration description="Configuration for BoringSSL native tests">
+ <option name="test-suite-tag" value="mts-conscrypt" />
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+ <option name="cleanup" value="true" />
+ <option name="push" value="boringssl_ssl_test->/data/local/tmp/boringssl_ssl_test" />
+ <option name="append-bitness" value="true" />
+ </target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.RootTargetPreparer"/>
+ <test class="com.android.tradefed.testtype.GTest" >
+ <option name="native-test-device-path" value="/data/local/tmp" />
+ <option name="module-name" value="boringssl_ssl_test" />
+ <option name="runtime-hint" value="10m" />
+ <option name="native-test-timeout" value="600000" />
+ </test>
+</configuration>
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index ce70ae3b..379f26bc 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -1470,6 +1470,23 @@ TEST(X509Test, TestCRL) { Verify(leaf.get(), {root.get()}, {root.get()}, {algorithm_mismatch_crl2.get()}, X509_V_FLAG_CRL_CHECK)); + // The CRL is valid for a month. + EXPECT_EQ(X509_V_ERR_CRL_HAS_EXPIRED, + Verify(leaf.get(), {root.get()}, {root.get()}, {basic_crl.get()}, + X509_V_FLAG_CRL_CHECK, [](X509_VERIFY_PARAM *param) { + X509_VERIFY_PARAM_set_time( + param, kReferenceTime + 2 * 30 * 24 * 3600); + })); + + // X509_V_FLAG_NO_CHECK_TIME suppresses the validity check. + EXPECT_EQ(X509_V_OK, + Verify(leaf.get(), {root.get()}, {root.get()}, {basic_crl.get()}, + X509_V_FLAG_CRL_CHECK | X509_V_FLAG_NO_CHECK_TIME, + [](X509_VERIFY_PARAM *param) { + X509_VERIFY_PARAM_set_time( + param, kReferenceTime + 2 * 30 * 24 * 3600); + })); + // Parsing kBadExtensionCRL should fail. EXPECT_FALSE(CRLFromPEM(kBadExtensionCRL)); } 
@@ -3551,6 +3568,95 @@ TEST(X509Test, TrustedFirst) { })); } +// Test that notBefore and notAfter checks work correctly. +TEST(X509Test, Expiry) { + bssl::UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key); + ASSERT_TRUE(key); + + // The following are measured in seconds relative to kReferenceTime. The + // validity periods are staggered so we can independently test both leaf and + // root time checks. + const time_t kSecondsInDay = 24 * 3600; + const time_t kRootStart = -30 * kSecondsInDay; + const time_t kIntermediateStart = -20 * kSecondsInDay; + const time_t kLeafStart = -10 * kSecondsInDay; + const time_t kIntermediateEnd = 10 * kSecondsInDay; + const time_t kLeafEnd = 20 * kSecondsInDay; + const time_t kRootEnd = 30 * kSecondsInDay; + + bssl::UniquePtr<X509> root = + MakeTestCert("Root", "Root", key.get(), /*is_ca=*/true); + ASSERT_TRUE(root); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notBefore(root.get()), kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/kRootStart)); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notAfter(root.get()), kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/kRootEnd)); + ASSERT_TRUE(X509_sign(root.get(), key.get(), EVP_sha256())); + + bssl::UniquePtr<X509> intermediate = + MakeTestCert("Root", "Intermediate", key.get(), /*is_ca=*/true); + ASSERT_TRUE(intermediate); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notBefore(intermediate.get()), + kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/kIntermediateStart)); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notAfter(intermediate.get()), + kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/kIntermediateEnd)); + ASSERT_TRUE(X509_sign(intermediate.get(), key.get(), EVP_sha256())); + + bssl::UniquePtr<X509> leaf = + MakeTestCert("Intermediate", "Leaf", key.get(), /*is_ca=*/false); + ASSERT_TRUE(leaf); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notBefore(leaf.get()), kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/kLeafStart)); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notAfter(leaf.get()), 
kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/kLeafEnd)); + ASSERT_TRUE(X509_sign(leaf.get(), key.get(), EVP_sha256())); + + struct VerifyAt { + time_t time; + void operator()(X509_VERIFY_PARAM *param) const { + X509_VERIFY_PARAM_set_time(param, time); + } + }; + + for (bool check_time : {true, false}) { + SCOPED_TRACE(check_time); + unsigned long flags = check_time ? 0 : X509_V_FLAG_NO_CHECK_TIME; + int not_yet_valid = check_time ? X509_V_ERR_CERT_NOT_YET_VALID : X509_V_OK; + int has_expired = check_time ? X509_V_ERR_CERT_HAS_EXPIRED : X509_V_OK; + + EXPECT_EQ(not_yet_valid, + Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, flags, + VerifyAt{kReferenceTime + kRootStart - 1})); + EXPECT_EQ(not_yet_valid, + Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, flags, + VerifyAt{kReferenceTime + kIntermediateStart - 1})); + EXPECT_EQ(not_yet_valid, + Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, flags, + VerifyAt{kReferenceTime + kLeafStart - 1})); + + EXPECT_EQ(X509_V_OK, Verify(leaf.get(), {root.get()}, {intermediate.get()}, + {}, flags, VerifyAt{kReferenceTime})); + + EXPECT_EQ(has_expired, + Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, flags, + VerifyAt{kReferenceTime + kRootEnd + 1})); + EXPECT_EQ(has_expired, + Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, flags, + VerifyAt{kReferenceTime + kIntermediateEnd + 1})); + EXPECT_EQ(has_expired, + Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, flags, + VerifyAt{kReferenceTime + kLeafEnd + 1})); + } +} + // kConstructedBitString is an X.509 certificate where the signature is encoded // as a BER constructed BIT STRING. Note that, while OpenSSL's parser accepts // this input, it interprets the value incorrectly. diff --git a/src/crypto/x509/x509_vfy.c b/src/crypto/x509/x509_vfy.c index f41ae6e1..7dcac260 100644 --- a/src/crypto/x509/x509_vfy.c +++ b/src/crypto/x509/x509_vfy.c 
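Review bot: The root's notBefore/notAfter checks are never exercised on their own in the new `Expiry` test, although its comment says the staggered periods allow leaf and root to be tested independently. The validity windows are nested (root -30..+30 days, leaf -10..+20 days), so at `kRootStart - 1` and `kRootEnd + 1` the leaf is also outside its window, and each assertion compares only the returned error code. If the `Verify` helper (defined outside this hunk) cannot report it, consider also asserting the failing depth with `X509_STORE_CTX_get_error_depth`, or give the leaf a window wider than the root's for those two cases. The exact boundary instants (`kReferenceTime + kLeafStart`, `kReferenceTime + kIntermediateEnd`) are not asserted either, so an inclusive/exclusive comparison slip would go unnoticed.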
@@ -1000,6 +1000,9 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; int i; + if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) { + return 1; + } if (notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) @@ -1743,6 +1746,9 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) time_t *ptime; int i; + if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) { + return 1; + } if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; else diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h index 4d312c7e..608c6700 100644 --- a/src/include/openssl/x509.h +++ b/src/include/openssl/x509.h @@ -2071,6 +2071,10 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); // will force the behaviour to match that of previous versions. #define X509_V_FLAG_NO_ALT_CHAINS 0x100000 +// X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate +// verification. +#define X509_V_FLAG_NO_CHECK_TIME 0x200000 + #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 #define X509_VP_FLAG_RESET_FLAGS 0x4 diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc index e2db5a4d..f07196cf 100644 --- a/src/ssl/ssl_test.cc +++ b/src/ssl/ssl_test.cc @@ -8064,6 +8064,8 @@ RVHWbCvFvNZAoWiIJ2z34RLGInyZvCZ8xLAvsuaWULDDaoeDl1M0t4Hm SSL_CTX_set_verify(client_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); + X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(client_ctx.get()), + X509_V_FLAG_NO_CHECK_TIME); struct TestCase { X509 *cert; |
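Review bot: In `check_crl_time` the new guard sits above `if (notify) ctx->current_crl = crl;`, so with `X509_V_FLAG_NO_CHECK_TIME` set the function returns before recording the CRL, whereas the existing code records it before any time comparison. Whether a caller or verify callback depends on that is not visible here (the body continues outside the hunk), but placing the guard after the `notify` assignment would keep that side effect independent of the flag. In both `check_crl_time` and `check_cert_time` the guard also runs before the `X509_V_FLAG_USE_CHECK_TIME` branch, so an explicitly configured `check_time` is ignored when both flags are set; a one-line comment such as `/* NO_CHECK_TIME takes precedence over USE_CHECK_TIME. */` would mark that as deliberate.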
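Review bot: The comment on `X509_V_FLAG_NO_CHECK_TIME` understates what the flag turns off: per the `x509_vfy.c` hunks it skips `check_crl_time` as well as `check_cert_time`, and the new tests show it winning over a time supplied with `X509_VERIFY_PARAM_set_time`. With it set, expired or not-yet-valid certificates and stale CRLs verify successfully, so revocation data can be arbitrarily old and callers have to bound validity themselves. Suggested wording: `// X509_V_FLAG_NO_CHECK_TIME disables all time checks on certificates and CRLs,` / `// even when a verification time is set. Expired certificates and stale CRLs are` / `// then accepted; callers must enforce validity by other means.`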
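Review bot: The new `X509_VERIFY_PARAM_set_flags(..., X509_V_FLAG_NO_CHECK_TIME)` call in `ssl_test.cc` carries no comment saying why this client context skips validity-period checks, and the test it belongs to starts outside the hunk. If the reason is that the embedded test certificates have a fixed validity window, say so, e.g. `// The test certificates have fixed validity periods; skip time checks so this test does not depend on the current date.` Pinning the verification time with `X509_VERIFY_PARAM_set_time` would be an alternative that keeps the time checks exercised.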