Fix SSL tests due to verifier behavior changes in OpenSSL 1.1.1i
Summary: Some tests were relying on internal OpenSSL behavior that changed in OpenSSL 1.1.1i.

OpenSSL commit [2e06150e](https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58) causes additional `handshakeVer` callback invocations. If an UNABLE_TO_VERIFY_LEAF_SIGNATURE handshakeVer callback overrides the result to *true*, OpenSSL will now continue to perform certificate verifications **as if the overridden cert was the properly found root**. This means:

* It is subject to certificate expiration checks, and,
* A final `handshakeVer` callback is invoked with `preverifyOk=1` when it passes the expiration checks.

Several of our tests that relied on `handshakeVer` only being called *once* broke. Since the tests are testing a different, higher level aspect of verification (i.e. it is not actually trying to test how many times `handshakeVer` is being called), I've relaxed some of the expectations to allow for multiple invocations.

CertificateVerifier semantics were also affected. Because there is a final successful `handshakeVer` callback that is issued, it is not just sufficient to check for depth and preverifyOk before invoking the CertificateVerifier.

Reviewed By: pixelb

Differential Revision: D25775429

fbshipit-source-id: 98d35249a623307fb1de366c498b1dbae4fabf82