Commit 0ab97552 authored by Mingtao Yang's avatar Mingtao Yang Committed by Facebook GitHub Bot

Fix SSL tests due to verifier behavior changes in OpenSSL 1.1.1i

Summary:
Some tests were relying on internal OpenSSL behavior that changed in OpenSSL
1.1.1i.

OpenSSL commit [2e06150e](https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58)
causes additional `handshakeVer` callback invocations. If an UNABLE_TO_VERIFY_LEAF_SIGNATURE handshakeVer
callback overrides the result to *true*, OpenSSL will now continue to perform certificate
verifications **as if the overriden cert was the properly found root**. This means:

* It is subject to certificate expiration checks, and,
* A final `handshakeVer` callback is invoked with `preverifyOk=1` when it passes the expiration checks.

Several of our tests that relied on `handshakeVer` only being called *once* broke. Since the tests
are testing a different, higher level aspect of verification (i.e. it is not actually trying to
test how many times `handshakeVer` is being called), I've relaxed some of the expectations to allow
for multiple invocations.

CertificateVerifier semantics were also affected. Because there is a final
successful `handshakeVer` callback that is issued, it is not just sufficient
to check for depth and preverifyOk before invoking the CertificateVerifier.

Reviewed By: pixelb

Differential Revision: D25775429

fbshipit-source-id: 98d35249a623307fb1de366c498b1dbae4fabf82
parent 6aa911b4
...@@ -1260,6 +1260,7 @@ class SSLHandshakeBase : public AsyncSSLSocket::HandshakeCB, ...@@ -1260,6 +1260,7 @@ class SSLHandshakeBase : public AsyncSSLSocket::HandshakeCB,
bool handshakeVerify_; bool handshakeVerify_;
bool handshakeSuccess_; bool handshakeSuccess_;
bool handshakeError_; bool handshakeError_;
int handshakeVerifyInvocations_{};
std::chrono::nanoseconds handshakeTime; std::chrono::nanoseconds handshakeTime;
protected: protected:
...@@ -1272,9 +1273,12 @@ class SSLHandshakeBase : public AsyncSSLSocket::HandshakeCB, ...@@ -1272,9 +1273,12 @@ class SSLHandshakeBase : public AsyncSSLSocket::HandshakeCB,
AsyncSSLSocket* /* sock */, AsyncSSLSocket* /* sock */,
bool preverifyOk, bool preverifyOk,
X509_STORE_CTX* /* ctx */) noexcept override { X509_STORE_CTX* /* ctx */) noexcept override {
handshakeVerify_ = true; auto invocation = handshakeVerifyInvocations_++;
EXPECT_EQ(preverifyResult_, preverifyOk); if (invocation == 0) {
handshakeVerify_ = true;
EXPECT_EQ(preverifyResult_, preverifyOk);
}
return verifyResult_; return verifyResult_;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment