Add a TLS test for name constraints with an EE cert without a SAN

It is valid for name constraints to be in force but for there to be no SAN extension in a certificate. Previous versions of OpenSSL mishandled this. Test for CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org>
2024-11-21 01:15:20 +08:00 · 2021-12-03 15:18:27 +00:00 · 2021-12-03 15:18:27 +00:00 · 752aa4a6f0
commit 752aa4a6f0
parent 3269c8bd94
3 changed files with 77 additions and 1 deletions
--- a/test/certs/goodcn2-chain.pem
+++ b/test/certs/goodcn2-chain.pem
@ -0,0 +1,40 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe
+kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0
+UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B
+0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR
+Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9
+QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX
+dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn
+ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8
+S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM
+D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2
+1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L
+yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg
+fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD
+DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC
+XjL5JEImsGFW5whlXCfDTeqjZAVb+rSXAhZQ25bP9YvhsbmPVYe8A61zwGStl2rF
+mChzN9/+LA40/lh0mjCV82mfNp1XLRPhE9sPGXwfLgJGCy/d6pp/8yGuFmkWPus9
+bhxlOk7ADw4e3R3kVdwn9I3O3mIrI+I45ywZpzrbs/NGFiqhRxXbZTAKyI4INxgB
+VZfkoxqesnjD1j36fq7qEVas6gVm27YA9b+31ofFLM7WN811LQELwTdWiF0/xXiO
+XawU1QnkrNPxCSPWyeaM4tN50ZPRQA/ArV4I7szKhKskRzGwFgdaxorYn8c+2gTq
+fedLPvNw1WPryAumidqTAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zALBgNV
+HQ8EBAMCAQYwHQYDVR0OBBYEFAjRm/nm1WRwoPFrGp7tUtrd9VBDMB8GA1UdIwQY
+MBaAFI71Ja8em2uEPXyAmslTnE1y96NSMFwGA1UdHgRVMFOgUTAOggx3d3cuZ29v
+ZC5vcmcwCoIIZ29vZC5jb20wD4ENZ29vZEBnb29kLm9yZzAKgQhnb29kLmNvbTAK
+hwh/AAAB/////zAKhwjAqAAA//8AADANBgkqhkiG9w0BAQsFAAOCAQEAVyRsB6B8
+iCYZxBTOO10Bor+Q4xxgs0udVR90/tM57P8GHd10e8suaW2Dtg9stxZJ3cmsn3zd
+QNxNIQuwHTNtVU0OSqKv6puj6ZQETSya4jDAmRqY47R866MHkSwLUYDMFtuM1Wy
+gnoD5m1/Uy1K/Wvbnp1Zq4jtTB6su8TmIdJgtpEmte7tIQu5kPXsuJrz/x5a1TfR
+hu7h4LJYwKlQtd/LRINnHKd241YSE7PVdG8SPxyrX11hJSC+1Z5Epxc6BCVDVN1E
+fyVDdLXvKf30Nlbg2hZfO/cGTmwOt7RImygzhV/s41v4wtMW0EPuVanGQusRgHFm
+3JC//UMgfkkwAA==
+-----END CERTIFICATE-----
--- a/test/ssl-tests/01-simple.cnf
+++ b/test/ssl-tests/01-simple.cnf
@ -1,10 +1,11 @@
 # Generated with generate_ssl_tests.pl

-num_tests = 3
+num_tests = 4

 test-0 = 0-default
 test-1 = 1-Server signature algorithms bug
 test-2 = 2-verify-cert
+test-3 = 3-name-constraints-no-san-in-ee
 # ===========================================================

 [0-default]
@ -76,3 +77,26 @@ ExpectedClientAlert = UnknownCA
 ExpectedResult = ClientFail


+# ===========================================================
+
+[3-name-constraints-no-san-in-ee]
+ssl_conf = 3-name-constraints-no-san-in-ee-ssl
+
+[3-name-constraints-no-san-in-ee-ssl]
+server = 3-name-constraints-no-san-in-ee-server
+client = 3-name-constraints-no-san-in-ee-client
+
+[3-name-constraints-no-san-in-ee-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/goodcn2-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/goodcn2-key.pem
+
+[3-name-constraints-no-san-in-ee-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+
+
--- a/test/ssl-tests/01-simple.cnf.in
+++ b/test/ssl-tests/01-simple.cnf.in
@ -39,4 +39,16 @@ our @tests = (
          "ExpectedClientAlert" => "UnknownCA",
        },
    },
+
+    {
+        name => "name-constraints-no-san-in-ee",
+        server => {
+            "Certificate" => test_pem("goodcn2-chain.pem"),
+            "PrivateKey"  => test_pem("goodcn2-key.pem"),
+        },
+        client => {
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+        },
+        test   => { "ExpectedResult" => "Success" },
+    },
 );