Add tests for failing cert_cb.
We missed that the TLS 1.3 code was inconsistent with the TLS 1.2 code.
Only on the server did we push an error code. But consistency between
client and server is probably worthwhile, so fix the 1.2 code to match
for now.
Change-Id: I17952c72048697dc66eacf0f144a66ced9cb3be8
Reviewed-on: https://boringssl-review.googlesource.com/12260
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 5161f13..70d8d96 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1476,6 +1476,7 @@
return -1;
}
if (ret == 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return -1;
}
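Review bot: The `ret == 0` branch now queues SSL_R_CERT_CB_ERROR before the fatal internal_error alert, but nothing in the hunk says why a zero return is a hard failure while the `return -1` just above it is not, and a reader of the TLS 1.2 path has to go find the TLS 1.3 server code to see that this is the convention being matched. A one-line comment would carry that: `/* cert_cb returned 0: a definitive failure, so record the reason before alerting, matching the TLS 1.3 server path. */`. The enclosing function starts and ends outside the hunk, so the handling of the other return values of the callback cannot be checked from here.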
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index abfcf0e..d1ccdb4 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -665,6 +665,10 @@
}
}
+ if (config->fail_cert_callback) {
+ return 0;
+ }
+
// The certificate will be installed via other means.
if (!config->async || config->use_early_callback ||
config->use_old_client_cert_callback) {
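Review bot: The new `if (config->fail_cert_callback) { return 0; }` returns a bare magic value with no explanation of what 0 means to the library, whereas the neighbouring comment on the "installed via other means" path does explain its intent; add `// 0 tells the library the callback failed; the test expects it to surface CERT_CB_ERROR and send an internal_error alert.` above the check. Note also that the check sits before the `config->async` branch on the following lines, so a failing callback is always reported synchronously and the asynchronous retry path is never combined with failure; if that is intended, saying so in the same comment would help. The enclosing callback starts and ends outside the hunk, so whether the block that closes on the first two lines has already had side effects before the failure is returned cannot be judged from here.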
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 19ec131..8f43e5c 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1709,6 +1709,50 @@
expectedLocalError: "remote error: handshake failure",
},
{
+ name: "FailCertCallback-Client-TLS12",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ ClientAuth: RequestClientCert,
+ },
+ flags: []string{"-fail-cert-callback"},
+ shouldFail: true,
+ expectedError: ":CERT_CB_ERROR:",
+ expectedLocalError: "remote error: internal error",
+ },
+ {
+ testType: serverTest,
+ name: "FailCertCallback-Server-TLS12",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ },
+ flags: []string{"-fail-cert-callback"},
+ shouldFail: true,
+ expectedError: ":CERT_CB_ERROR:",
+ expectedLocalError: "remote error: internal error",
+ },
+ {
+ name: "FailCertCallback-Client-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ ClientAuth: RequestClientCert,
+ },
+ flags: []string{"-fail-cert-callback"},
+ shouldFail: true,
+ expectedError: ":CERT_CB_ERROR:",
+ expectedLocalError: "remote error: internal error",
+ },
+ {
+ testType: serverTest,
+ name: "FailCertCallback-Server-TLS13",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ },
+ flags: []string{"-fail-cert-callback"},
+ shouldFail: true,
+ expectedError: ":CERT_CB_ERROR:",
+ expectedLocalError: "remote error: internal error",
+ },
+ {
protocol: dtls,
name: "FragmentMessageTypeMismatch-DTLS",
config: Config{
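Review bot: The four new cases only exercise a synchronous callback failure: in the shim the `-fail-cert-callback` check returns before the `config->async` branch, so no case here covers a callback that fails under `-async`, which is the mode where the client and server retry paths differ most. If that path is meant to be covered, one more client case with `flags: []string{"-fail-cert-callback", "-async"}` would do it, with the same `expectedError: ":CERT_CB_ERROR:"`; if it is deliberately out of scope, a short comment on the first case saying the failure is synchronous would stop a later reader from assuming the async path is tested. As a point of style, the four cases differ only in `MaxVersion` and `testType`, which the runner elsewhere tends to express as a loop over versions rather than four literal entries, though this block's surroundings are not visible here.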
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 470f034..4f40df9 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -75,6 +75,7 @@
{ "-install-ddos-callback", &TestConfig::install_ddos_callback },
{ "-fail-ddos-callback", &TestConfig::fail_ddos_callback },
{ "-fail-second-ddos-callback", &TestConfig::fail_second_ddos_callback },
+ { "-fail-cert-callback", &TestConfig::fail_cert_callback },
{ "-handshake-never-done", &TestConfig::handshake_never_done },
{ "-use-export-context", &TestConfig::use_export_context },
{ "-tls-unique", &TestConfig::tls_unique },
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 806edf1..5b1e0e8 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -73,6 +73,7 @@
bool install_ddos_callback = false;
bool fail_ddos_callback = false;
bool fail_second_ddos_callback = false;
+ bool fail_cert_callback = false;
std::string cipher;
std::string cipher_tls10;
std::string cipher_tls11;