diff options
| author | jsing <> | 2017-08-29 17:24:59 +0000 |
|---|---|---|
| committer | jsing <> | 2017-08-29 17:24:59 +0000 |
| commit | f4e8044e709f31e720fdc5d9927a4731c17b5041 (patch) | |
| tree | 85404b46eebe5569fb665b0e8d9546738ea661de | |
| parent | 84113b351970b142c1aa31f17c83e5487656f281 (diff) | |
| download | openbsd-f4e8044e709f31e720fdc5d9927a4731c17b5041.tar.gz openbsd-f4e8044e709f31e720fdc5d9927a4731c17b5041.tar.bz2 openbsd-f4e8044e709f31e720fdc5d9927a4731c17b5041.zip | |
When parsing extensions by calling the parse functions directly, ensure
that we have consumed all of the extension data. This catches the ALPN
extension handling issue that was just fixed.
Diffstat (limited to '')
| -rw-r--r-- | src/regress/lib/libssl/tlsext/tlsexttest.c | 84 |
1 files changed, 82 insertions, 2 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 1b2820d78b..63c64e9411 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlsexttest.c,v 1.15 2017/08/27 02:58:04 doug Exp $ */ | 1 | /* $OpenBSD: tlsexttest.c,v 1.16 2017/08/29 17:24:59 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -198,6 +198,10 @@ test_tlsext_alpn_clienthello(void) | |||
| 198 | FAIL("failed to parse ALPN"); | 198 | FAIL("failed to parse ALPN"); |
| 199 | goto err; | 199 | goto err; |
| 200 | } | 200 | } |
| 201 | if (CBS_len(&cbs) != 0) { | ||
| 202 | FAIL("extension data remaining"); | ||
| 203 | goto err; | ||
| 204 | } | ||
| 201 | 205 | ||
| 202 | if (ssl->internal->alpn_client_proto_list_len != | 206 | if (ssl->internal->alpn_client_proto_list_len != |
| 203 | sizeof(tlsext_alpn_single_proto_val)) { | 207 | sizeof(tlsext_alpn_single_proto_val)) { |
| @@ -261,6 +265,10 @@ test_tlsext_alpn_clienthello(void) | |||
| 261 | FAIL("failed to parse ALPN"); | 265 | FAIL("failed to parse ALPN"); |
| 262 | goto err; | 266 | goto err; |
| 263 | } | 267 | } |
| 268 | if (CBS_len(&cbs) != 0) { | ||
| 269 | FAIL("extension data remaining"); | ||
| 270 | goto err; | ||
| 271 | } | ||
| 264 | 272 | ||
| 265 | if (ssl->internal->alpn_client_proto_list_len != | 273 | if (ssl->internal->alpn_client_proto_list_len != |
| 266 | sizeof(tlsext_alpn_multiple_protos_val)) { | 274 | sizeof(tlsext_alpn_multiple_protos_val)) { |
| @@ -398,6 +406,10 @@ test_tlsext_alpn_serverhello(void) | |||
| 398 | FAIL("Should be able to parse serverhello when we request it"); | 406 | FAIL("Should be able to parse serverhello when we request it"); |
| 399 | goto err; | 407 | goto err; |
| 400 | } | 408 | } |
| 409 | if (CBS_len(&cbs) != 0) { | ||
| 410 | FAIL("extension data remaining"); | ||
| 411 | goto err; | ||
| 412 | } | ||
| 401 | 413 | ||
| 402 | if (S3I(ssl)->alpn_selected_len != | 414 | if (S3I(ssl)->alpn_selected_len != |
| 403 | sizeof(tlsext_alpn_single_proto_name)) { | 415 | sizeof(tlsext_alpn_single_proto_name)) { |
| @@ -597,6 +609,10 @@ test_tlsext_ec_clienthello(void) | |||
| 597 | FAIL("failed to parse clienthello Ellipticcurves\n"); | 609 | FAIL("failed to parse clienthello Ellipticcurves\n"); |
| 598 | goto err; | 610 | goto err; |
| 599 | } | 611 | } |
| 612 | if (CBS_len(&cbs) != 0) { | ||
| 613 | FAIL("extension data remaining"); | ||
| 614 | goto err; | ||
| 615 | } | ||
| 600 | 616 | ||
| 601 | if (SSI(ssl)->tlsext_supportedgroups_length != | 617 | if (SSI(ssl)->tlsext_supportedgroups_length != |
| 602 | sizeof(tlsext_ec_clienthello_secp384r1_val) / sizeof(uint16_t)) { | 618 | sizeof(tlsext_ec_clienthello_secp384r1_val) / sizeof(uint16_t)) { |
| @@ -693,6 +709,10 @@ test_tlsext_ec_clienthello(void) | |||
| 693 | FAIL("failed to parse clienthello Ellipticcurves\n"); | 709 | FAIL("failed to parse clienthello Ellipticcurves\n"); |
| 694 | goto err; | 710 | goto err; |
| 695 | } | 711 | } |
| 712 | if (CBS_len(&cbs) != 0) { | ||
| 713 | FAIL("extension data remaining"); | ||
| 714 | goto err; | ||
| 715 | } | ||
| 696 | 716 | ||
| 697 | if (SSI(ssl)->tlsext_supportedgroups_length != | 717 | if (SSI(ssl)->tlsext_supportedgroups_length != |
| 698 | sizeof(tlsext_ec_clienthello_nistp192and224_val) / sizeof(uint16_t)) { | 718 | sizeof(tlsext_ec_clienthello_nistp192and224_val) / sizeof(uint16_t)) { |
| @@ -895,6 +915,10 @@ test_tlsext_ecpf_clienthello(void) | |||
| 895 | FAIL("failed to parse clienthello ECPointFormats\n"); | 915 | FAIL("failed to parse clienthello ECPointFormats\n"); |
| 896 | goto err; | 916 | goto err; |
| 897 | } | 917 | } |
| 918 | if (CBS_len(&cbs) != 0) { | ||
| 919 | FAIL("extension data remaining"); | ||
| 920 | goto err; | ||
| 921 | } | ||
| 898 | 922 | ||
| 899 | if (SSI(ssl)->tlsext_ecpointformatlist_length != | 923 | if (SSI(ssl)->tlsext_ecpointformatlist_length != |
| 900 | sizeof(tlsext_ecpf_hello_uncompressed_val)) { | 924 | sizeof(tlsext_ecpf_hello_uncompressed_val)) { |
| @@ -984,6 +1008,10 @@ test_tlsext_ecpf_clienthello(void) | |||
| 984 | FAIL("failed to parse clienthello ECPointFormats\n"); | 1008 | FAIL("failed to parse clienthello ECPointFormats\n"); |
| 985 | goto err; | 1009 | goto err; |
| 986 | } | 1010 | } |
| 1011 | if (CBS_len(&cbs) != 0) { | ||
| 1012 | FAIL("extension data remaining"); | ||
| 1013 | goto err; | ||
| 1014 | } | ||
| 987 | 1015 | ||
| 988 | if (SSI(ssl)->tlsext_ecpointformatlist_length != | 1016 | if (SSI(ssl)->tlsext_ecpointformatlist_length != |
| 989 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { | 1017 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { |
| @@ -1100,6 +1128,10 @@ test_tlsext_ecpf_serverhello(void) | |||
| 1100 | FAIL("must include uncompressed in serverhello ECPointFormats\n"); | 1128 | FAIL("must include uncompressed in serverhello ECPointFormats\n"); |
| 1101 | goto err; | 1129 | goto err; |
| 1102 | } | 1130 | } |
| 1131 | if (CBS_len(&cbs) != 0) { | ||
| 1132 | FAIL("extension data remaining"); | ||
| 1133 | goto err; | ||
| 1134 | } | ||
| 1103 | 1135 | ||
| 1104 | /* | 1136 | /* |
| 1105 | * Test with a custom order that replaces the default uncompressed. | 1137 | * Test with a custom order that replaces the default uncompressed. |
| @@ -1184,6 +1216,10 @@ test_tlsext_ecpf_serverhello(void) | |||
| 1184 | FAIL("failed to parse serverhello ECPointFormats\n"); | 1216 | FAIL("failed to parse serverhello ECPointFormats\n"); |
| 1185 | goto err; | 1217 | goto err; |
| 1186 | } | 1218 | } |
| 1219 | if (CBS_len(&cbs) != 0) { | ||
| 1220 | FAIL("extension data remaining"); | ||
| 1221 | goto err; | ||
| 1222 | } | ||
| 1187 | 1223 | ||
| 1188 | if (SSI(ssl)->tlsext_ecpointformatlist_length != | 1224 | if (SSI(ssl)->tlsext_ecpointformatlist_length != |
| 1189 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { | 1225 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { |
| @@ -1308,6 +1344,10 @@ test_tlsext_ri_clienthello(void) | |||
| 1308 | FAIL("failed to parse clienthello RI\n"); | 1344 | FAIL("failed to parse clienthello RI\n"); |
| 1309 | goto err; | 1345 | goto err; |
| 1310 | } | 1346 | } |
| 1347 | if (CBS_len(&cbs) != 0) { | ||
| 1348 | FAIL("extension data remaining"); | ||
| 1349 | goto err; | ||
| 1350 | } | ||
| 1311 | 1351 | ||
| 1312 | if (S3I(ssl)->renegotiate_seen != 1) { | 1352 | if (S3I(ssl)->renegotiate_seen != 1) { |
| 1313 | FAIL("renegotiate seen not set\n"); | 1353 | FAIL("renegotiate seen not set\n"); |
| @@ -1417,6 +1457,10 @@ test_tlsext_ri_serverhello(void) | |||
| 1417 | FAIL("failed to parse serverhello RI\n"); | 1457 | FAIL("failed to parse serverhello RI\n"); |
| 1418 | goto err; | 1458 | goto err; |
| 1419 | } | 1459 | } |
| 1460 | if (CBS_len(&cbs) != 0) { | ||
| 1461 | FAIL("extension data remaining"); | ||
| 1462 | goto err; | ||
| 1463 | } | ||
| 1420 | 1464 | ||
| 1421 | if (S3I(ssl)->renegotiate_seen != 1) { | 1465 | if (S3I(ssl)->renegotiate_seen != 1) { |
| 1422 | FAIL("renegotiate seen not set\n"); | 1466 | FAIL("renegotiate seen not set\n"); |
| @@ -1534,6 +1578,10 @@ test_tlsext_sigalgs_clienthello(void) | |||
| 1534 | failure = 1; | 1578 | failure = 1; |
| 1535 | goto done; | 1579 | goto done; |
| 1536 | } | 1580 | } |
| 1581 | if (CBS_len(&cbs) != 0) { | ||
| 1582 | FAIL("extension data remaining"); | ||
| 1583 | goto done; | ||
| 1584 | } | ||
| 1537 | 1585 | ||
| 1538 | if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) { | 1586 | if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) { |
| 1539 | fprintf(stderr, "FAIL: RSA sign digest mismatch\n"); | 1587 | fprintf(stderr, "FAIL: RSA sign digest mismatch\n"); |
| @@ -1601,7 +1649,7 @@ test_tlsext_sigalgs_serverhello(void) | |||
| 1601 | 1649 | ||
| 1602 | CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); | 1650 | CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); |
| 1603 | if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) { | 1651 | if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) { |
| 1604 | fprintf(stderr, "FAIL: failed to parse serverhello sigalgs\n"); | 1652 | fprintf(stderr, "FAIL: serverhello should not parse sigalgs\n"); |
| 1605 | failure = 1; | 1653 | failure = 1; |
| 1606 | goto done; | 1654 | goto done; |
| 1607 | } | 1655 | } |
| @@ -1699,6 +1747,10 @@ test_tlsext_sni_clienthello(void) | |||
| 1699 | FAIL("failed to parse clienthello SNI\n"); | 1747 | FAIL("failed to parse clienthello SNI\n"); |
| 1700 | goto err; | 1748 | goto err; |
| 1701 | } | 1749 | } |
| 1750 | if (CBS_len(&cbs) != 0) { | ||
| 1751 | FAIL("extension data remaining"); | ||
| 1752 | goto err; | ||
| 1753 | } | ||
| 1702 | 1754 | ||
| 1703 | if (ssl->session->tlsext_hostname == NULL) { | 1755 | if (ssl->session->tlsext_hostname == NULL) { |
| 1704 | FAIL("no tlsext_hostname from clienthello SNI\n"); | 1756 | FAIL("no tlsext_hostname from clienthello SNI\n"); |
| @@ -1810,6 +1862,10 @@ test_tlsext_sni_serverhello(void) | |||
| 1810 | FAIL("failed to parse serverhello SNI\n"); | 1862 | FAIL("failed to parse serverhello SNI\n"); |
| 1811 | goto err; | 1863 | goto err; |
| 1812 | } | 1864 | } |
| 1865 | if (CBS_len(&cbs) != 0) { | ||
| 1866 | FAIL("extension data remaining"); | ||
| 1867 | goto err; | ||
| 1868 | } | ||
| 1813 | 1869 | ||
| 1814 | if (ssl->session->tlsext_hostname == NULL) { | 1870 | if (ssl->session->tlsext_hostname == NULL) { |
| 1815 | FAIL("no tlsext_hostname after serverhello SNI\n"); | 1871 | FAIL("no tlsext_hostname after serverhello SNI\n"); |
| @@ -1898,6 +1954,10 @@ test_tlsext_ocsp_clienthello(void) | |||
| 1898 | FAIL("failed to parse ocsp clienthello\n"); | 1954 | FAIL("failed to parse ocsp clienthello\n"); |
| 1899 | goto err; | 1955 | goto err; |
| 1900 | } | 1956 | } |
| 1957 | if (CBS_len(&cbs) != 0) { | ||
| 1958 | FAIL("extension data remaining"); | ||
| 1959 | goto err; | ||
| 1960 | } | ||
| 1901 | 1961 | ||
| 1902 | failure = 0; | 1962 | failure = 0; |
| 1903 | 1963 | ||
| @@ -2385,6 +2445,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2385 | FAIL("failed to parse SRTP\n"); | 2445 | FAIL("failed to parse SRTP\n"); |
| 2386 | goto err; | 2446 | goto err; |
| 2387 | } | 2447 | } |
| 2448 | if (CBS_len(&cbs) != 0) { | ||
| 2449 | FAIL("extension data remaining"); | ||
| 2450 | goto err; | ||
| 2451 | } | ||
| 2388 | 2452 | ||
| 2389 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2453 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2390 | FAIL("SRTP profile should be set now\n"); | 2454 | FAIL("SRTP profile should be set now\n"); |
| @@ -2448,6 +2512,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2448 | FAIL("failed to parse SRTP\n"); | 2512 | FAIL("failed to parse SRTP\n"); |
| 2449 | goto err; | 2513 | goto err; |
| 2450 | } | 2514 | } |
| 2515 | if (CBS_len(&cbs) != 0) { | ||
| 2516 | FAIL("extension data remaining"); | ||
| 2517 | goto err; | ||
| 2518 | } | ||
| 2451 | 2519 | ||
| 2452 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2520 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2453 | FAIL("SRTP profile should be set now\n"); | 2521 | FAIL("SRTP profile should be set now\n"); |
| @@ -2475,6 +2543,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2475 | FAIL("failed to parse SRTP\n"); | 2543 | FAIL("failed to parse SRTP\n"); |
| 2476 | goto err; | 2544 | goto err; |
| 2477 | } | 2545 | } |
| 2546 | if (CBS_len(&cbs) != 0) { | ||
| 2547 | FAIL("extension data remaining"); | ||
| 2548 | goto err; | ||
| 2549 | } | ||
| 2478 | 2550 | ||
| 2479 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2551 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2480 | FAIL("SRTP profile should be set now\n"); | 2552 | FAIL("SRTP profile should be set now\n"); |
| @@ -2500,6 +2572,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2500 | FAIL("should be able to fall back to negotiated\n"); | 2572 | FAIL("should be able to fall back to negotiated\n"); |
| 2501 | goto err; | 2573 | goto err; |
| 2502 | } | 2574 | } |
| 2575 | if (CBS_len(&cbs) != 0) { | ||
| 2576 | FAIL("extension data remaining"); | ||
| 2577 | goto err; | ||
| 2578 | } | ||
| 2503 | 2579 | ||
| 2504 | /* If we fallback, the server should NOT send the extension. */ | 2580 | /* If we fallback, the server should NOT send the extension. */ |
| 2505 | if (SSL_get_selected_srtp_profile(ssl) != NULL) { | 2581 | if (SSL_get_selected_srtp_profile(ssl) != NULL) { |
| @@ -2609,6 +2685,10 @@ test_tlsext_srtp_serverhello(void) | |||
| 2609 | FAIL("failed to parse SRTP\n"); | 2685 | FAIL("failed to parse SRTP\n"); |
| 2610 | goto err; | 2686 | goto err; |
| 2611 | } | 2687 | } |
| 2688 | if (CBS_len(&cbs) != 0) { | ||
| 2689 | FAIL("extension data remaining"); | ||
| 2690 | goto err; | ||
| 2691 | } | ||
| 2612 | 2692 | ||
| 2613 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2693 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2614 | FAIL("SRTP profile should be set now\n"); | 2694 | FAIL("SRTP profile should be set now\n"); |