diff options
| author | jsing <> | 2017-08-29 17:24:59 +0000 |
|---|---|---|
| committer | jsing <> | 2017-08-29 17:24:59 +0000 |
| commit | f4e8044e709f31e720fdc5d9927a4731c17b5041 (patch) | |
| tree | 85404b46eebe5569fb665b0e8d9546738ea661de | |
| parent | 84113b351970b142c1aa31f17c83e5487656f281 (diff) | |
| download | openbsd-f4e8044e709f31e720fdc5d9927a4731c17b5041.tar.gz openbsd-f4e8044e709f31e720fdc5d9927a4731c17b5041.tar.bz2 openbsd-f4e8044e709f31e720fdc5d9927a4731c17b5041.zip | |
When parsing extensions by calling the parse functions directly, ensure
that we have consumed all of the extension data. This catches the ALPN
extension handling issue that was just fixed.
| -rw-r--r-- | src/regress/lib/libssl/tlsext/tlsexttest.c | 84 |
1 files changed, 82 insertions, 2 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 1b2820d78b..63c64e9411 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlsexttest.c,v 1.15 2017/08/27 02:58:04 doug Exp $ */ | 1 | /* $OpenBSD: tlsexttest.c,v 1.16 2017/08/29 17:24:59 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -198,6 +198,10 @@ test_tlsext_alpn_clienthello(void) | |||
| 198 | FAIL("failed to parse ALPN"); | 198 | FAIL("failed to parse ALPN"); |
| 199 | goto err; | 199 | goto err; |
| 200 | } | 200 | } |
| 201 | if (CBS_len(&cbs) != 0) { | ||
| 202 | FAIL("extension data remaining"); | ||
| 203 | goto err; | ||
| 204 | } | ||
| 201 | 205 | ||
| 202 | if (ssl->internal->alpn_client_proto_list_len != | 206 | if (ssl->internal->alpn_client_proto_list_len != |
| 203 | sizeof(tlsext_alpn_single_proto_val)) { | 207 | sizeof(tlsext_alpn_single_proto_val)) { |
| @@ -261,6 +265,10 @@ test_tlsext_alpn_clienthello(void) | |||
| 261 | FAIL("failed to parse ALPN"); | 265 | FAIL("failed to parse ALPN"); |
| 262 | goto err; | 266 | goto err; |
| 263 | } | 267 | } |
| 268 | if (CBS_len(&cbs) != 0) { | ||
| 269 | FAIL("extension data remaining"); | ||
| 270 | goto err; | ||
| 271 | } | ||
| 264 | 272 | ||
| 265 | if (ssl->internal->alpn_client_proto_list_len != | 273 | if (ssl->internal->alpn_client_proto_list_len != |
| 266 | sizeof(tlsext_alpn_multiple_protos_val)) { | 274 | sizeof(tlsext_alpn_multiple_protos_val)) { |
| @@ -398,6 +406,10 @@ test_tlsext_alpn_serverhello(void) | |||
| 398 | FAIL("Should be able to parse serverhello when we request it"); | 406 | FAIL("Should be able to parse serverhello when we request it"); |
| 399 | goto err; | 407 | goto err; |
| 400 | } | 408 | } |
| 409 | if (CBS_len(&cbs) != 0) { | ||
| 410 | FAIL("extension data remaining"); | ||
| 411 | goto err; | ||
| 412 | } | ||
| 401 | 413 | ||
| 402 | if (S3I(ssl)->alpn_selected_len != | 414 | if (S3I(ssl)->alpn_selected_len != |
| 403 | sizeof(tlsext_alpn_single_proto_name)) { | 415 | sizeof(tlsext_alpn_single_proto_name)) { |
| @@ -597,6 +609,10 @@ test_tlsext_ec_clienthello(void) | |||
| 597 | FAIL("failed to parse clienthello Ellipticcurves\n"); | 609 | FAIL("failed to parse clienthello Ellipticcurves\n"); |
| 598 | goto err; | 610 | goto err; |
| 599 | } | 611 | } |
| 612 | if (CBS_len(&cbs) != 0) { | ||
| 613 | FAIL("extension data remaining"); | ||
| 614 | goto err; | ||
| 615 | } | ||
| 600 | 616 | ||
| 601 | if (SSI(ssl)->tlsext_supportedgroups_length != | 617 | if (SSI(ssl)->tlsext_supportedgroups_length != |
| 602 | sizeof(tlsext_ec_clienthello_secp384r1_val) / sizeof(uint16_t)) { | 618 | sizeof(tlsext_ec_clienthello_secp384r1_val) / sizeof(uint16_t)) { |
| @@ -693,6 +709,10 @@ test_tlsext_ec_clienthello(void) | |||
| 693 | FAIL("failed to parse clienthello Ellipticcurves\n"); | 709 | FAIL("failed to parse clienthello Ellipticcurves\n"); |
| 694 | goto err; | 710 | goto err; |
| 695 | } | 711 | } |
| 712 | if (CBS_len(&cbs) != 0) { | ||
| 713 | FAIL("extension data remaining"); | ||
| 714 | goto err; | ||
| 715 | } | ||
| 696 | 716 | ||
| 697 | if (SSI(ssl)->tlsext_supportedgroups_length != | 717 | if (SSI(ssl)->tlsext_supportedgroups_length != |
| 698 | sizeof(tlsext_ec_clienthello_nistp192and224_val) / sizeof(uint16_t)) { | 718 | sizeof(tlsext_ec_clienthello_nistp192and224_val) / sizeof(uint16_t)) { |
| @@ -895,6 +915,10 @@ test_tlsext_ecpf_clienthello(void) | |||
| 895 | FAIL("failed to parse clienthello ECPointFormats\n"); | 915 | FAIL("failed to parse clienthello ECPointFormats\n"); |
| 896 | goto err; | 916 | goto err; |
| 897 | } | 917 | } |
| 918 | if (CBS_len(&cbs) != 0) { | ||
| 919 | FAIL("extension data remaining"); | ||
| 920 | goto err; | ||
| 921 | } | ||
| 898 | 922 | ||
| 899 | if (SSI(ssl)->tlsext_ecpointformatlist_length != | 923 | if (SSI(ssl)->tlsext_ecpointformatlist_length != |
| 900 | sizeof(tlsext_ecpf_hello_uncompressed_val)) { | 924 | sizeof(tlsext_ecpf_hello_uncompressed_val)) { |
| @@ -984,6 +1008,10 @@ test_tlsext_ecpf_clienthello(void) | |||
| 984 | FAIL("failed to parse clienthello ECPointFormats\n"); | 1008 | FAIL("failed to parse clienthello ECPointFormats\n"); |
| 985 | goto err; | 1009 | goto err; |
| 986 | } | 1010 | } |
| 1011 | if (CBS_len(&cbs) != 0) { | ||
| 1012 | FAIL("extension data remaining"); | ||
| 1013 | goto err; | ||
| 1014 | } | ||
| 987 | 1015 | ||
| 988 | if (SSI(ssl)->tlsext_ecpointformatlist_length != | 1016 | if (SSI(ssl)->tlsext_ecpointformatlist_length != |
| 989 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { | 1017 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { |
| @@ -1100,6 +1128,10 @@ test_tlsext_ecpf_serverhello(void) | |||
| 1100 | FAIL("must include uncompressed in serverhello ECPointFormats\n"); | 1128 | FAIL("must include uncompressed in serverhello ECPointFormats\n"); |
| 1101 | goto err; | 1129 | goto err; |
| 1102 | } | 1130 | } |
| 1131 | if (CBS_len(&cbs) != 0) { | ||
| 1132 | FAIL("extension data remaining"); | ||
| 1133 | goto err; | ||
| 1134 | } | ||
| 1103 | 1135 | ||
| 1104 | /* | 1136 | /* |
| 1105 | * Test with a custom order that replaces the default uncompressed. | 1137 | * Test with a custom order that replaces the default uncompressed. |
| @@ -1184,6 +1216,10 @@ test_tlsext_ecpf_serverhello(void) | |||
| 1184 | FAIL("failed to parse serverhello ECPointFormats\n"); | 1216 | FAIL("failed to parse serverhello ECPointFormats\n"); |
| 1185 | goto err; | 1217 | goto err; |
| 1186 | } | 1218 | } |
| 1219 | if (CBS_len(&cbs) != 0) { | ||
| 1220 | FAIL("extension data remaining"); | ||
| 1221 | goto err; | ||
| 1222 | } | ||
| 1187 | 1223 | ||
| 1188 | if (SSI(ssl)->tlsext_ecpointformatlist_length != | 1224 | if (SSI(ssl)->tlsext_ecpointformatlist_length != |
| 1189 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { | 1225 | sizeof(tlsext_ecpf_hello_prefer_order_val)) { |
| @@ -1308,6 +1344,10 @@ test_tlsext_ri_clienthello(void) | |||
| 1308 | FAIL("failed to parse clienthello RI\n"); | 1344 | FAIL("failed to parse clienthello RI\n"); |
| 1309 | goto err; | 1345 | goto err; |
| 1310 | } | 1346 | } |
| 1347 | if (CBS_len(&cbs) != 0) { | ||
| 1348 | FAIL("extension data remaining"); | ||
| 1349 | goto err; | ||
| 1350 | } | ||
| 1311 | 1351 | ||
| 1312 | if (S3I(ssl)->renegotiate_seen != 1) { | 1352 | if (S3I(ssl)->renegotiate_seen != 1) { |
| 1313 | FAIL("renegotiate seen not set\n"); | 1353 | FAIL("renegotiate seen not set\n"); |
| @@ -1417,6 +1457,10 @@ test_tlsext_ri_serverhello(void) | |||
| 1417 | FAIL("failed to parse serverhello RI\n"); | 1457 | FAIL("failed to parse serverhello RI\n"); |
| 1418 | goto err; | 1458 | goto err; |
| 1419 | } | 1459 | } |
| 1460 | if (CBS_len(&cbs) != 0) { | ||
| 1461 | FAIL("extension data remaining"); | ||
| 1462 | goto err; | ||
| 1463 | } | ||
| 1420 | 1464 | ||
| 1421 | if (S3I(ssl)->renegotiate_seen != 1) { | 1465 | if (S3I(ssl)->renegotiate_seen != 1) { |
| 1422 | FAIL("renegotiate seen not set\n"); | 1466 | FAIL("renegotiate seen not set\n"); |
| @@ -1534,6 +1578,10 @@ test_tlsext_sigalgs_clienthello(void) | |||
| 1534 | failure = 1; | 1578 | failure = 1; |
| 1535 | goto done; | 1579 | goto done; |
| 1536 | } | 1580 | } |
| 1581 | if (CBS_len(&cbs) != 0) { | ||
| 1582 | FAIL("extension data remaining"); | ||
| 1583 | goto done; | ||
| 1584 | } | ||
| 1537 | 1585 | ||
| 1538 | if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) { | 1586 | if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) { |
| 1539 | fprintf(stderr, "FAIL: RSA sign digest mismatch\n"); | 1587 | fprintf(stderr, "FAIL: RSA sign digest mismatch\n"); |
| @@ -1601,7 +1649,7 @@ test_tlsext_sigalgs_serverhello(void) | |||
| 1601 | 1649 | ||
| 1602 | CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); | 1650 | CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); |
| 1603 | if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) { | 1651 | if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) { |
| 1604 | fprintf(stderr, "FAIL: failed to parse serverhello sigalgs\n"); | 1652 | fprintf(stderr, "FAIL: serverhello should not parse sigalgs\n"); |
| 1605 | failure = 1; | 1653 | failure = 1; |
| 1606 | goto done; | 1654 | goto done; |
| 1607 | } | 1655 | } |
| @@ -1699,6 +1747,10 @@ test_tlsext_sni_clienthello(void) | |||
| 1699 | FAIL("failed to parse clienthello SNI\n"); | 1747 | FAIL("failed to parse clienthello SNI\n"); |
| 1700 | goto err; | 1748 | goto err; |
| 1701 | } | 1749 | } |
| 1750 | if (CBS_len(&cbs) != 0) { | ||
| 1751 | FAIL("extension data remaining"); | ||
| 1752 | goto err; | ||
| 1753 | } | ||
| 1702 | 1754 | ||
| 1703 | if (ssl->session->tlsext_hostname == NULL) { | 1755 | if (ssl->session->tlsext_hostname == NULL) { |
| 1704 | FAIL("no tlsext_hostname from clienthello SNI\n"); | 1756 | FAIL("no tlsext_hostname from clienthello SNI\n"); |
| @@ -1810,6 +1862,10 @@ test_tlsext_sni_serverhello(void) | |||
| 1810 | FAIL("failed to parse serverhello SNI\n"); | 1862 | FAIL("failed to parse serverhello SNI\n"); |
| 1811 | goto err; | 1863 | goto err; |
| 1812 | } | 1864 | } |
| 1865 | if (CBS_len(&cbs) != 0) { | ||
| 1866 | FAIL("extension data remaining"); | ||
| 1867 | goto err; | ||
| 1868 | } | ||
| 1813 | 1869 | ||
| 1814 | if (ssl->session->tlsext_hostname == NULL) { | 1870 | if (ssl->session->tlsext_hostname == NULL) { |
| 1815 | FAIL("no tlsext_hostname after serverhello SNI\n"); | 1871 | FAIL("no tlsext_hostname after serverhello SNI\n"); |
| @@ -1898,6 +1954,10 @@ test_tlsext_ocsp_clienthello(void) | |||
| 1898 | FAIL("failed to parse ocsp clienthello\n"); | 1954 | FAIL("failed to parse ocsp clienthello\n"); |
| 1899 | goto err; | 1955 | goto err; |
| 1900 | } | 1956 | } |
| 1957 | if (CBS_len(&cbs) != 0) { | ||
| 1958 | FAIL("extension data remaining"); | ||
| 1959 | goto err; | ||
| 1960 | } | ||
| 1901 | 1961 | ||
| 1902 | failure = 0; | 1962 | failure = 0; |
| 1903 | 1963 | ||
| @@ -2385,6 +2445,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2385 | FAIL("failed to parse SRTP\n"); | 2445 | FAIL("failed to parse SRTP\n"); |
| 2386 | goto err; | 2446 | goto err; |
| 2387 | } | 2447 | } |
| 2448 | if (CBS_len(&cbs) != 0) { | ||
| 2449 | FAIL("extension data remaining"); | ||
| 2450 | goto err; | ||
| 2451 | } | ||
| 2388 | 2452 | ||
| 2389 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2453 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2390 | FAIL("SRTP profile should be set now\n"); | 2454 | FAIL("SRTP profile should be set now\n"); |
| @@ -2448,6 +2512,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2448 | FAIL("failed to parse SRTP\n"); | 2512 | FAIL("failed to parse SRTP\n"); |
| 2449 | goto err; | 2513 | goto err; |
| 2450 | } | 2514 | } |
| 2515 | if (CBS_len(&cbs) != 0) { | ||
| 2516 | FAIL("extension data remaining"); | ||
| 2517 | goto err; | ||
| 2518 | } | ||
| 2451 | 2519 | ||
| 2452 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2520 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2453 | FAIL("SRTP profile should be set now\n"); | 2521 | FAIL("SRTP profile should be set now\n"); |
| @@ -2475,6 +2543,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2475 | FAIL("failed to parse SRTP\n"); | 2543 | FAIL("failed to parse SRTP\n"); |
| 2476 | goto err; | 2544 | goto err; |
| 2477 | } | 2545 | } |
| 2546 | if (CBS_len(&cbs) != 0) { | ||
| 2547 | FAIL("extension data remaining"); | ||
| 2548 | goto err; | ||
| 2549 | } | ||
| 2478 | 2550 | ||
| 2479 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2551 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2480 | FAIL("SRTP profile should be set now\n"); | 2552 | FAIL("SRTP profile should be set now\n"); |
| @@ -2500,6 +2572,10 @@ test_tlsext_srtp_clienthello(void) | |||
| 2500 | FAIL("should be able to fall back to negotiated\n"); | 2572 | FAIL("should be able to fall back to negotiated\n"); |
| 2501 | goto err; | 2573 | goto err; |
| 2502 | } | 2574 | } |
| 2575 | if (CBS_len(&cbs) != 0) { | ||
| 2576 | FAIL("extension data remaining"); | ||
| 2577 | goto err; | ||
| 2578 | } | ||
| 2503 | 2579 | ||
| 2504 | /* If we fallback, the server should NOT send the extension. */ | 2580 | /* If we fallback, the server should NOT send the extension. */ |
| 2505 | if (SSL_get_selected_srtp_profile(ssl) != NULL) { | 2581 | if (SSL_get_selected_srtp_profile(ssl) != NULL) { |
| @@ -2609,6 +2685,10 @@ test_tlsext_srtp_serverhello(void) | |||
| 2609 | FAIL("failed to parse SRTP\n"); | 2685 | FAIL("failed to parse SRTP\n"); |
| 2610 | goto err; | 2686 | goto err; |
| 2611 | } | 2687 | } |
| 2688 | if (CBS_len(&cbs) != 0) { | ||
| 2689 | FAIL("extension data remaining"); | ||
| 2690 | goto err; | ||
| 2691 | } | ||
| 2612 | 2692 | ||
| 2613 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { | 2693 | if ((prof = SSL_get_selected_srtp_profile(ssl)) == NULL) { |
| 2614 | FAIL("SRTP profile should be set now\n"); | 2694 | FAIL("SRTP profile should be set now\n"); |