diff options
| author | jsing <> | 2017-08-12 21:49:28 +0000 |
|---|---|---|
| committer | jsing <> | 2017-08-12 21:49:28 +0000 |
| commit | 4f5399c5c0671a2e79afef156ad57c0d29cb3e9f (patch) | |
| tree | 99b2cd31680bfbb9e5c6de7d2cf3f7928e5a7c09 /src | |
| parent | aab075e32e49adbf67c9518c715a237c8f3b0368 (diff) | |
| download | openbsd-4f5399c5c0671a2e79afef156ad57c0d29cb3e9f.tar.gz openbsd-4f5399c5c0671a2e79afef156ad57c0d29cb3e9f.tar.bz2 openbsd-4f5399c5c0671a2e79afef156ad57c0d29cb3e9f.zip | |
Add regress coverage for the TLS signature algorithms extension.
Diffstat (limited to 'src')
| -rw-r--r-- | src/regress/lib/libssl/tlsext/tlsexttest.c | 164 |
1 files changed, 163 insertions, 1 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 1267f50a49..073ba2f2f5 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlsexttest.c,v 1.10 2017/08/12 21:17:03 doug Exp $ */ | 1 | /* $OpenBSD: tlsexttest.c,v 1.11 2017/08/12 21:49:28 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1079,6 +1079,165 @@ test_tlsext_ri_serverhello(void) | |||
| 1079 | } | 1079 | } |
| 1080 | 1080 | ||
| 1081 | /* | 1081 | /* |
| 1082 | * Signature Algorithms - RFC 5246 section 7.4.1.4.1. | ||
| 1083 | */ | ||
| 1084 | |||
| 1085 | static unsigned char tlsext_sigalgs_clienthello[] = { | ||
| 1086 | 0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef, | ||
| 1087 | 0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03, | ||
| 1088 | 0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03, | ||
| 1089 | 0x02, 0x01, 0x02, 0x03, | ||
| 1090 | }; | ||
| 1091 | |||
| 1092 | static int | ||
| 1093 | test_tlsext_sigalgs_clienthello(void) | ||
| 1094 | { | ||
| 1095 | unsigned char *data = NULL; | ||
| 1096 | SSL_CTX *ssl_ctx = NULL; | ||
| 1097 | SSL *ssl = NULL; | ||
| 1098 | int failure = 0; | ||
| 1099 | size_t dlen; | ||
| 1100 | int alert; | ||
| 1101 | CBB cbb; | ||
| 1102 | CBS cbs; | ||
| 1103 | |||
| 1104 | CBB_init(&cbb, 0); | ||
| 1105 | |||
| 1106 | if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) | ||
| 1107 | errx(1, "failed to create SSL_CTX"); | ||
| 1108 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | ||
| 1109 | errx(1, "failed to create SSL"); | ||
| 1110 | |||
| 1111 | ssl->client_version = TLS1_1_VERSION; | ||
| 1112 | |||
| 1113 | if (tlsext_sigalgs_clienthello_needs(ssl)) { | ||
| 1114 | fprintf(stderr, "FAIL: clienthello should not need sigalgs\n"); | ||
| 1115 | failure = 1; | ||
| 1116 | goto done; | ||
| 1117 | } | ||
| 1118 | |||
| 1119 | ssl->client_version = TLS1_2_VERSION; | ||
| 1120 | |||
| 1121 | if (!tlsext_sigalgs_clienthello_needs(ssl)) { | ||
| 1122 | fprintf(stderr, "FAIL: clienthello should need sigalgs\n"); | ||
| 1123 | failure = 1; | ||
| 1124 | goto done; | ||
| 1125 | } | ||
| 1126 | |||
| 1127 | if (!tlsext_sigalgs_clienthello_build(ssl, &cbb)) { | ||
| 1128 | fprintf(stderr, "FAIL: clienthello failed to build sigalgs\n"); | ||
| 1129 | failure = 1; | ||
| 1130 | goto done; | ||
| 1131 | } | ||
| 1132 | |||
| 1133 | if (!CBB_finish(&cbb, &data, &dlen)) | ||
| 1134 | errx(1, "failed to finish CBB"); | ||
| 1135 | |||
| 1136 | if (dlen != sizeof(tlsext_sigalgs_clienthello)) { | ||
| 1137 | fprintf(stderr, "FAIL: got clienthello sigalgs with length %zu, " | ||
| 1138 | "want length %zu\n", dlen, sizeof(tlsext_sigalgs_clienthello)); | ||
| 1139 | failure = 1; | ||
| 1140 | goto done; | ||
| 1141 | } | ||
| 1142 | |||
| 1143 | if (memcmp(data, tlsext_sigalgs_clienthello, dlen) != 0) { | ||
| 1144 | fprintf(stderr, "FAIL: clienthello SNI differs:\n"); | ||
| 1145 | fprintf(stderr, "received:\n"); | ||
| 1146 | hexdump(data, dlen); | ||
| 1147 | fprintf(stderr, "test data:\n"); | ||
| 1148 | hexdump(tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); | ||
| 1149 | failure = 1; | ||
| 1150 | goto done; | ||
| 1151 | } | ||
| 1152 | |||
| 1153 | CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); | ||
| 1154 | if (!tlsext_sigalgs_clienthello_parse(ssl, &cbs, &alert)) { | ||
| 1155 | fprintf(stderr, "FAIL: failed to parse clienthello SNI\n"); | ||
| 1156 | failure = 1; | ||
| 1157 | goto done; | ||
| 1158 | } | ||
| 1159 | |||
| 1160 | if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) { | ||
| 1161 | fprintf(stderr, "FAIL: RSA sign digest mismatch\n"); | ||
| 1162 | failure = 1; | ||
| 1163 | goto done; | ||
| 1164 | } | ||
| 1165 | if (ssl->cert->pkeys[SSL_PKEY_RSA_ENC].digest != EVP_sha512()) { | ||
| 1166 | fprintf(stderr, "FAIL: RSA enc digest mismatch\n"); | ||
| 1167 | failure = 1; | ||
| 1168 | goto done; | ||
| 1169 | } | ||
| 1170 | if (ssl->cert->pkeys[SSL_PKEY_ECC].digest != EVP_sha512()) { | ||
| 1171 | fprintf(stderr, "FAIL: ECC digest mismatch\n"); | ||
| 1172 | failure = 1; | ||
| 1173 | goto done; | ||
| 1174 | } | ||
| 1175 | if (ssl->cert->pkeys[SSL_PKEY_GOST01].digest != EVP_streebog512()) { | ||
| 1176 | fprintf(stderr, "FAIL: GOST01 digest mismatch\n"); | ||
| 1177 | failure = 1; | ||
| 1178 | goto done; | ||
| 1179 | } | ||
| 1180 | |||
| 1181 | done: | ||
| 1182 | CBB_cleanup(&cbb); | ||
| 1183 | SSL_CTX_free(ssl_ctx); | ||
| 1184 | SSL_free(ssl); | ||
| 1185 | free(data); | ||
| 1186 | |||
| 1187 | return (failure); | ||
| 1188 | } | ||
| 1189 | |||
| 1190 | static int | ||
| 1191 | test_tlsext_sigalgs_serverhello(void) | ||
| 1192 | { | ||
| 1193 | unsigned char *data = NULL; | ||
| 1194 | SSL_CTX *ssl_ctx = NULL; | ||
| 1195 | SSL *ssl = NULL; | ||
| 1196 | int failure = 0; | ||
| 1197 | size_t dlen; | ||
| 1198 | int alert; | ||
| 1199 | CBB cbb; | ||
| 1200 | CBS cbs; | ||
| 1201 | |||
| 1202 | CBB_init(&cbb, 0); | ||
| 1203 | |||
| 1204 | if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) | ||
| 1205 | errx(1, "failed to create SSL_CTX"); | ||
| 1206 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | ||
| 1207 | errx(1, "failed to create SSL"); | ||
| 1208 | |||
| 1209 | if (tlsext_sigalgs_serverhello_needs(ssl)) { | ||
| 1210 | fprintf(stderr, "FAIL: serverhello should not need sigalgs\n"); | ||
| 1211 | failure = 1; | ||
| 1212 | goto done; | ||
| 1213 | } | ||
| 1214 | |||
| 1215 | if (tlsext_sigalgs_serverhello_build(ssl, &cbb)) { | ||
| 1216 | fprintf(stderr, "FAIL: serverhello should not build sigalgs\n"); | ||
| 1217 | failure = 1; | ||
| 1218 | goto done; | ||
| 1219 | } | ||
| 1220 | |||
| 1221 | if (!CBB_finish(&cbb, &data, &dlen)) | ||
| 1222 | errx(1, "failed to finish CBB"); | ||
| 1223 | |||
| 1224 | CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello)); | ||
| 1225 | if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) { | ||
| 1226 | fprintf(stderr, "FAIL: failed to parse serverhello sigalgs\n"); | ||
| 1227 | failure = 1; | ||
| 1228 | goto done; | ||
| 1229 | } | ||
| 1230 | |||
| 1231 | done: | ||
| 1232 | CBB_cleanup(&cbb); | ||
| 1233 | SSL_CTX_free(ssl_ctx); | ||
| 1234 | SSL_free(ssl); | ||
| 1235 | free(data); | ||
| 1236 | |||
| 1237 | return (failure); | ||
| 1238 | } | ||
| 1239 | |||
| 1240 | /* | ||
| 1082 | * Server Name Indication - RFC 6066 section 3. | 1241 | * Server Name Indication - RFC 6066 section 3. |
| 1083 | */ | 1242 | */ |
| 1084 | 1243 | ||
| @@ -1612,6 +1771,9 @@ main(int argc, char **argv) | |||
| 1612 | failed |= test_tlsext_ri_clienthello(); | 1771 | failed |= test_tlsext_ri_clienthello(); |
| 1613 | failed |= test_tlsext_ri_serverhello(); | 1772 | failed |= test_tlsext_ri_serverhello(); |
| 1614 | 1773 | ||
| 1774 | failed |= test_tlsext_sigalgs_clienthello(); | ||
| 1775 | failed |= test_tlsext_sigalgs_serverhello(); | ||
| 1776 | |||
| 1615 | failed |= test_tlsext_sni_clienthello(); | 1777 | failed |= test_tlsext_sni_clienthello(); |
| 1616 | failed |= test_tlsext_sni_serverhello(); | 1778 | failed |= test_tlsext_sni_serverhello(); |
| 1617 | 1779 | ||