| author | jsing <> | 2021-11-01 16:39:01 +0000 |
|---|---|---|
| committer | jsing <> | 2021-11-01 16:39:01 +0000 |
| commit | 786a7f6edc5d3d263e75be40d68a07f4f4fe4d96 (patch) | |
| tree | ad44ce1291497a1ef088f330ad72edbf5e374946 /src | |
| parent | 29acda326d204926a29dc59b3fee2491ab5d5b5d (diff) | |
Rework SNI hostname regress to be table driven.
Also adjust for the changes to tlsext_sni_is_valid_hostname() and include
tests for IPv4 and IPv6 literals.
ok beck@
Diffstat (limited to 'src')
| -rw-r--r-- | src/regress/lib/libssl/tlsext/tlsexttest.c | 209 |
1 files changed, 147 insertions, 62 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 1dc4ca4aa8..21e096cf60 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlsexttest.c,v 1.51 2021/10/26 14:34:02 beck Exp $ */ | 1 | /* $OpenBSD: tlsexttest.c,v 1.52 2021/11/01 16:39:01 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -3543,32 +3543,149 @@ done: | |||
| 3543 | return (failure); | 3543 | return (failure); |
| 3544 | } | 3544 | } |
| 3545 | 3545 | ||
| 3546 | unsigned char *valid_hostnames[] = { | 3546 | struct tls_sni_test { |
| 3547 | "openbsd.org", | 3547 | const char *hostname; |
| 3548 | "op3nbsd.org", | 3548 | int is_ip; |
| 3549 | "org", | 3549 | int valid; |
| 3550 | "3openbsd.com", | ||
| 3551 | "3-0penb-d.c-m", | ||
| 3552 | "a", | ||
| 3553 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", | ||
| 3554 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3555 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3556 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3557 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", | ||
| 3558 | NULL, | ||
| 3559 | }; | 3550 | }; |
| 3560 | 3551 | ||
| 3552 | static const struct tls_sni_test tls_sni_tests[] = { | ||
| 3553 | { | ||
| 3554 | .hostname = "openbsd.org", | ||
| 3555 | .valid = 1, | ||
| 3556 | }, | ||
| 3557 | { | ||
| 3558 | .hostname = "op3nbsd.org", | ||
| 3559 | .valid = 1, | ||
| 3560 | }, | ||
| 3561 | { | ||
| 3562 | .hostname = "org", | ||
| 3563 | .valid = 1, | ||
| 3564 | }, | ||
| 3565 | { | ||
| 3566 | .hostname = "3openbsd.com", | ||
| 3567 | .valid = 1, | ||
| 3568 | }, | ||
| 3569 | { | ||
| 3570 | .hostname = "3-0penb-d.c-m", | ||
| 3571 | .valid = 1, | ||
| 3572 | }, | ||
| 3573 | { | ||
| 3574 | .hostname = "a", | ||
| 3575 | .valid = 1, | ||
| 3576 | }, | ||
| 3577 | { | ||
| 3578 | .hostname = | ||
| 3579 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", | ||
| 3580 | .valid = 1, | ||
| 3581 | }, | ||
| 3582 | { | ||
| 3583 | .hostname = | ||
| 3584 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3585 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3586 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3587 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", | ||
| 3588 | .valid = 1, | ||
| 3589 | }, | ||
| 3590 | { | ||
| 3591 | .hostname = "openbsd.org.", | ||
| 3592 | .valid = 0, | ||
| 3593 | }, | ||
| 3594 | { | ||
| 3595 | .hostname = "openbsd..org", | ||
| 3596 | .valid = 0, | ||
| 3597 | }, | ||
| 3598 | { | ||
| 3599 | .hostname = "openbsd.org-", | ||
| 3600 | .valid = 0, | ||
| 3601 | }, | ||
| 3602 | { | ||
| 3603 | .hostname = | ||
| 3604 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", | ||
| 3605 | .valid = 0, | ||
| 3606 | }, | ||
| 3607 | { | ||
| 3608 | .hostname = | ||
| 3609 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3610 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3611 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3612 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", | ||
| 3613 | .valid = 0, | ||
| 3614 | }, | ||
| 3615 | { | ||
| 3616 | .hostname = "-p3nbsd.org", | ||
| 3617 | .valid = 0, | ||
| 3618 | }, | ||
| 3619 | { | ||
| 3620 | .hostname = "openbs-.org", | ||
| 3621 | .valid = 0, | ||
| 3622 | }, | ||
| 3623 | { | ||
| 3624 | .hostname = "openbsd\n.org", | ||
| 3625 | .valid = 0, | ||
| 3626 | }, | ||
| 3627 | { | ||
| 3628 | .hostname = "open_bsd.org", | ||
| 3629 | .valid = 0, | ||
| 3630 | }, | ||
| 3631 | { | ||
| 3632 | .hostname = "open\178bsd.org", | ||
| 3633 | .valid = 0, | ||
| 3634 | }, | ||
| 3635 | { | ||
| 3636 | .hostname = "open\255bsd.org", | ||
| 3637 | .valid = 0, | ||
| 3638 | }, | ||
| 3639 | { | ||
| 3640 | .hostname = "dead::beef", | ||
| 3641 | .is_ip = 1, | ||
| 3642 | .valid = 0, | ||
| 3643 | }, | ||
| 3644 | { | ||
| 3645 | .hostname = "192.168.0.1", | ||
| 3646 | .is_ip = 1, | ||
| 3647 | .valid = 0, | ||
| 3648 | }, | ||
| 3649 | }; | ||
| 3650 | |||
| 3651 | #define N_TLS_SNI_TESTS (sizeof(tls_sni_tests) / sizeof(*tls_sni_tests)) | ||
| 3652 | |||
| 3561 | static int | 3653 | static int |
| 3562 | test_tlsext_valid_hostnames(void) | 3654 | test_tlsext_is_valid_hostname(const struct tls_sni_test *tst) |
| 3563 | { | 3655 | { |
| 3564 | int i, failure = 0; | 3656 | int failure = 0; |
| 3565 | 3657 | int is_ip; | |
| 3566 | for (i = 0; valid_hostnames[i] != NULL; i++) { | 3658 | CBS cbs; |
| 3567 | CBS cbs; | 3659 | |
| 3568 | CBS_init(&cbs, valid_hostnames[i], strlen(valid_hostnames[i])); | 3660 | CBS_init(&cbs, tst->hostname, strlen(tst->hostname)); |
| 3569 | if (!tlsext_sni_is_valid_hostname(&cbs)) { | 3661 | if (tlsext_sni_is_valid_hostname(&cbs, &is_ip) != tst->valid) { |
| 3662 | if (tst->valid) { | ||
| 3570 | FAIL("Valid hostname '%s' rejected\n", | 3663 | FAIL("Valid hostname '%s' rejected\n", |
| 3571 | valid_hostnames[i]); | 3664 | tst->hostname); |
| 3665 | } else { | ||
| 3666 | FAIL("Invalid hostname '%s' accepted\n", | ||
| 3667 | tst->hostname); | ||
| 3668 | } | ||
| 3669 | failure = 1; | ||
| 3670 | goto done; | ||
| 3671 | } | ||
| 3672 | if (tst->is_ip != is_ip) { | ||
| 3673 | if (tst->is_ip) { | ||
| 3674 | FAIL("Hostname '%s' is an IP literal but not " | ||
| 3675 | "identified as one\n", tst->hostname); | ||
| 3676 | } else { | ||
| 3677 | FAIL("Hostname '%s' is not an IP literal but is " | ||
| 3678 | "identified as one\n", tst->hostname); | ||
| 3679 | } | ||
| 3680 | failure = 1; | ||
| 3681 | goto done; | ||
| 3682 | } | ||
| 3683 | |||
| 3684 | if (tst->valid) { | ||
| 3685 | CBS_init(&cbs, tst->hostname, | ||
| 3686 | strlen(tst->hostname) + 1); | ||
| 3687 | if (tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { | ||
| 3688 | FAIL("hostname with NUL byte accepted\n"); | ||
| 3572 | failure = 1; | 3689 | failure = 1; |
| 3573 | goto done; | 3690 | goto done; |
| 3574 | } | 3691 | } |
| @@ -3577,52 +3694,21 @@ test_tlsext_valid_hostnames(void) | |||
| 3577 | return failure; | 3694 | return failure; |
| 3578 | } | 3695 | } |
| 3579 | 3696 | ||
| 3580 | unsigned char *invalid_hostnames[] = { | ||
| 3581 | "openbsd.org.", | ||
| 3582 | "openbsd..org", | ||
| 3583 | "openbsd.org-", | ||
| 3584 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", | ||
| 3585 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3586 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3587 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | ||
| 3588 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", | ||
| 3589 | "-p3nbsd.org", | ||
| 3590 | "openbs-.org", | ||
| 3591 | "openbsd\n.org", | ||
| 3592 | "open_bsd.org", | ||
| 3593 | "open\178bsd.org", | ||
| 3594 | "open\255bsd.org", | ||
| 3595 | NULL, | ||
| 3596 | }; | ||
| 3597 | |||
| 3598 | static int | 3697 | static int |
| 3599 | test_tlsext_invalid_hostnames(void) | 3698 | test_tlsext_valid_hostnames(void) |
| 3600 | { | 3699 | { |
| 3601 | int i, failure = 0; | 3700 | const struct tls_sni_test *tst; |
| 3602 | CBS cbs; | 3701 | int failure = 0; |
| 3702 | size_t i; | ||
| 3603 | 3703 | ||
| 3604 | for (i = 0; invalid_hostnames[i] != NULL; i++) { | 3704 | for (i = 0; i < N_TLS_SNI_TESTS; i++) { |
| 3605 | CBS_init(&cbs, invalid_hostnames[i], | 3705 | tst = &tls_sni_tests[i]; |
| 3606 | strlen(invalid_hostnames[i])); | 3706 | failure |= test_tlsext_is_valid_hostname(tst); |
| 3607 | if (tlsext_sni_is_valid_hostname(&cbs)) { | ||
| 3608 | FAIL("Invalid hostname '%s' accepted\n", | ||
| 3609 | invalid_hostnames[i]); | ||
| 3610 | failure = 1; | ||
| 3611 | goto done; | ||
| 3612 | } | ||
| 3613 | } | ||
| 3614 | CBS_init(&cbs, valid_hostnames[0], | ||
| 3615 | strlen(valid_hostnames[0]) + 1); | ||
| 3616 | if (tlsext_sni_is_valid_hostname(&cbs)) { | ||
| 3617 | FAIL("hostname with NUL byte accepted\n"); | ||
| 3618 | failure = 1; | ||
| 3619 | goto done; | ||
| 3620 | } | 3707 | } |
| 3621 | done: | 3708 | |
| 3622 | return failure; | 3709 | return failure; |
| 3623 | } | 3710 | } |
| 3624 | 3711 | ||
| 3625 | |||
| 3626 | int | 3712 | int |
| 3627 | main(int argc, char **argv) | 3713 | main(int argc, char **argv) |
| 3628 | { | 3714 | { |
| @@ -3674,7 +3760,6 @@ main(int argc, char **argv) | |||
| 3674 | failed |= test_tlsext_serverhello_build(); | 3760 | failed |= test_tlsext_serverhello_build(); |
| 3675 | 3761 | ||
| 3676 | failed |= test_tlsext_valid_hostnames(); | 3762 | failed |= test_tlsext_valid_hostnames(); |
| 3677 | failed |= test_tlsext_invalid_hostnames(); | ||
| 3678 | 3763 | ||
| 3679 | return (failed); | 3764 | return (failed); |
| 3680 | } | 3765 | } |
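Review bot: The table entries `"open\178bsd.org"` and `"open\255bsd.org"` do not encode the bytes their spelling suggests: in C `\178` is the octal escape `\17` (0x0F) followed by a literal digit `8`, and `\255` is octal, i.e. 0xAD, so if these cases are meant to exercise bytes 178 and 255 they are being rejected for a different reason (a control character and 0xAD respectively); hex escapes such as `"open\xb2bsd.org"` and `"open\xffbsd.org"` would pin the intent. In test_tlsext_is_valid_hostname, `int is_ip;` is left uninitialized before the first `tlsext_sni_is_valid_hostname(&cbs, &is_ip)` call, and the later `tst->is_ip != is_ip` comparison is only well-defined if the callee writes `*is_ip` on every return path, including rejections such as "dead::beef"; that implementation is not on this page, so `int is_ip = 0;` would keep the comparison deterministic regardless of the callee's contract. The body of test_tlsext_is_valid_hostname continues past the end of the second hunk, so the closing of the `if (tst->valid)` block and the `done:` label are not visible here.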
