diff options
| author | jsing <> | 2017-11-28 16:40:21 +0000 |
|---|---|---|
| committer | jsing <> | 2017-11-28 16:40:21 +0000 |
| commit | f988a1a2514fd64e3d5b45425e74f5261894320a (patch) | |
| tree | 25c161da68a01f53919366f366fcde9d04b9c3e2 /src | |
| parent | 4ac2f938dc4f11b0c21ddfca93b2d1dd6e4d86e5 (diff) | |
| download | openbsd-f988a1a2514fd64e3d5b45425e74f5261894320a.tar.gz openbsd-f988a1a2514fd64e3d5b45425e74f5261894320a.tar.bz2 openbsd-f988a1a2514fd64e3d5b45425e74f5261894320a.zip | |
Add regress test coverage for building clienthello and serverhello
extensions, both with extensions being present and not present. The not
present case currently fails.
Diffstat (limited to 'src')
| -rw-r--r-- | src/regress/lib/libssl/tlsext/tlsexttest.c | 205 |
1 files changed, 201 insertions, 4 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 63c64e9411..6a68344506 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlsexttest.c,v 1.16 2017/08/29 17:24:59 jsing Exp $ */ | 1 | /* $OpenBSD: tlsexttest.c,v 1.17 2017/11/28 16:40:21 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1353,7 +1353,7 @@ test_tlsext_ri_clienthello(void) | |||
| 1353 | FAIL("renegotiate seen not set\n"); | 1353 | FAIL("renegotiate seen not set\n"); |
| 1354 | goto err; | 1354 | goto err; |
| 1355 | } | 1355 | } |
| 1356 | if (S3I(ssl)->send_connection_binding != 1) { | 1356 | if (S3I(ssl)->send_connection_binding != 1) { |
| 1357 | FAIL("send connection binding not set\n"); | 1357 | FAIL("send connection binding not set\n"); |
| 1358 | goto err; | 1358 | goto err; |
| 1359 | } | 1359 | } |
| @@ -1412,7 +1412,7 @@ test_tlsext_ri_serverhello(void) | |||
| 1412 | goto err; | 1412 | goto err; |
| 1413 | } | 1413 | } |
| 1414 | 1414 | ||
| 1415 | S3I(ssl)->send_connection_binding = 1; | 1415 | S3I(ssl)->send_connection_binding = 1; |
| 1416 | 1416 | ||
| 1417 | if (!tlsext_ri_serverhello_needs(ssl)) { | 1417 | if (!tlsext_ri_serverhello_needs(ssl)) { |
| 1418 | FAIL("serverhello should need RI\n"); | 1418 | FAIL("serverhello should need RI\n"); |
| @@ -1466,7 +1466,7 @@ test_tlsext_ri_serverhello(void) | |||
| 1466 | FAIL("renegotiate seen not set\n"); | 1466 | FAIL("renegotiate seen not set\n"); |
| 1467 | goto err; | 1467 | goto err; |
| 1468 | } | 1468 | } |
| 1469 | if (S3I(ssl)->send_connection_binding != 1) { | 1469 | if (S3I(ssl)->send_connection_binding != 1) { |
| 1470 | FAIL("send connection binding not set\n"); | 1470 | FAIL("send connection binding not set\n"); |
| 1471 | goto err; | 1471 | goto err; |
| 1472 | } | 1472 | } |
| @@ -2731,12 +2731,206 @@ test_tlsext_srtp_serverhello(void) | |||
| 2731 | } | 2731 | } |
| 2732 | #endif /* OPENSSL_NO_SRTP */ | 2732 | #endif /* OPENSSL_NO_SRTP */ |
| 2733 | 2733 | ||
| 2734 | unsigned char tlsext_clienthello_default[] = { | ||
| 2735 | 0x00, 0x36, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, | ||
| 2736 | 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, | ||
| 2737 | 0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00, | ||
| 2738 | 0x00, 0x0d, 0x00, 0x1c, 0x00, 0x1a, 0x06, 0x01, | ||
| 2739 | 0x06, 0x03, 0xef, 0xef, 0x05, 0x01, 0x05, 0x03, | ||
| 2740 | 0x04, 0x01, 0x04, 0x03, 0xee, 0xee, 0xed, 0xed, | ||
| 2741 | 0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03, | ||
| 2742 | }; | ||
| 2743 | |||
| 2744 | unsigned char tlsext_clienthello_disabled[] = {}; | ||
| 2745 | |||
| 2746 | static int | ||
| 2747 | test_tlsext_clienthello_build(void) | ||
| 2748 | { | ||
| 2749 | unsigned char *data = NULL; | ||
| 2750 | SSL_CTX *ssl_ctx = NULL; | ||
| 2751 | SSL *ssl = NULL; | ||
| 2752 | size_t dlen; | ||
| 2753 | int failure; | ||
| 2754 | CBB cbb; | ||
| 2755 | |||
| 2756 | failure = 1; | ||
| 2757 | |||
| 2758 | if (!CBB_init(&cbb, 0)) | ||
| 2759 | errx(1, "failed to create CBB"); | ||
| 2760 | |||
| 2761 | if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) | ||
| 2762 | errx(1, "failed to create SSL_CTX"); | ||
| 2763 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | ||
| 2764 | errx(1, "failed to create SSL"); | ||
| 2765 | |||
| 2766 | if (!tlsext_clienthello_build(ssl, &cbb)) { | ||
| 2767 | FAIL("failed to build clienthello extensions\n"); | ||
| 2768 | goto err; | ||
| 2769 | } | ||
| 2770 | if (!CBB_finish(&cbb, &data, &dlen)) | ||
| 2771 | errx(1, "failed to finish CBB"); | ||
| 2772 | |||
| 2773 | if (dlen != sizeof(tlsext_clienthello_default)) { | ||
| 2774 | FAIL("got clienthello extensions with length %zu, " | ||
| 2775 | "want length %zu\n", dlen, | ||
| 2776 | sizeof(tlsext_clienthello_default)); | ||
| 2777 | compare_data(data, dlen, tlsext_clienthello_default, | ||
| 2778 | sizeof(tlsext_clienthello_default)); | ||
| 2779 | goto err; | ||
| 2780 | } | ||
| 2781 | if (memcmp(data, tlsext_clienthello_default, dlen) != 0) { | ||
| 2782 | FAIL("clienthello extensions differs:\n"); | ||
| 2783 | compare_data(data, dlen, tlsext_clienthello_default, | ||
| 2784 | sizeof(tlsext_clienthello_default)); | ||
| 2785 | goto err; | ||
| 2786 | } | ||
| 2787 | |||
| 2788 | CBB_cleanup(&cbb); | ||
| 2789 | CBB_init(&cbb, 0); | ||
| 2790 | |||
| 2791 | /* Switch to TLSv1.1, disable EC ciphers and session tickets. */ | ||
| 2792 | ssl->client_version = TLS1_1_VERSION; | ||
| 2793 | if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) { | ||
| 2794 | FAIL("failed to set cipher list\n"); | ||
| 2795 | goto err; | ||
| 2796 | } | ||
| 2797 | if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) { | ||
| 2798 | FAIL("failed to disable session tickets"); | ||
| 2799 | return 0; | ||
| 2800 | } | ||
| 2801 | |||
| 2802 | if (!tlsext_clienthello_build(ssl, &cbb)) { | ||
| 2803 | FAIL("failed to build clienthello extensions\n"); | ||
| 2804 | goto err; | ||
| 2805 | } | ||
| 2806 | if (!CBB_finish(&cbb, &data, &dlen)) | ||
| 2807 | errx(1, "failed to finish CBB"); | ||
| 2808 | |||
| 2809 | if (dlen != sizeof(tlsext_clienthello_disabled)) { | ||
| 2810 | FAIL("got clienthello extensions with length %zu, " | ||
| 2811 | "want length %zu\n", dlen, | ||
| 2812 | sizeof(tlsext_clienthello_disabled)); | ||
| 2813 | compare_data(data, dlen, tlsext_clienthello_disabled, | ||
| 2814 | sizeof(tlsext_clienthello_disabled)); | ||
| 2815 | goto err; | ||
| 2816 | } | ||
| 2817 | if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) { | ||
| 2818 | FAIL("clienthello extensions differs:\n"); | ||
| 2819 | compare_data(data, dlen, tlsext_clienthello_disabled, | ||
| 2820 | sizeof(tlsext_clienthello_disabled)); | ||
| 2821 | goto err; | ||
| 2822 | } | ||
| 2823 | |||
| 2824 | failure = 0; | ||
| 2825 | |||
| 2826 | err: | ||
| 2827 | CBB_cleanup(&cbb); | ||
| 2828 | SSL_CTX_free(ssl_ctx); | ||
| 2829 | SSL_free(ssl); | ||
| 2830 | free(data); | ||
| 2831 | |||
| 2832 | return (failure); | ||
| 2833 | } | ||
| 2834 | |||
| 2835 | unsigned char tlsext_serverhello_default[] = {}; | ||
| 2836 | |||
| 2837 | unsigned char tlsext_serverhello_enabled[] = { | ||
| 2838 | 0x00, 0x0d, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, | ||
| 2839 | 0x05, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, | ||
| 2840 | }; | ||
| 2841 | |||
| 2842 | static int | ||
| 2843 | test_tlsext_serverhello_build(void) | ||
| 2844 | { | ||
| 2845 | unsigned char *data = NULL; | ||
| 2846 | SSL_CTX *ssl_ctx = NULL; | ||
| 2847 | SSL *ssl = NULL; | ||
| 2848 | size_t dlen; | ||
| 2849 | int failure; | ||
| 2850 | CBB cbb; | ||
| 2851 | |||
| 2852 | failure = 1; | ||
| 2853 | |||
| 2854 | if (!CBB_init(&cbb, 0)) | ||
| 2855 | errx(1, "failed to create CBB"); | ||
| 2856 | |||
| 2857 | if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL) | ||
| 2858 | errx(1, "failed to create SSL_CTX"); | ||
| 2859 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | ||
| 2860 | errx(1, "failed to create SSL"); | ||
| 2861 | if ((ssl->session = SSL_SESSION_new()) == NULL) | ||
| 2862 | errx(1, "failed to create session"); | ||
| 2863 | |||
| 2864 | if (!tlsext_serverhello_build(ssl, &cbb)) { | ||
| 2865 | FAIL("failed to build serverhello extensions\n"); | ||
| 2866 | goto err; | ||
| 2867 | } | ||
| 2868 | if (!CBB_finish(&cbb, &data, &dlen)) | ||
| 2869 | errx(1, "failed to finish CBB"); | ||
| 2870 | |||
| 2871 | if (dlen != sizeof(tlsext_serverhello_default)) { | ||
| 2872 | FAIL("got serverhello extensions with length %zu, " | ||
| 2873 | "want length %zu\n", dlen, | ||
| 2874 | sizeof(tlsext_serverhello_default)); | ||
| 2875 | compare_data(data, dlen, tlsext_serverhello_default, | ||
| 2876 | sizeof(tlsext_serverhello_default)); | ||
| 2877 | goto err; | ||
| 2878 | } | ||
| 2879 | if (memcmp(data, tlsext_serverhello_default, dlen) != 0) { | ||
| 2880 | FAIL("serverhello extensions differs:\n"); | ||
| 2881 | compare_data(data, dlen, tlsext_serverhello_default, | ||
| 2882 | sizeof(tlsext_serverhello_default)); | ||
| 2883 | goto err; | ||
| 2884 | } | ||
| 2885 | |||
| 2886 | CBB_cleanup(&cbb); | ||
| 2887 | CBB_init(&cbb, 0); | ||
| 2888 | |||
| 2889 | /* Turn a few things on so we get extensions... */ | ||
| 2890 | S3I(ssl)->send_connection_binding = 1; | ||
| 2891 | ssl->internal->tlsext_status_expected = 1; | ||
| 2892 | ssl->internal->tlsext_ticket_expected = 1; | ||
| 2893 | |||
| 2894 | if (!tlsext_serverhello_build(ssl, &cbb)) { | ||
| 2895 | FAIL("failed to build serverhello extensions\n"); | ||
| 2896 | goto err; | ||
| 2897 | } | ||
| 2898 | if (!CBB_finish(&cbb, &data, &dlen)) | ||
| 2899 | errx(1, "failed to finish CBB"); | ||
| 2900 | |||
| 2901 | if (dlen != sizeof(tlsext_serverhello_enabled)) { | ||
| 2902 | FAIL("got serverhello extensions with length %zu, " | ||
| 2903 | "want length %zu\n", dlen, | ||
| 2904 | sizeof(tlsext_serverhello_enabled)); | ||
| 2905 | compare_data(data, dlen, tlsext_serverhello_enabled, | ||
| 2906 | sizeof(tlsext_serverhello_enabled)); | ||
| 2907 | goto err; | ||
| 2908 | } | ||
| 2909 | if (memcmp(data, tlsext_serverhello_enabled, dlen) != 0) { | ||
| 2910 | FAIL("serverhello extensions differs:\n"); | ||
| 2911 | compare_data(data, dlen, tlsext_serverhello_enabled, | ||
| 2912 | sizeof(tlsext_serverhello_enabled)); | ||
| 2913 | goto err; | ||
| 2914 | } | ||
| 2915 | |||
| 2916 | failure = 0; | ||
| 2917 | |||
| 2918 | err: | ||
| 2919 | CBB_cleanup(&cbb); | ||
| 2920 | SSL_CTX_free(ssl_ctx); | ||
| 2921 | SSL_free(ssl); | ||
| 2922 | free(data); | ||
| 2923 | |||
| 2924 | return (failure); | ||
| 2925 | } | ||
| 2926 | |||
| 2734 | int | 2927 | int |
| 2735 | main(int argc, char **argv) | 2928 | main(int argc, char **argv) |
| 2736 | { | 2929 | { |
| 2737 | int failed = 0; | 2930 | int failed = 0; |
| 2738 | 2931 | ||
| 2739 | SSL_library_init(); | 2932 | SSL_library_init(); |
| 2933 | SSL_load_error_strings(); | ||
| 2740 | 2934 | ||
| 2741 | failed |= test_tlsext_alpn_clienthello(); | 2935 | failed |= test_tlsext_alpn_clienthello(); |
| 2742 | failed |= test_tlsext_alpn_serverhello(); | 2936 | failed |= test_tlsext_alpn_serverhello(); |
| @@ -2769,5 +2963,8 @@ main(int argc, char **argv) | |||
| 2769 | fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n"); | 2963 | fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n"); |
| 2770 | #endif | 2964 | #endif |
| 2771 | 2965 | ||
| 2966 | failed |= test_tlsext_clienthello_build(); | ||
| 2967 | failed |= test_tlsext_serverhello_build(); | ||
| 2968 | |||
| 2772 | return (failed); | 2969 | return (failed); |
| 2773 | } | 2970 | } |