1 files changed, 201 insertions, 4 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 63c64e9411..6a68344506 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.16 2017/08/29 17:24:59 jsing Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.17 2017/11/28 16:40:21 jsing Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1353,7 +1353,7 @@ test_tlsext_ri_clienthello(void)
                FAIL("renegotiate seen not set\n");
                goto err;
        }
-        if (S3I(ssl)->send_connection_binding != 1) {
+        if (S3I(ssl)->send_connection_binding != 1) {
                FAIL("send connection binding not set\n");
                goto err;
        }
@@ -1412,7 +1412,7 @@ test_tlsext_ri_serverhello(void)
                goto err;
        }
-        S3I(ssl)->send_connection_binding = 1;
+        S3I(ssl)->send_connection_binding = 1;
        if (!tlsext_ri_serverhello_needs(ssl)) {
                FAIL("serverhello should need RI\n");
@@ -1466,7 +1466,7 @@ test_tlsext_ri_serverhello(void)
                FAIL("renegotiate seen not set\n");
                goto err;
        }
-        if (S3I(ssl)->send_connection_binding != 1) {
+        if (S3I(ssl)->send_connection_binding != 1) {
                FAIL("send connection binding not set\n");
                goto err;
        }
@@ -2731,12 +2731,206 @@ test_tlsext_srtp_serverhello(void)
 }
 #endif /* OPENSSL_NO_SRTP */
+unsigned char tlsext_clienthello_default[] = {
+        0x00, 0x36, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
+        0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
+        0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
+        0x00, 0x0d, 0x00, 0x1c, 0x00, 0x1a, 0x06, 0x01,
+        0x06, 0x03, 0xef, 0xef, 0x05, 0x01, 0x05, 0x03,
+        0x04, 0x01, 0x04, 0x03, 0xee, 0xee, 0xed, 0xed,
+        0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
+};
+unsigned char tlsext_clienthello_disabled[] = {};
+static int
+test_tlsext_clienthello_build(void)
+{
+        unsigned char *data = NULL;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        size_t dlen;
+        int failure;
+        CBB cbb;
+        failure = 1;
+        if (!CBB_init(&cbb, 0))
+                errx(1, "failed to create CBB");
+        if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+                errx(1, "failed to create SSL_CTX");
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+                errx(1, "failed to create SSL");
+        if (!tlsext_clienthello_build(ssl, &cbb)) {
+                FAIL("failed to build clienthello extensions\n");
+                goto err;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        if (dlen != sizeof(tlsext_clienthello_default)) {
+                FAIL("got clienthello extensions with length %zu, "
+                    "want length %zu\n", dlen,
+                    sizeof(tlsext_clienthello_default));
+                compare_data(data, dlen, tlsext_clienthello_default,
+                    sizeof(tlsext_clienthello_default));
+                goto err;
+        }
+        if (memcmp(data, tlsext_clienthello_default, dlen) != 0) {
+                FAIL("clienthello extensions differs:\n");
+                compare_data(data, dlen, tlsext_clienthello_default,
+                    sizeof(tlsext_clienthello_default));
+                goto err;
+        }
+        CBB_cleanup(&cbb);
+        CBB_init(&cbb, 0);
+        /* Switch to TLSv1.1, disable EC ciphers and session tickets. */
+        ssl->client_version = TLS1_1_VERSION;
+        if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
+                FAIL("failed to set cipher list\n");
+                goto err;
+        }
+        if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
+                FAIL("failed to disable session tickets");
+                return 0;
+        }
+        if (!tlsext_clienthello_build(ssl, &cbb)) {
+                FAIL("failed to build clienthello extensions\n");
+                goto err;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        if (dlen != sizeof(tlsext_clienthello_disabled)) {
+                FAIL("got clienthello extensions with length %zu, "
+                    "want length %zu\n", dlen,
+                    sizeof(tlsext_clienthello_disabled));
+                compare_data(data, dlen, tlsext_clienthello_disabled,
+                    sizeof(tlsext_clienthello_disabled));
+                goto err;
+        }
+        if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
+                FAIL("clienthello extensions differs:\n");
+                compare_data(data, dlen, tlsext_clienthello_disabled,
+                    sizeof(tlsext_clienthello_disabled));
+                goto err;
+        }
+        failure = 0;
+ err:
+        CBB_cleanup(&cbb);
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        free(data);
+        return (failure);
+}
+unsigned char tlsext_serverhello_default[] = {};
+unsigned char tlsext_serverhello_enabled[] = {
+        0x00, 0x0d, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
+        0x05, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00,
+};
+static int
+test_tlsext_serverhello_build(void)
+{
+        unsigned char *data = NULL;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        size_t dlen;
+        int failure;
+        CBB cbb;
+        failure = 1;
+        if (!CBB_init(&cbb, 0))
+                errx(1, "failed to create CBB");
+        if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
+                errx(1, "failed to create SSL_CTX");
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+                errx(1, "failed to create SSL");
+        if ((ssl->session = SSL_SESSION_new()) == NULL)
+                errx(1, "failed to create session");
+        if (!tlsext_serverhello_build(ssl, &cbb)) {
+                FAIL("failed to build serverhello extensions\n");
+                goto err;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        if (dlen != sizeof(tlsext_serverhello_default)) {
+                FAIL("got serverhello extensions with length %zu, "
+                    "want length %zu\n", dlen,
+                    sizeof(tlsext_serverhello_default));
+                compare_data(data, dlen, tlsext_serverhello_default,
+                    sizeof(tlsext_serverhello_default));
+                goto err;
+        }
+        if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
+                FAIL("serverhello extensions differs:\n");
+                compare_data(data, dlen, tlsext_serverhello_default,
+                    sizeof(tlsext_serverhello_default));
+                goto err;
+        }
+        CBB_cleanup(&cbb);
+        CBB_init(&cbb, 0);
+        /* Turn a few things on so we get extensions... */
+        S3I(ssl)->send_connection_binding = 1;
+        ssl->internal->tlsext_status_expected = 1;
+        ssl->internal->tlsext_ticket_expected = 1;
+        if (!tlsext_serverhello_build(ssl, &cbb)) {
+                FAIL("failed to build serverhello extensions\n");
+                goto err;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        if (dlen != sizeof(tlsext_serverhello_enabled)) {
+                FAIL("got serverhello extensions with length %zu, "
+                    "want length %zu\n", dlen,
+                    sizeof(tlsext_serverhello_enabled));
+                compare_data(data, dlen, tlsext_serverhello_enabled,
+                    sizeof(tlsext_serverhello_enabled));
+                goto err;
+        }
+        if (memcmp(data, tlsext_serverhello_enabled, dlen) != 0) {
+                FAIL("serverhello extensions differs:\n");
+                compare_data(data, dlen, tlsext_serverhello_enabled,
+                    sizeof(tlsext_serverhello_enabled));
+                goto err;
+        }
+        failure = 0;
+ err:
+        CBB_cleanup(&cbb);
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        free(data);
+        return (failure);
+}
 int
 main(int argc, char **argv)
 {
        int failed = 0;
        SSL_library_init();
+        SSL_load_error_strings();
        failed |= test_tlsext_alpn_clienthello();
        failed |= test_tlsext_alpn_serverhello();
@@ -2769,5 +2963,8 @@ main(int argc, char **argv)
        fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n");
 #endif
+        failed |= test_tlsext_clienthello_build();
+        failed |= test_tlsext_serverhello_build();
        return (failed);
 }

diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 63c64e9411..6a68344506 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tlsexttest.c,v 1.16 2017/08/29 17:24:59 jsing Exp $ */	1	/* $OpenBSD: tlsexttest.c,v 1.17 2017/11/28 16:40:21 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1353,7 +1353,7 @@ test_tlsext_ri_clienthello(void)
1353	FAIL("renegotiate seen not set\n");	1353	FAIL("renegotiate seen not set\n");
1354	goto err;	1354	goto err;
1355	}	1355	}
1356	if (S3I(ssl)->send_connection_binding != 1) {	1356	if (S3I(ssl)->send_connection_binding != 1) {
1357	FAIL("send connection binding not set\n");	1357	FAIL("send connection binding not set\n");
1358	goto err;	1358	goto err;
1359	}	1359	}
@@ -1412,7 +1412,7 @@ test_tlsext_ri_serverhello(void)
1412	goto err;	1412	goto err;
1413	}	1413	}
1414		1414
1415	S3I(ssl)->send_connection_binding = 1;	1415	S3I(ssl)->send_connection_binding = 1;
1416		1416
1417	if (!tlsext_ri_serverhello_needs(ssl)) {	1417	if (!tlsext_ri_serverhello_needs(ssl)) {
1418	FAIL("serverhello should need RI\n");	1418	FAIL("serverhello should need RI\n");
@@ -1466,7 +1466,7 @@ test_tlsext_ri_serverhello(void)
1466	FAIL("renegotiate seen not set\n");	1466	FAIL("renegotiate seen not set\n");
1467	goto err;	1467	goto err;
1468	}	1468	}
1469	if (S3I(ssl)->send_connection_binding != 1) {	1469	if (S3I(ssl)->send_connection_binding != 1) {
1470	FAIL("send connection binding not set\n");	1470	FAIL("send connection binding not set\n");
1471	goto err;	1471	goto err;
1472	}	1472	}
@@ -2731,12 +2731,206 @@ test_tlsext_srtp_serverhello(void)
2731	}	2731	}
2732	#endif /* OPENSSL_NO_SRTP */	2732	#endif /* OPENSSL_NO_SRTP */
2733		2733
		2734	unsigned char tlsext_clienthello_default[] = {
		2735	0x00, 0x36, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
		2736	0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
		2737	0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
		2738	0x00, 0x0d, 0x00, 0x1c, 0x00, 0x1a, 0x06, 0x01,
		2739	0x06, 0x03, 0xef, 0xef, 0x05, 0x01, 0x05, 0x03,
		2740	0x04, 0x01, 0x04, 0x03, 0xee, 0xee, 0xed, 0xed,
		2741	0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
		2742	};
		2743
		2744	unsigned char tlsext_clienthello_disabled[] = {};
		2745
		2746	static int
		2747	test_tlsext_clienthello_build(void)
		2748	{
		2749	unsigned char *data = NULL;
		2750	SSL_CTX *ssl_ctx = NULL;
		2751	SSL *ssl = NULL;
		2752	size_t dlen;
		2753	int failure;
		2754	CBB cbb;
		2755
		2756	failure = 1;
		2757
		2758	if (!CBB_init(&cbb, 0))
		2759	errx(1, "failed to create CBB");
		2760
		2761	if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
		2762	errx(1, "failed to create SSL_CTX");
		2763	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		2764	errx(1, "failed to create SSL");
		2765
		2766	if (!tlsext_clienthello_build(ssl, &cbb)) {
		2767	FAIL("failed to build clienthello extensions\n");
		2768	goto err;
		2769	}
		2770	if (!CBB_finish(&cbb, &data, &dlen))
		2771	errx(1, "failed to finish CBB");
		2772
		2773	if (dlen != sizeof(tlsext_clienthello_default)) {
		2774	FAIL("got clienthello extensions with length %zu, "
		2775	"want length %zu\n", dlen,
		2776	sizeof(tlsext_clienthello_default));
		2777	compare_data(data, dlen, tlsext_clienthello_default,
		2778	sizeof(tlsext_clienthello_default));
		2779	goto err;
		2780	}
		2781	if (memcmp(data, tlsext_clienthello_default, dlen) != 0) {
		2782	FAIL("clienthello extensions differs:\n");
		2783	compare_data(data, dlen, tlsext_clienthello_default,
		2784	sizeof(tlsext_clienthello_default));
		2785	goto err;
		2786	}
		2787
		2788	CBB_cleanup(&cbb);
		2789	CBB_init(&cbb, 0);
		2790
		2791	/* Switch to TLSv1.1, disable EC ciphers and session tickets. */
		2792	ssl->client_version = TLS1_1_VERSION;
		2793	if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
		2794	FAIL("failed to set cipher list\n");
		2795	goto err;
		2796	}
		2797	if ((SSL_set_options(ssl, SSL_OP_NO_TICKET) & SSL_OP_NO_TICKET) == 0) {
		2798	FAIL("failed to disable session tickets");
		2799	return 0;
		2800	}
		2801
		2802	if (!tlsext_clienthello_build(ssl, &cbb)) {
		2803	FAIL("failed to build clienthello extensions\n");
		2804	goto err;
		2805	}
		2806	if (!CBB_finish(&cbb, &data, &dlen))
		2807	errx(1, "failed to finish CBB");
		2808
		2809	if (dlen != sizeof(tlsext_clienthello_disabled)) {
		2810	FAIL("got clienthello extensions with length %zu, "
		2811	"want length %zu\n", dlen,
		2812	sizeof(tlsext_clienthello_disabled));
		2813	compare_data(data, dlen, tlsext_clienthello_disabled,
		2814	sizeof(tlsext_clienthello_disabled));
		2815	goto err;
		2816	}
		2817	if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
		2818	FAIL("clienthello extensions differs:\n");
		2819	compare_data(data, dlen, tlsext_clienthello_disabled,
		2820	sizeof(tlsext_clienthello_disabled));
		2821	goto err;
		2822	}
		2823
		2824	failure = 0;
		2825
		2826	err:
		2827	CBB_cleanup(&cbb);
		2828	SSL_CTX_free(ssl_ctx);
		2829	SSL_free(ssl);
		2830	free(data);
		2831
		2832	return (failure);
		2833	}
		2834
		2835	unsigned char tlsext_serverhello_default[] = {};
		2836
		2837	unsigned char tlsext_serverhello_enabled[] = {
		2838	0x00, 0x0d, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
		2839	0x05, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00,
		2840	};
		2841
		2842	static int
		2843	test_tlsext_serverhello_build(void)
		2844	{
		2845	unsigned char *data = NULL;
		2846	SSL_CTX *ssl_ctx = NULL;
		2847	SSL *ssl = NULL;
		2848	size_t dlen;
		2849	int failure;
		2850	CBB cbb;
		2851
		2852	failure = 1;
		2853
		2854	if (!CBB_init(&cbb, 0))
		2855	errx(1, "failed to create CBB");
		2856
		2857	if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
		2858	errx(1, "failed to create SSL_CTX");
		2859	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		2860	errx(1, "failed to create SSL");
		2861	if ((ssl->session = SSL_SESSION_new()) == NULL)
		2862	errx(1, "failed to create session");
		2863
		2864	if (!tlsext_serverhello_build(ssl, &cbb)) {
		2865	FAIL("failed to build serverhello extensions\n");
		2866	goto err;
		2867	}
		2868	if (!CBB_finish(&cbb, &data, &dlen))
		2869	errx(1, "failed to finish CBB");
		2870
		2871	if (dlen != sizeof(tlsext_serverhello_default)) {
		2872	FAIL("got serverhello extensions with length %zu, "
		2873	"want length %zu\n", dlen,
		2874	sizeof(tlsext_serverhello_default));
		2875	compare_data(data, dlen, tlsext_serverhello_default,
		2876	sizeof(tlsext_serverhello_default));
		2877	goto err;
		2878	}
		2879	if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
		2880	FAIL("serverhello extensions differs:\n");
		2881	compare_data(data, dlen, tlsext_serverhello_default,
		2882	sizeof(tlsext_serverhello_default));
		2883	goto err;
		2884	}
		2885
		2886	CBB_cleanup(&cbb);
		2887	CBB_init(&cbb, 0);
		2888
		2889	/* Turn a few things on so we get extensions... */
		2890	S3I(ssl)->send_connection_binding = 1;
		2891	ssl->internal->tlsext_status_expected = 1;
		2892	ssl->internal->tlsext_ticket_expected = 1;
		2893
		2894	if (!tlsext_serverhello_build(ssl, &cbb)) {
		2895	FAIL("failed to build serverhello extensions\n");
		2896	goto err;
		2897	}
		2898	if (!CBB_finish(&cbb, &data, &dlen))
		2899	errx(1, "failed to finish CBB");
		2900
		2901	if (dlen != sizeof(tlsext_serverhello_enabled)) {
		2902	FAIL("got serverhello extensions with length %zu, "
		2903	"want length %zu\n", dlen,
		2904	sizeof(tlsext_serverhello_enabled));
		2905	compare_data(data, dlen, tlsext_serverhello_enabled,
		2906	sizeof(tlsext_serverhello_enabled));
		2907	goto err;
		2908	}
		2909	if (memcmp(data, tlsext_serverhello_enabled, dlen) != 0) {
		2910	FAIL("serverhello extensions differs:\n");
		2911	compare_data(data, dlen, tlsext_serverhello_enabled,
		2912	sizeof(tlsext_serverhello_enabled));
		2913	goto err;
		2914	}
		2915
		2916	failure = 0;
		2917
		2918	err:
		2919	CBB_cleanup(&cbb);
		2920	SSL_CTX_free(ssl_ctx);
		2921	SSL_free(ssl);
		2922	free(data);
		2923
		2924	return (failure);
		2925	}
		2926
2734	int	2927	int
2735	main(int argc, char **argv)	2928	main(int argc, char **argv)
2736	{	2929	{
2737	int failed = 0;	2930	int failed = 0;
2738		2931
2739	SSL_library_init();	2932	SSL_library_init();
		2933	SSL_load_error_strings();
2740		2934
2741	failed \|= test_tlsext_alpn_clienthello();	2935	failed \|= test_tlsext_alpn_clienthello();
2742	failed \|= test_tlsext_alpn_serverhello();	2936	failed \|= test_tlsext_alpn_serverhello();
@@ -2769,5 +2963,8 @@ main(int argc, char **argv)
2769	fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n");	2963	fprintf(stderr, "Skipping SRTP tests due to OPENSSL_NO_SRTP\n");
2770	#endif	2964	#endif
2771		2965
		2966	failed \|= test_tlsext_clienthello_build();
		2967	failed \|= test_tlsext_serverhello_build();
		2968
2772	return (failed);	2969	return (failed);
2773	}	2970	}