1 files changed, 163 insertions, 1 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 1267f50a49..073ba2f2f5 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.10 2017/08/12 21:17:03 doug Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.11 2017/08/12 21:49:28 jsing Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1079,6 +1079,165 @@ test_tlsext_ri_serverhello(void)
 }
 /*
+ * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
+ */
+static unsigned char tlsext_sigalgs_clienthello[] = {
+        0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef,
+        0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03,
+        0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03,
+        0x02, 0x01, 0x02, 0x03,
+};
+static int
+test_tlsext_sigalgs_clienthello(void)
+{
+        unsigned char *data = NULL;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        int failure = 0;
+        size_t dlen;
+        int alert;
+        CBB cbb;
+        CBS cbs;
+        CBB_init(&cbb, 0);
+        if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+                errx(1, "failed to create SSL_CTX");
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+                errx(1, "failed to create SSL");
+        ssl->client_version = TLS1_1_VERSION;
+        if (tlsext_sigalgs_clienthello_needs(ssl)) {
+                fprintf(stderr, "FAIL: clienthello should not need sigalgs\n");
+                failure = 1;
+                goto done;
+        }
+        ssl->client_version = TLS1_2_VERSION;
+        if (!tlsext_sigalgs_clienthello_needs(ssl)) {
+                fprintf(stderr, "FAIL: clienthello should need sigalgs\n");
+                failure = 1;
+                goto done;
+        }
+        if (!tlsext_sigalgs_clienthello_build(ssl, &cbb)) {
+                fprintf(stderr, "FAIL: clienthello failed to build sigalgs\n");
+                failure = 1;
+                goto done;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        if (dlen != sizeof(tlsext_sigalgs_clienthello)) {
+                fprintf(stderr, "FAIL: got clienthello sigalgs with length %zu, "
+                    "want length %zu\n", dlen, sizeof(tlsext_sigalgs_clienthello));
+                failure = 1;
+                goto done;
+        }
+        if (memcmp(data, tlsext_sigalgs_clienthello, dlen) != 0) {
+                fprintf(stderr, "FAIL: clienthello SNI differs:\n");
+                fprintf(stderr, "received:\n");
+                hexdump(data, dlen);
+                fprintf(stderr, "test data:\n");
+                hexdump(tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello));
+                failure = 1;
+                goto done;
+        }
+        CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello));
+        if (!tlsext_sigalgs_clienthello_parse(ssl, &cbs, &alert)) {
+                fprintf(stderr, "FAIL: failed to parse clienthello SNI\n");
+                failure = 1;
+                goto done;
+        }
+        if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) {
+                fprintf(stderr, "FAIL: RSA sign digest mismatch\n");
+                failure = 1;
+                goto done;
+        }
+        if (ssl->cert->pkeys[SSL_PKEY_RSA_ENC].digest != EVP_sha512()) {
+                fprintf(stderr, "FAIL: RSA enc digest mismatch\n");
+                failure = 1;
+                goto done;
+        }
+        if (ssl->cert->pkeys[SSL_PKEY_ECC].digest != EVP_sha512()) {
+                fprintf(stderr, "FAIL: ECC digest mismatch\n");
+                failure = 1;
+                goto done;
+        }
+        if (ssl->cert->pkeys[SSL_PKEY_GOST01].digest != EVP_streebog512()) {
+                fprintf(stderr, "FAIL: GOST01 digest mismatch\n");
+                failure = 1;
+                goto done;
+        }
+                
+ done:
+        CBB_cleanup(&cbb);
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        free(data);
+        return (failure);
+}
+static int
+test_tlsext_sigalgs_serverhello(void)
+{
+        unsigned char *data = NULL;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        int failure = 0;
+        size_t dlen;
+        int alert;
+        CBB cbb;
+        CBS cbs;
+        CBB_init(&cbb, 0);
+        if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
+                errx(1, "failed to create SSL_CTX");
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+                errx(1, "failed to create SSL");
+        if (tlsext_sigalgs_serverhello_needs(ssl)) {
+                fprintf(stderr, "FAIL: serverhello should not need sigalgs\n");
+                failure = 1;
+                goto done;
+        }
+        if (tlsext_sigalgs_serverhello_build(ssl, &cbb)) {
+                fprintf(stderr, "FAIL: serverhello should not build sigalgs\n");
+                failure = 1;
+                goto done;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello));
+        if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) {
+                fprintf(stderr, "FAIL: failed to parse serverhello sigalgs\n");
+                failure = 1;
+                goto done;
+        }
+ done:
+        CBB_cleanup(&cbb);
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        free(data);
+        return (failure);
+}
+/*
 * Server Name Indication - RFC 6066 section 3.
 */
@@ -1612,6 +1771,9 @@ main(int argc, char **argv)
        failed |= test_tlsext_ri_clienthello();
        failed |= test_tlsext_ri_serverhello();
+        failed |= test_tlsext_sigalgs_clienthello();
+        failed |= test_tlsext_sigalgs_serverhello();
        failed |= test_tlsext_sni_clienthello();
        failed |= test_tlsext_sni_serverhello();

diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 1267f50a49..073ba2f2f5 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tlsexttest.c,v 1.10 2017/08/12 21:17:03 doug Exp $ */	1	/* $OpenBSD: tlsexttest.c,v 1.11 2017/08/12 21:49:28 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1079,6 +1079,165 @@ test_tlsext_ri_serverhello(void)
1079	}	1079	}
1080		1080
1081	/*	1081	/*
		1082	* Signature Algorithms - RFC 5246 section 7.4.1.4.1.
		1083	*/
		1084
		1085	static unsigned char tlsext_sigalgs_clienthello[] = {
		1086	0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef,
		1087	0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03,
		1088	0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03,
		1089	0x02, 0x01, 0x02, 0x03,
		1090	};
		1091
		1092	static int
		1093	test_tlsext_sigalgs_clienthello(void)
		1094	{
		1095	unsigned char *data = NULL;
		1096	SSL_CTX *ssl_ctx = NULL;
		1097	SSL *ssl = NULL;
		1098	int failure = 0;
		1099	size_t dlen;
		1100	int alert;
		1101	CBB cbb;
		1102	CBS cbs;
		1103
		1104	CBB_init(&cbb, 0);
		1105
		1106	if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
		1107	errx(1, "failed to create SSL_CTX");
		1108	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		1109	errx(1, "failed to create SSL");
		1110
		1111	ssl->client_version = TLS1_1_VERSION;
		1112
		1113	if (tlsext_sigalgs_clienthello_needs(ssl)) {
		1114	fprintf(stderr, "FAIL: clienthello should not need sigalgs\n");
		1115	failure = 1;
		1116	goto done;
		1117	}
		1118
		1119	ssl->client_version = TLS1_2_VERSION;
		1120
		1121	if (!tlsext_sigalgs_clienthello_needs(ssl)) {
		1122	fprintf(stderr, "FAIL: clienthello should need sigalgs\n");
		1123	failure = 1;
		1124	goto done;
		1125	}
		1126
		1127	if (!tlsext_sigalgs_clienthello_build(ssl, &cbb)) {
		1128	fprintf(stderr, "FAIL: clienthello failed to build sigalgs\n");
		1129	failure = 1;
		1130	goto done;
		1131	}
		1132
		1133	if (!CBB_finish(&cbb, &data, &dlen))
		1134	errx(1, "failed to finish CBB");
		1135
		1136	if (dlen != sizeof(tlsext_sigalgs_clienthello)) {
		1137	fprintf(stderr, "FAIL: got clienthello sigalgs with length %zu, "
		1138	"want length %zu\n", dlen, sizeof(tlsext_sigalgs_clienthello));
		1139	failure = 1;
		1140	goto done;
		1141	}
		1142
		1143	if (memcmp(data, tlsext_sigalgs_clienthello, dlen) != 0) {
		1144	fprintf(stderr, "FAIL: clienthello SNI differs:\n");
		1145	fprintf(stderr, "received:\n");
		1146	hexdump(data, dlen);
		1147	fprintf(stderr, "test data:\n");
		1148	hexdump(tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello));
		1149	failure = 1;
		1150	goto done;
		1151	}
		1152
		1153	CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello));
		1154	if (!tlsext_sigalgs_clienthello_parse(ssl, &cbs, &alert)) {
		1155	fprintf(stderr, "FAIL: failed to parse clienthello SNI\n");
		1156	failure = 1;
		1157	goto done;
		1158	}
		1159
		1160	if (ssl->cert->pkeys[SSL_PKEY_RSA_SIGN].digest != EVP_sha512()) {
		1161	fprintf(stderr, "FAIL: RSA sign digest mismatch\n");
		1162	failure = 1;
		1163	goto done;
		1164	}
		1165	if (ssl->cert->pkeys[SSL_PKEY_RSA_ENC].digest != EVP_sha512()) {
		1166	fprintf(stderr, "FAIL: RSA enc digest mismatch\n");
		1167	failure = 1;
		1168	goto done;
		1169	}
		1170	if (ssl->cert->pkeys[SSL_PKEY_ECC].digest != EVP_sha512()) {
		1171	fprintf(stderr, "FAIL: ECC digest mismatch\n");
		1172	failure = 1;
		1173	goto done;
		1174	}
		1175	if (ssl->cert->pkeys[SSL_PKEY_GOST01].digest != EVP_streebog512()) {
		1176	fprintf(stderr, "FAIL: GOST01 digest mismatch\n");
		1177	failure = 1;
		1178	goto done;
		1179	}
		1180
		1181	done:
		1182	CBB_cleanup(&cbb);
		1183	SSL_CTX_free(ssl_ctx);
		1184	SSL_free(ssl);
		1185	free(data);
		1186
		1187	return (failure);
		1188	}
		1189
		1190	static int
		1191	test_tlsext_sigalgs_serverhello(void)
		1192	{
		1193	unsigned char *data = NULL;
		1194	SSL_CTX *ssl_ctx = NULL;
		1195	SSL *ssl = NULL;
		1196	int failure = 0;
		1197	size_t dlen;
		1198	int alert;
		1199	CBB cbb;
		1200	CBS cbs;
		1201
		1202	CBB_init(&cbb, 0);
		1203
		1204	if ((ssl_ctx = SSL_CTX_new(TLS_server_method())) == NULL)
		1205	errx(1, "failed to create SSL_CTX");
		1206	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		1207	errx(1, "failed to create SSL");
		1208
		1209	if (tlsext_sigalgs_serverhello_needs(ssl)) {
		1210	fprintf(stderr, "FAIL: serverhello should not need sigalgs\n");
		1211	failure = 1;
		1212	goto done;
		1213	}
		1214
		1215	if (tlsext_sigalgs_serverhello_build(ssl, &cbb)) {
		1216	fprintf(stderr, "FAIL: serverhello should not build sigalgs\n");
		1217	failure = 1;
		1218	goto done;
		1219	}
		1220
		1221	if (!CBB_finish(&cbb, &data, &dlen))
		1222	errx(1, "failed to finish CBB");
		1223
		1224	CBS_init(&cbs, tlsext_sigalgs_clienthello, sizeof(tlsext_sigalgs_clienthello));
		1225	if (tlsext_sigalgs_serverhello_parse(ssl, &cbs, &alert)) {
		1226	fprintf(stderr, "FAIL: failed to parse serverhello sigalgs\n");
		1227	failure = 1;
		1228	goto done;
		1229	}
		1230
		1231	done:
		1232	CBB_cleanup(&cbb);
		1233	SSL_CTX_free(ssl_ctx);
		1234	SSL_free(ssl);
		1235	free(data);
		1236
		1237	return (failure);
		1238	}
		1239
		1240	/*
1082	* Server Name Indication - RFC 6066 section 3.	1241	* Server Name Indication - RFC 6066 section 3.
1083	*/	1242	*/
1084		1243
@@ -1612,6 +1771,9 @@ main(int argc, char **argv)
1612	failed \|= test_tlsext_ri_clienthello();	1771	failed \|= test_tlsext_ri_clienthello();
1613	failed \|= test_tlsext_ri_serverhello();	1772	failed \|= test_tlsext_ri_serverhello();
1614		1773
		1774	failed \|= test_tlsext_sigalgs_clienthello();
		1775	failed \|= test_tlsext_sigalgs_serverhello();
		1776
1615	failed \|= test_tlsext_sni_clienthello();	1777	failed \|= test_tlsext_sni_clienthello();
1616	failed \|= test_tlsext_sni_serverhello();	1778	failed \|= test_tlsext_sni_serverhello();
1617		1779