diff options
| author | Todd Short <tshort@akamai.com> | 2021-03-22 12:56:36 -0400 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2021-04-13 12:29:37 +0200 |
| commit | feba11cf2ea1dee9cc6e30bf5953404c9c2c88c6 (patch) | |
| tree | 48bee7ecfe5b83d7ea2cd24747f6c817ccd877bf /test | |
| parent | 3ab736acb89c277bd174f958591c65c66d611c72 (diff) | |
| download | openssl-new-feba11cf2ea1dee9cc6e30bf5953404c9c2c88c6.tar.gz | |
Handle set_alpn_protos inputs better.
It's possible to set an invalid protocol list that will be sent in a
ClientHello. This validates the inputs to make sure this does not
happen.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14815)
Diffstat (limited to 'test')
| -rw-r--r-- | test/clienthellotest.c | 12 | ||||
| -rw-r--r-- | test/sslapitest.c | 72 |
2 files changed, 81 insertions, 3 deletions
diff --git a/test/clienthellotest.c b/test/clienthellotest.c index 2b92395bac..2f6d336dbc 100644 --- a/test/clienthellotest.c +++ b/test/clienthellotest.c @@ -45,10 +45,16 @@ static const char *sessionfile = NULL; /* Dummy ALPN protocols used to pad out the size of the ClientHello */ +/* ASCII 'O' = 79 = 0x4F = EBCDIC '|'*/ +#ifdef CHARSET_EBCDIC static const char alpn_prots[] = - "0123456789012345678901234567890123456789012345678901234567890123456789" - "0123456789012345678901234567890123456789012345678901234567890123456789" - "01234567890123456789"; + "|1234567890123456789012345678901234567890123456789012345678901234567890123456789" + "|1234567890123456789012345678901234567890123456789012345678901234567890123456789"; +#else +static const char alpn_prots[] = + "O1234567890123456789012345678901234567890123456789012345678901234567890123456789" + "O1234567890123456789012345678901234567890123456789012345678901234567890123456789"; +#endif static int test_client_hello(int currtest) { diff --git a/test/sslapitest.c b/test/sslapitest.c index 624c7967da..4625d34046 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8616,6 +8616,77 @@ end: return testresult; } #endif +/* + * Test that setting an ALPN does not violate RFC + */ +static int test_set_alpn(void) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + int testresult = 0; + + unsigned char bad0[] = { 0x00, 'b', 'a', 'd' }; + unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' }; + unsigned char bad1[] = { 0x01, 'b', 'a', 'd' }; + unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00}; + unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'}; + unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'}; + + /* Create an initial SSL_CTX with no certificate configured */ + ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); + if (!TEST_ptr(ctx)) + goto end; + + /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */ + if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2))) + goto end; + if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0))) + goto end; + if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good)))) + goto end; + if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1))) + goto end; + if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0)))) + goto end; + if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1)))) + goto end; + if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2)))) + goto end; + if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3)))) + goto end; + if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4)))) + goto end; + + ssl = SSL_new(ctx); + if (!TEST_ptr(ssl)) + goto end; + + if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2))) + goto end; + if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0))) + goto end; + if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good)))) + goto end; + if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1))) + goto end; + if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0)))) + goto end; + if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1)))) + goto end; + if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2)))) + goto end; + if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3)))) + goto end; + if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4)))) + goto end; + + testresult = 1; + +end: + SSL_free(ssl); + SSL_CTX_free(ctx); + return testresult; +} static int test_inherit_verify_param(void) { @@ -8908,6 +8979,7 @@ int setup_tests(void) ADD_TEST(test_sni_tls13); #endif ADD_TEST(test_inherit_verify_param); + ADD_TEST(test_set_alpn); return 1; err: |