diff options
author | Todd Short <tshort@akamai.com> | 2022-09-23 12:03:13 -0400 |
---|---|---|
committer | Todd Short <todd.short@me.com> | 2022-09-28 09:59:31 -0400 |
commit | 8ff66343bdf635ad574e9db4d4fca8f82c4bcc98 (patch) | |
tree | 1de4ac93be55434f1e08f40ba08e908ae5e00038 /ssl/statem | |
parent | 54ba0f1625b515293d76f61dda62644c9c02704e (diff) |
Test TLS extension ordering
Adding extensions is fragile, with the TLSEXT_TYPE entry needing to be
located at TLSEXT_IDX in the array.
This adds a test to ensure extensions are in the correct order.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19269)
(cherry picked from commit ac44deaf00ad24fd18b9d74de4a23d98a2b75c8d)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions.c | 16 | ||||
-rw-r--r-- | ssl/statem/statem_local.h | 5 |
2 files changed, 20 insertions, 1 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index c0bab081a2..8c9c16ec21 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -98,6 +98,9 @@ typedef struct extensions_definition_st { * Definitions of all built-in extensions. NOTE: Changes in the number or order * of these extensions should be mirrored with equivalent changes to the * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h. + * Extensions should be added to test/ext_internal_test.c as well, as that + * tests the ordering of the extensions. + * * Each extension has an initialiser, a client and * server side parser and a finaliser. The initialiser is called (if the * extension is relevant to the given context) even if we did not see the @@ -118,7 +121,7 @@ typedef struct extensions_definition_st { * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at * the end, keep these extensions before signature_algorithm. */ -#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } +#define INVALID_EXTENSION { TLSEXT_TYPE_invalid, 0, NULL, NULL, NULL, NULL, NULL, NULL } static const EXTENSION_DEFINITION ext_defs[] = { { TLSEXT_TYPE_renegotiate, @@ -385,6 +388,17 @@ static const EXTENSION_DEFINITION ext_defs[] = { } }; +/* Returns a TLSEXT_TYPE for the given index */ +unsigned int ossl_get_extension_type(size_t idx) +{ + size_t num_exts = OSSL_NELEM(ext_defs); + + if (idx >= num_exts) + return TLSEXT_TYPE_out_of_range; + + return ext_defs[idx].type; +} + /* Check whether an extension's context matches the current context */ static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) { diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 1883b0166f..01f60ebabb 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -37,6 +37,11 @@ /* Dummy message type */ #define SSL3_MT_DUMMY -1 +/* Invalid extension ID for non-supported extensions */ +#define TLSEXT_TYPE_invalid 0x10000 +#define TLSEXT_TYPE_out_of_range 0x10001 +unsigned int ossl_get_extension_type(size_t idx); + extern const unsigned char hrrrandom[]; /* Message processing return codes */ |