author | Matt Caswell <matt@openssl.org> | 2017-02-03 11:21:07 +0000 |
committer | Matt Caswell <matt@openssl.org> | 2017-02-16 09:39:05 +0000 |
commit | 9c5a691d578a4debfd6ecacc030a85900906bf0d (patch) | |
tree | 5f87c146078aa84fb1cc8d41c4410093062447f9 /test/ssl_test_ctx.c | |
parent | 3bdc1dc8fcc97a8945ddbc2748e7059207ea3914 (diff) |
Provide a test for the Encrypt-Then-Mac renegotiation crash
Changing the ciphersuite during a renegotiation can result in a crash
leading to a DoS attack. ETM has not been implemented in 1.1.0 for DTLS
so this is TLS only.
This commit provides a test for the issue.
CVE-2017-3733
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test/ssl_test_ctx.c')
-rw-r--r-- | test/ssl_test_ctx.c | 59 |
1 files changed, 17 insertions, 42 deletions
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 09e7a89e9b..c21decf522 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -88,9 +88,7 @@ static const char *enum_name(const test_enum *enums, size_t num_enums,
 }
-/*******************/
-/* ExpectedResult. */
-/*******************/
+/* ExpectedResult */
 static const test_enum ssl_test_results[] = {
 {"Success", SSL_TEST_SUCCESS},
@@ -115,9 +113,7 @@ const char *ssl_test_result_name(ssl_test_result_t result)
 return enum_name(ssl_test_results, OSSL_NELEM(ssl_test_results), result);
 }
-/**********************************************/
-/* ExpectedClientAlert / ExpectedServerAlert. */
-/**********************************************/
+/* ExpectedClientAlert / ExpectedServerAlert */
 static const test_enum ssl_alerts[] = {
 {"UnknownCA", SSL_AD_UNKNOWN_CA},
@@ -147,9 +143,7 @@ const char *ssl_alert_name(int alert)
 return enum_name(ssl_alerts, OSSL_NELEM(ssl_alerts), alert);
 }
-/********************/
 /* ExpectedProtocol */
-/********************/
 static const test_enum ssl_protocols[] = {
 {"TLSv1.2", TLS1_2_VERSION},
@@ -171,9 +165,7 @@ const char *ssl_protocol_name(int protocol)
 return enum_name(ssl_protocols, OSSL_NELEM(ssl_protocols), protocol);
 }
-/***********************/
-/* VerifyCallback. */
-/***********************/
+/* VerifyCallback */
 static const test_enum ssl_verify_callbacks[] = {
 {"None", SSL_TEST_VERIFY_NONE},
@@ -199,9 +191,7 @@ const char *ssl_verify_callback_name(ssl_verify_callback_t callback)
 callback);
 }
-/**************/
 /* ServerName */
-/**************/
 static const test_enum ssl_servername[] = {
 {"None", SSL_TEST_SERVERNAME_NONE},
@@ -240,9 +230,7 @@ const char *ssl_servername_name(ssl_servername_t server)
 server);
 }
-/**********************/
 /* ServerNameCallback */
-/**********************/
 static const test_enum ssl_servername_callbacks[] = {
 {"None", SSL_TEST_SERVERNAME_CB_NONE},
@@ -268,9 +256,7 @@ const char *ssl_servername_callback_name(ssl_servername_callback_t callback)
 OSSL_NELEM(ssl_servername_callbacks), callback);
 }
-/*************************/
 /* SessionTicketExpected */
-/*************************/
 static const test_enum ssl_session_ticket[] = {
 {"Ignore", SSL_TEST_SESSION_TICKET_IGNORE},
@@ -296,9 +282,7 @@ const char *ssl_session_ticket_name(ssl_session_ticket_t server)
 server);
 }
-/***********************/
-/* Method */
-/***********************/
+/* Method */
 static const test_enum ssl_test_methods[] = {
 {"TLS", SSL_TEST_METHOD_TLS},
@@ -321,9 +305,7 @@ const char *ssl_test_method_name(ssl_test_method_t method)
 return enum_name(ssl_test_methods, OSSL_NELEM(ssl_test_methods), method);
 }
-/************************************/
-/* NPN and ALPN options */
-/************************************/
+/* NPN and ALPN options */
 IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, npn_protocols)
 IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, npn_protocols)
@@ -332,9 +314,7 @@ IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, alpn_protocols)
 IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, alpn_protocols)
 IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_alpn_protocol)
-/***********************/
-/* Handshake mode */
-/***********************/
+/* Handshake mode */
 static const test_enum ssl_handshake_modes[] = {
 {"Simple", SSL_TEST_HANDSHAKE_SIMPLE},
@@ -360,9 +340,11 @@ const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode)
 mode);
 }
-/***********************/
-/* CT Validation */
-/***********************/
+/* Renegotiation Ciphersuites */
+
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, reneg_ciphers)
+
+/* CT Validation */
 static const test_enum ssl_ct_validation_modes[] = {
 {"None", SSL_TEST_CT_VALIDATION_NONE},
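Review bot: The new `reneg_ciphers` string option in the `@@ -360,9 +340,11 @@` hunk is registered with `IMPLEMENT_SSL_TEST_STRING_OPTION`, yet the diffstat for this file (17 insertions, all of them visible in these hunks) shows no change to the cleanup path, so the routine that releases `npn_protocols`/`alpn_protocols` for the client conf presumably still needs an `OPENSSL_free` of `reneg_ciphers`, otherwise the parsed value leaks on every test run. This assumes the macro copies the value the way the sibling string options appear to; the macro body and the free routine are outside this hunk, so please confirm against them. A short ownership comment on the new line would also help future readers, e.g. `/* Cipher list the client applies on renegotiation; owned by the conf and released with its other string options */`.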
@@ -391,9 +373,7 @@ const char *ssl_ct_validation_name(ssl_ct_validation_t mode)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, resumption_expected)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, broken_session_ticket)
-/**************/
 /* CertStatus */
-/**************/
 static const test_enum ssl_certstatus[] = {
 {"None", SSL_TEST_CERT_STATUS_NONE},
@@ -419,21 +399,17 @@ const char *ssl_certstatus_name(ssl_cert_status_t cert_status)
 OSSL_NELEM(ssl_certstatus), cert_status);
 }
-/***********************/
-/* ApplicationData */
-/***********************/
+/* ApplicationData */
 IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, app_data_size)
-/***********************/
-/* MaxFragmentSize */
-/***********************/
+
+/* MaxFragmentSize */
 IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, max_fragment_size)
-/***********************/
-/* ExpectedTmpKeyType */
-/***********************/
+
+/* ExpectedTmpKeyType */
 __owur static int parse_expected_tmp_key_type(SSL_TEST_CTX *test_ctx,
 const char *value)
@@ -455,9 +431,7 @@ __owur static int parse_expected_tmp_key_type(SSL_TEST_CTX *test_ctx,
 return 1;
 }
-/*************************************************************/
 /* Known test options and their corresponding parse methods. */
-/*************************************************************/
 /* Top-level options. */
 typedef struct {
@@ -494,6 +468,7 @@ static const ssl_test_client_option ssl_test_client_options[] = {
 { "NPNProtocols", &parse_client_npn_protocols },
 { "ALPNProtocols", &parse_client_alpn_protocols },
 { "CTValidation", &parse_ct_validation },
+ { "RenegotiateCiphers", &parse_client_reneg_ciphers},
 };
 /* Nested server options. */ |
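Review bot: The added table entry in the `@@ -494,6 +468,7 @@` hunk, `{ "RenegotiateCiphers", &parse_client_reneg_ciphers},`, drops the space before the closing brace that every neighbouring entry has; `{ "RenegotiateCiphers", &parse_client_reneg_ciphers },` keeps the table uniform and avoids a stray whitespace fix-up later. The option name is the only place a test author sees this knob, so wherever the other client option names are documented it is worth listing `RenegotiateCiphers` with the note from the commit message that it only applies to TLS, since ETM is not implemented for DTLS in 1.1.0. The `ssl_test_client_options[]` initializer begins before this hunk.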