Don't restrict the number of KeyUpdate messages we can process

Prior to this commit we were keeping a count of how many KeyUpdates we have processed and failing if we had had too many. This simplistic approach is not sufficient for long running connections. Since many KeyUpdates would not be a particular good DoS route anyway, the simplest solution is to simply remove the key update count. Fixes #8068 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/8299) (cherry picked from commit 3409a5ff8a44ddaf043d83ed22e657ae871be289)
author: Matt Caswell <matt@openssl.org> 2019-02-21 16:02:24 +0000
committer: Matt Caswell <matt@openssl.org> 2019-02-22 18:30:05 +0000
commit: f6d64b5142ab59be47c1f10512ce6d58fb399131 (patch)
tree: 812995d8a3c161046387a6c4738db3de8779981e /test
parent: 4a81b8b6e8b908ff70d675c7173ad4923f3dc659 (diff)
1 files changed, 53 insertions, 0 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c
index b3aa5633ab..f51da0c407 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4250,6 +4250,58 @@ static int test_export_key_mat_early(int idx)
 
     return testresult;
 }
+
+#define NUM_KEY_UPDATE_MESSAGES 40
+/*
+ * Test KeyUpdate.
+ */
+static int test_key_update(void)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL;
+    int testresult = 0, i, j;
+    char buf[20];
+    static char *mess = "A test message";
+
+    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+                                       TLS_client_method(),
+                                       TLS1_3_VERSION,
+                                       0,
+                                       &sctx, &cctx, cert, privkey))
+            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+                                             NULL, NULL))
+            || !TEST_true(create_ssl_connection(serverssl, clientssl,
+                                                SSL_ERROR_NONE)))
+        goto end;
+
+    for (j = 0; j < 2; j++) {
+        /* Send lots of KeyUpdate messages */
+        for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
+            if (!TEST_true(SSL_key_update(clientssl,
+                                          (j == 0)
+                                          ? SSL_KEY_UPDATE_NOT_REQUESTED
+                                          : SSL_KEY_UPDATE_REQUESTED))
+                    || !TEST_true(SSL_do_handshake(clientssl)))
+                goto end;
+        }
+
+        /* Check that sending and receiving app data is ok */
+        if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
+                || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
+                                         strlen(mess)))
+            goto end;
+    }
+
+    testresult = 1;
+
+ end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
 #endif /* OPENSSL_NO_TLS1_3 */
 
 static int test_ssl_clear(int idx)
@@ -5929,6 +5981,7 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_export_key_mat, 6);
 #ifndef OPENSSL_NO_TLS1_3
     ADD_ALL_TESTS(test_export_key_mat_early, 3);
+    ADD_TEST(test_key_update);
 #endif
     ADD_ALL_TESTS(test_ssl_clear, 2);
     ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
author	Matt Caswell <matt@openssl.org>	2019-02-21 16:02:24 +0000
committer	Matt Caswell <matt@openssl.org>	2019-02-22 18:30:05 +0000
commit	f6d64b5142ab59be47c1f10512ce6d58fb399131 (patch)
tree	812995d8a3c161046387a6c4738db3de8779981e /test
parent	4a81b8b6e8b908ff70d675c7173ad4923f3dc659 (diff)