diff options
| author | Matt Caswell <matt@openssl.org> | 2022-09-30 16:51:58 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2022-10-19 10:22:11 +0200 |
| commit | 78d00e05a537495287b979bcad79365d5d9607d4 (patch) | |
| tree | 61a23bbcd241e591f8dbfea3b58e011d44b76245 /test | |
| parent | 3df6aed7826640d944da382f78af5ab87ea790db (diff) | |
Add a test for where a client sends a non-TLSv1.3 key share
This should not happen but we should tolerate and send an HRR
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19404)
Diffstat (limited to 'test')
| -rw-r--r-- | test/recipes/70-test_key_share.t | 50 |
1 files changed, 40 insertions, 10 deletions
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index ec722c7fcd..0f5f62ee37 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -25,7 +25,8 @@ use constant { ZERO_LEN_KEX_DATA => 9, TRAILING_DATA => 10, SELECT_X25519 => 11, - NO_KEY_SHARES_IN_HRR => 12 + NO_KEY_SHARES_IN_HRR => 12, + NON_TLS1_3_KEY_SHARE => 13 }; use constant { @@ -85,7 +86,7 @@ if (disabled("ec")) { $proxy->serverflags("-groups P-256"); } $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 22; +plan tests => 23; ok(TLSProxy::Message->success(), "Success after HRR"); #Test 2: The server sending an HRR requesting a group the client already sent @@ -290,11 +291,27 @@ if (disabled("ec")) { $proxy->start(); ok(TLSProxy::Message->fail(), "Server sends HRR with no key_shares"); +SKIP: { + skip "No EC support in this OpenSSL build", 1 if disabled("ec"); + #Test 23: Trailing data on key_share in ServerHello should fail + $proxy->clear(); + $direction = CLIENT_TO_SERVER; + $proxy->clientflags("-groups secp192r1:P-256:X25519"); + $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); + $testtype = NON_TLS1_3_KEY_SHARE; + $proxy->start(); + my $ishrr = defined ${$proxy->message_list}[2] + &&(${$proxy->message_list}[0]->mt == TLSProxy::Message::MT_CLIENT_HELLO) + && (${$proxy->message_list}[2]->mt == TLSProxy::Message::MT_CLIENT_HELLO); + ok(TLSProxy::Message->success() && $ishrr, + "Client sends a key_share for a Non TLSv1.3 group"); +} + sub modify_key_shares_filter { my $proxy = shift; - # We're only interested in the initial ClientHello + # We're only interested in the initial ClientHello/SererHello/HRR if (($direction == CLIENT_TO_SERVER && $proxy->flight != 0 && ($proxy->flight != 1 || $testtype != NO_KEY_SHARES_IN_HRR)) || ($direction == SERVER_TO_CLIENT && $proxy->flight != 1)) { @@ -307,12 +324,19 @@ sub modify_key_shares_filter my $ext; my $suppgroups; - #Setup supported groups to include some unrecognised groups - $suppgroups = pack "C8", - 0x00, 0x06, #List Length - 0xff, 0xfe, #Non existing group 1 - 0xff, 0xff, #Non existing group 2 - 0x00, 0x1d; #x25519 + if ($testtype != NON_TLS1_3_KEY_SHARE) { + #Setup supported groups to include some unrecognised groups + $suppgroups = pack "C8", + 0x00, 0x06, #List Length + 0xff, 0xfe, #Non existing group 1 + 0xff, 0xff, #Non existing group 2 + 0x00, 0x1d; #x25519 + } else { + $suppgroups = pack "C6", + 0x00, 0x04, #List Length + 0x00, 0x13, + 0x00, 0x1d; #x25519 + } if ($testtype == EMPTY_EXTENSION) { $ext = pack "C2", @@ -376,6 +400,13 @@ sub modify_key_shares_filter 0x00, 0x17, #P-256 0x00, 0x01, #key_exchange data length 0xff; #Dummy key_share data + } elsif ($testtype == NON_TLS1_3_KEY_SHARE) { + $ext = pack "C6H98", + 0x00, 0x35, #List Length + 0x00, 0x13, #P-192 + 0x00, 0x31, #key_exchange data length + "04EE3B38D1CB800A1A2B702FC8423599F2AC7161E175C865F8". + "3DAF78BCBAE561464E8144359BE70CB7989D28A2F43F8F2C"; #key_exchange data } if ($testtype != EMPTY_EXTENSION @@ -383,7 +414,6 @@ sub modify_key_shares_filter $message->set_extension( TLSProxy::Message::EXT_SUPPORTED_GROUPS, $suppgroups); } - if ($testtype == MISSING_EXTENSION) { $message->delete_extension( TLSProxy::Message::EXT_KEY_SHARE); |