mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add tests for deprecated sigalgs with TLS 1.3 ClientHellos

Browse Source 
Test for each of DSA, SHA1, and SHA224.

Use the symbolic names for SignatureScheme comparisons just added.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3326)
This commit is contained in:
Benjamin Kaduk 2017-04-26 15:17:57 -05:00 committed by Benjamin Kaduk
parent 818137766e
commit 05594f4af3
1 changed files with 84 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
test/recipes/70-test_sslsigalgs.t
View File

@ -39,7 +39,9 @@ use constant {
EMPTY_SIG_ALGS_EXT => 1,
NO_KNOWN_SIG_ALGS => 2,
NO_PSS_SIG_ALGS => 3,
PSS_ONLY_SIG_ALGS => 4
PSS_ONLY_SIG_ALGS => 4,
PURE_SIGALGS => 5,
COMPAT_SIGALGS => 6
};
#Note: Throughout this test we override the default ciphersuites where TLSv1.2
@ -48,7 +50,7 @@ use constant {
#Test 1: Default sig algs should succeed
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 16;
plan tests => 18;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
@ -197,6 +199,29 @@ SKIP: {
ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
}
my ($dsa_status, $sha1_status, $sha224_status);
SKIP: {
skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa");
#Test 17: signature_algorithms with 1.3-only ClientHello
$testtype = PURE_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->clientflags("-tls1_3");
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"DSA/SHA2 sigalg sent for 1.3-only ClientHello");
#Test 18: signature_algorithms with backwards compatible ClientHello
$testtype = COMPAT_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->filter(\&modify_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"DSA sigalg not sent for compat ClientHello");
}
sub sigalgs_filter
@ -232,3 +257,60 @@ sub sigalgs_filter
}
}
}
sub modify_sigalgs_filter
{
my $proxy = shift;
# We're only interested in the initial ClientHello
return if ($proxy->flight != 0);
foreach my $message (@{$proxy->message_list}) {
my $ext;
my @algs;
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
if ($testtype == PURE_SIGALGS) {
my $ok = 1;
$ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
@algs = unpack('S>*', $ext);
# unpack will unpack the length as well
shift @algs;
foreach (@algs) {
if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
|| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
|| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512
|| $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
|| $_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
|| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
|| $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
$ok = 0;
}
}
$sha1_status = $dsa_status = $sha224_status = 1 if ($ok);
} elsif ($testtype == COMPAT_SIGALGS) {
$ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
@algs = unpack('S>*', $ext);
# unpack will unpack the length as well
shift @algs;
foreach (@algs) {
if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
|| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
|| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512) {
$dsa_status = 1;
}
if ($_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
|| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
|| $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
$sha1_status = 1;
}
if ($_ == TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224
|| $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
|| $_ == TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224) {
$sha224_status = 1;
}
}
}
}
}
}