authorJoel Sing <jsing@cvs.openbsd.org>2022-12-17 16:05:29 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2022-12-17 16:05:29 +0000
commit10c8e534f8f1b11f390e9e521f8e3a5f3b6506c5 (patch)
tree81b6294f33b0eddd7af4015db43f670b50d9afc1 /regress
parent4cb60beefbd11802c165aeec3ea8cb6813eb8691 (diff)
Revise cipher list regress coverage of SSL_set_security_level().
An SSL_set_security_level() call was added to the cipher list regress, which expects a failure - however, it should succeed and currently fails for a completely unrelated reason. Rework this regress so that it actually passes and tests for the expected behaviour.
Diffstat (limited to 'regress')
-rw-r--r--regress/lib/libssl/unit/cipher_list.c64
1 files changed, 43 insertions, 21 deletions
diff --git a/regress/lib/libssl/unit/cipher_list.c b/regress/lib/libssl/unit/cipher_list.c
index a63c5ae69fa..c715f60e0b7 100644
--- a/regress/lib/libssl/unit/cipher_list.c
+++ b/regress/lib/libssl/unit/cipher_list.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher_list.c,v 1.13 2022/11/26 16:08:57 tb Exp $ */
+/* $OpenBSD: cipher_list.c,v 1.14 2022/12/17 16:05:28 jsing Exp $ */
/*
* Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -51,6 +51,12 @@ static uint8_t cipher_bytes[] = {
0x00, 0x3d, /* AES256-SHA256 */
};
+static uint8_t cipher_bytes_seclevel3[] = {
+ 0xcc, 0xa8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
+ 0xcc, 0xa9, /* ECDHE-RSA-CHACHA20-POLY1305 */
+ 0xcc, 0xaa, /* DHE-RSA-CHACHA20-POLY1305 */
+};
+
static uint16_t cipher_values[] = {
0xcca8, /* ECDHE-ECDSA-CHACHA20-POLY1305 */
0xcca9, /* ECDHE-RSA-CHACHA20-POLY1305 */
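Review bot: cipher_bytes_seclevel3 is added without a comment saying what it represents, and a reader has to go to main() to learn that it is the expected serialised output once SSL_set_security_level(s, 3) is in effect. A one-line comment above the array would carry that: `/* Subset of cipher_bytes expected in the serialised output at security level 3. */`. Which code does the filtering is not visible in this hunk, so the comment deliberately states only the expectation the regress checks.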
@@ -85,7 +91,8 @@ ssl_bytes_to_list_alloc(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
}
static int
-ssl_list_to_bytes_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
+ssl_list_to_bytes_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers,
+ const uint8_t *cb, size_t cb_len)
{
CBB cbb;
unsigned char *buf = NULL;
@@ -94,27 +101,31 @@ ssl_list_to_bytes_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
/* Space for cipher bytes, plus reneg SCSV and two spare bytes. */
CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
- buflen = sizeof(cipher_bytes) + 2 + 2;
+ buflen = cb_len + 2 + 2;
CHECK((buf = calloc(1, buflen)) != NULL);
- CHECK(CBB_init_fixed(&cbb, buf, buflen));
- CHECK(ssl_cipher_list_to_bytes(s, *ciphers, &cbb));
- CHECK(CBB_finish(&cbb, NULL, &outlen));
+ /* Clear renegotiate so it adds SCSV */
+ s->renegotiate = 0;
+
+ CHECK_GOTO(CBB_init_fixed(&cbb, buf, buflen));
+ CHECK_GOTO(ssl_cipher_list_to_bytes(s, *ciphers, &cbb));
+ CHECK_GOTO(CBB_finish(&cbb, NULL, &outlen));
- CHECK_GOTO(outlen > 0 && outlen == buflen - 2);
- CHECK_GOTO(memcmp(buf, cipher_bytes, sizeof(cipher_bytes)) == 0);
+ CHECK_GOTO(outlen > 0 && outlen == cb_len + 2);
+ CHECK_GOTO(memcmp(buf, cb, cb_len) == 0);
CHECK_GOTO(buf[buflen - 4] == 0x00 && buf[buflen - 3] == 0xff);
CHECK_GOTO(buf[buflen - 2] == 0x00 && buf[buflen - 1] == 0x00);
ret = 1;
-err:
+ err:
free(buf);
return ret;
}
static int
-ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
+ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers,
+ const uint8_t *cb, size_t cb_len)
{
CBB cbb;
unsigned char *buf = NULL;
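Review bot: The first check in the hunk, `CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);`, is kept unchanged while the expected output length becomes the caller-supplied cb_len, so the helper now relies on the parsed list always holding every cipher and only the serialised output shrinking at security level 3; presumably the filtering happens inside ssl_cipher_list_to_bytes() rather than when the list is parsed, but nothing in the hunk says so. A comment next to that check, `/* The parsed list still holds every cipher; security level filtering is expected only in the serialised output (cb/cb_len). */`, would make the asymmetry deliberate, and the corresponding check in ssl_list_to_bytes_no_scsv (next hunk) wants the same. The new `/* Clear renegotiate so it adds SCSV */` could also say why it is needed now: ssl_list_to_bytes_no_scsv() sets s->renegotiate to 1 and main() calls this helper again after it. The body of ssl_list_to_bytes_no_scsv continues past the end of this hunk.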
@@ -123,7 +134,7 @@ ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
/* Space for cipher bytes and two spare bytes */
CHECK(sk_SSL_CIPHER_num(*ciphers) == N_CIPHERS);
- buflen = sizeof(cipher_bytes) + 2;
+ buflen = cb_len + 2;
CHECK((buf = calloc(1, buflen)) != NULL);
buf[buflen - 2] = 0xfe;
buf[buflen - 1] = 0xab;
@@ -131,17 +142,17 @@ ssl_list_to_bytes_no_scsv(SSL *s, STACK_OF(SSL_CIPHER) **ciphers)
/* Set renegotiate so it doesn't add SCSV */
s->renegotiate = 1;
- CHECK(CBB_init_fixed(&cbb, buf, buflen));
- CHECK(ssl_cipher_list_to_bytes(s, *ciphers, &cbb));
- CHECK(CBB_finish(&cbb, NULL, &outlen));
+ CHECK_GOTO(CBB_init_fixed(&cbb, buf, buflen));
+ CHECK_GOTO(ssl_cipher_list_to_bytes(s, *ciphers, &cbb));
+ CHECK_GOTO(CBB_finish(&cbb, NULL, &outlen));
- CHECK_GOTO(outlen > 0 && outlen == buflen - 2);
- CHECK_GOTO(memcmp(buf, cipher_bytes, sizeof(cipher_bytes)) == 0);
+ CHECK_GOTO(outlen > 0 && outlen == cb_len);
+ CHECK_GOTO(memcmp(buf, cb, cb_len) == 0);
CHECK_GOTO(buf[buflen - 2] == 0xfe && buf[buflen - 1] == 0xab);
ret = 1;
-err:
+ err:
free(buf);
return ret;
}
@@ -184,20 +195,31 @@ main(void)
if (!ssl_bytes_to_list_alloc(s, &ciphers))
goto err;
- if (!ssl_list_to_bytes_scsv(s, &ciphers))
+ if (!ssl_list_to_bytes_scsv(s, &ciphers, cipher_bytes,
+ sizeof(cipher_bytes)))
goto err;
- if (!ssl_list_to_bytes_no_scsv(s, &ciphers))
+ if (!ssl_list_to_bytes_no_scsv(s, &ciphers, cipher_bytes,
+ sizeof(cipher_bytes)))
goto err;
if (!ssl_bytes_to_list_invalid(s, &ciphers))
goto err;
+ sk_SSL_CIPHER_free(ciphers);
+ ciphers = NULL;
+
SSL_set_security_level(s, 3);
- if (ssl_list_to_bytes_scsv(s, &ciphers))
+ if (!ssl_bytes_to_list_alloc(s, &ciphers))
+ goto err;
+ if (!ssl_list_to_bytes_scsv(s, &ciphers, cipher_bytes_seclevel3,
+ sizeof(cipher_bytes_seclevel3)))
+ goto err;
+ if (!ssl_list_to_bytes_no_scsv(s, &ciphers, cipher_bytes_seclevel3,
+ sizeof(cipher_bytes_seclevel3)))
goto err;
rv = 0;
-err:
+ err:
sk_SSL_CIPHER_free(ciphers);
SSL_CTX_free(ctx);
SSL_free(s);
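Review bot: The security level 3 pass in main() has no comment saying what it exercises, so a reader must cross-reference cipher_bytes_seclevel3 to see that only the three CHACHA20-POLY1305 suites are expected to remain; a line above the SSL_set_security_level(s, 3) call such as `/* At security level 3 only the CHACHA20-POLY1305 suites are expected in the output. */` would state it. The free-and-reset of ciphers just before that call is likewise unexplained; if it is there so the level 3 run starts from a freshly parsed list rather than reusing the one the earlier helpers consumed, a short comment saying so would stop it reading as redundant with the free at err.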