UNRECOGNIZED_SIGALGS_CERT => 10,
UNRECOGNIZED_SIGALG => 11,
RSAPSSPSS_SIG_ALG => 12,
- MLDSA65_SIG_ALG => 13
+ MLDSA65_SIG_ALG => 13,
+ LARGE_NUM_SIG_ALGS => 14
};
srand(70);
#Test 1: Default sig algs should succeed
$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 27;
+plan tests => 28;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
skip "TLSv1.3 disabled", 7
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
- $proxy->filter(\&sigalgs_filter);
+ $proxy->filter(\&modify_sigalgs_filter);
#Test 2: Sending no sig algs extension in TLSv1.3 should fail
$proxy->clear();
SKIP: {
skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec");
- $proxy->filter(\&sigalgs_filter);
+ $proxy->filter(\&modify_sigalgs_filter);
#Test 11: Sending no sig algs extension in TLSv1.2 will make it use
# SHA1, which is only supported at security level 0.
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
- $proxy->filter(\&sigalgs_filter);
+ $proxy->filter(\&modify_sigalgs_filter);
#Test 20: No sig algs extension, ECDSA cert, will use SHA1,
# TLSv1.2 should succeed at security level 0
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->clientflags("-tls1_3");
- $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->filter(\&examine_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
- $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->filter(\&examine_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"backwards compatible sigalg sent for compat ClientHello");
}
SKIP: {
- skip "TLSv1.3 disabled", 5
+ skip "TLSv1.3 disabled", 6
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 23: Insert signature_algorithms_cert that match normal sigalgs
$testtype = SIGALGS_CERT_ALL;
$testtype = UNRECOGNIZED_SIGALG;
$proxy->start();
ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
+
+ #Test 28: Insert large number of sig algs. We should ignore any beyond our
+ # limit but the handshake should still complete successfully.
+ $testtype = LARGE_NUM_SIG_ALGS;
+ $proxy->clear();
+ $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Large number of sigalgs");
}
-sub sigalgs_filter
+sub modify_sigalgs_filter
{
my $proxy = shift;
} elsif ($testtype == NO_PSS_SIG_ALGS) {
#No PSS sig algs - just send rsa_pkcs1_sha256
$sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
+ } elsif ($testtype == LARGE_NUM_SIG_ALGS) {
+ #Send 129 sig algs to test that we correctly ignore those
+ #beyond our limit of 128
+ $sigalg = pack "C260", 0x01, 0x02,
+ 0x08, 0x04, # rsa_pss_rsae_sha256
+ (0xfe, 0x00) x 128; # invalid/reserved sigalg codepoint
} else {
#PSS sig algs only - just send rsa_pss_rsae_sha256
$sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
}
}
-sub modify_sigalgs_filter
+sub examine_sigalgs_filter
{
my $proxy = shift;
projects / thirdparty / openssl.git / commitdiff
