diff options
| author | Matt Caswell <matt@openssl.org> | 2019-09-05 17:21:56 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-09-06 11:07:11 +0200 |
| commit | dc5bcb88d819de55eb37460c122e02fec91c6d86 (patch) | |
| tree | 2c55b0c48c950d7aba7a4e581e65683327a6b441 /util | |
| parent | Don't send a status_request extension in a CertificateRequest message (diff) | |
| download | openssl-dc5bcb88d819de55eb37460c122e02fec91c6d86.tar.xz openssl-dc5bcb88d819de55eb37460c122e02fec91c6d86.zip | |
Teach TLSProxy how to parse CertificateRequest messages
We also use this in test_tls13messages to check that the extensions we
expect to see in a CertificateRequest are there.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)
Diffstat (limited to 'util')
| -rw-r--r-- | util/perl/TLSProxy/CertificateRequest.pm | 105 | ||||
| -rw-r--r-- | util/perl/TLSProxy/Message.pm | 14 | ||||
| -rw-r--r-- | util/perl/TLSProxy/Proxy.pm | 1 | ||||
| -rw-r--r-- | util/perl/checkhandshake.pm | 18 |
4 files changed, 131 insertions, 7 deletions
diff --git a/util/perl/TLSProxy/CertificateRequest.pm b/util/perl/TLSProxy/CertificateRequest.pm new file mode 100644 index 0000000000..193bea168a --- /dev/null +++ b/util/perl/TLSProxy/CertificateRequest.pm @@ -0,0 +1,105 @@ +# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; + +package TLSProxy::CertificateRequest; + +use vars '@ISA'; +push @ISA, 'TLSProxy::Message'; + +sub new +{ + my $class = shift; + my ($server, + $data, + $records, + $startoffset, + $message_frag_lens) = @_; + + my $self = $class->SUPER::new( + $server, + TLSProxy::Message::MT_CERTIFICATE_REQUEST, + $data, + $records, + $startoffset, + $message_frag_lens); + + $self->{extension_data} = ""; + + return $self; +} + +sub parse +{ + my $self = shift; + my $ptr = 1; + + if (TLSProxy::Proxy->is_tls13()) { + my $request_ctx_len = unpack('C', $self->data); + my $request_ctx = substr($self->data, $ptr, $request_ctx_len); + $ptr += $request_ctx_len; + + my $extensions_len = unpack('n', substr($self->data, $ptr)); + $ptr += 2; + my $extension_data = substr($self->data, $ptr); + if (length($extension_data) != $extensions_len) { + die "Invalid extension length\n"; + } + my %extensions = (); + while (length($extension_data) >= 4) { + my ($type, $size) = unpack("nn", $extension_data); + my $extdata = substr($extension_data, 4, $size); + $extension_data = substr($extension_data, 4 + $size); + $extensions{$type} = $extdata; + } + $self->extension_data(\%extensions); + + print " Extensions Len:".$extensions_len."\n"; + } + # else parse TLSv1.2 version - we don't support that at the moment +} + +#Reconstruct the on-the-wire message data following changes +sub set_message_contents +{ + my $self = shift; + my $data; + my $extensions = ""; + + foreach my $key (keys %{$self->extension_data}) { + my $extdata = ${$self->extension_data}{$key}; + $extensions .= pack("n", $key); + $extensions .= pack("n", length($extdata)); + $extensions .= $extdata; + } + + $data = pack('n', length($extensions)); + $data .= $extensions; + $self->data($data); +} + +#Read/write accessors +sub extension_data +{ + my $self = shift; + if (@_) { + $self->{extension_data} = shift; + } + return $self->{extension_data}; +} +sub set_extension +{ + my ($self, $ext_type, $ext_data) = @_; + $self->{extension_data}{$ext_type} = $ext_data; +} +sub delete_extension +{ + my ($self, $ext_type) = @_; + delete $self->{extension_data}{$ext_type}; +} +1; diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm index bc5561c892..4780302a51 100644 --- a/util/perl/TLSProxy/Message.pm +++ b/util/perl/TLSProxy/Message.pm @@ -129,6 +129,11 @@ use constant { CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302 }; +use constant { + CLIENT => 0, + SERVER => 1 +}; + my $payload = ""; my $messlen = -1; my $mt; @@ -338,6 +343,15 @@ sub create_message [@message_frag_lens] ); $message->parse(); + } elsif ($mt == MT_CERTIFICATE_REQUEST) { + $message = TLSProxy::CertificateRequest->new( + $server, + $data, + [@message_rec_list], + $startoffset, + [@message_frag_lens] + ); + $message->parse(); } elsif ($mt == MT_CERTIFICATE_VERIFY) { $message = TLSProxy::CertificateVerify->new( $server, diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm index a583e636cd..f91d4a8994 100644 --- a/util/perl/TLSProxy/Proxy.pm +++ b/util/perl/TLSProxy/Proxy.pm @@ -19,6 +19,7 @@ use TLSProxy::ClientHello; use TLSProxy::ServerHello; use TLSProxy::EncryptedExtensions; use TLSProxy::Certificate; +use TLSProxy::CertificateRequest; use TLSProxy::CertificateVerify; use TLSProxy::ServerKeyExchange; use TLSProxy::NewSessionTicket; diff --git a/util/perl/checkhandshake.pm b/util/perl/checkhandshake.pm index 5e8e6d4416..a2ae24ee2a 100644 --- a/util/perl/checkhandshake.pm +++ b/util/perl/checkhandshake.pm @@ -116,7 +116,8 @@ sub checkhandshake($$$$) && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO && $message->mt() != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS - && $message->mt() != TLSProxy::Message::MT_CERTIFICATE); + && $message->mt() != TLSProxy::Message::MT_CERTIFICATE + && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST); next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE && !TLSProxy::Proxy::is_tls13(); @@ -124,7 +125,7 @@ sub checkhandshake($$$$) my $extchnum = 1; my $extshnum = 1; for (my $extloop = 0; - $extensions[$extloop][2] != 0; + $extensions[$extloop][3] != 0; $extloop++) { $extchnum = 2 if $extensions[$extloop][0] != TLSProxy::Message::MT_CLIENT_HELLO && TLSProxy::Proxy::is_tls13(); @@ -135,6 +136,7 @@ sub checkhandshake($$$$) next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO && $extshnum != $shnum; next if ($message->mt() != $extensions[$extloop][0]); + next if ($message->server() != $extensions[$extloop][2]); $numtests++; } $numtests++; @@ -182,7 +184,8 @@ sub checkhandshake($$$$) && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO && $message->mt() != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS - && $message->mt() != TLSProxy::Message::MT_CERTIFICATE); + && $message->mt() != TLSProxy::Message::MT_CERTIFICATE + && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST); next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE && !TLSProxy::Proxy::is_tls13(); @@ -197,7 +200,7 @@ sub checkhandshake($$$$) my $msgexts = $message->extension_data(); my $extchnum = 1; my $extshnum = 1; - for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0; + for (my $extloop = 0, $extcount = 0; $extensions[$extloop][3] != 0; $extloop++) { #In TLSv1.3 we can have two ClientHellos if there has been a #HelloRetryRequest, and they may have different extensions. Skip @@ -211,12 +214,13 @@ sub checkhandshake($$$$) next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO && $extshnum != $shnum; next if ($message->mt() != $extensions[$extloop][0]); - ok (($extensions[$extloop][2] & $exttype) == 0 + next if ($message->server() != $extensions[$extloop][2]); + ok (($extensions[$extloop][3] & $exttype) == 0 || defined ($msgexts->{$extensions[$extloop][1]}), "Extension presence check (Message: ".$message->mt() - ." Extension: ".($extensions[$extloop][2] & $exttype).", " + ." Extension: ".($extensions[$extloop][3] & $exttype).", " .$extloop.")"); - $extcount++ if (($extensions[$extloop][2] & $exttype) != 0); + $extcount++ if (($extensions[$extloop][3] & $exttype) != 0); } ok($extcount == keys %$msgexts, "Extensions count mismatch (" .$extcount.", ".(keys %$msgexts) |