File openssl-CVE-2020-1967-test1.patch of Package openssl-1_1.28463

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-CVE-2020-1967-test1.patch of Package openssl-1_1.28463

@@ -, +, @@ 
---
 test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 2 deletions(-)
Index: openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t
===================================================================
--- openssl-1.1.1d.orig/test/recipes/70-test_sslsigalgs.t
+++ openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t
@@ -44,7 +44,9 @@ use constant {
     COMPAT_SIGALGS => 6,
     SIGALGS_CERT_ALL => 7,
     SIGALGS_CERT_PKCS => 8,
-    SIGALGS_CERT_INVALID => 9
+    SIGALGS_CERT_INVALID => 9,
+    UNRECOGNIZED_SIGALGS_CERT => 4,
+    UNRECOGNIZED_SIGALG => 5
 };
 
 #Note: Throughout this test we override the default ciphersuites where TLSv1.2
@@ -53,7 +55,7 @@ use constant {
 
 #Test 1: Default sig algs should succeed
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 22;
+plan tests => 24;
 ok(TLSProxy::Message->success, "Default sigalgs");
 my $testtype;
 
@@ -261,6 +263,39 @@ SKIP: {
     ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
 }
 
+SKIP: {
+    skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
+    #Test 25: Send an unrecognized signature_algorithms_cert
+    #        We should be able to skip over the unrecognized value and use a
+    #        valid one that appears later in the list.
+    $proxy->clear();
+    $proxy->filter(\&inject_unrecognized_sigalg);
+    $proxy->clientflags("-tls1_3");
+    # Use -xcert to get SSL_check_chain() to run in the cert_cb.  This is
+    # needed to trigger (e.g.) CVE-2020-1967
+    $proxy->serverflags("" .
+            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
+            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+    $testtype = UNRECOGNIZED_SIGALGS_CERT;
+    $proxy->start();
+    ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");
+
+    #Test 26: Send an unrecognized signature_algorithms
+    #        We should be able to skip over the unrecognized value and use a
+    #        valid one that appears later in the list.
+    $proxy->clear();
+    $proxy->filter(\&inject_unrecognized_sigalg);
+    $proxy->clientflags("-tls1_3");
+    $proxy->serverflags("" .
+            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
+            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+    $testtype = UNRECOGNIZED_SIGALG;
+    $proxy->start();
+    ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
+}
+
 
 
 sub sigalgs_filter
@@ -406,3 +441,30 @@ sub modify_cert_verify_sigalg
         }
     }
 }
+
+sub inject_unrecognized_sigalg
+{
+    my $proxy = shift;
+    my $type;
+
+    # We're only interested in the initial ClientHello
+    if ($proxy->flight != 0) {
+        return;
+    }
+    if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
+        $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
+    } elsif ($testtype == UNRECOGNIZED_SIGALG) {
+        $type = TLSProxy::Message::EXT_SIG_ALGS;
+    } else {
+        return;
+    }
+
+    my $ext = pack "C8",
+        0x00, 0x06, #Extension length
+        0x18, 0x18, #unallocated
+        0x04, 0x01, #rsa_pkcs1_sha256
+        0x08, 0x04; #rsa_pss_rsae_sha256;
+    my $message = ${$proxy->message_list}[0];
+    $message->set_extension($type, $ext);
+    $message->repack;
+}

Places

File openssl-CVE-2020-1967-test1.patch of Package openssl-1_1.28463

Places