Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP2
openssl-1_1.22323
openssl-CVE-2020-1967-test1.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2020-1967-test1.patch of Package openssl-1_1.22323
@@ -, +, @@ --- test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) Index: openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t =================================================================== --- openssl-1.1.1d.orig/test/recipes/70-test_sslsigalgs.t +++ openssl-1.1.1d/test/recipes/70-test_sslsigalgs.t @@ -44,7 +44,9 @@ use constant { COMPAT_SIGALGS => 6, SIGALGS_CERT_ALL => 7, SIGALGS_CERT_PKCS => 8, - SIGALGS_CERT_INVALID => 9 + SIGALGS_CERT_INVALID => 9, + UNRECOGNIZED_SIGALGS_CERT => 4, + UNRECOGNIZED_SIGALG => 5 }; #Note: Throughout this test we override the default ciphersuites where TLSv1.2 @@ -53,7 +55,7 @@ use constant { #Test 1: Default sig algs should succeed $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 22; +plan tests => 24; ok(TLSProxy::Message->success, "Default sigalgs"); my $testtype; @@ -261,6 +263,39 @@ SKIP: { ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); } +SKIP: { + skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); + #Test 25: Send an unrecognized signature_algorithms_cert + # We should be able to skip over the unrecognized value and use a + # valid one that appears later in the list. + $proxy->clear(); + $proxy->filter(\&inject_unrecognized_sigalg); + $proxy->clientflags("-tls1_3"); + # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is + # needed to trigger (e.g.) CVE-2020-1967 + $proxy->serverflags("" . + " -xcert " . srctop_file("test", "certs", "servercert.pem") . + " -xkey " . srctop_file("test", "certs", "serverkey.pem") . + " -xchain " . srctop_file("test", "certs", "rootcert.pem")); + $testtype = UNRECOGNIZED_SIGALGS_CERT; + $proxy->start(); + ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); + + #Test 26: Send an unrecognized signature_algorithms + # We should be able to skip over the unrecognized value and use a + # valid one that appears later in the list. + $proxy->clear(); + $proxy->filter(\&inject_unrecognized_sigalg); + $proxy->clientflags("-tls1_3"); + $proxy->serverflags("" . + " -xcert " . srctop_file("test", "certs", "servercert.pem") . + " -xkey " . srctop_file("test", "certs", "serverkey.pem") . + " -xchain " . srctop_file("test", "certs", "rootcert.pem")); + $testtype = UNRECOGNIZED_SIGALG; + $proxy->start(); + ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello"); +} + sub sigalgs_filter @@ -406,3 +441,30 @@ sub modify_cert_verify_sigalg } } } + +sub inject_unrecognized_sigalg +{ + my $proxy = shift; + my $type; + + # We're only interested in the initial ClientHello + if ($proxy->flight != 0) { + return; + } + if ($testtype == UNRECOGNIZED_SIGALGS_CERT) { + $type = TLSProxy::Message::EXT_SIG_ALGS_CERT; + } elsif ($testtype == UNRECOGNIZED_SIGALG) { + $type = TLSProxy::Message::EXT_SIG_ALGS; + } else { + return; + } + + my $ext = pack "C8", + 0x00, 0x06, #Extension length + 0x18, 0x18, #unallocated + 0x04, 0x01, #rsa_pkcs1_sha256 + 0x08, 0x04; #rsa_pss_rsae_sha256; + my $message = ${$proxy->message_list}[0]; + $message->set_extension($type, $ext); + $message->repack; +}
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor