[openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Fri Sep 6 09:16:52 UTC 2019


The branch OpenSSL_1_1_1-stable has been updated
       via  6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f (commit)
       via  f8affa299534532b42b09eac5457f8bbf5216941 (commit)
      from  5d16346679d72a4770ec01508ead7f61cf7cbf34 (commit)


- Log -----------------------------------------------------------------
commit 6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Sep 5 16:21:56 2019 +0100

    Teach TLSProxy how to parse CertificateRequest messages
    
    We also use this in test_tls13messages to check that the extensions we
    expect to see in a CertificateRequest are there.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/9780)
    
    (cherry picked from commit dc5bcb88d819de55eb37460c122e02fec91c6d86)

commit f8affa299534532b42b09eac5457f8bbf5216941
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Sep 5 16:43:57 2019 +0100

    Don't send a status_request extension in a CertificateRequest message
    
    If a TLSv1.3 server configured to respond to the status_request extension
    also attempted to send a CertificateRequest then it was incorrectly
    inserting a non zero length status_request extension into that message.
    
    The TLSv1.3 RFC does allow that extension in that message but it must
    always be zero length.
    
    In fact we should not be sending the extension at all in that message
    because we don't support it.
    
    Fixes #9767
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/9780)
    
    (cherry picked from commit debb64a0ca43969eb3f043aa8895a4faa7f12b6e)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions_srvr.c                       |  4 +
 test/recipes/70-test_sslmessages.t                 | 25 +++++-
 test/recipes/70-test_tls13kexmodes.t               | 36 ++++++++-
 test/recipes/70-test_tls13messages.t               | 89 +++++++++++++++++-----
 ...ncryptedExtensions.pm => CertificateRequest.pm} | 49 ++++++------
 util/perl/TLSProxy/Message.pm                      | 14 ++++
 util/perl/TLSProxy/Proxy.pm                        |  1 +
 util/perl/checkhandshake.pm                        | 18 +++--
 8 files changed, 183 insertions(+), 53 deletions(-)
 copy util/perl/TLSProxy/{EncryptedExtensions.pm => CertificateRequest.pm} (60%)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index ff4287c584..ab5453f63e 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
                                              unsigned int context, X509 *x,
                                              size_t chainidx)
 {
+    /* We don't currently support this extension inside a CertificateRequest */
+    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+        return EXT_RETURN_NOT_SENT;
+
     if (!s->ext.status_expected)
         return EXT_RETURN_NOT_SENT;
 
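Review bot: The comment added at the top of tls_construct_stoc_status_request says only that the extension is unsupported in a CertificateRequest and omits the protocol rule that makes the early return necessary. The commit message records that the TLSv1.3 RFC allows status_request in that message only with a zero-length body, and that belongs next to the check. For example: `/* TLSv1.3 allows status_request in a CertificateRequest only with an empty body; we don't support it there, so never send it */`. The rest of the function body lies outside this hunk.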
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index 1e4676973a..5ee99feab8 100644
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -95,58 +95,81 @@ my $proxy = TLSProxy::Proxy->new(
 
 @extensions = (
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     (disabled("ec") ? () :
                       [TLSProxy::Message::MT_CLIENT_HELLO,
                        TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+                       TLSProxy::Message::CLIENT,
                        checkhandshake::DEFAULT_EXTENSIONS]),
     (disabled("ec") ? () :
                       [TLSProxy::Message::MT_CLIENT_HELLO,
                        TLSProxy::Message::EXT_EC_POINT_FORMATS,
+                       TLSProxy::Message::CLIENT,
                        checkhandshake::DEFAULT_EXTENSIONS]),
     (disabled("tls1_2") ? () :
      [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
          checkhandshake::DEFAULT_EXTENSIONS]),
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::RENEGOTIATE_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::NPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SRP_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::SERVER,
         checkhandshake::SESSION_TICKET_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::SERVER,
         checkhandshake::SERVER_NAME_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::SERVER,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::SERVER,
         checkhandshake::ALPN_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::SERVER,
         checkhandshake::SCT_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
+        TLSProxy::Message::SERVER,
         checkhandshake::NPN_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::SERVER,
         checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
-    [0,0,0]
+    [0,0,0,0]
 );
 
 #Test 1: Check we get all the right messages for a default handshake
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index 716e260e5f..e5fcf8e271 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -62,78 +62,112 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 
 @extensions = (
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_KEX_MODES_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::KEY_SHARE_HRR_EXTENSION],
 
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_KEX_MODES_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::KEY_SHARE_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::SERVER,
         checkhandshake::PSK_SRV_EXTENSION],
 
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::SERVER,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
-    [0,0,0]
+    [0,0,0,0]
 );
 
 use constant {
diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index be6a2db5d6..435fef57c6 100644
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -62,92 +62,136 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 
 @extensions = (
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
+        TLSProxy::Message::CLIENT,
         checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::KEY_SHARE_HRR_EXTENSION],
 
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
+        TLSProxy::Message::CLIENT,
         checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::SERVER,
         checkhandshake::PSK_SRV_EXTENSION],
 
     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::SERVER,
         checkhandshake::SERVER_NAME_SRV_EXTENSION],
     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::SERVER,
         checkhandshake::ALPN_SRV_EXTENSION],
     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::SERVER,
         checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],
 
+    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::SERVER,
+        checkhandshake::DEFAULT_EXTENSIONS],
+
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::SERVER,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::SERVER,
         checkhandshake::SCT_SRV_EXTENSION],
 
-    [0,0,0]
+    [0,0,0,0]
 );
 
 my $proxy = TLSProxy::Proxy->new(
@@ -163,7 +207,7 @@ $proxy->serverconnects(2);
 $proxy->clientflags("-sess_out ".$session);
 $proxy->sessionfile($session);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 16;
+plan tests => 17;
 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                checkhandshake::DEFAULT_EXTENSIONS,
                "Default handshake test");
@@ -179,7 +223,7 @@ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
                "Resumption handshake test");
 
 SKIP: {
-    skip "No OCSP support in this OpenSSL build", 3
+    skip "No OCSP support in this OpenSSL build", 4
         if disabled("ct") || disabled("ec") || disabled("ocsp");
     #Test 3: A status_request handshake (client request only)
     $proxy->clear();
@@ -210,9 +254,23 @@ SKIP: {
                    | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                    | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                    "status_request handshake test");
+
+    #Test 6: A status_request handshake (client and server) with client auth
+    $proxy->clear();
+    $proxy->clientflags("-status -enable_pha -cert "
+                        .srctop_file("apps", "server.pem"));
+    $proxy->serverflags("-Verify 5 -status_file "
+                        .srctop_file("test", "recipes", "ocsp-response.der"));
+    $proxy->start();
+    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
+                   checkhandshake::DEFAULT_EXTENSIONS
+                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
+                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
+                   "status_request handshake with client auth test");
 }
 
-#Test 6: A client auth handshake
+#Test 7: A client auth handshake
 $proxy->clear();
 $proxy->clientflags("-enable_pha -cert ".srctop_file("apps", "server.pem"));
 $proxy->serverflags("-Verify 5");
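Review bot: Test 6 does not say that it is the regression test for the status_request-in-CertificateRequest bug, nor how a failure would surface. In the table visible in this file the only MT_CERTIFICATE_REQUEST row is EXT_SIG_ALGS, so a stray status_request appears to be caught only by the "Extensions count mismatch" assertion in checkhandshake.pm, not by a dedicated check. A comment above `$proxy->clear();` would make that explicit, such as `#Regression test for #9767: the CertificateRequest must carry sig_algs only, a status_request there fails the extension count check`.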
@@ -222,7 +280,7 @@ checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                "Client auth handshake test");
 
-#Test 7: Server name handshake (no client request)
+#Test 8: Server name handshake (no client request)
 $proxy->clear();
 $proxy->clientflags("-noservername");
 $proxy->start();
@@ -231,7 +289,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
                "Server name handshake test (client)");
 
-#Test 8: Server name handshake (server support only)
+#Test 9: Server name handshake (server support only)
 $proxy->clear();
 $proxy->clientflags("-noservername");
 $proxy->serverflags("-servername testhost");
@@ -241,7 +299,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
                "Server name handshake test (server)");
 
-#Test 9: Server name handshake (client and server)
+#Test 10: Server name handshake (client and server)
 $proxy->clear();
 $proxy->clientflags("-servername testhost");
 $proxy->serverflags("-servername testhost");
@@ -251,7 +309,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                | checkhandshake::SERVER_NAME_SRV_EXTENSION,
                "Server name handshake test");
 
-#Test 10: ALPN handshake (client request only)
+#Test 11: ALPN handshake (client request only)
 $proxy->clear();
 $proxy->clientflags("-alpn test");
 $proxy->start();
@@ -260,7 +318,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                | checkhandshake::ALPN_CLI_EXTENSION,
                "ALPN handshake test (client)");
 
-#Test 11: ALPN handshake (server support only)
+#Test 12: ALPN handshake (server support only)
 $proxy->clear();
 $proxy->serverflags("-alpn test");
 $proxy->start();
@@ -268,7 +326,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                checkhandshake::DEFAULT_EXTENSIONS,
                "ALPN handshake test (server)");
 
-#Test 12: ALPN handshake (client and server)
+#Test 13: ALPN handshake (client and server)
 $proxy->clear();
 $proxy->clientflags("-alpn test");
 $proxy->serverflags("-alpn test");
@@ -283,7 +341,7 @@ SKIP: {
     skip "No CT, EC or OCSP support in this OpenSSL build", 1
         if disabled("ct") || disabled("ec") || disabled("ocsp");
 
-    #Test 13: SCT handshake (client request only)
+    #Test 14: SCT handshake (client request only)
     $proxy->clear();
     #Note: -ct also sends status_request
     $proxy->clientflags("-ct");
@@ -300,10 +358,7 @@ SKIP: {
                    "SCT handshake test");
 }
 
-
-
-
-#Test 14: HRR Handshake
+#Test 15: HRR Handshake
 $proxy->clear();
 $proxy->serverflags("-curves P-256");
 $proxy->start();
@@ -312,7 +367,7 @@ checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
                | checkhandshake::KEY_SHARE_HRR_EXTENSION,
                "HRR handshake test");
 
-#Test 15: Resumption handshake with HRR
+#Test 16: Resumption handshake with HRR
 $proxy->clear();
 $proxy->clientflags("-sess_in ".$session);
 $proxy->serverflags("-curves P-256");
@@ -324,7 +379,7 @@ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
                 | checkhandshake::PSK_SRV_EXTENSION),
                "Resumption handshake with HRR test");
 
-#Test 16: Acceptable but non preferred key_share
+#Test 17: Acceptable but non preferred key_share
 $proxy->clear();
 $proxy->clientflags("-curves P-256");
 $proxy->start();
diff --git a/util/perl/TLSProxy/EncryptedExtensions.pm b/util/perl/TLSProxy/CertificateRequest.pm
similarity index 60%
copy from util/perl/TLSProxy/EncryptedExtensions.pm
copy to util/perl/TLSProxy/CertificateRequest.pm
index 262b720cf6..193bea168a 100644
--- a/util/perl/TLSProxy/EncryptedExtensions.pm
+++ b/util/perl/TLSProxy/CertificateRequest.pm
@@ -1,13 +1,13 @@
-# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
 #
-# Licensed under the OpenSSL license (the "License").  You may not use
+# Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
 
 use strict;
 
-package TLSProxy::EncryptedExtensions;
+package TLSProxy::CertificateRequest;
 
 use vars '@ISA';
 push @ISA, 'TLSProxy::Message';
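Review bot: The header of the new CertificateRequest.pm names the Apache License 2.0 and a 2016 copyright, while the file it is copied from on this branch carries the OpenSSL license and 2016-2019. This looks as if it came over unchanged with the cherry-pick from master. If the 1.1.1 branch is still under the OpenSSL license, the line should stay `# Licensed under the OpenSSL license (the "License").  You may not use`, and the year should reflect when the file was created. The file also has `use strict;` without `use warnings;`, which would otherwise report the undef values a truncated message produces in parse().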
@@ -23,7 +23,7 @@ sub new
 
     my $self = $class->SUPER::new(
         $server,
-        TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
+        TLSProxy::Message::MT_CERTIFICATE_REQUEST,
         $data,
         $records,
         $startoffset,
@@ -37,36 +37,31 @@ sub new
 sub parse
 {
     my $self = shift;
+    my $ptr = 1;
 
-    my $extensions_len = unpack('n', $self->data);
-    if (!defined $extensions_len) {
-        $extensions_len = 0;
-    }
-
-    my $extension_data;
-    if ($extensions_len != 0) {
-        $extension_data = substr($self->data, 2);
+    if (TLSProxy::Proxy->is_tls13()) {
+        my $request_ctx_len = unpack('C', $self->data);
+        my $request_ctx = substr($self->data, $ptr, $request_ctx_len);
+        $ptr += $request_ctx_len;
 
+        my $extensions_len = unpack('n', substr($self->data, $ptr));
+        $ptr += 2;
+        my $extension_data = substr($self->data, $ptr);
         if (length($extension_data) != $extensions_len) {
             die "Invalid extension length\n";
         }
-    } else {
-        if (length($self->data) != 2) {
-            die "Invalid extension length\n";
+        my %extensions = ();
+        while (length($extension_data) >= 4) {
+            my ($type, $size) = unpack("nn", $extension_data);
+            my $extdata = substr($extension_data, 4, $size);
+            $extension_data = substr($extension_data, 4 + $size);
+            $extensions{$type} = $extdata;
         }
-        $extension_data = "";
-    }
-    my %extensions = ();
-    while (length($extension_data) >= 4) {
-        my ($type, $size) = unpack("nn", $extension_data);
-        my $extdata = substr($extension_data, 4, $size);
-        $extension_data = substr($extension_data, 4 + $size);
-        $extensions{$type} = $extdata;
-    }
-
-    $self->extension_data(\%extensions);
+        $self->extension_data(\%extensions);
 
-    print "    Extensions Len:".$extensions_len."\n";
+        print "    Extensions Len:".$extensions_len."\n";
+    }
+    # else parse TLSv1.2 version - we don't support that at the moment
 }
 
 #Reconstruct the on-the-wire message data following changes
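Review bot: parse() trusts every length field in the TLSv1.3 branch: the request-context length is never compared with the data available, and inside the loop `$size` is never compared with what is left of `$extension_data`. Because `substr` clamps silently, a truncated or overlong CertificateRequest is recorded as a shorter extension list instead of failing, which weakens the extension checks this proxy exists to perform. Leftover bytes shorter than an extension header are dropped the same way. `$request_ctx` is assigned but not used in the visible code. The sketch below adds the missing checks and keeps the existing `die` style.

```perl
    if (TLSProxy::Proxy->is_tls13()) {
        die "Truncated CertificateRequest\n" if length($self->data) < 1;
        my $request_ctx_len = unpack('C', $self->data);
        # The context plus the two-byte extensions length must fit in the message
        die "Invalid request context length\n"
            if length($self->data) < $ptr + $request_ctx_len + 2;
        $ptr += $request_ctx_len;

        # … unchanged: read extensions_len and compare it with the remaining data …
        while (length($extension_data) >= 4) {
            my ($type, $size) = unpack("nn", $extension_data);
            die "Invalid extension length\n"
                if length($extension_data) < 4 + $size;
            # … unchanged: slice out extdata, advance, store in %extensions …
        }
        die "Trailing data after extensions\n"
            if length($extension_data) != 0;
        # … unchanged: store extension_data and print the length …
```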
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index 5682ae3e15..10b6156074 100644
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -129,6 +129,11 @@ use constant {
     CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302
 };
 
+use constant {
+    CLIENT => 0,
+    SERVER => 1
+};
+
 my $payload = "";
 my $messlen = -1;
 my $mt;
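Review bot: The new CLIENT/SERVER constants carry no comment, yet checkhandshake.pm compares them numerically with `$message->server()`. That comparison only works if server() returns exactly 0 or 1, which this hunk does not show; any other true value for a server message would make every SERVER row in the extension tables be skipped. A comment above the block would document the coupling, such as `# Message sender; values must match what TLSProxy::Message::server() returns`.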
@@ -338,6 +343,15 @@ sub create_message
             [@message_frag_lens]
         );
         $message->parse();
+    } elsif ($mt == MT_CERTIFICATE_REQUEST) {
+        $message = TLSProxy::CertificateRequest->new(
+            $server,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+        $message->parse();
     } elsif ($mt == MT_CERTIFICATE_VERIFY) {
         $message = TLSProxy::CertificateVerify->new(
             $server,
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index f7bca02e58..71acaff9b4 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -19,6 +19,7 @@ use TLSProxy::ClientHello;
 use TLSProxy::ServerHello;
 use TLSProxy::EncryptedExtensions;
 use TLSProxy::Certificate;
+use TLSProxy::CertificateRequest;
 use TLSProxy::CertificateVerify;
 use TLSProxy::ServerKeyExchange;
 use TLSProxy::NewSessionTicket;
diff --git a/util/perl/checkhandshake.pm b/util/perl/checkhandshake.pm
index c53b96d5ee..07bf6608b3 100644
--- a/util/perl/checkhandshake.pm
+++ b/util/perl/checkhandshake.pm
@@ -116,7 +116,8 @@ sub checkhandshake($$$$)
                     && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO
                     && $message->mt() !=
                        TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS
-                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE);
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST);
 
             next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE
                     && !TLSProxy::Proxy::is_tls13();
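Review bot: MT_CERTIFICATE_REQUEST now passes this filter for every protocol version, but unlike MT_CERTIFICATE on the following line it has no `!TLSProxy::Proxy::is_tls13()` skip. TLSProxy::CertificateRequest::parse sets extension_data only in its TLSv1.3 branch, so for a TLSv1.2 CertificateRequest the later count check presumably relies on an unset extension_data behaving like an empty hash. If that is not intended, add `next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE_REQUEST && !TLSProxy::Proxy::is_tls13();` here and after the identical filter in the second pass (the hunk at -182). The enclosing checkhandshake sub starts and ends outside this hunk.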
@@ -124,7 +125,7 @@ sub checkhandshake($$$$)
             my $extchnum = 1;
             my $extshnum = 1;
             for (my $extloop = 0;
-                    $extensions[$extloop][2] != 0;
+                    $extensions[$extloop][3] != 0;
                     $extloop++) {
                 $extchnum = 2 if $extensions[$extloop][0] != TLSProxy::Message::MT_CLIENT_HELLO
                                  && TLSProxy::Proxy::is_tls13();
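Review bot: The table terminator is now read from column 3 by bare index, here and in the second loop (the hunk at -197), and the row layout is documented nowhere in the visible code. A table still written with three-element rows would end the loop at its first row, because an undef in column 3 compares equal to 0. A comment at the loop would make the contract explicit, such as `# Row layout: [message type, extension type, sender (CLIENT/SERVER), flag]; a flag of 0 ends the table`. Named constants for the four indices would remove the magic numbers altogether.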
@@ -135,6 +136,7 @@ sub checkhandshake($$$$)
                 next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO
                                  && $extshnum != $shnum;
                 next if ($message->mt() != $extensions[$extloop][0]);
+                next if ($message->server() != $extensions[$extloop][2]);
                 $numtests++;
             }
             $numtests++;
@@ -182,7 +184,8 @@ sub checkhandshake($$$$)
                     && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO
                     && $message->mt() !=
                        TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS
-                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE);
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST);
 
             next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE
                     && !TLSProxy::Proxy::is_tls13();
@@ -197,7 +200,7 @@ sub checkhandshake($$$$)
             my $msgexts = $message->extension_data();
             my $extchnum = 1;
             my $extshnum = 1;
-            for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0;
+            for (my $extloop = 0, $extcount = 0; $extensions[$extloop][3] != 0;
                                 $extloop++) {
                 #In TLSv1.3 we can have two ClientHellos if there has been a
                 #HelloRetryRequest, and they may have different extensions. Skip
@@ -211,12 +214,13 @@ sub checkhandshake($$$$)
                 next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO
                                  && $extshnum != $shnum;
                 next if ($message->mt() != $extensions[$extloop][0]);
-                ok (($extensions[$extloop][2] & $exttype) == 0
+                next if ($message->server() != $extensions[$extloop][2]);
+                ok (($extensions[$extloop][3] & $exttype) == 0
                       || defined ($msgexts->{$extensions[$extloop][1]}),
                     "Extension presence check (Message: ".$message->mt()
-                    ." Extension: ".($extensions[$extloop][2] & $exttype).", "
+                    ." Extension: ".($extensions[$extloop][3] & $exttype).", "
                     .$extloop.")");
-                $extcount++ if (($extensions[$extloop][2] & $exttype) != 0);
+                $extcount++ if (($extensions[$extloop][3] & $exttype) != 0);
             }
             ok($extcount == keys %$msgexts, "Extensions count mismatch ("
                                             .$extcount.", ".(keys %$msgexts)

