Merge pull request #10443 from anhu/protonamelist
Enforce only 1 protocolname in serverhello
@@ -2030,6 +2030,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length,
word16 size = 0, offset = 0, wlen;
int r = WC_NO_ERR_TRACE(BUFFER_ERROR);
const byte *s;
word16 entryCount = 0;
if (OPAQUE16_LEN > length)
return BUFFER_ERROR;
@@ -2046,6 +2047,15 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length,
wlen = *s++;
if (wlen == 0 || (s + wlen - input) > length)
return BUFFER_ERROR;
entryCount++;
}
/* RFC 7301 Section 3.1: the server's ProtocolNameList in its ALPN
* response MUST contain exactly one ProtocolName. */
if (!isRequest && entryCount != 1) {
SendAlert(ssl, alert_fatal, decode_error);
WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
return BUFFER_ERROR;
}
if (isRequest) {
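Review bot: The new `entryCount != 1` rejection reports the RFC 7301 violation as BUFFER_ERROR, the same code the length checks earlier in the loop return, so a caller or a log reader cannot distinguish a truncated list from a well-formed list with the wrong number of entries; a dedicated error code, or at least a `WOLFSSL_MSG("ALPN response must carry exactly one ProtocolName");` before the return, would make the failure diagnosable. The decode_error alert fits a structurally valid but non-conforming ServerHello. Whether the caller also emits an alert when this function returns BUFFER_ERROR is not visible here; if it does, this path would send two alerts, which is worth confirming against TLSX_Parse. TLSX_ALPN_ParseAndSet begins and ends outside the hunk, and this is the only hunk in the file that needs the change.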
@@ -35137,6 +35137,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_TLSX_SNI_GetSize_overflow),
TEST_DECL(test_TLSX_ECH_msg_type_validation),
TEST_DECL(test_TLSX_SRTP_msg_type_validation),
TEST_DECL(test_TLSX_ALPN_server_response_count),
TEST_DECL(test_wolfSSL_wolfSSL_UseSecureRenegotiation),
TEST_DECL(test_wolfSSL_clear_secure_renegotiation),
TEST_DECL(test_wolfSSL_SCR_Reconnect),
@@ -1033,3 +1033,41 @@ int test_TLSX_SRTP_msg_type_validation(void)
#endif
return EXPECT_RESULT();
}
/* RFC 7301 Section 3.1: the server's ProtocolNameList in its ALPN response
* MUST contain exactly one ProtocolName. A ServerHello carrying two entries
* must be rejected rather than silently accepted. */
int test_TLSX_ALPN_server_response_count(void)
{
EXPECT_DECLS;
#if defined(HAVE_ALPN) && !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) && \
!defined(WOLFSSL_NO_TLS12)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL* ssl = NULL;
/* ServerHello-style ALPN extension whose ProtocolNameList contains
* two entries ("h2" and "http/1.1"). */
static const byte extBytes[] = {
0x00, 0x10, /* extension type = ALPN (16) */
0x00, 0x0E, /* extension length = 14 */
0x00, 0x0C, /* ProtocolNameList length */
0x02, 'h', '2', /* entry 1: "h2" */
0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' /* entry 2 */
};
static char alpn_h2[] = "h2";
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectIntEQ(wolfSSL_UseALPN(ssl, alpn_h2, (unsigned int)XSTRLEN(alpn_h2),
WOLFSSL_ALPN_FAILED_ON_MISMATCH),
WOLFSSL_SUCCESS);
ExpectIntEQ(TLSX_Parse(ssl, extBytes, (word16)sizeof(extBytes),
server_hello, NULL),
WC_NO_ERR_TRACE(BUFFER_ERROR));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
#endif
return EXPECT_RESULT();
}
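Review bot: test_TLSX_ALPN_server_response_count pins only the two-entry rejection, so a regression that rejects every server ALPN response (for example an inverted `entryCount` comparison) or one that accepts an empty ProtocolNameList would still pass. A second byte array with a single `h2` entry asserted to parse successfully, and a third with ProtocolNameList length 0 asserted to return BUFFER_ERROR, would cover both edges of the `!= 1` check; each is the same fixture shape with the lengths at offsets 2 and 4 adjusted, and the expected negotiated protocol could be checked with wolfSSL_ALPN_GetProtocol in the positive case. The `#if` guard tying the test to TLS 1.2 is reasonable given wolfTLSv1_2_client_method, but the server-side ALPN response in TLS 1.3 arrives in EncryptedExtensions and is not exercised here, which is worth noting in the comment above the function.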
@@ -36,5 +36,6 @@ int test_TLSX_TCA_Find(void);
int test_TLSX_SNI_GetSize_overflow(void);
int test_TLSX_ECH_msg_type_validation(void);
int test_TLSX_SRTP_msg_type_validation(void);
int test_TLSX_ALPN_server_response_count(void);
#endif /* TESTS_API_TEST_TLS_EMS_H */