From 5f7725dc581c7891cb41e725db50076d654511ba Mon Sep 17 00:00:00 2001 From: Ben Murphy Date: Mon, 26 Sep 2011 08:39:18 +0100 Subject: fix unknown ssl extension parsing by changing length from bits to bytes --- lib/ssl/src/ssl_handshake.erl | 6 +++- lib/ssl/test/Makefile | 5 +-- lib/ssl/test/ssl_handshake_SUITE.erl | 67 ++++++++++++++++++++++++++++++++++++ 3 files changed, 75 insertions(+), 3 deletions(-) create mode 100644 lib/ssl/test/ssl_handshake_SUITE.erl diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 453ea20f99..0ac1ba9d66 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -39,6 +39,8 @@ encode_handshake/2, init_hashes/0, update_hashes/2, decrypt_premaster_secret/2]). +-export([dec_hello_extensions/2]). + -type tls_handshake() :: #client_hello{} | #server_hello{} | #server_hello_done{} | #certificate{} | #certificate_request{} | #client_key_exchange{} | #finished{} | #certificate_verify{} | @@ -912,9 +914,11 @@ dec_hello_extensions(<>, Acc) -> +dec_hello_extensions(<>, Acc) -> dec_hello_extensions(Rest, Acc); %% Need this clause? +%% I don't think we need this clause anymore. It was previously catching parsing errors caused by the missing /binary. +%% Maybe we should be logging an error somewhere because we really should not be entering this clause. dec_hello_extensions(_, Acc) -> Acc. diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile index 5be07cad2c..922abea41b 100644 --- a/lib/ssl/test/Makefile +++ b/lib/ssl/test/Makefile @@ -35,8 +35,9 @@ VSN=$(GS_VSN) # ---------------------------------------------------- MODULES = \ - ssl_test_lib \ + ssl_test_lib \ ssl_basic_SUITE \ + ssl_handshake_SUITE \ ssl_packet_SUITE \ ssl_payload_SUITE \ ssl_to_openssl_SUITE \ @@ -45,7 +46,7 @@ MODULES = \ old_ssl_active_SUITE \ old_ssl_active_once_SUITE \ old_ssl_passive_SUITE \ - old_ssl_verify_SUITE \ + old_ssl_verify_SUITE \ old_ssl_peer_cert_SUITE \ old_ssl_misc_SUITE \ old_ssl_protocol_SUITE \ diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl new file mode 100644 index 0000000000..08c23b2d47 --- /dev/null +++ b/lib/ssl/test/ssl_handshake_SUITE.erl @@ -0,0 +1,67 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2008-2011. All Rights Reserved. +%% +%% The contents of this file are subject to the Erlang Public License, +%% Version 1.1, (the "License"); you may not use this file except in +%% compliance with the License. You should have received a copy of the +%% Erlang Public License along with this software. If not, it can be +%% retrieved online at http://www.erlang.org/. +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and limitations +%% under the License. +%% +%% %CopyrightEnd% +%% + +%% + +-module(ssl_handshake_SUITE). + +-compile(export_all). + +-include_lib("common_test/include/ct.hrl"). +-include("ssl_internal.hrl"). +-include("ssl_handshake.hrl"). + +suite() -> [{ct_hooks,[ts_install_cth]}]. + +all() -> [ + decode_hello_handshake, + decode_single_hello_extension_correctly, + decode_unknown_hello_extension_correctly]. + +decode_hello_handshake(_Config) -> + HelloPacket = <<16#02, 16#00, 16#00, + 16#44, 16#03, 16#03, 16#4e, 16#7f, 16#c1, 16#03, 16#35, + 16#c2, 16#07, 16#b9, 16#4a, 16#58, 16#af, 16#34, 16#07, + 16#a6, 16#7e, 16#ef, 16#52, 16#cb, 16#e0, 16#ea, 16#b7, + 16#aa, 16#47, 16#c8, 16#c2, 16#2c, 16#66, 16#fa, 16#f8, + 16#09, 16#42, 16#cf, 16#00, 16#c0, 16#30, 16#00, 16#00, + 16#1c, + 16#00, 16#0b, 16#00, 16#04, 16#03, 16#00, 16#01, 16#02, % ec_point_formats + 16#ff, 16#01, 16#00, 16#01, 16#00, %% renegotiate + 16#00, 16#23, + 16#00, 16#00, 16#33, 16#74, 16#00, 16#07, 16#06, 16#73, + 16#70, 16#64, 16#79, 16#2f, 16#32>>, + + {Records, _Buffer} = ssl_handshake:get_tls_handshake(HelloPacket, <<>>), + + {Hello, _Data} = hd(Records), + #renegotiation_info{renegotiated_connection = <<0>>} = Hello#server_hello.renegotiation_info. + +decode_single_hello_extension_correctly(_Config) -> + Renegotiation = <>, + Extensions = ssl_handshake:dec_hello_extensions(Renegotiation, []), + [{renegotiation_info,#renegotiation_info{renegotiated_connection = <<0>>}}] = Extensions. + + +decode_unknown_hello_extension_correctly(_Config) -> + FourByteUnknown = <<16#CA,16#FE, ?UINT16(4), 3, 0, 1, 2>>, + Renegotiation = <>, + Extensions = ssl_handshake:dec_hello_extensions(<>, []), + [{renegotiation_info,#renegotiation_info{renegotiated_connection = <<0>>}}] = Extensions. + -- cgit v1.2.3 From 9b7b4db9d7e5734f6c5c2193786c44cf1e273efb Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 27 Sep 2011 16:45:05 +0200 Subject: Both the SSLv3 and TLS 1.0/TLS 1.1 specifications require implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them. Data not following the protocol format for extensions will be ignored by the last dec_hello_extensions-clause. OTP-8596 --- lib/ssl/src/ssl_handshake.erl | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 0ac1ba9d66..f873a6a913 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -914,11 +914,12 @@ dec_hello_extensions(<>, Acc) -> dec_hello_extensions(Rest, Acc); -%% Need this clause? -%% I don't think we need this clause anymore. It was previously catching parsing errors caused by the missing /binary. -%% Maybe we should be logging an error somewhere because we really should not be entering this clause. +%% This theoretically should not happen if the protocol is followed, but if it does it is ignored. dec_hello_extensions(_, Acc) -> Acc. -- cgit v1.2.3