diff options
Diffstat (limited to 'src/bogo_shim')
| -rw-r--r-- | src/bogo_shim/bogo_shim.cpp | 45 | ||||
| -rw-r--r-- | src/bogo_shim/config.json | 14 |
2 files changed, 39 insertions, 20 deletions
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp index 3745bc4d8..16dc71fd9 100644 --- a/src/bogo_shim/bogo_shim.cpp +++ b/src/bogo_shim/bogo_shim.cpp @@ -132,6 +132,8 @@ std::string map_to_bogo_error(const std::string& e) { "Received a record that exceeds maximum size", ":ENCRYPTED_LENGTH_TOO_LONG:" }, { "Received unexpected record version in initial record", ":WRONG_VERSION_NUMBER:" }, { "Received unexpected record version", ":WRONG_VERSION_NUMBER:" }, + { "Received application data after connection closure", ":APPLICATION_DATA_ON_SHUTDOWN:" }, + { "Received handshake data after connection closure", ":NO_RENEGOTIATION:" }, { "Server certificate changed during renegotiation", ":SERVER_CERT_CHANGED:" }, { "Server changed its mind about extended master secret", ":RENEGOTIATION_EMS_MISMATCH:" }, { "Server changed its mind about secure renegotiation", ":RENEGOTIATION_MISMATCH:" }, @@ -1238,12 +1240,14 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks m_channel = channel; } + bool saw_close_notify() const { return m_got_close; } + void tls_emit_data(const uint8_t data[], size_t size) override { + shim_log("sending record of len " + std::to_string(size)); + if(m_is_datagram) { - shim_log("sending record of len " + std::to_string(size)); - std::vector<uint8_t> packet(size + 5); packet[0] = 'P'; @@ -1289,6 +1293,8 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks m_empty_records = 0; } + shim_log("Reflecting application_data len " + std::to_string(size)); + std::vector<uint8_t> buf(data, data + size); for(size_t i = 0; i != size; ++i) buf[i] ^= 0xFF; @@ -1361,13 +1367,21 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks void tls_alert(Botan::TLS::Alert alert) override { - shim_log("Got an alert " + alert.type_string()); + if(alert.is_fatal()) + shim_log("Got a fatal alert " + alert.type_string()); + else + shim_log("Got a warning alert " + alert.type_string()); if(alert.type() == Botan::TLS::Alert::RECORD_OVERFLOW) { shim_exit_with_error(":TLSV1_ALERT_RECORD_OVERFLOW:"); } + if(alert.type() == Botan::TLS::Alert::DECOMPRESSION_FAILURE) + { + shim_exit_with_error(":SSLV3_ALERT_DECOMPRESSION_FAILURE:"); + } + if(!alert.is_fatal()) { m_warning_alerts++; @@ -1377,11 +1391,16 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks if(alert.type() == Botan::TLS::Alert::CLOSE_NOTIFY) { - if(m_got_close == false) + if(m_got_close == false && !m_args.flag_set("shim-shuts-down")) { + shim_log("Sending return close notify"); m_channel->send_alert(alert); - m_got_close = true; } + m_got_close = true; + } + else if(alert.is_fatal()) + { + shim_exit_with_error("Unexpected fatal alert " + alert.type_string()); } } @@ -1466,7 +1485,10 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks } if(m_args.flag_set("shim-shuts-down")) + { + shim_log("Shim shutting down"); m_channel->close(); + } if(m_args.flag_set("write-different-record-sizes")) { @@ -1607,14 +1629,25 @@ int main(int /*argc*/, char* argv[]) break; } + shim_log("Got packet of " + std::to_string(got)); + if(args->flag_set("use-exporter-between-reads") && chan->is_active()) { chan->key_material_export("some label", "some context", 42); } - chan->received_data(buf.data(), got); + const size_t needed = chan->received_data(buf.data(), got); + + if(needed) + shim_log("Short read still need " + std::to_string(needed)); } } + if(args->flag_set("check-close-notify")) + { + if(!callbacks.saw_close_notify()) + throw Shim_Exception("Unexpected SSL_shutdown result: -1 != 1"); + } + if(args->option_used("expect-total-renegotiations")) { const size_t exp = args->get_int_opt("expect-total-renegotiations"); diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json index 905a7e8cd..ee488109f 100644 --- a/src/bogo_shim/config.json +++ b/src/bogo_shim/config.json @@ -88,11 +88,6 @@ "ALPNServer-SelectEmpty-*": "Botan treats empty ALPN from callback as a decline", - "ServerAuth-Verify-ECDSA-P521-SHA512-TLS12": "BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.", - "ServerAuth-Verify-ECDSA-SHA1-TLS12": "BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.", - "ClientAuth-Verify-ECDSA-P521-SHA512-TLS12": "BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.", - "ClientAuth-Verify-ECDSA-SHA1-TLS12": "BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.", - "AppDataAfterChangeCipherSpec-DTLS*": "BoringSSL DTLS drops out of order AppData, we reject", "Resume-Client-NoResume-TLS1-TLS11": "BoGo expects resumption attempt sends latest version", @@ -115,15 +110,6 @@ "DTLS-StrayRetransmitFinished-ClientFull": "Needs investigation", "DTLS-StrayRetransmitFinished-ServerResume": "Needs investigation", - "MixCompleteMessageWithFragments-DTLS": "Needs investigation", - "ReorderHandshakeFragments-Small-DTLS": "Needs investigation", - - "Shutdown-Shim-ApplicationData*": "Needs investigation", - "Shutdown-Shim-HelloRequest-CannotHandshake*": "Needs investigation", - "Shutdown-Shim-HelloRequest-Reject*": "Needs investigation", - "Shutdown-Shim-Renegotiate-Server-Forbidden*": "Needs investigation", - "Unclean-Shutdown": "Needs investigation", - "Unclean-Shutdown-Alert": "Needs investigation", "SRTP-Server-IgnoreMKI-*": "Non-empty MKI is rejected (bug)", |