Test that the peers send at most one fatal alert
Duplicate alerts have happened, see
70c22888c1
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
parent
6dc9974547
commit
dd8e5a5732
4 changed files with 29 additions and 5 deletions
|
@ -82,7 +82,11 @@ handshake.
|
|||
- InternalError - some other error
|
||||
|
||||
* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
|
||||
`ssl_test_ctx.c` for known values.
|
||||
`ssl_test_ctx.c` for known values. Note: the expected alert is currently
|
||||
matched against the _last_ received alert (i.e., a fatal alert or a
|
||||
`close_notify`). Warning alert expectations are not yet supported. (A warning
|
||||
alert will not be correctly matched, if followed by a `close_notify` or
|
||||
another alert.)
|
||||
|
||||
* ExpectedProtocol - expected negotiated protocol. One of
|
||||
SSLv3, TLSv1, TLSv1.1, TLSv1.2.
|
||||
|
|
|
@ -41,6 +41,7 @@ void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result)
|
|||
*/
|
||||
typedef struct handshake_ex_data_st {
|
||||
int alert_sent;
|
||||
int num_fatal_alerts_sent;
|
||||
int alert_received;
|
||||
int session_ticket_do_not_call;
|
||||
ssl_servername_t servername;
|
||||
|
@ -71,6 +72,9 @@ static void info_cb(const SSL *s, int where, int ret)
|
|||
(HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx));
|
||||
if (where & SSL_CB_WRITE) {
|
||||
ex_data->alert_sent = ret;
|
||||
if (strcmp(SSL_alert_type_string(ret), "F") == 0
|
||||
|| strcmp(SSL_alert_desc_string(ret), "CN") == 0)
|
||||
ex_data->num_fatal_alerts_sent++;
|
||||
} else {
|
||||
ex_data->alert_received = ret;
|
||||
}
|
||||
|
@ -840,8 +844,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
|
|||
}
|
||||
err:
|
||||
ret->server_alert_sent = server_ex_data.alert_sent;
|
||||
ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent;
|
||||
ret->server_alert_received = client_ex_data.alert_received;
|
||||
ret->client_alert_sent = client_ex_data.alert_sent;
|
||||
ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent;
|
||||
ret->client_alert_received = server_ex_data.alert_received;
|
||||
ret->server_protocol = SSL_version(server.ssl);
|
||||
ret->client_protocol = SSL_version(client.ssl);
|
||||
|
|
|
@ -15,13 +15,17 @@
|
|||
typedef struct handshake_result {
|
||||
ssl_test_result_t result;
|
||||
/* These alerts are in the 2-byte format returned by the info_callback. */
|
||||
/* Alert sent by the client; 0 if no alert. */
|
||||
/* (Latest) alert sent by the client; 0 if no alert. */
|
||||
int client_alert_sent;
|
||||
/* Alert received by the server; 0 if no alert. */
|
||||
/* Number of fatal or close_notify alerts sent. */
|
||||
int client_num_fatal_alerts_sent;
|
||||
/* (Latest) alert received by the server; 0 if no alert. */
|
||||
int client_alert_received;
|
||||
/* Alert sent by the server; 0 if no alert. */
|
||||
/* (Latest) alert sent by the server; 0 if no alert. */
|
||||
int server_alert_sent;
|
||||
/* Alert received by the client; 0 if no alert. */
|
||||
/* Number of fatal or close_notify alerts sent. */
|
||||
int server_num_fatal_alerts_sent;
|
||||
/* (Latest) alert received by the client; 0 if no alert. */
|
||||
int server_alert_received;
|
||||
/* Negotiated protocol. On success, these should always match. */
|
||||
int server_protocol;
|
||||
|
|
|
@ -100,6 +100,16 @@ static int check_alerts(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (result->client_num_fatal_alerts_sent > 1) {
|
||||
fprintf(stderr, "Client sent %d fatal alerts.\n",
|
||||
result->client_num_fatal_alerts_sent);
|
||||
return 0;
|
||||
}
|
||||
if (result->server_num_fatal_alerts_sent > 1) {
|
||||
fprintf(stderr, "Server sent %d alerts.\n",
|
||||
result->server_num_fatal_alerts_sent);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue