Google Git
Sign in
boringssl/boringssl.git/af3b8a990c9f3117fe19afb0cb9ba42ba34637f7^!/.
commit
af3b8a990c9f3117fe19afb0cb9ba42ba34637f7
[log]
author
Steven Valdez <svaldez@google.com>
Tue Nov 01 12:49:22 2016 -0400
committer
David Benjamin <davidben@google.com>
Tue Nov 01 17:28:02 2016 +0000
tree
a83114ef4464fa4f49793b279a7836a35bdfc763
parent
70aba26c757b933fe142bb4656d5a4d555601134 [diff]
Fix multiple PSK identity parsing.

Change-Id: I3b43e8eb04c111731acc4fc06677fef8da09a646
Reviewed-on: https://boringssl-review.googlesource.com/12020
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a265a2e..fffde09 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -1982,7 +1982,7 @@
       !CBS_get_u8_length_prefixed(&identity, &ke_modes) ||
       !CBS_get_u8_length_prefixed(&identity, &auth_modes) ||
       !CBS_get_u16_length_prefixed(&identity, &ticket) ||
-      CBS_len(&identity) != 0) {
+      CBS_len(contents) != 0) {
     *out_alert = SSL_AD_DECODE_ERROR;
     return 0;
   }

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index f910fa9..921b03b 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go

@@ -1052,6 +1052,10 @@
 	// the specified PSK identity index rather than the actual value.
 	SelectPSKIdentityOnResume uint16
 
+	// ExtraPSKIdentity, if true, causes the client to send an extra PSK
+	// identity.
+	ExtraPSKIdentity bool
+
 	// OmitServerHelloSignatureAlgorithms, if true, causes the server to omit the
 	// signature_algorithms extension in the ServerHello.
 	OmitServerHelloSignatureAlgorithms bool

diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 09c1c9a..16c5dbd 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go

@@ -260,6 +260,10 @@
 			}
 
 			hello.pskIdentities = []pskIdentity{psk}
+
+			if c.config.Bugs.ExtraPSKIdentity {
+				hello.pskIdentities = append(hello.pskIdentities, psk)
+			}
 		}
 
 		if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets {

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index a5c075c..cca437b 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -8783,6 +8783,18 @@
 		expectedError: ":PSK_IDENTITY_NOT_FOUND:",
 	})
 
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "TLS13-ExtraPSKIdentity",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			Bugs: ProtocolBugs{
+				ExtraPSKIdentity: true,
+			},
+		},
+		resumeSession: true,
+	})
+
 	// Test that unknown NewSessionTicket extensions are tolerated.
 	testCases = append(testCases, testCase{
 		name: "TLS13-CustomTicketExtension",