Commit 68dd2e0025 for openssl.org
commit 68dd2e0025e5fa52ae65c02e127d6b7e314f3ebb
Author: Matt Caswell <matt@openssl.org>
Date: Tue Mar 3 13:59:58 2026 +0000
Add a test for a large number of sigalgs
Test that we correctly ignore large numbers of sigalgs
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 6 10:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30263)
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 904f7e6e61..c379b2045c 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -50,7 +50,8 @@ use constant {
UNRECOGNIZED_SIGALGS_CERT => 10,
UNRECOGNIZED_SIGALG => 11,
RSAPSSPSS_SIG_ALG => 12,
- MLDSA65_SIG_ALG => 13
+ MLDSA65_SIG_ALG => 13,
+ LARGE_NUM_SIG_ALGS => 14
};
srand(70);
@@ -72,7 +73,7 @@ sub randcase {
#Test 1: Default sig algs should succeed
$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 27;
+plan tests => 28;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
@@ -80,7 +81,7 @@ SKIP: {
skip "TLSv1.3 disabled", 7
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
- $proxy->filter(\&sigalgs_filter);
+ $proxy->filter(\&modify_sigalgs_filter);
#Test 2: Sending no sig algs extension in TLSv1.3 should fail
$proxy->clear();
@@ -174,7 +175,7 @@ SKIP: {
SKIP: {
skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec");
- $proxy->filter(\&sigalgs_filter);
+ $proxy->filter(\&modify_sigalgs_filter);
#Test 11: Sending no sig algs extension in TLSv1.2 will make it use
# SHA1, which is only supported at security level 0.
@@ -257,7 +258,7 @@ SKIP: {
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
- $proxy->filter(\&sigalgs_filter);
+ $proxy->filter(\&modify_sigalgs_filter);
#Test 20: No sig algs extension, ECDSA cert, will use SHA1,
# TLSv1.2 should succeed at security level 0
@@ -284,7 +285,7 @@ SKIP: {
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->clientflags("-tls1_3");
- $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->filter(\&examine_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
@@ -296,7 +297,7 @@ SKIP: {
$dsa_status = $sha1_status = $sha224_status = 0;
$proxy->clear();
$proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
- $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->filter(\&examine_sigalgs_filter);
$proxy->start();
ok($dsa_status && $sha1_status && $sha224_status,
"backwards compatible sigalg sent for compat ClientHello");
@@ -304,7 +305,7 @@ SKIP: {
}
SKIP: {
- skip "TLSv1.3 disabled", 5
+ skip "TLSv1.3 disabled", 6
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 23: Insert signature_algorithms_cert that match normal sigalgs
$testtype = SIGALGS_CERT_ALL;
@@ -356,9 +357,17 @@ SKIP: {
$testtype = UNRECOGNIZED_SIGALG;
$proxy->start();
ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
+
+ #Test 28: Insert large number of sig algs. We should ignore any beyond our
+ # limit but the handshake should still complete successfully.
+ $testtype = LARGE_NUM_SIG_ALGS;
+ $proxy->clear();
+ $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Large number of sigalgs");
}
-sub sigalgs_filter
+sub modify_sigalgs_filter
{
my $proxy = shift;
@@ -380,6 +389,12 @@ sub sigalgs_filter
} elsif ($testtype == NO_PSS_SIG_ALGS) {
#No PSS sig algs - just send rsa_pkcs1_sha256
$sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
+ } elsif ($testtype == LARGE_NUM_SIG_ALGS) {
+ #Send 129 sig algs to test that we correctly ignore those
+ #beyond our limit of 128
+ $sigalg = pack "C260", 0x01, 0x02,
+ 0x08, 0x04, # rsa_pss_rsae_sha256
+ (0xfe, 0x00) x 128; # invalid/reserved sigalg codepoint
} else {
#PSS sig algs only - just send rsa_pss_rsae_sha256
$sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
@@ -392,7 +407,7 @@ sub sigalgs_filter
}
}
-sub modify_sigalgs_filter
+sub examine_sigalgs_filter
{
my $proxy = shift;