Test for 64KB certificate chain limit

2020-06-07 17:53:52 +01:00 · 2020-06-07 17:53:52 +01:00 · 22a9a49bd4
parent 1803e8e7ad
commit 22a9a49bd4
2 changed files with 63 additions and 0 deletions
--- a/rustls/src/msgs/handshake_test.rs
+++ b/rustls/src/msgs/handshake_test.rs
@ -1158,3 +1158,30 @@ fn cannot_read_messagehash_from_network() {
    let enc = mh.get_encoding();
    assert!(HandshakeMessagePayload::read_bytes(&enc).is_none());
 }
+
+#[test]
+fn cannot_decode_huge_certificate() {
+    let mut buf = [ 0u8; 65 * 1024 ];
+    // exactly 64KB decodes fine
+    buf[0] = 0x0b;
+    buf[1] = 0x01;
+    buf[2] = 0x00;
+    buf[3] = 0x03;
+    buf[4] = 0x01;
+    buf[5] = 0x00;
+    buf[6] = 0x00;
+    buf[7] = 0x00;
+    buf[8] = 0xff;
+    buf[9] = 0xfd;
+    HandshakeMessagePayload::read_bytes(&buf)
+        .unwrap();
+
+    // however 64KB + 1 byte does not
+    buf[1] = 0x01;
+    buf[2] = 0x00;
+    buf[3] = 0x04;
+    buf[4] = 0x01;
+    buf[5] = 0x00;
+    buf[6] = 0x01;
+    assert!(HandshakeMessagePayload::read_bytes(&buf).is_none());
+}
--- a/rustls/src/msgs/hsjoiner.rs
+++ b/rustls/src/msgs/hsjoiner.rs
@ -241,4 +241,40 @@ mod tests {

        pop_eq(&expect, &mut hj);
    }
+
+    #[test]
+    fn test_rejoins_then_rejects_giant_certs() {
+        let mut hj = HandshakeJoiner::new();
+        let msg = Message {
+            typ: ContentType::Handshake,
+            version: ProtocolVersion::TLSv1_2,
+            payload: MessagePayload::new_opaque(b"\x0b\x01\x00\x04\x01\x00\x01\x00\xff\xfe".to_vec()),
+        };
+
+        assert_eq!(hj.want_message(&msg), true);
+        assert_eq!(hj.take_message(msg), Some(0));
+        assert_eq!(hj.is_empty(), false);
+
+        for _i in 0..8191 {
+            let msg = Message {
+                typ: ContentType::Handshake,
+                version: ProtocolVersion::TLSv1_2,
+                payload: MessagePayload::new_opaque(b"\x01\x02\x03\x04\x05\x06\x07\x08".to_vec()),
+            };
+
+            assert_eq!(hj.want_message(&msg), true);
+            assert_eq!(hj.take_message(msg), Some(0));
+            assert_eq!(hj.is_empty(), false);
+        }
+
+        // final 6 bytes
+        let msg = Message {
+            typ: ContentType::Handshake,
+            version: ProtocolVersion::TLSv1_2,
+            payload: MessagePayload::new_opaque(b"\x01\x02\x03\x04\x05\x06".to_vec()),
+        };
+
+        assert_eq!(hj.want_message(&msg), true);
+        assert_eq!(hj.take_message(msg), None);
+    }
 }