]>
Commit | Line | Data |
---|---|---|
203b1cdf | 1 | #! /usr/bin/env perl |
a28d06f3 | 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. |
203b1cdf | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
203b1cdf MC |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; | |
11 | use OpenSSL::Test::Utils; | |
12 | use TLSProxy::Proxy; | |
13 | use File::Temp qw(tempfile); | |
14 | ||
15 | use constant { | |
16 | REVERSE_ORDER_VERSIONS => 1, | |
17 | UNRECOGNISED_VERSIONS => 2, | |
18 | NO_EXTENSION => 3, | |
19 | EMPTY_EXTENSION => 4, | |
54682aa3 | 20 | TLS1_1_AND_1_0_ONLY => 5, |
d8434cf8 MC |
21 | WITH_TLS1_4 => 6, |
22 | BAD_LEGACY_VERSION => 7 | |
203b1cdf MC |
23 | }; |
24 | ||
25 | my $testtype; | |
26 | ||
27 | my $test_name = "test_sslversions"; | |
28 | setup($test_name); | |
29 | ||
30 | plan skip_all => "TLSProxy isn't usable on $^O" | |
c5856878 | 31 | if $^O =~ /^(VMS)$/; |
203b1cdf MC |
32 | |
33 | plan skip_all => "$test_name needs the dynamic engine feature enabled" | |
34 | if disabled("engine") || disabled("dynamic-engine"); | |
35 | ||
36 | plan skip_all => "$test_name needs the sock feature enabled" | |
37 | if disabled("sock"); | |
38 | ||
39 | plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled" | |
a763ca11 MC |
40 | if disabled("tls1_3") |
41 | || (disabled("ec") && disabled("dh")) | |
42 | || disabled("tls1_2") | |
43 | || disabled("tls1_1"); | |
203b1cdf | 44 | |
203b1cdf MC |
45 | my $proxy = TLSProxy::Proxy->new( |
46 | undef, | |
47 | cmdstr(app(["openssl"]), display => 1), | |
48 | srctop_file("apps", "server.pem"), | |
49 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
50 | ); | |
51 | ||
52 | #We're just testing various negative and unusual scenarios here. ssltest with | |
433deaff | 53 | #02-protocol-version.cnf should check all the various combinations of normal |
203b1cdf MC |
54 | #version neg |
55 | ||
56 | #Test 1: An empty supported_versions extension should not succeed | |
57 | $testtype = EMPTY_EXTENSION; | |
58 | $proxy->filter(\&modify_supported_versions_filter); | |
59 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; | |
d8434cf8 | 60 | plan tests => 8; |
203b1cdf MC |
61 | ok(TLSProxy::Message->fail(), "Empty supported versions"); |
62 | ||
63 | #Test 2: supported_versions extension with no recognised versions should not | |
64 | #succeed | |
65 | $proxy->clear(); | |
66 | $testtype = UNRECOGNISED_VERSIONS; | |
67 | $proxy->start(); | |
68 | ok(TLSProxy::Message->fail(), "No recognised versions"); | |
69 | ||
70 | #Test 3: No supported versions extensions should succeed and select TLSv1.2 | |
71 | $proxy->clear(); | |
72 | $testtype = NO_EXTENSION; | |
73 | $proxy->start(); | |
74 | my $record = pop @{$proxy->record_list}; | |
75 | ok(TLSProxy::Message->success() | |
76 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2, | |
77 | "No supported versions extension"); | |
78 | ||
79 | #Test 4: No supported versions extensions should fail if only TLS1.3 available | |
80 | $proxy->clear(); | |
81 | $proxy->serverflags("-tls1_3"); | |
82 | $proxy->start(); | |
83 | ok(TLSProxy::Message->fail(), "No supported versions extension (only TLS1.3)"); | |
84 | ||
85 | #Test 5: supported versions extension with best version last should succeed | |
86 | #and select TLSv1.3 | |
87 | $proxy->clear(); | |
88 | $testtype = REVERSE_ORDER_VERSIONS; | |
89 | $proxy->start(); | |
90 | $record = pop @{$proxy->record_list}; | |
91 | ok(TLSProxy::Message->success() | |
2d729db2 | 92 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2 |
16abbd11 | 93 | && TLSProxy::Proxy->is_tls13(), |
203b1cdf MC |
94 | "Reverse order versions"); |
95 | ||
96 | #Test 6: no TLSv1.3 or TLSv1.2 version in supported versions extension, but | |
97 | #TLSv1.1 and TLSv1.0 are present. Should just use TLSv1.1 and succeed | |
98 | $proxy->clear(); | |
aba03ae5 KR |
99 | $proxy->clientflags("-cipher DEFAULT:\@SECLEVEL=0"); |
100 | $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); | |
54682aa3 | 101 | $testtype = TLS1_1_AND_1_0_ONLY; |
203b1cdf MC |
102 | $proxy->start(); |
103 | $record = pop @{$proxy->record_list}; | |
104 | ok(TLSProxy::Message->success() | |
105 | && $record->version() == TLSProxy::Record::VERS_TLS_1_1, | |
54682aa3 | 106 | "TLS1.1 and TLS1.0 in supported versions extension only"); |
203b1cdf | 107 | |
17d01b42 MC |
108 | #Test 7: TLS1.4 and TLS1.3 in supported versions. Should succeed and use TLS1.3 |
109 | $proxy->clear(); | |
110 | $testtype = WITH_TLS1_4; | |
111 | $proxy->start(); | |
112 | $record = pop @{$proxy->record_list}; | |
113 | ok(TLSProxy::Message->success() | |
2d729db2 | 114 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2 |
16abbd11 | 115 | && TLSProxy::Proxy->is_tls13(), |
17d01b42 MC |
116 | "TLS1.4 in supported versions extension"); |
117 | ||
d8434cf8 MC |
118 | #Test 8: Set the legacy version to SSLv3 with supported versions. Should fail |
119 | $proxy->clear(); | |
120 | $testtype = BAD_LEGACY_VERSION; | |
121 | $proxy->start(); | |
122 | ok(TLSProxy::Message->fail(), "Legacy version is SSLv3 with supported versions"); | |
123 | ||
203b1cdf MC |
124 | sub modify_supported_versions_filter |
125 | { | |
126 | my $proxy = shift; | |
127 | ||
b9647e34 MC |
128 | if ($proxy->flight == 1) { |
129 | # Change the ServerRandom so that the downgrade sentinel doesn't cause | |
130 | # the connection to fail | |
131 | my $message = ${$proxy->message_list}[1]; | |
132 | return if (!defined $message); | |
133 | ||
134 | $message->random("\0"x32); | |
135 | $message->repack(); | |
136 | return; | |
137 | } | |
138 | ||
203b1cdf MC |
139 | # We're only interested in the initial ClientHello |
140 | if ($proxy->flight != 0) { | |
141 | return; | |
142 | } | |
143 | ||
144 | foreach my $message (@{$proxy->message_list}) { | |
145 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { | |
146 | my $ext; | |
147 | if ($testtype == REVERSE_ORDER_VERSIONS) { | |
148 | $ext = pack "C5", | |
149 | 0x04, # Length | |
150 | 0x03, 0x03, #TLSv1.2 | |
35e742ec | 151 | 0x03, 0x04; #TLSv1.3 |
203b1cdf MC |
152 | } elsif ($testtype == UNRECOGNISED_VERSIONS) { |
153 | $ext = pack "C5", | |
154 | 0x04, # Length | |
155 | 0x04, 0x04, #Some unrecognised version | |
156 | 0x04, 0x03; #Another unrecognised version | |
54682aa3 | 157 | } elsif ($testtype == TLS1_1_AND_1_0_ONLY) { |
203b1cdf MC |
158 | $ext = pack "C5", |
159 | 0x04, # Length | |
160 | 0x03, 0x02, #TLSv1.1 | |
161 | 0x03, 0x01; #TLSv1.0 | |
17d01b42 MC |
162 | } elsif ($testtype == WITH_TLS1_4) { |
163 | $ext = pack "C5", | |
164 | 0x04, # Length | |
86ed2e1c | 165 | 0x03, 0x05, #TLSv1.4 |
35e742ec | 166 | 0x03, 0x04; #TLSv1.3 |
203b1cdf MC |
167 | } |
168 | if ($testtype == REVERSE_ORDER_VERSIONS | |
169 | || $testtype == UNRECOGNISED_VERSIONS | |
54682aa3 | 170 | || $testtype == TLS1_1_AND_1_0_ONLY |
17d01b42 | 171 | || $testtype == WITH_TLS1_4) { |
203b1cdf MC |
172 | $message->set_extension( |
173 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext); | |
174 | } elsif ($testtype == EMPTY_EXTENSION) { | |
175 | $message->set_extension( | |
176 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ""); | |
d8434cf8 | 177 | } elsif ($testtype == NO_EXTENSION) { |
203b1cdf MC |
178 | $message->delete_extension( |
179 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS); | |
d8434cf8 MC |
180 | } else { |
181 | # BAD_LEGACY_VERSION | |
182 | $message->client_version(TLSProxy::Record::VERS_SSL_3_0); | |
203b1cdf MC |
183 | } |
184 | ||
185 | $message->repack(); | |
186 | } | |
187 | } | |
188 | } |