#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);

# Scenario tags for modify_supported_versions_filter: each one selects the
# shape of the supported_versions extension injected into the ClientHello.
# The active tag is held in $testtype (declared below).
use constant REVERSE_ORDER_VERSIONS => 1;  # TLSv1.2 listed before TLSv1.3
use constant UNRECOGNISED_VERSIONS  => 2;  # only unknown codepoints
use constant NO_EXTENSION           => 3;  # extension removed entirely
use constant EMPTY_EXTENSION        => 4;  # extension present, zero length
use constant TLS1_1_AND_1_0_ONLY    => 5;  # no TLSv1.2/1.3 entries
use constant WITH_TLS1_4            => 6;  # an unknown higher version first

# The scenario currently being exercised; read by the proxy filter on every
# flight, so it is a file-scoped lexical rather than an argument.
my $testtype;

my $test_name = "test_sslversions";
setup($test_name);

# Skips are ordered: platform first, then the build features the proxy and
# the version-negotiation cases depend on.
plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O eq 'VMS';

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled"
    if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1");

# NOTE(review): presumably masks CPU capability bits so the same code path is
# taken on every machine — confirm against the other TLSProxy recipes.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

my $openssl_cmd = cmdstr(app(["openssl"]), display => 1);
my $server_cert = srctop_file("apps", "server.pem");
# Verbose proxy output when run outside the harness, or when it asks for it.
my $debug       = !$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE};

my $proxy = TLSProxy::Proxy->new(undef, $openssl_cmd, $server_cert, $debug);

#We're just testing various negative and unusual scenarios here. ssltest with
#02-protocol-version.conf should check all the various combinations of normal
#version neg

# Reset the proxy, optionally switch the scenario ($testtype) and the server
# flags, then run one handshake. Each test inspects the outcome afterwards
# through TLSProxy::Message and the proxy's record list. Returns nothing.
sub _start_case
{
    my %opt = @_;

    $proxy->clear();
    $testtype = $opt{type} if exists $opt{type};
    $proxy->serverflags($opt{serverflags}) if exists $opt{serverflags};
    $proxy->start();
    return;
}

#Test 1: An empty supported_versions extension should not succeed
# Run by hand rather than via _start_case: the proxy has to come up before we
# commit to a test count, and failing to start is a skip, not a failure.
$testtype = EMPTY_EXTENSION;
$proxy->filter(\&modify_supported_versions_filter);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 7;
ok(TLSProxy::Message->fail(), "Empty supported versions");

#Test 2: supported_versions extension with no recognised versions should not
#succeed
_start_case(type => UNRECOGNISED_VERSIONS);
ok(TLSProxy::Message->fail(), "No recognised versions");

#Test 3: No supported versions extensions should succeed and select TLSv1.2
_start_case(type => NO_EXTENSION);
my $record = pop @{$proxy->record_list};
ok(TLSProxy::Message->success()
   && $record->version() == TLSProxy::Record::VERS_TLS_1_2,
   "No supported versions extension");

#Test 4: No supported versions extensions should fail if only TLS1.3 available
# $testtype is still NO_EXTENSION from Test 3; only the server side changes.
_start_case(serverflags => "-tls1_3");
ok(TLSProxy::Message->fail(), "No supported versions extension (only TLS1.3)");

#Test 5: supported versions extension with best version last should succeed
#and select TLSv1.3
# A TLSv1.3 record still carries the legacy TLSv1.2 record version, so the
# final record reads as 1.2 and is_tls13() confirms the negotiated protocol.
_start_case(type => REVERSE_ORDER_VERSIONS);
$record = pop @{$proxy->record_list};
ok(TLSProxy::Message->success()
   && $record->version() == TLSProxy::Record::VERS_TLS_1_2
   && TLSProxy::Proxy->is_tls13(),
   "Reverse order versions");

#Test 6: no TLSv1.3 or TLSv1.2 version in supported versions extension, but
#TLSv1.1 and TLSv1.0 are present. Should just use TLSv1.1 and succeed
_start_case(type => TLS1_1_AND_1_0_ONLY);
$record = pop @{$proxy->record_list};
ok(TLSProxy::Message->success()
   && $record->version() == TLSProxy::Record::VERS_TLS_1_1,
   "TLS1.1 and TLS1.0 in supported versions extension only");

#Test 7: TLS1.4 and TLS1.3 in supported versions. Should succeed and use TLS1.3
_start_case(type => WITH_TLS1_4);
$record = pop @{$proxy->record_list};
ok(TLSProxy::Message->success()
   && $record->version() == TLSProxy::Record::VERS_TLS_1_2
   && TLSProxy::Proxy->is_tls13(),
   "TLS1.4 in supported versions extension");

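# TLSProxy filter: rewrite the supported_versions extension of the initial
# ClientHello according to $testtype, and neutralise the downgrade sentinel
# in the ServerHello so the client does not abort for that reason instead of
# the one under test.
#
# $proxy is the TLSProxy::Proxy instance. Called once per flight; returns
# nothing.
sub modify_supported_versions_filter
{
    my $proxy = shift;

    if ($proxy->flight == 1) {
        # Change the ServerRandom so that the downgrade sentinel doesn't cause
        # the connection to fail
        my $message = $proxy->message_list->[1];
        return if !defined $message;

        $message->random("\0" x 32);
        $message->repack();
        return;
    }

    # We're only interested in the initial ClientHello
    return if $proxy->flight != 0;

    foreach my $message (@{$proxy->message_list}) {
        next if $message->mt != TLSProxy::Message::MT_CLIENT_HELLO;

        my $ext = _supported_versions_body($testtype);
        if (defined $ext) {
            $message->set_extension(
                TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);
        } elsif ($testtype == EMPTY_EXTENSION) {
            # Present but zero-length; Test 1 expects the handshake to fail
            $message->set_extension(
                TLSProxy::Message::EXT_SUPPORTED_VERSIONS, "");
        } else {
            # NO_EXTENSION: Test 3 expects the server to settle on TLSv1.2
            $message->delete_extension(
                TLSProxy::Message::EXT_SUPPORTED_VERSIONS);
        }

        $message->repack();
    }
}

# Build the supported_versions extension body for $type: a one-byte length
# followed by 2-byte version codepoints, in the order they are to be sent.
# Returns undef for the scenarios that send no version list (NO_EXTENSION,
# EMPTY_EXTENSION).
sub _supported_versions_body
{
    my $type = shift;

    my %versions_for = (
        REVERSE_ORDER_VERSIONS() => [
            0x03, 0x03, #TLSv1.2 first; the best version deliberately last
            #TODO(TLS1.3): Fix before release
            0x7f, 0x1c, #TLSv1.3 (draft 28)
        ],
        UNRECOGNISED_VERSIONS() => [
            0x04, 0x04, #Some unrecognised version
            0x04, 0x03, #Another unrecognised version
        ],
        TLS1_1_AND_1_0_ONLY() => [
            0x03, 0x02, #TLSv1.1
            0x03, 0x01, #TLSv1.0
        ],
        # Two entries are required here. With only the draft TLSv1.3 pair, the
        # previous "C5" template was zero-filled, so the list carried 0x0000
        # rather than a version above 1.3 and Test 7 never exercised its case.
        # 0x0305 just continues the 0x0301..0x0304 series (TLSv1.0..TLSv1.3).
        WITH_TLS1_4() => [
            0x03, 0x05, #TLSv1.4 (unknown future version the server must skip)
            #TODO(TLS1.3): Fix before release
            0x7f, 0x1c, #TLSv1.3 (draft 28)
        ],
    );

    my $versions = $versions_for{$type};
    return if !defined $versions;

    # Derive the length prefix from the list so it cannot go stale when an
    # entry is added or removed.
    return pack "C*", scalar(@$versions), @$versions;
}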