#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

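use strict;
# Warnings were missing: without them an undef slipping into the version list
# or a stale regex capture goes unnoticed until a test fails for no visible reason.
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
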
my $test_name = "test_sslvertol";
setup($test_name);

# Preconditions for running this recipe at all, checked in order; the first
# one that holds skips the whole file with its reason (plan skip_all exits).
my @skip_reasons = (
    [ "TLSProxy isn't usable on $^O",
      sub { $^O =~ /^(VMS)$/ } ],
    [ "$test_name needs the dynamic engine feature enabled",
      sub { disabled("engine") || disabled("dynamic-engine") } ],
    [ "$test_name needs the sock feature enabled",
      sub { disabled("sock") } ],
    [ "$test_name needs TLS enabled",
      sub { alldisabled(available_protocols("tls")) } ],
);
for my $entry (@skip_reasons) {
    my ($reason, $holds) = @{$entry};
    plan skip_all => $reason if $holds->();
}

# The proxy sits between the openssl client and server under test;
# vers_tolerance_filter is handed every flight so it can tamper with the
# ClientHello before it is passed on.
my $openssl_cmd = cmdstr(app(["openssl"]), display => 1);
my $server_cert = srctop_file("apps", "server.pem");
# Be verbose when run by hand, or when the harness itself asks for it.
my $verbose = (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE});
my $proxy = TLSProxy::Proxy->new(
    \&vers_tolerance_filter,
    $openssl_cmd,
    $server_cert,
    $verbose
);

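# Collect the record-layer version constant (TLSProxy::Record::VERS_*) of
# every TLS protocol enabled in this build.  The protocol names come from the
# build configuration, e.g. "ssl3", "tls1", "tls1_2".
my @available_tls_versions = ();
foreach my $protocol (available_protocols("tls")) {
    next if disabled($protocol);
    note("Checking enabled protocol $protocol");

    # Map "<name><major>[_<minor>]" onto VERS_<NAME>_<major>_<minor>; a name
    # without a minor part is minor version 0 (e.g. "tls1" -> VERS_TLS_1_0).
    # The match must be checked: a non-matching name would otherwise silently
    # reuse the stale $1..$3 captures of the previous iteration.
    $protocol =~ m{^([a-z]+)(\d)(_\d)?}
        or die "Unrecognised protocol name '$protocol'";
    my ($name, $major, $minor) = ($1, $2, $3);
    my $versionname;
    if (defined $minor) {
        $versionname = 'TLSProxy::Record::VERS_' . uc($name) . '_' . $major . $minor;
        note("'$name', '$major', '$minor' => $versionname");
    } else {
        $versionname = 'TLSProxy::Record::VERS_' . uc($name) . '_' . $major . '_0';
        note("'$name', '$major' => $versionname");
    }

    # The constant name is assembled from the anchored match above, not from
    # untrusted input; the string eval only resolves the symbol to its value.
    # A constant that does not exist used to leave an undef in the list, which
    # then broke the comparisons in tls_version_below.
    my $version = eval $versionname;
    die "Cannot resolve $versionname: $@" if $@;
    die "$versionname did not yield a value" unless defined $version;
    push @available_tls_versions, $version;
}
note("TLS versions we can expect: ", join(", ", @available_tls_versions));
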
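#This file does tests without the supported_versions extension.
#See 70-test_sslversions.t for tests with supported versions.

#Test 1: Asking for TLS1.4 should pass and negotiate the maximum
#available TLS version according to configuration below TLS1.3
# $client_version is a file lexical read by vers_tolerance_filter when it
# rewrites the ClientHello; each test sets it before starting the proxy.
my $client_version = TLSProxy::Record::VERS_TLS_1_4;
my $previous_version = tls_version_below(TLSProxy::Record::VERS_TLS_1_3);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 3;
SKIP: {
    skip "There are too few protocols enabled for test 1", 1
        unless defined $previous_version;

    # Guard against an empty record list: a missing record must show up as a
    # failed test rather than a method call on undef that aborts the script.
    my $record = pop @{$proxy->record_list};
    note("Record version received: "
         . (defined $record ? $record->version() : "none"));
    ok(TLSProxy::Message->success()
       && defined $record
       && $record->version() == $previous_version,
       "Version tolerance test, below TLS 1.4 and not TLS 1.3");
}
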
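#Test 2: Asking for TLS1.3 with that disabled should succeed and negotiate
#the highest configured TLS version below that.
$client_version = TLSProxy::Record::VERS_TLS_1_3;
$previous_version = tls_version_below($client_version);
SKIP: {
    skip "There are too few protocols enabled for test 2", 1
        unless defined $previous_version;

    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    # start() is not checked here because the plan is already declared; if it
    # fails there is presumably no record, which the guard below reports as a
    # failed test instead of dying on a method call on undef.
    $proxy->start();
    my $record = pop @{$proxy->record_list};
    note("Record version received: "
         . (defined $record ? $record->version() : "none"));
    ok(TLSProxy::Message->success()
       && defined $record
       && $record->version() == $previous_version,
       "Version tolerance test, max version but not TLS 1.3");
}
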
#Test 3: Testing something below SSLv3 should fail. We must disable TLS 1.3
#to avoid having the 'supported_versions' extension kick in and override our
#desires.
$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->start();
my $record = pop @{$proxy->record_list};
# The handshake is expected to be rejected, so there may be no record at all.
my $received = defined $record ? $record->version() : "none";
note("Record version received: " . $received);
ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0");

# TLSProxy filter callback: overwrite the version field of the initial
# ClientHello with whatever $client_version (a file lexical set by each test)
# currently holds, then repack the message.
sub vers_tolerance_filter
{
    my $proxy = shift;

    # Only the first flight carries the ClientHello we want to tamper with.
    return unless $proxy->flight == 0;

    for my $message (@{$proxy->message_list}) {
        next unless $message->mt == TLSProxy::Message::MT_CLIENT_HELLO;
        # Anything above the highest supported version should be tolerated
        # and negotiated down; anything below SSLv3 should be rejected.
        $message->client_version($client_version);
        $message->repack();
    }
}

# Return the highest entry of @available_tls_versions that is below $limit,
# or undef when there is none.  With no argument, return the last entry.
# NOTE(review): the last qualifying entry wins, which is only the highest
# one if the list is ascending — confirm the order available_protocols gives.
sub tls_version_below {
    return $available_tls_versions[-1] unless @_;

    my $limit = shift;
    my $best = undef;
    for my $version (@available_tls_versions) {
        next unless $version < $limit;
        $best = $version;
    }
    return $best;
}