#!/usr/bin/perl
# Written by Stephen Henson for the OpenSSL project.
# ====================================================================
# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in
#    the documentation and/or other materials provided with the
#    distribution.
#
# 3. All advertising materials mentioning features or use of this
#    software must display the following acknowledgment:
#    "This product includes software developed by the OpenSSL Project
#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
#
# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
#    endorse or promote products derived from this software without
#    prior written permission. For written permission, please contact
#    openssl-core@openssl.org.
#
# 5. Products derived from this software may not be called "OpenSSL"
#    nor may "OpenSSL" appear in their names without prior written
#    permission of the OpenSSL Project.
#
# 6. Redistributions of any form whatsoever must retain the following
#    acknowledgment:
#    "This product includes software developed by the OpenSSL Project
#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
#
# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
# ====================================================================
#
# This product includes cryptographic software written by Eric Young
# (eay@cryptsoft.com). This product includes software written by Tim
# Hudson (tjh@cryptsoft.com).

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);
60 | ||
my $test_name = "test_tlsextms";
setup($test_name);

# TLSProxy drives real openssl processes over local sockets; the harness
# does not support that on these platforms.
if ($^O =~ /^(VMS|MSWin32)$/) {
    plan skip_all => "TLSProxy isn't usable on $^O";
}

# The proxy setup needs loadable engines (presumably for whatever engine
# TLSProxy loads into the openssl processes; that is not visible here).
if (disabled("engine") || disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}

# Mask CPU capability bits for the openssl child processes spawned below
# (OPENSSL_ia32cap is read by the spawned openssl binaries).  The exact
# mask is carried over from the original test and its motivation is not
# recorded here -- TODO confirm before changing it.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Forward declarations.  The prototypes have to match the definitions at
# the bottom of the file, otherwise perl reports a prototype mismatch.
sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();

# Control knobs read by extms_filter: when set, the extended_master_secret
# extension is stripped from the ClientHello / ServerHello respectively.
my ($crmextms, $srmextms) = (0, 0);

# Observations collected by checkmessages (extension seen in ClientHello,
# extension seen in ServerHello, full handshake detected); reset by clearall.
my ($cextms, $sextms, $fullhand) = (0, 0, 0);

# Last constructor argument is derived from the harness verbosity settings:
# true when run outside a harness or under a verbose one.
my $debug = !$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE};

my $proxy = TLSProxy::Proxy->new(
    \&extms_filter,
    cmdstr(app(["openssl"])),
    srctop_file("apps", "server.pem"),
    $debug
);

plan tests => 9;

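# Test 1: By default both peers send the extended_master_secret extension
# (RFC 7627).  Expected: extension in ClientHello and ServerHello, full
# handshake.
setrmextms(0, 0);
$proxy->start();
checkmessages(1, "Default extended master secret test", 1, 1, 1);

# Test 2: The extension is stripped from the ClientHello.  The server must
# not answer with an extension it was never offered.  Expected: no
# extension in either Hello, full handshake.
clearall();
setrmextms(1, 0);
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

# Test 3: As test 1 but with session tickets disabled on the client, so
# the extension negotiation is also checked without the ticket extension
# in play.  Expected: same as test 1.
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

# Test 4: As test 2 but with session tickets disabled.
# Expected: same as test 2.  (The test number handed to checkmessages is
# now 4; it was mistakenly 2 before.)
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(1, 0);
$proxy->start();
checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);
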
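# Every resumption scenario below runs the same two-connection script: a
# full handshake whose session is saved with -sess_out, followed by a
# second client connection that offers that session back with -sess_in.
# The extension-stripping knobs may differ between the two connections,
# which is what lets the tests probe the resumption rules of RFC 7627
# section 5.3: a session may only be resumed with the same
# extended-master-secret status it was created with; any mismatch must end
# in a fresh full handshake or an abort, depending on which side is
# inconsistent.  (Those rules are what closes the triple-handshake style
# of session-splicing attacks the extension was designed against.)
#
# Parameters: strip-from-ClientHello and strip-from-ServerHello flags for
# the initial connection, then the same two flags for the resumption
# attempt.  On return $proxy->message_list holds the resumption
# connection's messages for checkmessages / TLSProxy::Message->fail.
sub run_resumption
{
    my ($init_crm, $init_srm, $resume_crm, $resume_srm) = @_;

    clearall();
    setrmextms($init_crm, $init_srm);

    # -sess_out saves the negotiated session (including its master secret)
    # to this file.  UNLINK => 1 makes File::Temp remove it at exit instead
    # of leaving key material behind in the temp directory.  The handle
    # itself is not needed: s_client writes to the path.
    my ($fh, $session) = tempfile(UNLINK => 1);
    close($fh);

    $proxy->serverconnects(2);
    $proxy->clientflags("-sess_out " . $session);
    $proxy->start();

    $proxy->clearClient();
    $proxy->clientflags("-sess_in " . $session);
    setrmextms($resume_crm, $resume_srm);
    $proxy->clientstart();
}

# Test 5: Both connections use the extension.
# Expected: extension in ClientHello and ServerHello, abbreviated handshake
# (no ClientKeyExchange).
run_resumption(0, 0, 0, 0);
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);

# Test 6: The original session was created without the extension (client
# omitted it); the resuming ClientHello offers it.  The server must not
# resume such a session and instead runs a full handshake, in which both
# sides now use the extension.
run_resumption(1, 0, 0, 0);
checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);

# Test 7: The original session used the extension; the resuming
# ClientHello omits it.  The server must abort the connection.
run_resumption(0, 0, 1, 0);
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");

# Test 8: The original session used the extension; the resuming
# ServerHello omits it.  The client must abort the connection.
run_resumption(0, 0, 0, 1);
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");

# Test 9: The original session was created without the extension (server
# did not echo it); the resuming ServerHello now carries it.  The client
# must abort the connection.
run_resumption(0, 1, 0, 0);
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
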
# Message filter installed on the proxy (see TLSProxy::Proxy->new).  It
# walks the captured messages and, depending on the $crmextms / $srmextms
# knobs, strips the extended_master_secret extension from the ClientHello
# and/or the ServerHello before the message is forwarded.  Messages are
# repacked after the edit so the modified bytes are what actually go on
# the wire.
sub extms_filter
{
    my $proxy = shift;

    for my $msg (@{$proxy->message_list}) {
        my $mt = $msg->mt;
        my $strip = ($mt == TLSProxy::Message::MT_CLIENT_HELLO && $crmextms)
                 || ($mt == TLSProxy::Message::MT_SERVER_HELLO && $srmextms);
        next unless $strip;

        $msg->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
        $msg->repack();
    }
}

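# Inspect the proxy's captured handshake and verify it against the
# expectations for one test.
#
# Arguments:
#   $testno     - test number; accepted for call-site readability only, it
#                 is not used in the checks or the output.
#   $testname   - subtest description.
#   $testcextms - 1 if the ClientHello must carry extended_master_secret.
#   $testsextms - 1 if the ServerHello must carry extended_master_secret.
#   $testhand   - 1 if a full handshake is expected, 0 for abbreviated.
#
# Side effects: sets the file-level $cextms, $sextms and $fullhand flags
# from what was observed.  They accumulate across calls and are only
# reset by clearall(), so callers clear between tests.
sub checkmessages($$$$$)
{
    my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

    subtest $testname => sub {

        foreach my $message (@{$proxy->message_list}) {
            my $mt = $message->mt;
            if ($mt == TLSProxy::Message::MT_CLIENT_HELLO
                || $mt == TLSProxy::Message::MT_SERVER_HELLO) {
                # Presence of the extension is what matters; its body is
                # empty, so test for the key rather than a true value.
                my $extensions = $message->extension_data;
                if (defined
                    $extensions->{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) {
                    if ($mt == TLSProxy::Message::MT_CLIENT_HELLO) {
                        $cextms = 1;
                    } else {
                        $sextms = 1;
                    }
                }
            } elsif ($mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
                # A ClientKeyExchange only appears on a full handshake;
                # an abbreviated (resumed) handshake never sends one.
                $fullhand = 1;
            }
        }

        plan tests => 4;

        ok(TLSProxy::Message->success, "Handshake");

        # is() rather than ok(==) so a failure reports got/expected values.
        is($cextms, $testcextms,
           "ClientHello extension extended master secret check");
        is($sextms, $testsextms,
           "ServerHello extension extended master secret check");
        is($fullhand, $testhand,
           "Extended master secret full handshake check");

    }
}
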
# Configure extms_filter: first flag strips extended_master_secret from
# the ClientHello, second flag strips it from the ServerHello.  Takes
# effect on the next connection the proxy runs.
sub setrmextms($$)
{
    my ($strip_client, $strip_server) = @_;
    ($crmextms, $srmextms) = ($strip_client, $strip_server);
}

# Reset the observation flags filled in by checkmessages and clear the
# proxy's state so the next test starts from a clean slate.
sub clearall()
{
    ($cextms, $sextms, $fullhand) = (0) x 3;
    $proxy->clear();
}