1 | #!/usr/bin/perl |
2 | # Written by Stephen Henson for the OpenSSL project. | |
3 | # ==================================================================== | |
4 | # Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. | |
5 | # | |
6 | # Redistribution and use in source and binary forms, with or without | |
7 | # modification, are permitted provided that the following conditions | |
8 | # are met: | |
9 | # | |
10 | # 1. Redistributions of source code must retain the above copyright | |
11 | # notice, this list of conditions and the following disclaimer. | |
12 | # | |
13 | # 2. Redistributions in binary form must reproduce the above copyright | |
14 | # notice, this list of conditions and the following disclaimer in | |
15 | # the documentation and/or other materials provided with the | |
16 | # distribution. | |
17 | # | |
18 | # 3. All advertising materials mentioning features or use of this | |
19 | # software must display the following acknowledgment: | |
20 | # "This product includes software developed by the OpenSSL Project | |
21 | # for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
22 | # | |
23 | # 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
24 | # endorse or promote products derived from this software without | |
25 | # prior written permission. For written permission, please contact | |
26 | # openssl-core@openssl.org. | |
27 | # | |
28 | # 5. Products derived from this software may not be called "OpenSSL" | |
29 | # nor may "OpenSSL" appear in their names without prior written | |
30 | # permission of the OpenSSL Project. | |
31 | # | |
32 | # 6. Redistributions of any form whatsoever must retain the following | |
33 | # acknowledgment: | |
34 | # "This product includes software developed by the OpenSSL Project | |
35 | # for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
36 | # | |
37 | # THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
38 | # EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
39 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
40 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
41 | # ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
42 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
43 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
44 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
45 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
46 | # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
47 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
48 | # OF THE POSSIBILITY OF SUCH DAMAGE. | |
49 | # ==================================================================== | |
50 | # | |
51 | # This product includes cryptographic software written by Eric Young | |
52 | # (eay@cryptsoft.com). This product includes software written by Tim | |
53 | # Hudson (tjh@cryptsoft.com). | |
54 | ||
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);
60 | ||
my $test_name = "test_tlsextms";
# setup() is expected to run before any other OpenSSL::Test call.
setup($test_name);

# TLSProxy drives real sockets and child processes; it is not usable on
# these platforms, so the whole recipe is skipped there.
if ($^O =~ m{ \A (?: VMS | MSWin32 ) \z }xms) {
    plan skip_all => "TLSProxy isn't usable on $^O";
}

if (disabled("engine") || disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}

if (disabled("sock")) {
    plan skip_all => "$test_name needs the sock feature enabled";
}

# Capability mask inherited by the openssl child processes started by the
# proxy.  NOTE(review): the masked bits appear to be the AES-NI and
# PCLMULQDQ capability bits, i.e. the handshake is exercised on the generic
# code paths -- confirm before relying on that.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Forward declarations: the prototypes only take effect at call sites that
# are compiled after the declaration, and the definitions sit at the end of
# the file.
sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();

# Filter controls read by extms_filter: strip the extended master secret
# extension from the ClientHello ($crmextms) / ServerHello ($srmextms).
my $crmextms = 0;
my $srmextms = 0;
# Observations recorded by checkmessages and reset by clearall.
my $cextms   = 0;
my $sextms   = 0;
my $fullhand = 0;

# Proxy debug flag: on when run directly, or when the harness is verbose.
my $debug = (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE});

my $proxy = TLSProxy::Proxy->new(
    \&extms_filter,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    $debug
);

# Tests 1-6 are checkmessages subtests, tests 7-9 are single ok() calls.
plan tests => 9;
93 | ||
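# Test 1: by default both client and server send the extended master secret
# extension.
# Expected: ClientHello extension seen; ServerHello extension seen; full
# handshake.
setrmextms(0, 0);
$proxy->start();
checkmessages(1, "Default extended master secret test", 1, 1, 1);

# Test 2: if the client omits the extension the server must not send it
# either.
# Expected: ClientHello extension not seen; ServerHello extension not seen;
# full handshake.
clearall();
setrmextms(1, 0);
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

# Test 3: as test 1 but with session tickets disabled.
# Expected: as test 1.
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

# Test 4: as test 2 but with session tickets disabled.
# Expected: as test 2.  (The test number is informational; it is passed as
# 4 so it matches the test it describes.)
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(1, 0);
$proxy->start();
checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);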
129 | ||
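# Tests 5-9 share one shape: a first handshake stores a session via
# -sess_out, then a fresh client resumes it via -sess_in.  The filter can be
# changed between the two runs so that the extended master secret (RFC 7627)
# state of the stored session and of the resumption attempt disagree; the
# peer that notices the mismatch must refuse to resume or abort (tests 6-9)
# rather than silently continue without the extension.
#
# $crm1, $srm1 - filter settings (strip client / server extension) for the
#                initial handshake
# $crm2, $srm2 - filter settings for the resumption handshake; when $crm2 is
#                undef the filter is left as it was (test 5)
#
# Leaves the proxy's message list holding the resumption handshake, ready
# for checkmessages() or TLSProxy::Message->fail().
sub _run_resumption {
    my ($crm1, $srm1, $crm2, $srm2) = @_;

    clearall();
    setrmextms($crm1, $srm1);
    # File::Temp creates the file itself (exclusive create, restrictive mode)
    # before the client writes the session -- which carries the master
    # secret -- to that path.  The returned handle is not used: the client
    # opens the path via -sess_out/-sess_in.
    my ($fh, $session) = tempfile();
    $proxy->serverconnects(2);
    $proxy->clientflags("-sess_out ".$session);
    $proxy->start();
    $proxy->clearClient();
    $proxy->clientflags("-sess_in ".$session);
    setrmextms($crm2, $srm2) if defined $crm2;
    $proxy->clientstart();
    return;
}

# Test 5: session resumption with the extension present on both sides.
# Expected: ClientHello extension seen; ServerHello extension seen;
# abbreviated handshake.
_run_resumption(0, 0);
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);

# Test 6: the original session omitted the extension.  The server must not
# resume it.
# Expected: ClientHello extension seen; ServerHello extension seen; full
# handshake.  (Distinct subtest name from test 5 so failures are
# attributable.)
_run_resumption(1, 0, 0, 0);
checkmessages(6, "Session resumption extended master secret test, original omits extension", 1, 1, 1);

# Test 7: the resumed session omits the client extension.  The server must
# abort the connection.
# Expected: aborted connection.
_run_resumption(0, 0, 1, 0);
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");

# Test 8: the resumed session omits the server extension.  The client must
# abort the connection.
# Expected: aborted connection.
_run_resumption(0, 0, 0, 1);
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");

# Test 9: the initial session omitted the server extension.  The client must
# abort the connection.
# Expected: aborted connection.
_run_resumption(0, 1, 0, 0);
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");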
210 | ||
# Proxy filter: strip the extended master secret extension from the
# ClientHello and/or ServerHello according to the file-level $crmextms and
# $srmextms flags, then repack the altered message.
sub extms_filter
{
    my $proxy = shift;

    # Message types that lose the extension on this handshake (value is the
    # corresponding filter flag, so a 0 means "leave it alone").
    my %strip_from = (
        TLSProxy::Message::MT_CLIENT_HELLO() => $crmextms,
        TLSProxy::Message::MT_SERVER_HELLO() => $srmextms,
    );

    for my $message (@{$proxy->message_list}) {
        next unless $strip_from{$message->mt};
        $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
        $message->repack();
    }
}
226 | ||
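# Check the handshake the proxy just relayed against expectations.
#
# $testno     - test number, informational only (not used by the checks)
# $testname   - subtest description
# $testcextms - 1 if the ClientHello must carry the EMS extension, else 0
# $testsextms - 1 if the ServerHello must carry the EMS extension, else 0
# $testhand   - 1 if a full handshake (ClientKeyExchange seen) is expected,
#               0 for an abbreviated one
#
# Records what was seen in the file-level $cextms/$sextms/$fullhand; those
# are reset by clearall() before the next handshake, so call it between
# tests.
sub checkmessages($$$$$)
{
    my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

    subtest $testname => sub {
        for my $message (@{$proxy->message_list}) {
            my $mt = $message->mt;
            if ($mt == TLSProxy::Message::MT_CLIENT_HELLO
                || $mt == TLSProxy::Message::MT_SERVER_HELLO) {
                # Look the extension up in place instead of copying the
                # whole extension hash.
                my $extensions = $message->extension_data;
                if (defined $extensions->{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET()}) {
                    if ($mt == TLSProxy::Message::MT_CLIENT_HELLO) {
                        $cextms = 1;
                    } else {
                        $sextms = 1;
                    }
                }
            } elsif ($mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
                # A ClientKeyExchange only appears in a full handshake.
                $fullhand = 1;
            }
        }

        plan tests => 4;

        ok(TLSProxy::Message->success, "Handshake");

        # is() reports got/expected on failure; ok() on an == only says
        # "not ok".
        is($cextms, $testcextms,
           "ClientHello extension extended master secret check");
        is($sextms, $testsextms,
           "ServerHello extension extended master secret check");
        is($fullhand, $testhand,
           "Extended master secret full handshake check");
    };
}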
265 | ||
# Set the filter flags for the next handshake: whether extms_filter strips
# the extended master secret extension from the ClientHello (first arg) and
# from the ServerHello (second arg).
sub setrmextms($$)
{
    my ($client_remove, $server_remove) = @_;
    $crmextms = $client_remove;
    $srmextms = $server_remove;
    return;
}
270 | ||
# Reset the per-handshake observations and the proxy state before the next
# test.  The filter flags ($crmextms/$srmextms) are deliberately left alone;
# use setrmextms() for those.
sub clearall()
{
    ($cextms, $sextms, $fullhand) = (0) x 3;
    $proxy->clear();
    return;
}