1 | #!/usr/bin/perl |
2 | # Written by Stephen Henson for the OpenSSL project. | |
3 | # ==================================================================== | |
4 | # Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. | |
5 | # | |
6 | # Redistribution and use in source and binary forms, with or without | |
7 | # modification, are permitted provided that the following conditions | |
8 | # are met: | |
9 | # | |
10 | # 1. Redistributions of source code must retain the above copyright | |
11 | # notice, this list of conditions and the following disclaimer. | |
12 | # | |
13 | # 2. Redistributions in binary form must reproduce the above copyright | |
14 | # notice, this list of conditions and the following disclaimer in | |
15 | # the documentation and/or other materials provided with the | |
16 | # distribution. | |
17 | # | |
18 | # 3. All advertising materials mentioning features or use of this | |
19 | # software must display the following acknowledgment: | |
20 | # "This product includes software developed by the OpenSSL Project | |
21 | # for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
22 | # | |
23 | # 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
24 | # endorse or promote products derived from this software without | |
25 | # prior written permission. For written permission, please contact | |
26 | # openssl-core@openssl.org. | |
27 | # | |
28 | # 5. Products derived from this software may not be called "OpenSSL" | |
29 | # nor may "OpenSSL" appear in their names without prior written | |
30 | # permission of the OpenSSL Project. | |
31 | # | |
32 | # 6. Redistributions of any form whatsoever must retain the following | |
33 | # acknowledgment: | |
34 | # "This product includes software developed by the OpenSSL Project | |
35 | # for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
36 | # | |
37 | # THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
38 | # EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
39 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
40 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
41 | # ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
42 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
43 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
44 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
45 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
46 | # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
47 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
48 | # OF THE POSSIBILITY OF SUCH DAMAGE. | |
49 | # ==================================================================== | |
50 | # | |
51 | # This product includes cryptographic software written by Eric Young | |
52 | # (eay@cryptsoft.com). This product includes software written by Tim | |
53 | # Hudson (tjh@cryptsoft.com). | |
54 | ||
55 | use strict; | |
56 | use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/; | |
57 | use TLSProxy::Proxy; | |
58 | use File::Temp qw(tempfile); | |
59 | ||
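my $test_name = "test_tlsextms";
setup($test_name);

# TLSProxy needs a shared libssl/libcrypto, so pull SHARED_LIBS out of the
# top-level Makefile and skip the whole recipe when it is empty.  The Makefile
# is opened with three-argument open so the path is taken literally; the
# "<>" idiom on a locally built @ARGV goes through Perl's two-argument magic
# open, which interprets a leading/trailing "|", "<" or ">" in the name.  An
# unreadable Makefile produces no SHARED_LIBS line and therefore also skips.
my $shared_libs = "";
if (open my $makefile, '<', top_file("Makefile")) {
    while (my $line = <$makefile>) {
        next unless $line =~ /^SHARED_LIBS=/;
        $line =~ s/\R//;                 # strip the line terminator
        $line =~ s/^SHARED_LIBS=\s*//;   # keep only the value
        $shared_libs = $line;
        last;                            # first match wins, as before
    }
    close $makefile;
}
plan skip_all => "$test_name can only be performed with OpenSSL configured shared"
    if $shared_libs eq "";

# Engines are loaded from the build tree rather than an installed location.
$ENV{OPENSSL_ENGINES} = top_dir("engines");
# Mask bits 33 and 57 of the OPENSSL_ia32cap capability vector, presumably so
# the run does not depend on the host CPU's accelerated code paths.
# NOTE(review): in OpenSSL's ia32cap layout those look like the PCLMULQDQ and
# AES-NI flags - confirm against the cpuid code before relying on that reading.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';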
70 | ||
# Forward declarations; the prototypes must match the definitions below.
sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();

# Knobs read by extms_filter(): strip the extended_master_secret extension
# from the ClientHello ($crmextms) and/or from the ServerHello ($srmextms).
my ($crmextms, $srmextms) = (0, 0);

# Observations recorded by checkmessages() from the proxied handshake:
# extension seen in the ClientHello, seen in the ServerHello, and whether a
# full handshake took place (a ClientKeyExchange went by).  Reset by clearall().
my ($cextms, $sextms, $fullhand) = (0, 0, 0);
80 | ||
# A single proxy is shared by every test.  It sits between client and server,
# runs extms_filter() over each handshake message it relays, and hands
# apps/server.pem to the server as its certificate.  The trailing 1 is passed
# straight through to TLSProxy::Proxy->new (see that module for its meaning).
my $openssl_cmd = cmdstr(app(["openssl"]));
my $server_cert = top_file("apps", "server.pem");
my $proxy = TLSProxy::Proxy->new(\&extms_filter, $openssl_cmd, $server_cert, 1);

plan tests => 9;
89 | ||
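# Test 1: by default both sides send the extended_master_secret extension
# (RFC 7627) and a full handshake takes place.
# Expected result: ClientHello extension seen; ServerHello extension seen;
# full handshake.
setrmextms(0, 0);
$proxy->start();
checkmessages(1, "Default extended master secret test", 1, 1, 1);

# Test 2: when the ClientHello carries no extension (the proxy strips it) the
# server must not answer with one.
# Expected result: no extension in either Hello; full handshake.
clearall();
setrmextms(1, 0);
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

# Test 3: as test 1 with session tickets disabled on the client.
# Expected result: same as test 1.
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

# Test 4: as test 2 with session tickets disabled on the client.
# Expected result: same as test 2.
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(1, 0);
$proxy->start();
checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);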
125 | ||
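# Test 5: session resumption with the extension in use.  A first (full)
# handshake saves the session via -sess_out; a second client run resumes it
# with -sess_in against the same server (serverconnects(2) keeps it up for a
# second connection).
# Expected result: ClientHello extension seen; ServerHello extension seen;
# abbreviated handshake.
clearall();
setrmextms(0, 0);
# File::Temp creates the file mode 0600.  NOTE(review): the serialised session
# the client writes here is expected to carry the session's master secret -
# precisely what RFC 7627 binds to the handshake - so keep it in a private
# temp directory and never point -sess_out at a shared location.
my ($fh, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);

# Test 6: the original session was established without the extension (the
# proxy stripped it from the ClientHello); the resuming ClientHello carries
# it.  RFC 7627 section 5.3: the server MUST NOT resume such a session, so a
# full handshake is expected.
# Expected result: ClientHello extension seen; ServerHello extension seen;
# full handshake.
clearall();
setrmextms(1, 0);
($fh, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
checkmessages(6, "Session resumption, original session omits extension, extended master secret test", 1, 1, 1);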
158 | ||
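# Test 7: the original session used the extension; the resuming ClientHello
# omits it (stripped by the proxy).  RFC 7627 section 5.3: the server MUST
# abort the handshake rather than fall back.
# Expected result: aborted connection.
clearall();
setrmextms(0, 0);
($fh, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
setrmextms(1, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");

# Test 8: the original session used the extension; the resuming ServerHello
# omits it (stripped by the proxy).  RFC 7627 section 5.3: the client MUST
# abort the handshake.
# Expected result: aborted connection.
clearall();
setrmextms(0, 0);
($fh, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
setrmextms(0, 1);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");

# Test 9: the original session was established without the extension (the
# proxy stripped it from the ServerHello); the resuming ServerHello carries
# it.  RFC 7627 section 5.3: the client MUST abort the handshake.
# Expected result: aborted connection.
clearall();
setrmextms(0, 1);
($fh, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");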
206 | ||
# Proxy filter: remove the extended_master_secret extension from the
# ClientHello when $crmextms is set and from the ServerHello when $srmextms
# is set, leaving every other message untouched.  Invoked by the proxy with
# the TLSProxy::Proxy instance as its only argument.
sub extms_filter
{
    my $proxy = shift;   # the proxy instance, shadows the file-level $proxy

    for my $msg (@{$proxy->message_list}) {
        my $mt = $msg->mt;
        my $strip =
            ($mt == TLSProxy::Message::MT_CLIENT_HELLO && $crmextms)
            || ($mt == TLSProxy::Message::MT_SERVER_HELLO && $srmextms);
        next unless $strip;

        # The ClientHello constant is reused for the ServerHello because the
        # extension has the same type number in both.
        $msg->delete_extension(TLSProxy::ClientHello::EXT_EXTENDED_MASTER_SECRET);
        # Re-serialise so the message and record lengths reflect the removal.
        $msg->repack();
    }
}
222 | ||
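# Inspect the messages the proxy saw for the most recent handshake and run
# four checks as one subtest.
#   $testno     - test number (for the reader; not used by the checks)
#   $testname   - subtest name
#   $testcextms - 1 if the ClientHello must carry extended_master_secret, else 0
#   $testsextms - 1 if the ServerHello must carry it, else 0
#   $testhand   - 1 if a full handshake is expected, 0 for an abbreviated one
# Observations accumulate into the file-level $cextms/$sextms/$fullhand, so
# call clearall() between handshakes.
sub checkmessages($$$$$)
{
    my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

    subtest $testname => sub {
        my $ext_id = TLSProxy::ClientHello::EXT_EXTENDED_MASTER_SECRET;

        for my $message (@{$proxy->message_list}) {
            my $mt = $message->mt;
            if ($mt == TLSProxy::Message::MT_CLIENT_HELLO
                || $mt == TLSProxy::Message::MT_SERVER_HELLO) {
                # RFC 7627: the extension carries no payload, so its value in
                # the extension map may be the empty string.  Test for
                # definedness, never for truth.
                if (defined $message->extension_data->{$ext_id}) {
                    if ($mt == TLSProxy::Message::MT_CLIENT_HELLO) {
                        $cextms = 1;
                    } else {
                        $sextms = 1;
                    }
                }
            } elsif ($mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
                # A ClientKeyExchange is only sent on a full handshake.
                $fullhand = 1;
            }
        }

        plan tests => 4;

        ok(TLSProxy::Message->success, "Handshake");

        # is() rather than ok(==) so a failure reports the got/expected values.
        is($cextms, $testcextms,
           "ClientHello extension extended master secret check");
        is($sextms, $testsextms,
           "ServerHello extension extended master secret check");
        is($fullhand, $testhand,
           "Extended master secret full handshake check");
    };
}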
261 | ||
# Select which Hello(s) extms_filter() strips the extension from:
# (strip from ClientHello, strip from ServerHello), each 0 or 1.
sub setrmextms($$)
{
    my ($strip_client, $strip_server) = @_;
    $crmextms = $strip_client;
    $srmextms = $strip_server;
}
266 | ||
# Forget what checkmessages() recorded and drop the proxy's message list,
# ready for the next handshake.  Leaves $crmextms/$srmextms as they are.
sub clearall()
{
    ($cextms, $sextms, $fullhand) = (0, 0, 0);
    $proxy->clear();
}