test/recipes/70-test_sslextension.t

   1 #! /usr/bin/env perl
   2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the OpenSSL license (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9 use strict;
  10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
  11 use OpenSSL::Test::Utils;
  12 use TLSProxy::Proxy;
  13
  14 my $test_name = "test_sslextension";
  15 setup($test_name);
  16
  17 plan skip_all => "TLSProxy isn't usable on $^O"
  18     if $^O =~ /^(VMS|MSWin32)$/;
  19
  20 plan skip_all => "$test_name needs the dynamic engine feature enabled"
  21     if disabled("engine") || disabled("dynamic-engine");
  22
  23 plan skip_all => "$test_name needs the sock feature enabled"
  24     if disabled("sock");
  25
  26 plan skip_all => "$test_name needs TLS enabled"
  27     if alldisabled(available_protocols("tls"));
  28
  29 use constant {
  30     UNSOLICITED_SERVER_NAME => 0,
  31     UNSOLICITED_SERVER_NAME_TLS13 => 1,
  32     UNSOLICITED_SCT => 2
  33 };
  34
  35 my $testtype;
  36
  37 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
  38 my $proxy = TLSProxy::Proxy->new(
  39     \&extension_filter,
  40     cmdstr(app(["openssl"]), display => 1),
  41     srctop_file("apps", "server.pem"),
  42     (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
  43 );
  44
  45 # Test 1: Sending a zero length extension block should pass
  46 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
  47 plan tests => 6;
  48 ok(TLSProxy::Message->success, "Zero extension length test");
  49
  50 sub extension_filter
  51 {
  52     my $proxy = shift;
  53
  54     if ($proxy->flight == 1) {
  55         # Change the ServerRandom so that the downgrade sentinel doesn't cause
  56         # the connection to fail
  57         my $message = ${$proxy->message_list}[1];
  58         $message->random("\0"x32);
  59         $message->repack();
  60         return;
  61     }
  62
  63     # We're only interested in the initial ClientHello
  64     if ($proxy->flight != 0) {
  65         return;
  66     }
  67
  68     foreach my $message (@{$proxy->message_list}) {
  69         if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
  70             # Remove all extensions and set the extension len to zero
  71             $message->extension_data({});
  72             $message->extensions_len(0);
  73             # Extensions have been removed so make sure we don't try to use them
  74             $message->process_extensions();
  75
  76             $message->repack();
  77         }
  78     }
  79 }
  80
  81 # Test 2-3: Sending a duplicate extension should fail.
  82 sub inject_duplicate_extension
  83 {
  84   my ($proxy, $message_type) = @_;
  85
  86     foreach my $message (@{$proxy->message_list}) {
  87         if ($message->mt == $message_type) {
  88           my %extensions = %{$message->extension_data};
  89             # Add a duplicate (unknown) extension.
  90             $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
  91             $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
  92             $message->repack();
  93         }
  94     }
  95 }
  96
  97 sub inject_duplicate_extension_clienthello
  98 {
  99     my $proxy = shift;
 100
 101     # We're only interested in the initial ClientHello
 102     if ($proxy->flight != 0) {
 103         return;
 104     }
 105
 106     inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO);
 107 }
 108
 109 sub inject_duplicate_extension_serverhello
 110 {
 111     my $proxy = shift;
 112
 113     # We're only interested in the initial ServerHello
 114     if ($proxy->flight != 1) {
 115         return;
 116     }
 117
 118     inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO);
 119 }
 120
 121 $proxy->clear();
 122 $proxy->filter(\&inject_duplicate_extension_clienthello);
 123 $proxy->start();
 124 ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");
 125
 126 $proxy->clear();
 127 $proxy->filter(\&inject_duplicate_extension_serverhello);
 128 $proxy->start();
 129 ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");
 130
 131 sub inject_unsolicited_extension
 132 {
 133     my $proxy = shift;
 134     my $message;
 135
 136     # We're only interested in the initial ServerHello/EncryptedExtensions
 137     if ($proxy->flight != 1) {
 138         return;
 139     }
 140
 141     if ($testtype == UNSOLICITED_SERVER_NAME_TLS13) {
 142         $message = ${$proxy->message_list}[2];
 143         die "Expecting EE message ".($message->mt).", ".${$proxy->message_list}[1]->mt.", ".${$proxy->message_list}[3]->mt if $message->mt != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS;
 144     } else {
 145         $message = ${$proxy->message_list}[1];
 146     }
 147
 148     my $ext = pack "C2",
 149         0x00, 0x00; #Extension length
 150
 151     my $type;
 152     if ($testtype == UNSOLICITED_SERVER_NAME
 153             || $testtype == UNSOLICITED_SERVER_NAME_TLS13) {
 154         $type = TLSProxy::Message::EXT_SERVER_NAME;
 155     } elsif ($testtype == UNSOLICITED_SCT) {
 156         $type = TLSProxy::Message::EXT_SCT;
 157     }
 158     $message->set_extension($type, $ext);
 159     $message->repack();
 160 }
 161
 162 SKIP: {
 163     skip "TLS <= 1.2 disabled", 1 if alldisabled(("tls1", "tls1_1", "tls1_2"));
 164     #Test 4: Inject an unsolicited extension (<= TLSv1.2)
 165     $proxy->clear();
 166     $proxy->filter(\&inject_unsolicited_extension);
 167     $testtype = UNSOLICITED_SERVER_NAME;
 168     $proxy->clientflags("-no_tls1_3 -noservername");
 169     $proxy->start();
 170     ok(TLSProxy::Message->fail(), "Unsolicited server name extension");
 171 }
 172
 173 SKIP: {
 174     skip "TLS <= 1.2 or CT disabled", 1
 175         if alldisabled(("tls1", "tls1_1", "tls1_2")) || disabled("ct");
 176     #Test 5: Same as above for the SCT extension which has special handling
 177     $proxy->clear();
 178     $testtype = UNSOLICITED_SCT;
 179     $proxy->clientflags("-no_tls1_3");
 180     $proxy->start();
 181     ok(TLSProxy::Message->fail(), "Unsolicited sct extension");
 182 }
 183
 184 SKIP: {
 185     skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
 186     #Test 6: Inject an unsolicited extension (TLSv1.3)
 187     $proxy->clear();
 188     $proxy->filter(\&inject_unsolicited_extension);
 189     $testtype = UNSOLICITED_SERVER_NAME_TLS13;
 190     $proxy->clientflags("-noservername");
 191     $proxy->start();
 192     ok(TLSProxy::Message->fail(), "Unsolicited server name extension (TLSv1.3)");
 193 }