]>
Commit | Line | Data |
---|---|---|
203b1cdf | 1 | #! /usr/bin/env perl |
6738bf14 | 2 | # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. |
203b1cdf | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
203b1cdf MC |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; | |
11 | use OpenSSL::Test::Utils; | |
12 | use TLSProxy::Proxy; | |
13 | use File::Temp qw(tempfile); | |
14 | ||
15 | use constant { | |
16 | REVERSE_ORDER_VERSIONS => 1, | |
17 | UNRECOGNISED_VERSIONS => 2, | |
18 | NO_EXTENSION => 3, | |
19 | EMPTY_EXTENSION => 4, | |
54682aa3 | 20 | TLS1_1_AND_1_0_ONLY => 5, |
d8434cf8 MC |
21 | WITH_TLS1_4 => 6, |
22 | BAD_LEGACY_VERSION => 7 | |
203b1cdf MC |
23 | }; |
24 | ||
25 | my $testtype; | |
26 | ||
27 | my $test_name = "test_sslversions"; | |
28 | setup($test_name); | |
29 | ||
30 | plan skip_all => "TLSProxy isn't usable on $^O" | |
c5856878 | 31 | if $^O =~ /^(VMS)$/; |
203b1cdf MC |
32 | |
33 | plan skip_all => "$test_name needs the dynamic engine feature enabled" | |
34 | if disabled("engine") || disabled("dynamic-engine"); | |
35 | ||
36 | plan skip_all => "$test_name needs the sock feature enabled" | |
37 | if disabled("sock"); | |
38 | ||
39 | plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled" | |
40 | if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1"); | |
41 | ||
42 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; | |
43 | ||
44 | my $proxy = TLSProxy::Proxy->new( | |
45 | undef, | |
46 | cmdstr(app(["openssl"]), display => 1), | |
47 | srctop_file("apps", "server.pem"), | |
48 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
49 | ); | |
50 | ||
51 | #We're just testing various negative and unusual scenarios here. ssltest with | |
52 | #02-protocol-version.conf should check all the various combinations of normal | |
53 | #version neg | |
54 | ||
55 | #Test 1: An empty supported_versions extension should not succeed | |
56 | $testtype = EMPTY_EXTENSION; | |
57 | $proxy->filter(\&modify_supported_versions_filter); | |
58 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; | |
d8434cf8 | 59 | plan tests => 8; |
203b1cdf MC |
60 | ok(TLSProxy::Message->fail(), "Empty supported versions"); |
61 | ||
62 | #Test 2: supported_versions extension with no recognised versions should not | |
63 | #succeed | |
64 | $proxy->clear(); | |
65 | $testtype = UNRECOGNISED_VERSIONS; | |
66 | $proxy->start(); | |
67 | ok(TLSProxy::Message->fail(), "No recognised versions"); | |
68 | ||
69 | #Test 3: No supported versions extensions should succeed and select TLSv1.2 | |
70 | $proxy->clear(); | |
71 | $testtype = NO_EXTENSION; | |
72 | $proxy->start(); | |
73 | my $record = pop @{$proxy->record_list}; | |
74 | ok(TLSProxy::Message->success() | |
75 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2, | |
76 | "No supported versions extension"); | |
77 | ||
78 | #Test 4: No supported versions extensions should fail if only TLS1.3 available | |
79 | $proxy->clear(); | |
80 | $proxy->serverflags("-tls1_3"); | |
81 | $proxy->start(); | |
82 | ok(TLSProxy::Message->fail(), "No supported versions extension (only TLS1.3)"); | |
83 | ||
84 | #Test 5: supported versions extension with best version last should succeed | |
85 | #and select TLSv1.3 | |
86 | $proxy->clear(); | |
87 | $testtype = REVERSE_ORDER_VERSIONS; | |
88 | $proxy->start(); | |
89 | $record = pop @{$proxy->record_list}; | |
90 | ok(TLSProxy::Message->success() | |
2d729db2 | 91 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2 |
16abbd11 | 92 | && TLSProxy::Proxy->is_tls13(), |
203b1cdf MC |
93 | "Reverse order versions"); |
94 | ||
95 | #Test 6: no TLSv1.3 or TLSv1.2 version in supported versions extension, but | |
96 | #TLSv1.1 and TLSv1.0 are present. Should just use TLSv1.1 and succeed | |
97 | $proxy->clear(); | |
54682aa3 | 98 | $testtype = TLS1_1_AND_1_0_ONLY; |
203b1cdf MC |
99 | $proxy->start(); |
100 | $record = pop @{$proxy->record_list}; | |
101 | ok(TLSProxy::Message->success() | |
102 | && $record->version() == TLSProxy::Record::VERS_TLS_1_1, | |
54682aa3 | 103 | "TLS1.1 and TLS1.0 in supported versions extension only"); |
203b1cdf | 104 | |
17d01b42 MC |
105 | #Test 7: TLS1.4 and TLS1.3 in supported versions. Should succeed and use TLS1.3 |
106 | $proxy->clear(); | |
107 | $testtype = WITH_TLS1_4; | |
108 | $proxy->start(); | |
109 | $record = pop @{$proxy->record_list}; | |
110 | ok(TLSProxy::Message->success() | |
2d729db2 | 111 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2 |
16abbd11 | 112 | && TLSProxy::Proxy->is_tls13(), |
17d01b42 MC |
113 | "TLS1.4 in supported versions extension"); |
114 | ||
d8434cf8 MC |
115 | #Test 8: Set the legacy version to SSLv3 with supported versions. Should fail |
116 | $proxy->clear(); | |
117 | $testtype = BAD_LEGACY_VERSION; | |
118 | $proxy->start(); | |
119 | ok(TLSProxy::Message->fail(), "Legacy version is SSLv3 with supported versions"); | |
120 | ||
203b1cdf MC |
121 | sub modify_supported_versions_filter |
122 | { | |
123 | my $proxy = shift; | |
124 | ||
b9647e34 MC |
125 | if ($proxy->flight == 1) { |
126 | # Change the ServerRandom so that the downgrade sentinel doesn't cause | |
127 | # the connection to fail | |
128 | my $message = ${$proxy->message_list}[1]; | |
129 | return if (!defined $message); | |
130 | ||
131 | $message->random("\0"x32); | |
132 | $message->repack(); | |
133 | return; | |
134 | } | |
135 | ||
203b1cdf MC |
136 | # We're only interested in the initial ClientHello |
137 | if ($proxy->flight != 0) { | |
138 | return; | |
139 | } | |
140 | ||
141 | foreach my $message (@{$proxy->message_list}) { | |
142 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { | |
143 | my $ext; | |
144 | if ($testtype == REVERSE_ORDER_VERSIONS) { | |
145 | $ext = pack "C5", | |
146 | 0x04, # Length | |
147 | 0x03, 0x03, #TLSv1.2 | |
35e742ec | 148 | 0x03, 0x04; #TLSv1.3 |
203b1cdf MC |
149 | } elsif ($testtype == UNRECOGNISED_VERSIONS) { |
150 | $ext = pack "C5", | |
151 | 0x04, # Length | |
152 | 0x04, 0x04, #Some unrecognised version | |
153 | 0x04, 0x03; #Another unrecognised version | |
54682aa3 | 154 | } elsif ($testtype == TLS1_1_AND_1_0_ONLY) { |
203b1cdf MC |
155 | $ext = pack "C5", |
156 | 0x04, # Length | |
157 | 0x03, 0x02, #TLSv1.1 | |
158 | 0x03, 0x01; #TLSv1.0 | |
17d01b42 MC |
159 | } elsif ($testtype == WITH_TLS1_4) { |
160 | $ext = pack "C5", | |
161 | 0x04, # Length | |
86ed2e1c | 162 | 0x03, 0x05, #TLSv1.4 |
35e742ec | 163 | 0x03, 0x04; #TLSv1.3 |
203b1cdf MC |
164 | } |
165 | if ($testtype == REVERSE_ORDER_VERSIONS | |
166 | || $testtype == UNRECOGNISED_VERSIONS | |
54682aa3 | 167 | || $testtype == TLS1_1_AND_1_0_ONLY |
17d01b42 | 168 | || $testtype == WITH_TLS1_4) { |
203b1cdf MC |
169 | $message->set_extension( |
170 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext); | |
171 | } elsif ($testtype == EMPTY_EXTENSION) { | |
172 | $message->set_extension( | |
173 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ""); | |
d8434cf8 | 174 | } elsif ($testtype == NO_EXTENSION) { |
203b1cdf MC |
175 | $message->delete_extension( |
176 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS); | |
d8434cf8 MC |
177 | } else { |
178 | # BAD_LEGACY_VERSION | |
179 | $message->client_version(TLSProxy::Record::VERS_SSL_3_0); | |
203b1cdf MC |
180 | } |
181 | ||
182 | $message->repack(); | |
183 | } | |
184 | } | |
185 | } |