]>
Commit | Line | Data |
---|---|---|
203b1cdf | 1 | #! /usr/bin/env perl |
33388b44 | 2 | # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. |
203b1cdf | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
203b1cdf MC |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; | |
11 | use OpenSSL::Test::Utils; | |
12 | use TLSProxy::Proxy; | |
13 | use File::Temp qw(tempfile); | |
14 | ||
15 | use constant { | |
16 | REVERSE_ORDER_VERSIONS => 1, | |
17 | UNRECOGNISED_VERSIONS => 2, | |
18 | NO_EXTENSION => 3, | |
19 | EMPTY_EXTENSION => 4, | |
54682aa3 | 20 | TLS1_1_AND_1_0_ONLY => 5, |
d8434cf8 MC |
21 | WITH_TLS1_4 => 6, |
22 | BAD_LEGACY_VERSION => 7 | |
203b1cdf MC |
23 | }; |
24 | ||
25 | my $testtype; | |
26 | ||
27 | my $test_name = "test_sslversions"; | |
28 | setup($test_name); | |
29 | ||
30 | plan skip_all => "TLSProxy isn't usable on $^O" | |
c5856878 | 31 | if $^O =~ /^(VMS)$/; |
203b1cdf MC |
32 | |
33 | plan skip_all => "$test_name needs the dynamic engine feature enabled" | |
34 | if disabled("engine") || disabled("dynamic-engine"); | |
35 | ||
36 | plan skip_all => "$test_name needs the sock feature enabled" | |
37 | if disabled("sock"); | |
38 | ||
39 | plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled" | |
a763ca11 MC |
40 | if disabled("tls1_3") |
41 | || (disabled("ec") && disabled("dh")) | |
42 | || disabled("tls1_2") | |
43 | || disabled("tls1_1"); | |
203b1cdf MC |
44 | |
45 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; | |
46 | ||
47 | my $proxy = TLSProxy::Proxy->new( | |
48 | undef, | |
49 | cmdstr(app(["openssl"]), display => 1), | |
50 | srctop_file("apps", "server.pem"), | |
51 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
52 | ); | |
53 | ||
54 | #We're just testing various negative and unusual scenarios here. ssltest with | |
433deaff | 55 | #02-protocol-version.cnf should check all the various combinations of normal |
203b1cdf MC |
56 | #version neg |
57 | ||
58 | #Test 1: An empty supported_versions extension should not succeed | |
59 | $testtype = EMPTY_EXTENSION; | |
60 | $proxy->filter(\&modify_supported_versions_filter); | |
61 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; | |
d8434cf8 | 62 | plan tests => 8; |
203b1cdf MC |
63 | ok(TLSProxy::Message->fail(), "Empty supported versions"); |
64 | ||
65 | #Test 2: supported_versions extension with no recognised versions should not | |
66 | #succeed | |
67 | $proxy->clear(); | |
68 | $testtype = UNRECOGNISED_VERSIONS; | |
69 | $proxy->start(); | |
70 | ok(TLSProxy::Message->fail(), "No recognised versions"); | |
71 | ||
72 | #Test 3: No supported versions extensions should succeed and select TLSv1.2 | |
73 | $proxy->clear(); | |
74 | $testtype = NO_EXTENSION; | |
75 | $proxy->start(); | |
76 | my $record = pop @{$proxy->record_list}; | |
77 | ok(TLSProxy::Message->success() | |
78 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2, | |
79 | "No supported versions extension"); | |
80 | ||
81 | #Test 4: No supported versions extensions should fail if only TLS1.3 available | |
82 | $proxy->clear(); | |
83 | $proxy->serverflags("-tls1_3"); | |
84 | $proxy->start(); | |
85 | ok(TLSProxy::Message->fail(), "No supported versions extension (only TLS1.3)"); | |
86 | ||
87 | #Test 5: supported versions extension with best version last should succeed | |
88 | #and select TLSv1.3 | |
89 | $proxy->clear(); | |
90 | $testtype = REVERSE_ORDER_VERSIONS; | |
91 | $proxy->start(); | |
92 | $record = pop @{$proxy->record_list}; | |
93 | ok(TLSProxy::Message->success() | |
2d729db2 | 94 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2 |
16abbd11 | 95 | && TLSProxy::Proxy->is_tls13(), |
203b1cdf MC |
96 | "Reverse order versions"); |
97 | ||
98 | #Test 6: no TLSv1.3 or TLSv1.2 version in supported versions extension, but | |
99 | #TLSv1.1 and TLSv1.0 are present. Should just use TLSv1.1 and succeed | |
100 | $proxy->clear(); | |
aba03ae5 KR |
101 | $proxy->clientflags("-cipher DEFAULT:\@SECLEVEL=0"); |
102 | $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); | |
54682aa3 | 103 | $testtype = TLS1_1_AND_1_0_ONLY; |
203b1cdf MC |
104 | $proxy->start(); |
105 | $record = pop @{$proxy->record_list}; | |
106 | ok(TLSProxy::Message->success() | |
107 | && $record->version() == TLSProxy::Record::VERS_TLS_1_1, | |
54682aa3 | 108 | "TLS1.1 and TLS1.0 in supported versions extension only"); |
203b1cdf | 109 | |
17d01b42 MC |
110 | #Test 7: TLS1.4 and TLS1.3 in supported versions. Should succeed and use TLS1.3 |
111 | $proxy->clear(); | |
112 | $testtype = WITH_TLS1_4; | |
113 | $proxy->start(); | |
114 | $record = pop @{$proxy->record_list}; | |
115 | ok(TLSProxy::Message->success() | |
2d729db2 | 116 | && $record->version() == TLSProxy::Record::VERS_TLS_1_2 |
16abbd11 | 117 | && TLSProxy::Proxy->is_tls13(), |
17d01b42 MC |
118 | "TLS1.4 in supported versions extension"); |
119 | ||
d8434cf8 MC |
120 | #Test 8: Set the legacy version to SSLv3 with supported versions. Should fail |
121 | $proxy->clear(); | |
122 | $testtype = BAD_LEGACY_VERSION; | |
123 | $proxy->start(); | |
124 | ok(TLSProxy::Message->fail(), "Legacy version is SSLv3 with supported versions"); | |
125 | ||
203b1cdf MC |
126 | sub modify_supported_versions_filter |
127 | { | |
128 | my $proxy = shift; | |
129 | ||
b9647e34 MC |
130 | if ($proxy->flight == 1) { |
131 | # Change the ServerRandom so that the downgrade sentinel doesn't cause | |
132 | # the connection to fail | |
133 | my $message = ${$proxy->message_list}[1]; | |
134 | return if (!defined $message); | |
135 | ||
136 | $message->random("\0"x32); | |
137 | $message->repack(); | |
138 | return; | |
139 | } | |
140 | ||
203b1cdf MC |
141 | # We're only interested in the initial ClientHello |
142 | if ($proxy->flight != 0) { | |
143 | return; | |
144 | } | |
145 | ||
146 | foreach my $message (@{$proxy->message_list}) { | |
147 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { | |
148 | my $ext; | |
149 | if ($testtype == REVERSE_ORDER_VERSIONS) { | |
150 | $ext = pack "C5", | |
151 | 0x04, # Length | |
152 | 0x03, 0x03, #TLSv1.2 | |
35e742ec | 153 | 0x03, 0x04; #TLSv1.3 |
203b1cdf MC |
154 | } elsif ($testtype == UNRECOGNISED_VERSIONS) { |
155 | $ext = pack "C5", | |
156 | 0x04, # Length | |
157 | 0x04, 0x04, #Some unrecognised version | |
158 | 0x04, 0x03; #Another unrecognised version | |
54682aa3 | 159 | } elsif ($testtype == TLS1_1_AND_1_0_ONLY) { |
203b1cdf MC |
160 | $ext = pack "C5", |
161 | 0x04, # Length | |
162 | 0x03, 0x02, #TLSv1.1 | |
163 | 0x03, 0x01; #TLSv1.0 | |
17d01b42 MC |
164 | } elsif ($testtype == WITH_TLS1_4) { |
165 | $ext = pack "C5", | |
166 | 0x04, # Length | |
86ed2e1c | 167 | 0x03, 0x05, #TLSv1.4 |
35e742ec | 168 | 0x03, 0x04; #TLSv1.3 |
203b1cdf MC |
169 | } |
170 | if ($testtype == REVERSE_ORDER_VERSIONS | |
171 | || $testtype == UNRECOGNISED_VERSIONS | |
54682aa3 | 172 | || $testtype == TLS1_1_AND_1_0_ONLY |
17d01b42 | 173 | || $testtype == WITH_TLS1_4) { |
203b1cdf MC |
174 | $message->set_extension( |
175 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext); | |
176 | } elsif ($testtype == EMPTY_EXTENSION) { | |
177 | $message->set_extension( | |
178 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS, ""); | |
d8434cf8 | 179 | } elsif ($testtype == NO_EXTENSION) { |
203b1cdf MC |
180 | $message->delete_extension( |
181 | TLSProxy::Message::EXT_SUPPORTED_VERSIONS); | |
d8434cf8 MC |
182 | } else { |
183 | # BAD_LEGACY_VERSION | |
184 | $message->client_version(TLSProxy::Record::VERS_SSL_3_0); | |
203b1cdf MC |
185 | } |
186 | ||
187 | $message->repack(); | |
188 | } | |
189 | } | |
190 | } |