b9647e34 | 1 | #! /usr/bin/env perl |
6738bf14 | 2 | # Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. |
b9647e34 | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; | |
11 | use OpenSSL::Test::Utils; | |
12 | use TLSProxy::Proxy; | |
13 | ||
my $test_name = "test_tls13downgrade";
setup($test_name);

# Bail out of the whole recipe when the platform or build cannot run it.
# Every plan skip_all below ends the script, so their order only decides
# which reason is reported.
if ($^O =~ /^(VMS)$/) {
    plan skip_all => "TLSProxy isn't usable on $^O";
}
if (disabled("engine") || disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}
if (disabled("sock")) {
    plan skip_all => "$test_name needs the sock feature enabled";
}
if (disabled("tls1_3") || disabled("tls1_2")) {
    plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled";
}

# Set before the proxy is created so the openssl processes it spawns
# inherit it.  NOTE(review): presumably a CPU-capability mask that keeps
# the negotiated ciphersuite predictable across hardware -- confirm.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Fourth constructor argument: true when run by hand or when the harness
# is verbose (presumably the proxy's debug/trace switch).
my $verbose = !$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE};
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    $verbose
);

# Scenario selectors.  downgrade_filter() reads the file-scoped $testtype
# (declared below, before the sub is defined) to decide how it rewrites
# the ClientHello on its way to the server.
use constant DOWNGRADE_TO_TLS_1_2 => 0;   # supported_versions := { TLSv1.2 }
use constant DOWNGRADE_TO_TLS_1_1 => 1;   # supported_versions := { TLSv1.1 }
use constant FALLBACK_FROM_TLS_1_3 => 2;  # cipher list := one suite, no SCSV

# Run one more scenario on the same proxy: reset it, apply the per-case
# settings, then drive the handshake.  Returns whatever start() returns.
my $run_case = sub {
    my ($configure) = @_;
    $proxy->clear();
    $configure->();
    return $proxy->start();
};

#Test 1: Downgrade from TLSv1.3 to TLSv1.2
# Both peers support TLSv1.3, but the server only ever sees a TLSv1.2 offer.
# The handshake is expected to fail (presumably through the client's
# TLSv1.3 downgrade detection -- the mechanism itself is not visible here).
$proxy->filter(\&downgrade_filter);
my $testtype = DOWNGRADE_TO_TLS_1_2;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 6;
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2");

#Test 2: Downgrade from TLSv1.3 to TLSv1.1
$run_case->(sub { $testtype = DOWNGRADE_TO_TLS_1_1 });
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.1");

#Test 3: Downgrade from TLSv1.2 to TLSv1.1
# $testtype is still DOWNGRADE_TO_TLS_1_1; both peers are now capped at
# TLSv1.2, so this exercises the TLSv1.2-level downgrade check.
$run_case->(sub {
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-no_tls1_3");
});
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.2 to TLSv1.1");

#Test 4: Client falls back from TLSv1.3 (server does not support the fallback
# SCSV)
# The client sends TLS_FALLBACK_SCSV; the filter strips it before the
# server sees the ClientHello.  The failure must be raised by the client
# (not the server) and carry illegal_parameter.
$run_case->(sub {
    $testtype = FALLBACK_FROM_TLS_1_3;
    $proxy->clientflags("-fallback_scsv -no_tls1_3");
});
my $alert = TLSProxy::Message->alert();
ok(TLSProxy::Message->fail()
   && !$alert->server()
   && $alert->description() == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER,
   "Fallback from TLSv1.3");

SKIP: {
    skip "TLSv1.1 disabled", 2 if disabled("tls1_1");

    #Test 5: A client side protocol "hole" should not be detected as a downgrade
    # No filter is installed: a genuine gap in the versions a peer supports
    # must not be mistaken for an attacker-induced downgrade.
    $run_case->(sub {
        $proxy->filter(undef);
        $proxy->clientflags("-no_tls1_2");
    });
    ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");

    #Test 6: A server side protocol "hole" should not be detected as a downgrade
    $run_case->(sub {
        $proxy->filter(undef);
        $proxy->serverflags("-no_tls1_2");
    });
    ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");
}

# Proxy filter: rewrites the client's first flight so that the server sees
# a ClientHello that differs from what the client actually offered.  Which
# rewrite is applied depends on the file-scoped $testtype.  Every other
# flight passes through unchanged.
sub downgrade_filter
{
    my $proxy = shift;

    # Only the initial ClientHello (flight 0) is of interest.
    return unless $proxy->flight == 0;

    # NOTE(review): the first message of flight 0 is assumed to be the
    # ClientHello; its type is not checked before it is modified.
    my $hello = ${$proxy->message_list}[0];

    if ($testtype == FALLBACK_FROM_TLS_1_3) {
        # Replace the offered cipher list with the single TLSv1.2 default
        # suite.  This also removes any SCSV the client added (the client is
        # started with -fallback_scsv in that scenario), so the server has no
        # signal that a fallback is in progress.
        my @suites = (TLSProxy::Message::CIPHER_RSA_WITH_AES_128_CBC_SHA);
        $hello->ciphersuite_len(2 * scalar @suites);    # two bytes per suite
        $hello->ciphersuites(\@suites);
    } else {
        # Rewrite supported_versions to a one-entry list -- 0x0303 (TLSv1.2)
        # or 0x0302 (TLSv1.1) -- so the TLSv1.3 offer never reaches the server.
        my $minor = $testtype == DOWNGRADE_TO_TLS_1_2 ? 0x03 : 0x02;
        my $versions = pack "C3",
            0x02,          # length of the version list in bytes
            0x03, $minor;  # the single advertised version
        $hello->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
                              $versions);
    }

    # Presumably re-encodes the message from its modified fields so the
    # rewritten ClientHello is what gets forwarded.
    $hello->repack();
}
