2 # Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
12 use OpenSSL
::Test qw
/:DEFAULT cmdstr srctop_file bldtop_dir/;
13 use OpenSSL
::Test
::Utils
;
15 use TLSProxy
::Message
;
17 my $test_name = "test_sslrecords";
20 plan skip_all
=> "TLSProxy isn't usable on $^O"
23 plan skip_all
=> "$test_name needs the dynamic engine feature enabled"
24 if disabled
("engine") || disabled
("dynamic-engine");
26 plan skip_all
=> "$test_name needs the sock feature enabled"
29 my $testplanisset = 0;
30 my $inject_recs_num = undef;
31 my $content_type = undef;
32 my $boundary_test_type = undef;
33 my $fatal_alert = undef; # set by filters at expected fatal alerts
34 my $sslv2testtype = undef;
35 my $proxy_start_success = 0;
36 my $dtlsproxy = undef;
39 my $dummyproxy = TLSProxy
::Proxy
->new(
40 \
&add_empty_recs_filter
,
41 cmdstr
(app
([ "openssl" ]), display
=> 1),
42 srctop_file
("apps", "server.pem"),
43 (!$ENV{HARNESS_ACTIVE
} || $ENV{HARNESS_VERBOSE
})
46 # Avoid failures with tls1_3 disabled builds
47 # TLSProxy defaults to use tls1_3 and tls1_2 is required by the tests so
48 # set it here and check that a simple proxy works before running the tests
49 $dummyproxy->serverflags("-tls1_2");
50 $dummyproxy->clientflags("-no_tls1_3");
52 $dummyproxy->start() or plan skip_all
=> "Unable to start up Proxy for tests";
56 skip
"TLS 1.2 is disabled", 21 if disabled
("tls1_2");
58 $tlsproxy = TLSProxy
::Proxy
->new(
59 \
&add_empty_recs_filter
,
60 cmdstr
(app
([ "openssl" ]), display
=> 1),
61 srctop_file
("apps", "server.pem"),
62 (!$ENV{HARNESS_ACTIVE
} || $ENV{HARNESS_VERBOSE
})
68 skip
"DTLS 1.2 is disabled", 21 if disabled
("dtls1_2");
69 skip
"DTLSProxy does not work on Windows", 21 if $^O
=~ /^(MSWin32)$/;
71 $dtlsproxy = TLSProxy
::Proxy
->new_dtls(
72 \
&add_empty_recs_filter
,
73 cmdstr
(app
([ "openssl" ]), display
=> 1),
74 srctop_file
("apps", "server.pem"),
75 (!$ENV{HARNESS_ACTIVE
} || $ENV{HARNESS_VERBOSE
})
82 my $run_test_as_dtls = shift;
85 if ($run_test_as_dtls == 1) {
91 $fatal_alert = 0; # set by filters at expected fatal alerts
93 skip
"Record tests not intended for dtls", 1 if $run_test_as_dtls == 1;
94 #Test 1: Injecting out of context empty records should fail
96 $content_type = TLSProxy
::Record
::RT_APPLICATION_DATA
;
99 $proxy->serverflags("-tls1_2");
100 $proxy->clientflags("-no_tls1_3");
102 ok
($fatal_alert, "Out of context empty records test");
105 #Test 2: Injecting in context empty records should succeed
107 $content_type = TLSProxy
::Record
::RT_HANDSHAKE
;
108 if ($run_test_as_dtls == 1) {
109 $proxy->serverflags("-min_protocol DTLSv1.2 -max_protocol DTLSv1.2");
110 $proxy->clientflags("-max_protocol DTLSv1.2");
112 $proxy->serverflags("-tls1_2");
113 $proxy->clientflags("-no_tls1_3");
115 $proxy_start_success = $proxy->start();
116 ok
($proxy_start_success && TLSProxy
::Message
->success(),
117 "In context empty records test".($run_test_as_dtls == 1) ?
" for DTLS" : " for TLS");
120 skip
"Record tests not intended for dtls", 7 if $run_test_as_dtls == 1;
121 #Test 3: Injecting too many in context empty records should fail
124 #We allow 32 consecutive in context empty records
125 $inject_recs_num = 33;
126 $proxy->serverflags("-tls1_2");
127 $proxy->clientflags("-no_tls1_3");
129 ok
($fatal_alert, "Too many in context empty records test");
131 #Test 4: Injecting a fragmented fatal alert should fail. We expect the server to
132 # send back an alert of its own because it cannot handle fragmented
136 $proxy->filter(\
&add_frag_alert_filter
);
137 $proxy->serverflags("-tls1_2");
138 $proxy->clientflags("-no_tls1_3");
140 ok
($fatal_alert, "Fragmented alert records test");
142 #Run some SSLv2 ClientHello tests
145 TLSV1_2_IN_SSLV2
=> 0,
147 FRAGMENTED_IN_TLSV1_2
=> 2,
148 FRAGMENTED_IN_SSLV2
=> 3,
149 ALERT_BEFORE_SSLV2
=> 4
152 # The TLSv1.2 in SSLv2 ClientHello need to run at security level 0
153 # because in a SSLv2 ClientHello we can't send extensions to indicate
154 # which signature algorithm we want to use, and the default is SHA1.
156 #Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
157 $sslv2testtype = TLSV1_2_IN_SSLV2
;
159 $proxy->filter(\
&add_sslv2_filter
);
160 $proxy->serverflags("-tls1_2");
161 $proxy->clientflags("-no_tls1_3 -legacy_renegotiation");
162 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
164 ok
(TLSProxy
::Message
->success(), "TLSv1.2 in SSLv2 ClientHello test");
166 #Test 6: Inject an SSLv2 style record format for an SSLv2 ClientHello. We don't
167 # support this so it should fail. We actually treat it as an unknown
168 # protocol so we don't even send an alert in this case.
169 $sslv2testtype = SSLV2_IN_SSLV2
;
171 $proxy->serverflags("-tls1_2");
172 $proxy->clientflags("-no_tls1_3");
173 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
175 ok
(TLSProxy
::Message
->fail(), "SSLv2 in SSLv2 ClientHello test");
177 #Test 7: Sanity check ClientHello fragmentation. This isn't really an SSLv2 test
178 # at all, but it gives us confidence that Test 8 fails for the right
180 $sslv2testtype = FRAGMENTED_IN_TLSV1_2
;
182 $proxy->serverflags("-tls1_2");
183 $proxy->clientflags("-no_tls1_3");
184 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
186 ok
(TLSProxy
::Message
->success(), "Fragmented ClientHello in TLSv1.2 test");
188 #Test 8: Fragment a TLSv1.2 ClientHello across a TLS1.2 record; an SSLv2
189 # record; and another TLS1.2 record. This isn't allowed so should fail
190 $sslv2testtype = FRAGMENTED_IN_SSLV2
;
192 $proxy->serverflags("-tls1_2");
193 $proxy->clientflags("-no_tls1_3");
194 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
196 ok
(TLSProxy
::Message
->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
198 #Test 9: Send a TLS warning alert before an SSLv2 ClientHello. This should
199 # fail because an SSLv2 ClientHello must be the first record.
200 $sslv2testtype = ALERT_BEFORE_SSLV2
;
202 $proxy->serverflags("-tls1_2");
203 $proxy->clientflags("-no_tls1_3");
204 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
206 ok
(TLSProxy
::Message
->fail(), "Alert before SSLv2 ClientHello test");
208 #Unrecognised record type tests
210 #Test 10: Sending an unrecognised record type in TLS1.2 should fail
213 if ($run_test_as_dtls == 1) {
214 $proxy->serverflags("-min_protocol DTLSv1.2 -max_protocol DTLSv1.2");
215 $proxy->clientflags("-max_protocol DTLSv1.2");
217 $proxy->serverflags("-tls1_2");
218 $proxy->clientflags("-no_tls1_3");
220 $proxy->filter(\
&add_unknown_record_type
);
221 $proxy_start_success = $proxy->start();
223 if ($run_test_as_dtls == 1) {
224 ok
($proxy_start_success == 0, "Unrecognised record type in DTLS1.2");
226 ok
($fatal_alert, "Unrecognised record type in TLS1.2");
230 skip
"TLSv1.1 or DTLSv1 disabled", 1 if ($run_test_as_dtls == 0 && disabled
("tls1_1"))
231 || ($run_test_as_dtls == 1 && disabled
("dtls1"));
233 #Test 11: Sending an unrecognised record type in TLS1.1 should fail
236 if ($run_test_as_dtls == 1) {
237 $proxy->clientflags("-min_protocol DTLSv1 -max_protocol DTLSv1 -cipher DEFAULT:\@SECLEVEL=0");
239 $proxy->clientflags("-tls1_1 -cipher DEFAULT:\@SECLEVEL=0");
241 $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
242 $proxy_start_success = $proxy->start();
243 if ($run_test_as_dtls == 1) {
244 ok
($proxy_start_success == 0, "Unrecognised record type in DTLSv1");
246 ok
($fatal_alert, "Unrecognised record type in TLSv1.1");
251 skip
"Record tests not intended for dtls", 10 if $run_test_as_dtls == 1;
252 #Test 12: Sending a different record version in TLS1.2 should fail
255 $proxy->clientflags("-tls1_2");
256 $proxy->filter(\
&change_version
);
258 ok
($fatal_alert, "Changed record version in TLS1.2");
260 #TLS1.3 specific tests
262 skip
"TLSv1.3 disabled", 9
263 if disabled
("tls1_3") || (disabled
("ec") && disabled
("dh"));
265 #Test 13: Sending a different record version in TLS1.3 should fail
267 $proxy->filter(\
&change_version
);
269 ok
(TLSProxy
::Message
->fail(), "Changed record version in TLS1.3");
271 #Test 14: Sending an unrecognised record type in TLS1.3 should fail
274 $proxy->filter(\
&add_unknown_record_type
);
276 ok
($fatal_alert, "Unrecognised record type in TLS1.3");
278 #Test 15: Sending an outer record type other than app data once encrypted
282 $proxy->filter(\
&change_outer_record_type
);
284 ok
($fatal_alert, "Wrong outer record type in TLS1.3");
287 DATA_AFTER_SERVER_HELLO
=> 0,
288 DATA_AFTER_FINISHED
=> 1,
289 DATA_AFTER_KEY_UPDATE
=> 2,
290 DATA_BETWEEN_KEY_UPDATE
=> 3,
291 NO_DATA_BETWEEN_KEY_UPDATE
=> 4,
294 #Test 16: Sending a ServerHello which doesn't end on a record boundary
298 $boundary_test_type = DATA_AFTER_SERVER_HELLO
;
299 $proxy->filter(\
¬_on_record_boundary
);
301 ok
($fatal_alert, "Record not on boundary in TLS1.3 (ServerHello)");
303 #Test 17: Sending a Finished which doesn't end on a record boundary
307 $boundary_test_type = DATA_AFTER_FINISHED
;
309 ok
($fatal_alert, "Record not on boundary in TLS1.3 (Finished)");
311 #Test 18: Sending a KeyUpdate which doesn't end on a record boundary
315 $boundary_test_type = DATA_AFTER_KEY_UPDATE
;
317 ok
($fatal_alert, "Record not on boundary in TLS1.3 (KeyUpdate)");
319 #Test 19: Sending application data in the middle of a fragmented KeyUpdate
320 # should fail. Strictly speaking this is not a record boundary test
321 # but we use the same filter.
324 $boundary_test_type = DATA_BETWEEN_KEY_UPDATE
;
326 ok
($fatal_alert, "Data between KeyUpdate");
328 #Test 20: Fragmented KeyUpdate. This should succeed. Strictly speaking this
329 # is not a record boundary test but we use the same filter.
331 $boundary_test_type = NO_DATA_BETWEEN_KEY_UPDATE
;
333 ok
(TLSProxy
::Message
->success(), "No data between KeyUpdate");
336 skip
"EC disabled", 1 if disabled
("ec");
338 #Test 21: Force an HRR and change the "real" ServerHello to have a protocol
339 # record version of 0x0301 (TLSv1.0). At this point we have already
340 # decided that we are doing TLSv1.3 but are still using plaintext
341 # records. The server should be sending a record version of 0x303
342 # (TLSv1.2), but the RFC requires us to ignore this field so we
343 # should tolerate the incorrect version.
345 $proxy->filter(\
&change_server_hello_version
);
346 $proxy->serverflags("-groups P-256"); # Force an HRR
348 ok
(TLSProxy
::Message
->success(), "Bad ServerHello record version after HRR");
355 sub add_empty_recs_filter
358 my $records = $proxy->record_list;
359 my $isdtls = $proxy->isdtls();
361 # We're only interested in the initial ClientHello
362 if ($proxy->flight != 0) {
363 $fatal_alert = 1 if @
{$records}[-1]->is_fatal_alert(1) == TLSProxy
::Message
::AL_DESC_UNEXPECTED_MESSAGE
;
367 for (my $i = 0; $i < $inject_recs_num; $i++) {
370 $record = TLSProxy
::Record
->new_dtls(
373 TLSProxy
::Record
::VERS_DTLS_1_2
,
384 $record = TLSProxy
::Record
->new(
387 TLSProxy
::Record
::VERS_TLS_1_2
,
396 push @
{$records}, $record;
400 sub add_frag_alert_filter
403 my $records = $proxy->record_list;
406 # We're only interested in the initial ClientHello
407 if ($proxy->flight != 0) {
408 $fatal_alert = 1 if @
{$records}[-1]->is_fatal_alert(1) == TLSProxy
::Message
::AL_DESC_UNEXPECTED_MESSAGE
;
412 # Add a zero length fragment first
413 #my $record = TLSProxy::Record->new(
415 # TLSProxy::Record::RT_ALERT,
416 # TLSProxy::Record::VERS_TLS_1_2,
423 #push @{$proxy->record_list}, $record;
425 # Now add the alert level (Fatal) as a separate record
426 $byte = pack('C', TLSProxy
::Message
::AL_LEVEL_FATAL
);
427 my $record = TLSProxy
::Record
->new(
429 TLSProxy
::Record
::RT_ALERT
,
430 TLSProxy
::Record
::VERS_TLS_1_2
,
438 push @
{$records}, $record;
440 # And finally the description (Unexpected message) in a third record
441 $byte = pack('C', TLSProxy
::Message
::AL_DESC_UNEXPECTED_MESSAGE
);
442 $record = TLSProxy
::Record
->new(
444 TLSProxy
::Record
::RT_ALERT
,
445 TLSProxy
::Record
::VERS_TLS_1_2
,
453 push @
{$records}, $record;
462 # We're only interested in the initial ClientHello
463 if ($proxy->flight != 0) {
467 # Ditch the real ClientHello - we're going to replace it with our own
468 shift @
{$proxy->record_list};
470 if ($sslv2testtype == ALERT_BEFORE_SSLV2
) {
471 my $alert = pack('CC', TLSProxy
::Message
::AL_LEVEL_FATAL
,
472 TLSProxy
::Message
::AL_DESC_NO_RENEGOTIATION
);
473 my $alertlen = length $alert;
474 $record = TLSProxy
::Record
->new(
476 TLSProxy
::Record
::RT_ALERT
,
477 TLSProxy
::Record
::VERS_TLS_1_2
,
486 push @
{$proxy->record_list}, $record;
489 if ($sslv2testtype == ALERT_BEFORE_SSLV2
490 || $sslv2testtype == TLSV1_2_IN_SSLV2
491 || $sslv2testtype == SSLV2_IN_SSLV2
) {
492 # This is an SSLv2 format ClientHello
497 0x00, 0x03, # Ciphersuites len
498 0x00, 0x00, # Session id len
499 0x00, 0x20, # Challenge len
500 0x00, 0x00, 0x2f, #AES128-SHA
501 0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
502 0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
503 0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6; # Challenge
505 if ($sslv2testtype == SSLV2_IN_SSLV2
) {
506 # Set the version to "real" SSLv2
507 vec($clienthello, 1, 8) = 0x00;
508 vec($clienthello, 2, 8) = 0x02;
511 my $chlen = length $clienthello;
513 $record = TLSProxy
::Record
->new(
515 TLSProxy
::Record
::RT_HANDSHAKE
,
516 TLSProxy
::Record
::VERS_TLS_1_2
,
525 push @
{$proxy->record_list}, $record;
527 # For this test we're using a real TLS ClientHello
531 0x00, 0x00, 0x2D, # Message length
532 0x03, 0x03, # TLSv1.2
533 0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
534 0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
535 0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6, # Random
536 0x00, # Session id len
537 0x00, 0x04, # Ciphersuites len
538 0x00, 0x2f, # AES128-SHA
539 0x00, 0xff, # Empty reneg info SCSV
540 0x01, # Compression methods len
541 0x00, # Null compression
542 0x00, 0x00; # Extensions len
544 # Split this into 3: A TLS record; a SSLv2 record and a TLS record.
545 # We deliberately split the second record prior to the Challenge/Random
546 # and set the first byte of the random to 1. This makes the second SSLv2
547 # record look like an SSLv2 ClientHello
548 my $frag1 = substr $clienthello, 0, 6;
549 my $frag2 = substr $clienthello, 6, 32;
550 my $frag3 = substr $clienthello, 38;
552 my $fraglen = length $frag1;
553 $record = TLSProxy
::Record
->new(
555 TLSProxy
::Record
::RT_HANDSHAKE
,
556 TLSProxy
::Record
::VERS_TLS_1_2
,
564 push @
{$proxy->record_list}, $record;
566 $fraglen = length $frag2;
568 if ($sslv2testtype == FRAGMENTED_IN_SSLV2
) {
573 $record = TLSProxy
::Record
->new(
575 TLSProxy
::Record
::RT_HANDSHAKE
,
576 TLSProxy
::Record
::VERS_TLS_1_2
,
584 push @
{$proxy->record_list}, $record;
586 $fraglen = length $frag3;
587 $record = TLSProxy
::Record
->new(
589 TLSProxy
::Record
::RT_HANDSHAKE
,
590 TLSProxy
::Record
::VERS_TLS_1_2
,
598 push @
{$proxy->record_list}, $record;
603 sub add_unknown_record_type
606 my $records = $proxy->record_list;
607 my $isdtls = $proxy->isdtls;
610 # We'll change a record after the initial version neg has taken place
611 if ($proxy->flight == 0) {
614 } elsif ($proxy->flight != 1 || $added_record) {
615 $fatal_alert = 1 if @
{$records}[-1]->is_fatal_alert(0) == TLSProxy
::Message
::AL_DESC_UNEXPECTED_MESSAGE
;
622 $record = TLSProxy
::Record
->new_dtls(
624 TLSProxy
::Record
::RT_UNKNOWN
,
625 @
{$records}[-1]->version(),
626 @
{$records}[-1]->epoch(),
627 @
{$records}[-1]->seq() +1,
636 $record = TLSProxy
::Record
->new(
638 TLSProxy
::Record
::RT_UNKNOWN
,
639 @
{$records}[-1]->version(),
649 #Find ServerHello record and insert after that
651 for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) {
656 splice @
{$proxy->record_list}, $i, 0, $record;
663 my $records = $proxy->record_list;
665 # We'll change a version after the initial version neg has taken place
666 if ($proxy->flight != 1) {
667 $fatal_alert = 1 if @
{$records}[-1]->is_fatal_alert(0) == TLSProxy
::Message
::AL_DESC_PROTOCOL_VERSION
;
671 if ($#{$records} > 1) {
672 # ... typically in ServerHelloDone
673 @
{$records}[-1]->version(TLSProxy
::Record
::VERS_TLS_1_1
);
677 sub change_server_hello_version
680 my $records = $proxy->record_list;
682 # We're only interested in changing the ServerHello after an HRR
683 if ($proxy->flight != 3) {
687 # The ServerHello has index 5
694 @
{$records}[5]->version(TLSProxy
::Record
::VERS_TLS_1_0
);
697 sub change_outer_record_type
700 my $records = $proxy->record_list;
702 # We'll change a record after the initial version neg has taken place
703 if ($proxy->flight != 1) {
704 $fatal_alert = 1 if @
{$records}[-1]->is_fatal_alert(0) == TLSProxy
::Message
::AL_DESC_UNEXPECTED_MESSAGE
;
708 # Find CCS record and change record after that
710 foreach my $record (@
{$records}) {
711 last if $record->content_type == TLSProxy
::Record
::RT_CCS
;
714 if (defined(${$records}[++$i])) {
715 ${$records}[$i]->outer_content_type(TLSProxy
::Record
::RT_HANDSHAKE
);
719 sub not_on_record_boundary
722 my $records = $proxy->record_list;
725 #Find server's first flight
726 if ($proxy->flight != 1) {
727 $fatal_alert = 1 if @
{$records}[-1]->is_fatal_alert(0) == TLSProxy
::Message
::AL_DESC_UNEXPECTED_MESSAGE
;
731 if ($boundary_test_type == DATA_AFTER_SERVER_HELLO
) {
732 #Merge the ServerHello and EncryptedExtensions records into one
734 foreach my $record (@
{$records}) {
735 if ($record->content_type == TLSProxy
::Record
::RT_HANDSHAKE
) {
736 $record->{sent
} = 1; # pretend it's sent already
742 if (defined(${$records}[$i+1])) {
743 $data = ${$records}[$i]->data();
744 $data .= ${$records}[$i+1]->decrypt_data();
745 ${$records}[$i+1]->data($data);
746 ${$records}[$i+1]->len(length $data);
748 #Delete the old ServerHello record
749 splice @
{$records}, $i, 1;
751 } elsif ($boundary_test_type == DATA_AFTER_FINISHED
) {
752 return if @
{$proxy->{message_list
}}[-1]->{mt
}
753 != TLSProxy
::Message
::MT_FINISHED
;
755 my $last_record = @
{$records}[-1];
756 $data = $last_record->decrypt_data;
758 #Add a KeyUpdate message onto the end of the Finished record
759 my $keyupdate = pack "C5",
761 0x00, 0x00, 0x01, # Message length
762 0x00; # Update not requested
766 #Add content type and tag
767 $data .= pack("C", TLSProxy
::Record
::RT_HANDSHAKE
).("\0"x16
);
770 $last_record->data($data);
771 $last_record->len(length $data);
772 } elsif ($boundary_test_type == DATA_AFTER_KEY_UPDATE
) {
773 return if @
{$proxy->{message_list
}}[-1]->{mt
}
774 != TLSProxy
::Message
::MT_FINISHED
;
776 #KeyUpdates must end on a record boundary
778 my $record = TLSProxy
::Record
->new(
780 TLSProxy
::Record
::RT_APPLICATION_DATA
,
781 TLSProxy
::Record
::VERS_TLS_1_2
,
790 #Add two KeyUpdate messages into a single record
791 my $keyupdate = pack "C5",
793 0x00, 0x00, 0x01, # Message length
794 0x00; # Update not requested
796 $data = $keyupdate.$keyupdate;
798 #Add content type and tag
799 $data .= pack("C", TLSProxy
::Record
::RT_HANDSHAKE
).("\0"x16
);
801 $record->data($data);
802 $record->len(length $data);
803 push @
{$records}, $record;
805 return if @
{$proxy->{message_list
}}[-1]->{mt
}
806 != TLSProxy
::Message
::MT_FINISHED
;
808 my $record = TLSProxy
::Record
->new(
810 TLSProxy
::Record
::RT_APPLICATION_DATA
,
811 TLSProxy
::Record
::VERS_TLS_1_2
,
820 #Add a partial KeyUpdate message into the record
822 0x18; # KeyUpdate message type. Omit the rest of the message header
824 #Add content type and tag
825 $data .= pack("C", TLSProxy
::Record
::RT_HANDSHAKE
).("\0"x16
);
827 $record->data($data);
828 $record->len(length $data);
829 push @
{$records}, $record;
831 if ($boundary_test_type == DATA_BETWEEN_KEY_UPDATE
) {
832 #Now add an app data record
833 $record = TLSProxy
::Record
->new(
835 TLSProxy
::Record
::RT_APPLICATION_DATA
,
836 TLSProxy
::Record
::VERS_TLS_1_2
,
845 #Add an empty app data record (just content type and tag)
846 $data = pack("C", TLSProxy
::Record
::RT_APPLICATION_DATA
).("\0"x16
);
848 $record->data($data);
849 $record->len(length $data);
850 push @
{$records}, $record;
853 #Now add the rest of the KeyUpdate message
854 $record = TLSProxy
::Record
->new(
856 TLSProxy
::Record
::RT_APPLICATION_DATA
,
857 TLSProxy
::Record
::VERS_TLS_1_2
,
866 #Add the last 4 bytes of the KeyUpdate record
868 0x00, 0x00, 0x01, # Message length
869 0x00; # Update not requested
871 #Add content type and tag
872 $data .= pack("C", TLSProxy
::Record
::RT_HANDSHAKE
).("\0"x16
);
874 $record->data($data);
875 $record->len(length $data);
876 push @
{$records}, $record;