$proxy->serverflags("-tls1_2");
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 20;
+plan tests => 21;
ok($fatal_alert, "Out of context empty records test");
#Test 2: Injecting in context empty records should succeed
#TLS1.3 specific tests
SKIP: {
- skip "TLSv1.3 disabled", 8
+ skip "TLSv1.3 disabled", 9
if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 13: Sending a different record version in TLS1.3 should fail
$boundary_test_type = NO_DATA_BETWEEN_KEY_UPDATE;
$proxy->start();
ok(TLSProxy::Message->success(), "No data between KeyUpdate");
+
+ SKIP: {
+ skip "EC disabled", 1 if disabled("ec");
+
+ #Test 21: Force an HRR and change the "real" ServerHello to have a protocol
+ # record version of 0x0301 (TLSv1.0). At this point we have already
+ # decided that we are doing TLSv1.3 but are still using plaintext
+ # records. The server should be sending a record version of 0x303
+ # (TLSv1.2), but the RFC requires us to ignore this field so we
+ # should tolerate the incorrect version.
+ $proxy->clear();
+ $proxy->filter(\&change_server_hello_version);
+ $proxy->serverflags("-groups P-256"); # Force an HRR
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Bad ServerHello record version after HRR");
+ }
}
}
}
+sub change_server_hello_version
+{
+ my $proxy = shift;
+ my $records = $proxy->record_list;
+
+ # We're only interested in changing the ServerHello after an HRR
+ if ($proxy->flight != 3) {
+ return;
+ }
+
+ # The ServerHello has index 5
+ # 0 - ClientHello
+ # 1 - HRR
+ # 2 - CCS
+ # 3 - ClientHello(2)
+ # 4 - CCS
+ # 5 - ServerHello
+ @{$records}[5]->version(TLSProxy::Record::VERS_TLS_1_0);
+}
+
sub change_outer_record_type
{
my $proxy = shift;
projects / openssl.git / commitdiff