2 # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
11 use OpenSSL::Test::Utils;
14 my $test_name = "test_sslextension";
17 plan skip_all => "TLSProxy isn't usable on $^O"
20 plan skip_all => "$test_name needs the dynamic engine feature enabled"
21 if disabled("engine") || disabled("dynamic-engine");
23 plan skip_all => "$test_name needs the sock feature enabled"
26 plan skip_all => "$test_name needs TLS enabled"
27 if alldisabled(available_protocols("tls"));
29 my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2"))
30 || (!disabled("tls1_3") && disabled("tls1_2"));
33 UNSOLICITED_SERVER_NAME => 0,
34 UNSOLICITED_SERVER_NAME_TLS13 => 1,
36 NONCOMPLIANT_SUPPORTED_GROUPS => 3
41 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
42 my $proxy = TLSProxy::Proxy->new(
43 \&inject_duplicate_extension_clienthello,
44 cmdstr(app(["openssl"]), display => 1),
45 srctop_file("apps", "server.pem"),
46 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
54 if ($proxy->flight == 1) {
55 # Change the ServerRandom so that the downgrade sentinel doesn't cause
56 # the connection to fail
57 my $message = ${$proxy->message_list}[1];
58 $message->random("\0"x32);
63 # We're only interested in the initial ClientHello
64 if ($proxy->flight != 0) {
68 foreach my $message (@{$proxy->message_list}) {
69 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
70 # Remove all extensions and set the extension len to zero
71 $message->extension_data({});
72 $message->extensions_len(0);
73 # Extensions have been removed so make sure we don't try to use them
74 $message->process_extensions();
81 sub inject_duplicate_extension
83 my ($proxy, $message_type) = @_;
85 foreach my $message (@{$proxy->message_list}) {
86 if ($message->mt == $message_type) {
87 my %extensions = %{$message->extension_data};
88 # Add a duplicate (unknown) extension.
89 $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
90 $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
96 sub inject_duplicate_extension_clienthello
100 # We're only interested in the initial ClientHello
101 if ($proxy->flight != 0) {
105 inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO);
108 sub inject_duplicate_extension_serverhello
112 # We're only interested in the initial ServerHello
113 if ($proxy->flight != 1) {
117 inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO);
120 sub inject_unsolicited_extension
125 # We're only interested in the initial ServerHello/EncryptedExtensions
126 if ($proxy->flight != 1) {
130 if ($testtype == UNSOLICITED_SERVER_NAME_TLS13) {
131 $message = ${$proxy->message_list}[2];
132 die "Expecting EE message ".($message->mt).", ".${$proxy->message_list}[1]->mt.", ".${$proxy->message_list}[3]->mt if $message->mt != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS;
134 $message = ${$proxy->message_list}[1];
138 0x00, 0x00; #Extension length
141 if ($testtype == UNSOLICITED_SERVER_NAME
142 || $testtype == UNSOLICITED_SERVER_NAME_TLS13) {
143 $type = TLSProxy::Message::EXT_SERVER_NAME;
144 } elsif ($testtype == UNSOLICITED_SCT) {
145 $type = TLSProxy::Message::EXT_SCT;
146 } elsif ($testtype == NONCOMPLIANT_SUPPORTED_GROUPS) {
147 $type = TLSProxy::Message::EXT_SUPPORTED_GROUPS;
149 $message->set_extension($type, $ext);
153 # Test 1-2: Sending a duplicate extension should fail.
154 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
156 ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");
159 $proxy->filter(\&inject_duplicate_extension_serverhello);
161 ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");
164 skip "TLS <= 1.2 disabled", 3 if $no_below_tls13;
166 #Test 3: Sending a zero length extension block should pass
168 $proxy->filter(\&extension_filter);
170 ok(TLSProxy::Message->success, "Zero extension length test");
172 #Test 4: Inject an unsolicited extension (<= TLSv1.2)
174 $proxy->filter(\&inject_unsolicited_extension);
175 $testtype = UNSOLICITED_SERVER_NAME;
176 $proxy->clientflags("-no_tls1_3 -noservername");
178 ok(TLSProxy::Message->fail(), "Unsolicited server name extension");
180 #Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2)
182 $proxy->filter(\&inject_unsolicited_extension);
183 $testtype = NONCOMPLIANT_SUPPORTED_GROUPS;
184 $proxy->clientflags("-no_tls1_3");
186 ok(TLSProxy::Message->success(), "Noncompliant supported_groups extension");
190 skip "TLS <= 1.2 or CT disabled", 1
191 if $no_below_tls13 || disabled("ct");
192 #Test 6: Same as above for the SCT extension which has special handling
194 $testtype = UNSOLICITED_SCT;
195 $proxy->clientflags("-no_tls1_3");
197 ok(TLSProxy::Message->fail(), "Unsolicited sct extension");
201 skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
202 #Test 7: Inject an unsolicited extension (TLSv1.3)
204 $proxy->filter(\&inject_unsolicited_extension);
205 $testtype = UNSOLICITED_SERVER_NAME_TLS13;
206 $proxy->clientflags("-noservername");
208 ok(TLSProxy::Message->fail(), "Unsolicited server name extension (TLSv1.3)");