Fix TLSProxy end of test detection

Previously TLSProxy would detect a successful handshake once it saw the
server Finished message. This causes problems with abbreviated handshakes,
or if the client fails to process a message from the last server flight.

This change additionally sends some application data and finishes when the
client sends a CloseNotify.

Reviewed-by: Tim Hudson <tjh@openssl.org>

diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 028322b613b62c794b97f46ad8057fbde01a20f5..6376219d151b91626830e68f225ca4d5689ce8b2 100644 (file)
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -73,6 +73,18 @@ use constant {
     MT_CERTIFICATE_STATUS => 22,
     MT_NEXT_PROTO => 67
 };
+
+#Alert levels
+use constant {
+    AL_LEVEL_WARN => 1,
+    AL_LEVEL_FATAL => 2
+};
+
+#Alert descriptions
+use constant {
+    AL_DESC_CLOSE_NOTIFY => 0
+};
+
 my %message_type = (
     MT_HELLO_REQUEST, "HelloRequest",
     MT_CLIENT_HELLO, "ClientHello",
@@ -164,11 +176,6 @@ sub get_messages
                                               $startoffset);
                     push @messages, $message;
 
-                    #Check if we have finished the handshake
-                    if ($mt == MT_FINISHED && $server) {
-                        $success = 1;
-                        $end = 1;
-                    }
                     $payload = "";
                 } else {
                     #This is just part of the total message
@@ -210,11 +217,6 @@ sub get_messages
                                                   $startoffset);
                         push @messages, $message;
 
-                        #Check if we have finished the handshake
-                        if ($mt == MT_FINISHED && $server) {
-                            $success = 1;
-                            $end = 1;
-                        }
                         $payload = "";
                     } else {
                         #This is just part of the total message
@@ -230,8 +232,15 @@ sub get_messages
         print "  [ENCRYPTED APPLICATION DATA]\n";
         print "  [".$record->decrypt_data."]\n";
     } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
-        #For now assume all alerts are fatal
+        my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data);
+        #All alerts end the test
         $end = 1;
+        #A CloseNotify from the client indicates we have finished successfully
+        #(we assume)
+        if (!$server && $alertlev == AL_LEVEL_WARN
+            && $alertdesc == AL_DESC_CLOSE_NOTIFY) {
+            $success = 1;
+        }
     }
 
     return @messages;

diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 571ab10e83e89b747dca032b00f64cc292b76b47..af6c8ddaaf545d3d1414173e49b39e980f5b499c 100644 (file)
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -130,7 +130,7 @@ sub start
         open(STDOUT, ">", File::Spec->devnull())
             or die "Failed to redirect stdout";
         open(STDERR, ">&STDOUT");
-        my $execcmd = $self->execute." s_server -engine ossltest -accept "
+        my $execcmd = $self->execute." s_server -rev -engine ossltest -accept "
             .($self->server_port)
             ." -cert ".$self->cert." -naccept 1";
         if ($self->ciphers ne "") {
@@ -167,7 +167,7 @@ sub start
             open(STDOUT, ">", File::Spec->devnull())
                 or die "Failed to redirect stdout";
             open(STDERR, ">&STDOUT");
-            my $execcmd = $self->execute
+            my $execcmd = "echo test | ".$self->execute
                  ." s_client -engine ossltest -connect "
                  .($self->proxy_addr).":".($self->proxy_port);
             if ($self->cipherc ne "") {