From bc349281880c3f1da784cbc76b28f34d8ab10601 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 30 Nov 2016 12:54:01 +0000 Subject: [PATCH 1/1] Add a renegotiation test Make sure we did not break the unsafe legacy reneg checks with the extension work. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: Rich Salz Reviewed-by: Richard Levitte --- test/recipes/70-test_renegotiation.t | 70 ++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100755 test/recipes/70-test_renegotiation.t diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t new file mode 100755 index 0000000000..9bd90267fe --- /dev/null +++ b/test/recipes/70-test_renegotiation.t @@ -0,0 +1,70 @@ +#! /usr/bin/env perl +# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; + +my $test_name = "test_renegotiation"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS|MSWin32)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs TLS <= 1.2 enabled" + if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2")); + +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; +my $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +#Test 1: A basic renegotiation test +$proxy->clientflags("-no_tls1_3"); +$proxy->reneg(1); +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 2; +ok(TLSProxy::Message->success(), "Basic renegotiation"); + +#Test 2: Client does not send the Reneg SCSV. Reneg should fail +$proxy->clear(); +$proxy->filter(\&reneg_filter); +$proxy->clientflags("-no_tls1_3"); +$proxy->reneg(1); +$proxy->start(); +ok(TLSProxy::Message->fail(), "No client SCSV"); + +sub reneg_filter +{ + my $proxy = shift; + + # We're only interested in the initial ClientHello message + if ($proxy->flight != 0) { + return; + } + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + #Remove any SCSV ciphersuites - just leave AES128-SHA (0x002f) + my @ciphersuite = (0x002f); + $message->ciphersuites(\@ciphersuite); + $message->ciphersuite_len(2); + $message->repack(); + } + } +} -- 2.34.1