+
+sub add_sslv2_filter
+{
+ my $proxy = shift;
+ my $clienthello;
+ my $record;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ # Ditch the real ClientHello - we're going to replace it with our own
+ shift @{$proxy->record_list};
+
+ if ($sslv2testtype == ALERT_BEFORE_SSLV2) {
+ my $alert = pack('CC', TLSProxy::Message::AL_LEVEL_FATAL,
+ TLSProxy::Message::AL_DESC_NO_RENEGOTIATION);
+ my $alertlen = length $alert;
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_ALERT,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $alertlen,
+ 0,
+ $alertlen,
+ $alertlen,
+ $alert,
+ $alert
+ );
+
+ push @{$proxy->record_list}, $record;
+ }
+
+ if ($sslv2testtype == ALERT_BEFORE_SSLV2
+ || $sslv2testtype == TLSV1_2_IN_SSLV2
+ || $sslv2testtype == SSLV2_IN_SSLV2) {
+ # This is an SSLv2 format ClientHello
+ $clienthello =
+ pack "C44",
+ 0x01, # ClientHello
+ 0x03, 0x03, #TLSv1.2
+ 0x00, 0x03, # Ciphersuites len
+ 0x00, 0x00, # Session id len
+ 0x00, 0x20, # Challenge len
+ 0x00, 0x00, 0x2f, #AES128-SHA
+ 0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
+ 0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
+ 0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6; # Challenge
+
+ if ($sslv2testtype == SSLV2_IN_SSLV2) {
+ # Set the version to "real" SSLv2
+ vec($clienthello, 1, 8) = 0x00;
+ vec($clienthello, 2, 8) = 0x02;
+ }
+
+ my $chlen = length $clienthello;
+
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $chlen,
+ 1, #SSLv2
+ $chlen,
+ $chlen,
+ $clienthello,
+ $clienthello
+ );
+
+ push @{$proxy->record_list}, $record;
+ } else {
+ # For this test we're using a real TLS ClientHello
+ $clienthello =
+ pack "C49",
+ 0x01, # ClientHello
+ 0x00, 0x00, 0x2D, # Message length
+ 0x03, 0x03, # TLSv1.2
+ 0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
+ 0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
+ 0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6, # Random
+ 0x00, # Session id len
+ 0x00, 0x04, # Ciphersuites len
+ 0x00, 0x2f, # AES128-SHA
+ 0x00, 0xff, # Empty reneg info SCSV
+ 0x01, # Compression methods len
+ 0x00, # Null compression
+ 0x00, 0x00; # Extensions len
+
+ # Split this into 3: A TLS record; a SSLv2 record and a TLS record.
+ # We deliberately split the second record prior to the Challenge/Random
+ # and set the first byte of the random to 1. This makes the second SSLv2
+ # record look like an SSLv2 ClientHello
+ my $frag1 = substr $clienthello, 0, 6;
+ my $frag2 = substr $clienthello, 6, 32;
+ my $frag3 = substr $clienthello, 38;
+
+ my $fraglen = length $frag1;
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $fraglen,
+ 0,
+ $fraglen,
+ $fraglen,
+ $frag1,
+ $frag1
+ );
+ push @{$proxy->record_list}, $record;
+
+ $fraglen = length $frag2;
+ my $recvers;
+ if ($sslv2testtype == FRAGMENTED_IN_SSLV2) {
+ $recvers = 1;
+ } else {
+ $recvers = 0;
+ }
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $fraglen,
+ $recvers,
+ $fraglen,
+ $fraglen,
+ $frag2,
+ $frag2
+ );
+ push @{$proxy->record_list}, $record;
+
+ $fraglen = length $frag3;
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $fraglen,
+ 0,
+ $fraglen,
+ $fraglen,
+ $frag3,
+ $frag3
+ );
+ push @{$proxy->record_list}, $record;
+ }
+
+}
+
+sub add_unknown_record_type
+{
+ my $proxy = shift;
+
+ # We'll change a record after the initial version neg has taken place
+ if ($proxy->flight != 1) {
+ return;
+ }
+
+ my $lastrec = ${$proxy->record_list}[-1];
+ my $record = TLSProxy::Record->new(
+ 1,
+ TLSProxy::Record::RT_UNKNOWN,
+ $lastrec->version(),
+ 1,
+ 0,
+ 1,
+ 1,
+ "X",
+ "X"
+ );
+
+ #Find ServerHello record and insert after that
+ my $i;
+ for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) {
+ next;
+ }
+ $i++;
+
+ splice @{$proxy->record_list}, $i, 0, $record;
+}
+
+sub change_version
+{
+ my $proxy = shift;
+
+ # We'll change a version after the initial version neg has taken place
+ if ($proxy->flight != 2) {
+ return;
+ }
+
+ (${$proxy->record_list}[-1])->version(TLSProxy::Record::VERS_TLS_1_1);
+}
+
+sub change_outer_record_type
+{
+ my $proxy = shift;
+
+ # We'll change a record after the initial version neg has taken place
+ if ($proxy->flight != 1) {
+ return;
+ }
+
+ #Find ServerHello record and change record after that
+ my $i;
+ for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) {
+ next;
+ }
+ #Skip CCS and ServerHello
+ $i += 2;
+ ${$proxy->record_list}[$i]->outer_content_type(TLSProxy::Record::RT_HANDSHAKE);
+}
+
+sub not_on_record_boundary
+{
+ my $proxy = shift;
+ my $data;
+
+ #Find server's first flight
+ if ($proxy->flight != 1) {
+ return;
+ }
+
+ if ($boundary_test_type == DATA_AFTER_SERVER_HELLO) {
+ #Merge the ServerHello and EncryptedExtensions records into one
+ my $i;
+ for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) {
+ next;
+ }
+ $data = ${$proxy->record_list}[$i]->data();
+ $data .= ${$proxy->record_list}[$i + 1]->decrypt_data();
+ ${$proxy->record_list}[$i]->data($data);
+ ${$proxy->record_list}[$i]->len(length $data);
+
+ #Delete the old EncryptedExtensions record
+ splice @{$proxy->record_list}, $i + 1, 1;
+ } elsif ($boundary_test_type == DATA_AFTER_FINISHED) {
+ $data = ${$proxy->record_list}[-1]->decrypt_data;
+
+ #Add a KeyUpdate message onto the end of the Finished record
+ my $keyupdate = pack "C5",
+ 0x18, # KeyUpdate
+ 0x00, 0x00, 0x01, # Message length
+ 0x00; # Update not requested
+
+ $data .= $keyupdate;
+
+ #Add content type and tag
+ $data .= pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16);
+
+ #Update the record
+ ${$proxy->record_list}[-1]->data($data);
+ ${$proxy->record_list}[-1]->len(length $data);
+ } else {
+ #KeyUpdates must end on a record boundary
+
+ my $record = TLSProxy::Record->new(
+ 1,
+ TLSProxy::Record::RT_APPLICATION_DATA,
+ TLSProxy::Record::VERS_TLS_1_0,
+ 0,
+ 0,
+ 0,
+ 0,
+ "",
+ ""
+ );
+
+ #Add two KeyUpdate messages into a single record
+ my $keyupdate = pack "C5",
+ 0x18, # KeyUpdate
+ 0x00, 0x00, 0x01, # Message length
+ 0x00; # Update not requested
+
+ $data = $keyupdate.$keyupdate;
+
+ #Add content type and tag
+ $data .= pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16);
+
+ $record->data($data);
+ $record->len(length $data);
+ push @{$proxy->record_list}, $record;
+ }
+}