X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Frecipes%2F70-test_sslextension.t;h=20e1933f0054162277d18f367a6dd68aeefba9f7;hp=7d45ce26a3c7b7e8f6ea3ef4ec618b88f6c9bc25;hb=dfd5fb09500d5800b37b3aec05884fc7409032d7;hpb=25c78440d21c814705e0e50c6e567300936aa02b diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t old mode 100755 new mode 100644 index 7d45ce26a3..20e1933f00 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -1,58 +1,14 @@ -#!/usr/bin/perl -# Written by Matt Caswell for the OpenSSL project. -# ==================================================================== -# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. +#! /usr/bin/env perl +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in -# the documentation and/or other materials provided with the -# distribution. -# -# 3. All advertising materials mentioning features or use of this -# software must display the following acknowledgment: -# "This product includes software developed by the OpenSSL Project -# for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -# -# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -# endorse or promote products derived from this software without -# prior written permission. For written permission, please contact -# openssl-core@openssl.org. -# -# 5. Products derived from this software may not be called "OpenSSL" -# nor may "OpenSSL" appear in their names without prior written -# permission of the OpenSSL Project. -# -# 6. Redistributions of any form whatsoever must retain the following -# acknowledgment: -# "This product includes software developed by the OpenSSL Project -# for use in the OpenSSL Toolkit (http://www.openssl.org/)" -# -# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -# OF THE POSSIBILITY OF SUCH DAMAGE. -# ==================================================================== -# -# This product includes cryptographic software written by Eric Young -# (eay@cryptsoft.com). This product includes software written by Tim -# Hudson (tjh@cryptsoft.com). +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html use strict; +use feature 'state'; + use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; use OpenSSL::Test::Utils; use TLSProxy::Proxy; @@ -61,7 +17,7 @@ my $test_name = "test_sslextension"; setup($test_name); plan skip_all => "TLSProxy isn't usable on $^O" - if $^O =~ /^(VMS|MSWin32)$/; + if $^O =~ /^(VMS)$/; plan skip_all => "$test_name needs the dynamic engine feature enabled" if disabled("engine") || disabled("dynamic-engine"); @@ -69,24 +25,44 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); +plan skip_all => "$test_name needs TLS enabled" + if alldisabled(available_protocols("tls")); + +my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2")) + || (!disabled("tls1_3") && disabled("tls1_2")); + +use constant { + UNSOLICITED_SERVER_NAME => 0, + UNSOLICITED_SERVER_NAME_TLS13 => 1, + UNSOLICITED_SCT => 2, + NONCOMPLIANT_SUPPORTED_GROUPS => 3 +}; + +my $testtype; +my $fatal_alert = 0; # set by filter on fatal alert + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( - \&extension_filter, + \&inject_duplicate_extension_clienthello, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); -plan tests => 3; - -# Test 1: Sending a zero length extension block should pass -$proxy->start(); -ok(TLSProxy::Message->success, "Zero extension length test"); sub extension_filter { my $proxy = shift; + if ($proxy->flight == 1) { + # Change the ServerRandom so that the downgrade sentinel doesn't cause + # the connection to fail + my $message = ${$proxy->message_list}[1]; + $message->random("\0"x32); + $message->repack(); + return; + } + # We're only interested in the initial ClientHello if ($proxy->flight != 0) { return; @@ -105,7 +81,6 @@ sub extension_filter } } -# Test 2-3: Sending a duplicate extension should fail. sub inject_duplicate_extension { my ($proxy, $message_type) = @_; @@ -126,11 +101,13 @@ sub inject_duplicate_extension_clienthello my $proxy = shift; # We're only interested in the initial ClientHello - if ($proxy->flight != 0) { + if ($proxy->flight == 0) { + inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO); return; } - inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO); + my $last_record = @{$proxy->{record_list}}[-1]; + $fatal_alert = 1 if $last_record->is_fatal_alert(1); } sub inject_duplicate_extension_serverhello @@ -138,20 +115,122 @@ sub inject_duplicate_extension_serverhello my $proxy = shift; # We're only interested in the initial ServerHello + if ($proxy->flight == 0) { + return; + } elsif ($proxy->flight == 1) { + inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO); + return; + } + + my $last_record = @{$proxy->{record_list}}[-1]; + $fatal_alert = 1 if $last_record->is_fatal_alert(0); +} + +sub inject_unsolicited_extension +{ + my $proxy = shift; + my $message; + state $sent_unsolisited_extension; + + if ($proxy->flight == 0) { + $sent_unsolisited_extension = 0; + return; + } + + # We're only interested in the initial ServerHello/EncryptedExtensions if ($proxy->flight != 1) { + if ($sent_unsolisited_extension) { + my $last_record = @{$proxy->record_list}[-1]; + $fatal_alert = 1 if $last_record->is_fatal_alert(0); + } return; } - inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO); + if ($testtype == UNSOLICITED_SERVER_NAME_TLS13) { + return if (!defined($message = ${$proxy->message_list}[2])); + die "Expecting EE message ".($message->mt)."," + .${$proxy->message_list}[1]->mt.", " + .${$proxy->message_list}[3]->mt + if $message->mt != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS; + } else { + $message = ${$proxy->message_list}[1]; + } + + my $ext = pack "C2", + 0x00, 0x00; #Extension length + + my $type; + if ($testtype == UNSOLICITED_SERVER_NAME + || $testtype == UNSOLICITED_SERVER_NAME_TLS13) { + $type = TLSProxy::Message::EXT_SERVER_NAME; + } elsif ($testtype == UNSOLICITED_SCT) { + $type = TLSProxy::Message::EXT_SCT; + } elsif ($testtype == NONCOMPLIANT_SUPPORTED_GROUPS) { + $type = TLSProxy::Message::EXT_SUPPORTED_GROUPS; + } + $message->set_extension($type, $ext); + $message->repack(); + $sent_unsolisited_extension = 1; } -$proxy->clear(); -$proxy->filter(\&inject_duplicate_extension_clienthello); -$proxy->start(); -ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension"); +# Test 1-2: Sending a duplicate extension should fail. +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 7; +ok($fatal_alert, "Duplicate ClientHello extension"); +$fatal_alert = 0; $proxy->clear(); $proxy->filter(\&inject_duplicate_extension_serverhello); $proxy->start(); -ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension"); +ok($fatal_alert, "Duplicate ServerHello extension"); + +SKIP: { + skip "TLS <= 1.2 disabled", 3 if $no_below_tls13; + + #Test 3: Sending a zero length extension block should pass + $proxy->clear(); + $proxy->filter(\&extension_filter); + $proxy->start(); + ok(TLSProxy::Message->success, "Zero extension length test"); + + #Test 4: Inject an unsolicited extension (<= TLSv1.2) + $fatal_alert = 0; + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = UNSOLICITED_SERVER_NAME; + $proxy->clientflags("-no_tls1_3 -noservername"); + $proxy->start(); + ok($fatal_alert, "Unsolicited server name extension"); + + #Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2) + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = NONCOMPLIANT_SUPPORTED_GROUPS; + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + ok(TLSProxy::Message->success(), "Noncompliant supported_groups extension"); +} +SKIP: { + skip "TLS <= 1.2 or CT disabled", 1 + if $no_below_tls13 || disabled("ct"); + #Test 6: Same as above for the SCT extension which has special handling + $fatal_alert = 0; + $proxy->clear(); + $testtype = UNSOLICITED_SCT; + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + ok($fatal_alert, "Unsolicited sct extension"); +} + +SKIP: { + skip "TLS 1.3 disabled", 1 if disabled("tls1_3"); + #Test 7: Inject an unsolicited extension (TLSv1.3) + $fatal_alert = 0; + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = UNSOLICITED_SERVER_NAME_TLS13; + $proxy->clientflags("-noservername"); + $proxy->start(); + ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)"); +}