X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Frecipes%2F70-test_sslvertol.t;h=24c3446a3e6bca87b9085f457eac6ef5ed1cab88;hp=f89bc87c266fafcbf347e76b5614ef87fac03f6d;hb=c5856878f709edb00759d56a55ccddb2ecd67d87;hpb=2dd400bd435b3be3240b6d509a9a6737a642c37c diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t old mode 100755 new mode 100644 index f89bc87c26..24c3446a3e --- a/test/recipes/70-test_sslvertol.t +++ b/test/recipes/70-test_sslvertol.t @@ -1,56 +1,10 @@ -#!/usr/bin/perl -# Written by Matt Caswell for the OpenSSL project. -# ==================================================================== -# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. # -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in -# the documentation and/or other materials provided with the -# distribution. -# -# 3. All advertising materials mentioning features or use of this -# software must display the following acknowledgment: -# "This product includes software developed by the OpenSSL Project -# for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -# -# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -# endorse or promote products derived from this software without -# prior written permission. For written permission, please contact -# openssl-core@openssl.org. -# -# 5. Products derived from this software may not be called "OpenSSL" -# nor may "OpenSSL" appear in their names without prior written -# permission of the OpenSSL Project. -# -# 6. Redistributions of any form whatsoever must retain the following -# acknowledgment: -# "This product includes software developed by the OpenSSL Project -# for use in the OpenSSL Toolkit (http://www.openssl.org/)" -# -# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -# OF THE POSSIBILITY OF SUCH DAMAGE. -# ==================================================================== -# -# This product includes cryptographic software written by Eric Young -# (eay@cryptsoft.com). This product includes software written by Tim -# Hudson (tjh@cryptsoft.com). +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html use strict; use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; @@ -61,31 +15,94 @@ my $test_name = "test_sslextension"; setup($test_name); plan skip_all => "TLSProxy isn't usable on $^O" - if $^O =~ /^VMS$/; + if $^O =~ /^(VMS)$/; plan skip_all => "$test_name needs the dynamic engine feature enabled" - if disabled("engine") || disabled("dynamic_engines"); + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs TLS enabled" + if alldisabled(available_protocols("tls")); -$ENV{OPENSSL_ENGINES} = bldtop_dir("engines"); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&vers_tolerance_filter, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); -plan tests => 2; +my @available_tls_versions = (); +foreach (available_protocols("tls")) { + unless (disabled($_)) { + note("Checking enabled protocol $_"); + m|^([a-z]+)(\d)(_\d)?|; + my $versionname; + if (defined $3) { + $versionname = 'TLSProxy::Record::VERS_'.uc($1).'_'.$2.$3; + note("'$1', '$2', '$3' => $versionname"); + } else { + $versionname = 'TLSProxy::Record::VERS_'.uc($1).'_'.$2.'_0'; + note("'$1', '$2' => $versionname"); + } + push @available_tls_versions, eval $versionname; + } +} +note("TLS versions we can expect: ", join(", ", @available_tls_versions)); + +#This file does tests without the supported_versions extension. +#See 70-test_sslversions.t for tests with supported versions. -#Test 1: Asking for TLS1.3 should pass -my $client_version = TLSProxy::Record::VERS_TLS_1_3; -$proxy->start(); -ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.3"); +#Test 1: Asking for TLS1.4 should pass and negotiate the maximum +#available TLS version according to configuration below TLS1.3 +my $client_version = TLSProxy::Record::VERS_TLS_1_4; +my $previous_version = tls_version_below(TLSProxy::Record::VERS_TLS_1_3); +$proxy->clientflags("-no_tls1_3"); +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 3; +SKIP: { + skip "There are too few protocols enabled for test 1", 1 + unless defined $previous_version; + + my $record = pop @{$proxy->record_list}; + ok((note("Record version received: ".$record->version()), + TLSProxy::Message->success()) + && $record->version() == $previous_version, + "Version tolerance test, below TLS 1.4 and not TLS 1.3"); +} + +#Test 2: Asking for TLS1.3 with that disabled should succeed and negotiate +#the highest configured TLS version below that. +$client_version = TLSProxy::Record::VERS_TLS_1_3; +$previous_version = tls_version_below($client_version); +SKIP: { + skip "There are too few protocols enabled for test 2", 1 + unless defined $previous_version; + + $proxy->clear(); + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + my $record = pop @{$proxy->record_list}; + ok((note("Record version received: ".$record->version()), + TLSProxy::Message->success()) + && $record->version() == $previous_version, + "Version tolerance test, max version but not TLS 1.3"); +} -#Test 2: Testing something below SSLv3 should fail +#Test 3: Testing something below SSLv3 should fail. We must disable TLS 1.3 +#to avoid having the 'supported_versions' extension kick in and override our +#desires. $client_version = TLSProxy::Record::VERS_SSL_3_0 - 1; -$proxy->restart(); -ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0"); +$proxy->clear(); +$proxy->clientflags("-no_tls1_3"); +$proxy->start(); +my $record = pop @{$proxy->record_list}; +ok((note("Record version received: ". + (defined $record ? $record->version() : "none")), + TLSProxy::Message->fail()), + "Version tolerance test, SSL < 3.0"); sub vers_tolerance_filter { @@ -99,10 +116,23 @@ sub vers_tolerance_filter foreach my $message (@{$proxy->message_list}) { if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { #Set the client version - #Anything above the max supported version (TLS1.2) should succeed + #Anything above the max supported version should succeed #Anything below SSLv3 should fail $message->client_version($client_version); $message->repack(); } } } + +sub tls_version_below { + if (@_) { + my $term = shift; + my $res = undef; + + foreach (@available_tls_versions) { + $res = $_ if $_ < $term; + } + return $res; + } + return $available_tls_versions[-1]; +}