X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=util%2FTLSProxy%2FMessage.pm;h=ce469c46d01dccb347dc2251743732a44c0a6c67;hp=1810d8c30ecde0bd9012431eb067124e2e170eca;hb=0adb6417403f4be801b8da28cb83efb60f79f66c;hpb=8523288e6d667f052bda092e01ab17986782fede diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm index 1810d8c30e..ce469c46d0 100644 --- a/util/TLSProxy/Message.pm +++ b/util/TLSProxy/Message.pm @@ -17,6 +17,8 @@ use constant { MT_CLIENT_HELLO => 1, MT_SERVER_HELLO => 2, MT_NEW_SESSION_TICKET => 4, + MT_HELLO_RETRY_REQUEST => 6, + MT_ENCRYPTED_EXTENSIONS => 8, MT_CERTIFICATE => 11, MT_SERVER_KEY_EXCHANGE => 12, MT_CERTIFICATE_REQUEST => 13, @@ -46,6 +48,8 @@ my %message_type = ( MT_CLIENT_HELLO, "ClientHello", MT_SERVER_HELLO, "ServerHello", MT_NEW_SESSION_TICKET, "NewSessionTicket", + MT_HELLO_RETRY_REQUEST, "HelloRetryRequest", + MT_ENCRYPTED_EXTENSIONS, "EncryptedExtensions", MT_CERTIFICATE, "Certificate", MT_SERVER_KEY_EXCHANGE, "ServerKeyExchange", MT_CERTIFICATE_REQUEST, "CertificateRequest", @@ -58,13 +62,34 @@ my %message_type = ( ); use constant { + EXT_SERVER_NAME => 0, EXT_STATUS_REQUEST => 5, + EXT_SUPPORTED_GROUPS => 10, + EXT_EC_POINT_FORMATS => 11, + EXT_SRP => 12, + EXT_SIG_ALGS => 13, + EXT_USE_SRTP => 14, + EXT_ALPN => 16, + EXT_SCT => 18, + EXT_PADDING => 21, EXT_ENCRYPT_THEN_MAC => 22, EXT_EXTENDED_MASTER_SECRET => 23, EXT_SESSION_TICKET => 35, - # This extension does not exist and isn't recognised by OpenSSL. - # We use it to test handling of duplicate extensions. - EXT_DUPLICATE_EXTENSION => 1234 + EXT_KEY_SHARE => 40, + EXT_PSK => 41, + EXT_SUPPORTED_VERSIONS => 43, + EXT_PSK_KEX_MODES => 45, + EXT_RENEGOTIATE => 65281, + EXT_NPN => 13172, + # This extension is an unofficial extension only ever written by OpenSSL + # (i.e. not read), and even then only when enabled. We use it to test + # handling of duplicate extensions. + EXT_DUPLICATE_EXTENSION => 0xfde8 +}; + +use constant { + CIPHER_DHE_RSA_AES_128_SHA => 0x0033, + CIPHER_ADH_AES_128_SHA => 0x0034 }; my $payload = ""; @@ -77,6 +102,7 @@ my $end = 0; my @message_rec_list = (); my @message_frag_lens = (); my $ciphersuite = 0; +my $successondata = 0; sub clear { @@ -86,6 +112,7 @@ sub clear $server = 0; $success = 0; $end = 0; + $successondata = 0; @message_rec_list = (); @message_frag_lens = (); } @@ -112,9 +139,9 @@ sub get_messages die "CCS received before message data complete\n"; } if ($server) { - TLSProxy::Record->server_ccs_seen(1); + TLSProxy::Record->server_encrypting(1); } else { - TLSProxy::Record->client_ccs_seen(1); + TLSProxy::Record->client_encrypting(1); } } elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) { if ($record->len == 0 || $record->len_real == 0) { @@ -171,7 +198,7 @@ sub get_messages $recoffset += 4; $payload = ""; - if ($recoffset < $record->decrypt_len) { + if ($recoffset <= $record->decrypt_len) { #Some payload data is present in this record if ($record->decrypt_len - $recoffset >= $messlen) { #We can complete the message with this record @@ -197,6 +224,11 @@ sub get_messages } elsif ($record->content_type == TLSProxy::Record::RT_APPLICATION_DATA) { print " [ENCRYPTED APPLICATION DATA]\n"; print " [".$record->decrypt_data."]\n"; + + if ($successondata) { + $success = 1; + $end = 1; + } } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) { my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data); #A CloseNotify from the client indicates we have finished successfully @@ -230,6 +262,15 @@ sub create_message [@message_frag_lens] ); $message->parse(); + } elsif ($mt == MT_HELLO_RETRY_REQUEST) { + $message = TLSProxy::HelloRetryRequest->new( + $server, + $data, + [@message_rec_list], + $startoffset, + [@message_frag_lens] + ); + $message->parse(); } elsif ($mt == MT_SERVER_HELLO) { $message = TLSProxy::ServerHello->new( $server, @@ -239,6 +280,33 @@ sub create_message [@message_frag_lens] ); $message->parse(); + } elsif ($mt == MT_ENCRYPTED_EXTENSIONS) { + $message = TLSProxy::EncryptedExtensions->new( + $server, + $data, + [@message_rec_list], + $startoffset, + [@message_frag_lens] + ); + $message->parse(); + } elsif ($mt == MT_CERTIFICATE) { + $message = TLSProxy::Certificate->new( + $server, + $data, + [@message_rec_list], + $startoffset, + [@message_frag_lens] + ); + $message->parse(); + } elsif ($mt == MT_CERTIFICATE_VERIFY) { + $message = TLSProxy::CertificateVerify->new( + $server, + $data, + [@message_rec_list], + $startoffset, + [@message_frag_lens] + ); + $message->parse(); } elsif ($mt == MT_SERVER_KEY_EXCHANGE) { $message = TLSProxy::ServerKeyExchange->new( $server, @@ -319,7 +387,7 @@ sub ciphersuite } #Update all the underlying records with the modified data from this message -#Note: Does not currently support re-encrypting +#Note: Only supports re-encrypting for TLSv1.3 sub repack { my $self = shift; @@ -362,8 +430,14 @@ sub repack # use an explicit override field instead.) $rec->decrypt_len(length($rec->decrypt_data)); $rec->len($rec->len + length($msgdata) - $old_length); - # Don't support re-encryption. - $rec->data($rec->decrypt_data); + # Only support re-encryption for TLSv1.3. + if (TLSProxy::Proxy->is_tls13() && $rec->encrypted()) { + #Add content type (1 byte) and 16 tag bytes + $rec->data($rec->decrypt_data + .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16)); + } else { + $rec->data($rec->decrypt_data); + } #Update the fragment len in case we changed it above ${$self->message_frag_lens}[0] = length($msgdata) @@ -452,5 +526,12 @@ sub encoded_length my $self = shift; return TLS_MESSAGE_HEADER_LENGTH + length($self->data); } - +sub successondata +{ + my $class = shift; + if (@_) { + $successondata = shift; + } + return $successondata; +} 1;