--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use TLSProxy::Proxy;
+
+my $test_name = "test_tls13alerts";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLS1.3 enabled"
+ if disabled("tls1_3");
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+#Test 1: We test that a server can handle an unencrypted alert when normally the
+# next message is encrypted
+$proxy->filter(\&alert_filter);
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 1;
+my $alert = TLSProxy::Message->alert();
+ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unecrypted alert");
+
+sub alert_filter
+{
+ my $proxy = shift;
+
+ if ($proxy->flight != 1) {
+ return;
+ }
+
+ ${$proxy->message_list}[1]->session_id_len(1);
+ ${$proxy->message_list}[1]->repack();
+}
--- /dev/null
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::Alert;
+
+sub new
+{
+ my $class = shift;
+ my ($server,
+ $encrypted,
+ $level,
+ $description) = @_;
+
+ my $self = {
+ server => $server,
+ encrypted => $encrypted,
+ level => $level,
+ description => $description
+ };
+
+ return bless $self, $class;
+}
+
+#Read only accessors
+sub server
+{
+ my $self = shift;
+ return $self->{server};
+}
+sub encrypted
+{
+ my $self = shift;
+ return $self->{encrypted};
+}
+sub level
+{
+ my $self = shift;
+ return $self->{level};
+}
+sub description
+{
+ my $self = shift;
+ return $self->{description};
+}
+1;
package TLSProxy::Message;
+use TLSProxy::Alert;
+
use constant TLS_MESSAGE_HEADER_LENGTH => 4;
#Message types
my @message_frag_lens = ();
my $ciphersuite = 0;
my $successondata = 0;
+my $alert;
sub clear
{
$successondata = 0;
@message_rec_list = ();
@message_frag_lens = ();
+ $alert = undef;
}
#Class method to extract messages from a record
if ($alertlev == AL_LEVEL_FATAL || $alertdesc == AL_DESC_CLOSE_NOTIFY) {
$end = 1;
}
+ $alert = TLSProxy::Alert->new(
+ $server,
+ $record->encrypted,
+ $alertlev,
+ $alertdesc);
}
return @messages;
my $class = shift;
return !$success && $end;
}
+
+sub alert
+{
+ return $alert;
+}
+
sub new
{
my $class = shift;
$data # decrypt_data
);
- if ($content_type != RT_CCS) {
+ if ($content_type != RT_CCS
+ && (!TLSProxy::Proxy->is_tls13()
+ || $content_type != RT_ALERT)) {
if (($server && $server_encrypting)
|| (!$server && $client_encrypting)) {
if (!TLSProxy::Proxy->is_tls13() && $etm) {