Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
OWEALs
/
openssl
-ын хуулбар git://git.openssl.org/openssl.git
2
0
Салаа 0
Файлууд Асуудлууд 1 Мэдлэгийн сан
Мод: 4011bab1f8
Салаанууд Тагууд
openssl
/
test
/
recipes
/
70-test_sslextension.t

70-test_sslextension.t 7.1 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the OpenSSL license (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. use strict;
    10. 

  10. use feature 'state';
    11. 

  11. 

  12. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
    13. 

  13. use OpenSSL::Test::Utils;
    14. 

  14. use TLSProxy::Proxy;
    15. 

  15. 

  16. my $test_name = "test_sslextension";
    17. 

  17. setup($test_name);
    18. 

  18. 

  19. plan skip_all => "TLSProxy isn't usable on $^O"
    20. 

  20.     if $^O =~ /^(VMS)$/;
    21. 

  21. 

  22. plan skip_all => "$test_name needs the dynamic engine feature enabled"
    23. 

  23.     if disabled("engine") || disabled("dynamic-engine");
    24. 

  24. 

  25. plan skip_all => "$test_name needs the sock feature enabled"
    26. 

  26.     if disabled("sock");
    27. 

  27. 

  28. plan skip_all => "$test_name needs TLS enabled"
    29. 

  29.     if alldisabled(available_protocols("tls"));
    30. 

  30. 

  31. my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2"))
    32. 

  32.                      || (!disabled("tls1_3") && disabled("tls1_2"));
    33. 

  33. 

  34. use constant {
    35. 

  35.     UNSOLICITED_SERVER_NAME => 0,
    36. 

  36.     UNSOLICITED_SERVER_NAME_TLS13 => 1,
    37. 

  37.     UNSOLICITED_SCT => 2,
    38. 

  38.     NONCOMPLIANT_SUPPORTED_GROUPS => 3
    39. 

  39. };
    40. 

  40. 

  41. my $testtype;
    42. 

  42. my $fatal_alert = 0;    # set by filter on fatal alert
    43. 

  43. 

  44. $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
    45. 

  45. my $proxy = TLSProxy::Proxy->new(
    46. 

  46.     \&inject_duplicate_extension_clienthello,
    47. 

  47.     cmdstr(app(["openssl"]), display => 1),
    48. 

  48.     srctop_file("apps", "server.pem"),
    49. 

  49.     (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
    50. 

  50. );
    51. 

  51. 

  52. 

  53. sub extension_filter
    54. 

  54. {
    55. 

  55.     my $proxy = shift;
    56. 

  56. 

  57.     if ($proxy->flight == 1) {
    58. 

  58.         # Change the ServerRandom so that the downgrade sentinel doesn't cause
    59. 

  59.         # the connection to fail
    60. 

  60.         my $message = ${$proxy->message_list}[1];
    61. 

  61.         $message->random("\0"x32);
    62. 

  62.         $message->repack();
    63. 

  63.         return;
    64. 

  64.     }
    65. 

  65. 

  66.     # We're only interested in the initial ClientHello
    67. 

  67.     if ($proxy->flight != 0) {
    68. 

  68.         return;
    69. 

  69.     }
    70. 

  70. 

  71.     foreach my $message (@{$proxy->message_list}) {
    72. 

  72.         if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
    73. 

  73.             # Remove all extensions and set the extension len to zero
    74. 

  74.             $message->extension_data({});
    75. 

  75.             $message->extensions_len(0);
    76. 

  76.             # Extensions have been removed so make sure we don't try to use them
    77. 

  77.             $message->process_extensions();
    78. 

  78. 

  79.             $message->repack();
    80. 

  80.         }
    81. 

  81.     }
    82. 

  82. }
    83. 

  83. 

  84. sub inject_duplicate_extension
    85. 

  85. {
    86. 

  86.   my ($proxy, $message_type) = @_;
    87. 

  87. 

  88.     foreach my $message (@{$proxy->message_list}) {
    89. 

  89.         if ($message->mt == $message_type) {
    90. 

  90.           my %extensions = %{$message->extension_data};
    91. 

  91.             # Add a duplicate (unknown) extension.
    92. 

  92.             $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
    93. 

  93.             $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
    94. 

  94.             $message->repack();
    95. 

  95.         }
    96. 

  96.     }
    97. 

  97. }
    98. 

  98. 

  99. sub inject_duplicate_extension_clienthello
    100. 

  100. {
    101. 

  101.     my $proxy = shift;
    102. 

  102. 

  103.     # We're only interested in the initial ClientHello
    104. 

  104.     if ($proxy->flight == 0) {
    105. 

  105.         inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO);
    106. 

  106.         return;
    107. 

  107.     }
    108. 

  108. 

  109.     my $last_record = @{$proxy->{record_list}}[-1];
    110. 

  110.     $fatal_alert = 1 if $last_record->is_fatal_alert(1);
    111. 

  111. }
    112. 

  112. 

  113. sub inject_duplicate_extension_serverhello
    114. 

  114. {
    115. 

  115.     my $proxy = shift;
    116. 

  116. 

  117.     # We're only interested in the initial ServerHello
    118. 

  118.     if ($proxy->flight == 0) {
    119. 

  119.         return;
    120. 

  120.     } elsif ($proxy->flight == 1) {
    121. 

  121.         inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO);
    122. 

  122.         return;
    123. 

  123.     }
    124. 

  124. 

  125.     my $last_record = @{$proxy->{record_list}}[-1];
    126. 

  126.     $fatal_alert = 1 if $last_record->is_fatal_alert(0);
    127. 

  127. }
    128. 

  128. 

  129. sub inject_unsolicited_extension
    130. 

  130. {
    131. 

  131.     my $proxy = shift;
    132. 

  132.     my $message;
    133. 

  133.     state $sent_unsolisited_extension;
    134. 

  134. 

  135.     if ($proxy->flight == 0) {
    136. 

  136.         $sent_unsolisited_extension = 0;
    137. 

  137.         return;
    138. 

  138.     }
    139. 

  139. 

  140.     # We're only interested in the initial ServerHello/EncryptedExtensions
    141. 

  141.     if ($proxy->flight != 1) {
    142. 

  142.         if ($sent_unsolisited_extension) {
    143. 

  143.             my $last_record = @{$proxy->record_list}[-1];
    144. 

  144.             $fatal_alert = 1 if $last_record->is_fatal_alert(0);
    145. 

  145.         }
    146. 

  146.         return;
    147. 

  147.     }
    148. 

  148. 

  149.     if ($testtype == UNSOLICITED_SERVER_NAME_TLS13) {
    150. 

  150.         return if (!defined($message = ${$proxy->message_list}[2]));
    151. 

  151.         die "Expecting EE message ".($message->mt).","
    152. 

  152.                                    .${$proxy->message_list}[1]->mt.", "
    153. 

  153.                                    .${$proxy->message_list}[3]->mt
    154. 

  154.             if $message->mt != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS;
    155. 

  155.     } else {
    156. 

  156.         $message = ${$proxy->message_list}[1];
    157. 

  157.     }
    158. 

  158. 

  159.     my $ext = pack "C2",
    160. 

  160.         0x00, 0x00; #Extension length
    161. 

  161. 

  162.     my $type;
    163. 

  163.     if ($testtype == UNSOLICITED_SERVER_NAME
    164. 

  164.             || $testtype == UNSOLICITED_SERVER_NAME_TLS13) {
    165. 

  165.         $type = TLSProxy::Message::EXT_SERVER_NAME;
    166. 

  166.     } elsif ($testtype == UNSOLICITED_SCT) {
    167. 

  167.         $type = TLSProxy::Message::EXT_SCT;
    168. 

  168.     } elsif ($testtype == NONCOMPLIANT_SUPPORTED_GROUPS) {
    169. 

  169.         $type = TLSProxy::Message::EXT_SUPPORTED_GROUPS;
    170. 

  170.     }
    171. 

  171.     $message->set_extension($type, $ext);
    172. 

  172.     $message->repack();
    173. 

  173.     $sent_unsolisited_extension = 1;
    174. 

  174. }
    175. 

  175. 

  176. # Test 1-2: Sending a duplicate extension should fail.
    177. 

  177. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
    178. 

  178. plan tests => 7;
    179. 

  179. ok($fatal_alert, "Duplicate ClientHello extension");
    180. 

  180. 

  181. $fatal_alert = 0;
    182. 

  182. $proxy->clear();
    183. 

  183. $proxy->filter(\&inject_duplicate_extension_serverhello);
    184. 

  184. $proxy->start();
    185. 

  185. ok($fatal_alert, "Duplicate ServerHello extension");
    186. 

  186. 

  187. SKIP: {
    188. 

  188.     skip "TLS <= 1.2 disabled", 3 if $no_below_tls13;
    189. 

  189. 

  190.     #Test 3: Sending a zero length extension block should pass
    191. 

  191.     $proxy->clear();
    192. 

  192.     $proxy->filter(\&extension_filter);
    193. 

  193.     $proxy->start();
    194. 

  194.     ok(TLSProxy::Message->success, "Zero extension length test");
    195. 

  195. 

  196.     #Test 4: Inject an unsolicited extension (<= TLSv1.2)
    197. 

  197.     $fatal_alert = 0;
    198. 

  198.     $proxy->clear();
    199. 

  199.     $proxy->filter(\&inject_unsolicited_extension);
    200. 

  200.     $testtype = UNSOLICITED_SERVER_NAME;
    201. 

  201.     $proxy->clientflags("-no_tls1_3 -noservername");
    202. 

  202.     $proxy->start();
    203. 

  203.     ok($fatal_alert, "Unsolicited server name extension");
    204. 

  204. 

  205.     #Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2)
    206. 

  206.     $proxy->clear();
    207. 

  207.     $proxy->filter(\&inject_unsolicited_extension);
    208. 

  208.     $testtype = NONCOMPLIANT_SUPPORTED_GROUPS;
    209. 

  209.     $proxy->clientflags("-no_tls1_3");
    210. 

  210.     $proxy->start();
    211. 

  211.     ok(TLSProxy::Message->success(), "Noncompliant supported_groups extension");
    212. 

  212. }
    213. 

  213. 

  214. SKIP: {
    215. 

  215.     skip "TLS <= 1.2 or CT disabled", 1
    216. 

  216.         if $no_below_tls13 || disabled("ct");
    217. 

  217.     #Test 6: Same as above for the SCT extension which has special handling
    218. 

  218.     $fatal_alert = 0;
    219. 

  219.     $proxy->clear();
    220. 

  220.     $testtype = UNSOLICITED_SCT;
    221. 

  221.     $proxy->clientflags("-no_tls1_3");
    222. 

  222.     $proxy->start();
    223. 

  223.     ok($fatal_alert, "Unsolicited sct extension");
    224. 

  224. }
    225. 

  225. 

  226. SKIP: {
    227. 

  227.     skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
    228. 

  228.     #Test 7: Inject an unsolicited extension (TLSv1.3)
    229. 

  229.     $fatal_alert = 0;
    230. 

  230.     $proxy->clear();
    231. 

  231.     $proxy->filter(\&inject_unsolicited_extension);
    232. 

  232.     $testtype = UNSOLICITED_SERVER_NAME_TLS13;
    233. 

  233.     $proxy->clientflags("-noservername");
    234. 

  234.     $proxy->start();
    235. 

  235.     ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)");
    236. 

  236. }
    237.