Tree - source-git/openssl - CentOS Git server

source-git / openssl

Blame test/recipes/70-test_sslcbcpadding.t

Blob History Raw

Packit	c4476c	`#! /usr/bin/env perl`
Packit	c4476c	`# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.`
Packit	c4476c	`#`
Packit	c4476c	`# Licensed under the OpenSSL license (the "License"). You may not use`
Packit	c4476c	`# this file except in compliance with the License. You can obtain a copy`
Packit	c4476c	`# in the file LICENSE in the source distribution or at`
Packit	c4476c	`# https://www.openssl.org/source/license.html`
Packit	c4476c
Packit	c4476c	`use strict;`
Packit	c4476c	`use feature 'state';`
Packit	c4476c
Packit	c4476c	`use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;`
Packit	c4476c	`use OpenSSL::Test::Utils;`
Packit	c4476c	`use TLSProxy::Proxy;`
Packit	c4476c
Packit	c4476c	`my $test_name = "test_sslcbcpadding";`
Packit	c4476c	`setup($test_name);`
Packit	c4476c
Packit	c4476c	`plan skip_all => "TLSProxy isn't usable on $^O"`
Packit	c4476c	`if $^O =~ /^(VMS)$/;`
Packit	c4476c
Packit	c4476c	`plan skip_all => "$test_name needs the dynamic engine feature enabled"`
Packit	c4476c	`if disabled("engine") \|\| disabled("dynamic-engine");`
Packit	c4476c
Packit	c4476c	`plan skip_all => "$test_name needs the sock feature enabled"`
Packit	c4476c	`if disabled("sock");`
Packit	c4476c
Packit	c4476c	`plan skip_all => "$test_name needs TLSv1.2 enabled"`
Packit	c4476c	`if disabled("tls1_2");`
Packit	c4476c
Packit	c4476c	`$ENV{OPENSSL_ia32cap} = '~0x200000200000000';`
Packit	c4476c	`my $proxy = TLSProxy::Proxy->new(`
Packit	c4476c	`\&add_maximal_padding_filter,`
Packit	c4476c	`cmdstr(app(["openssl"]), display => 1),`
Packit	c4476c	`srctop_file("apps", "server.pem"),`
Packit	c4476c	`(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})`
Packit	c4476c	`);`
Packit	c4476c
Packit	c4476c	`# TODO: We could test all 256 values, but then the log file gets too large for`
Packit	c4476c	`# CI. See https://github.com/openssl/openssl/issues/1440.`
Packit	c4476c	`my @test_offsets = (0, 128, 254, 255);`
Packit	c4476c
Packit	c4476c	`# Test that maximally-padded records are accepted.`
Packit	c4476c	`my $bad_padding_offset = -1;`
Packit	c4476c	`$proxy->serverflags("-tls1_2");`
Packit	c4476c	`$proxy->serverconnects(1 + scalar(@test_offsets));`
Packit	c4476c	`$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";`
Packit	c4476c	`plan tests => 1 + scalar(@test_offsets);`
Packit	c4476c	`ok(TLSProxy::Message->success(), "Maximally-padded record test");`
Packit	c4476c
Packit	c4476c	`# Test that invalid padding is rejected.`
Packit	c4476c	`my $fatal_alert; # set by add_maximal_padding_filter on client's fatal alert`
Packit	c4476c
Packit	c4476c	`foreach my $offset (@test_offsets) {`
Packit	c4476c	`$bad_padding_offset = $offset;`
Packit	c4476c	`$fatal_alert = 0;`
Packit	c4476c	`$proxy->clearClient();`
Packit	c4476c	`$proxy->clientstart();`
Packit	c4476c	`ok($fatal_alert, "Invalid padding byte $bad_padding_offset");`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`sub add_maximal_padding_filter`
Packit	c4476c	`{`
Packit	c4476c	`my $proxy = shift;`
Packit	c4476c	`my $messages = $proxy->message_list;`
Packit	c4476c	`state $sent_corrupted_payload;`
Packit	c4476c
Packit	c4476c	`if ($proxy->flight == 0) {`
Packit	c4476c	`# Disable Encrypt-then-MAC.`
Packit	c4476c	`foreach my $message (@{$messages}) {`
Packit	c4476c	`if ($message->mt != TLSProxy::Message::MT_CLIENT_HELLO) {`
Packit	c4476c	`next;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`$message->delete_extension(TLSProxy::Message::EXT_ENCRYPT_THEN_MAC);`
Packit	c4476c	`$message->process_extensions();`
Packit	c4476c	`$message->repack();`
Packit	c4476c	`}`
Packit	c4476c	`$sent_corrupted_payload = 0;`
Packit	c4476c	`return;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`my $last_message = @{$messages}[-1];`
Packit	c4476c	`if (defined($last_message)`
Packit	c4476c	`&& $last_message->server`
Packit	c4476c	`&& $last_message->mt == TLSProxy::Message::MT_FINISHED`
Packit	c4476c	`&& !@{$last_message->records}[0]->{sent}) {`
Packit	c4476c
Packit	c4476c	`# Insert a maximally-padded record. Assume a block size of 16 (AES) and`
Packit	c4476c	`# a MAC length of 20 (SHA-1).`
Packit	c4476c	`my $block_size = 16;`
Packit	c4476c	`my $mac_len = 20;`
Packit	c4476c
Packit	c4476c	`# Size the plaintext so that 256 is a valid padding.`
Packit	c4476c	`my $plaintext_len = $block_size - ($mac_len % $block_size);`
Packit	c4476c	`my $plaintext = "A" x $plaintext_len;`
Packit	c4476c
Packit	c4476c	`my $data = "B" x $block_size; # Explicit IV.`
Packit	c4476c	`$data .= $plaintext;`
Packit	c4476c	`$data .= TLSProxy::Proxy::fill_known_data($mac_len); # MAC.`
Packit	c4476c
Packit	c4476c	`# Add padding.`
Packit	c4476c	`for (my $i = 0; $i < 256; $i++) {`
Packit	c4476c	`if ($i == $bad_padding_offset) {`
Packit	c4476c	`$sent_corrupted_payload = 1;`
Packit	c4476c	`$data .= "\xfe";`
Packit	c4476c	`} else {`
Packit	c4476c	`$data .= "\xff";`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`my $record = TLSProxy::Record->new(`
Packit	c4476c	`$proxy->flight,`
Packit	c4476c	`TLSProxy::Record::RT_APPLICATION_DATA,`
Packit	c4476c	`TLSProxy::Record::VERS_TLS_1_2,`
Packit	c4476c	`length($data),`
Packit	c4476c	`0,`
Packit	c4476c	`length($data),`
Packit	c4476c	`$plaintext_len,`
Packit	c4476c	`$data,`
Packit	c4476c	`$plaintext,`
Packit	c4476c	`);`
Packit	c4476c
Packit	c4476c	`# Send the record immediately after the server Finished.`
Packit	c4476c	`push @{$proxy->record_list}, $record;`
Packit	c4476c	`} elsif ($sent_corrupted_payload) {`
Packit	c4476c	`# Check for bad_record_mac from client`
Packit	c4476c	`my $last_record = @{$proxy->record_list}[-1];`
Packit	c4476c	`$fatal_alert = 1 if $last_record->is_fatal_alert(0) == 20;`
Packit	c4476c	`}`
Packit	c4476c	`}`

source-git / openssl

Source Code

Blame test/recipes/70-test_sslcbcpadding.t