source-git / openssl

Clone
Source Code
GIT

Blame test/recipes/70-test_tls13downgrade.t

c8 c8s master
  1.   3c126e197bf64be56e1432546d39885b80b61a84
  2.   test
  3.   recipes
  4.   70-test_tls13downgrade.t
Blob History Raw
Packit Service 084de1 
#! /usr/bin/env perl
Packit Service 084de1 
# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Packit Service 084de1 
#
Packit Service 084de1 
# Licensed under the OpenSSL license (the "License").  You may not use
Packit Service 084de1 
# this file except in compliance with the License.  You can obtain a copy
Packit Service 084de1 
# in the file LICENSE in the source distribution or at
Packit Service 084de1 
# https://www.openssl.org/source/license.html
Packit Service 084de1
Packit Service 084de1 
use strict;
Packit Service 084de1 
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
Packit Service 084de1 
use OpenSSL::Test::Utils;
Packit Service 084de1 
use TLSProxy::Proxy;
Packit Service 084de1
Packit Service 084de1 
my $test_name = "test_tls13downgrade";
Packit Service 084de1 
setup($test_name);
Packit Service 084de1
Packit Service 084de1 
plan skip_all => "TLSProxy isn't usable on $^O"
Packit Service 084de1 
    if $^O =~ /^(VMS)$/;
Packit Service 084de1
Packit Service 084de1 
plan skip_all => "$test_name needs the dynamic engine feature enabled"
Packit Service 084de1 
    if disabled("engine") || disabled("dynamic-engine");
Packit Service 084de1
Packit Service 084de1 
plan skip_all => "$test_name needs the sock feature enabled"
Packit Service 084de1 
    if disabled("sock");
Packit Service 084de1
Packit Service 084de1 
plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
Packit Service 084de1 
    if disabled("tls1_3") || disabled("tls1_2");
Packit Service 084de1
Packit Service 084de1 
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
Packit Service 084de1
Packit Service 084de1 
my $proxy = TLSProxy::Proxy->new(
Packit Service 084de1 
    undef,
Packit Service 084de1 
    cmdstr(app(["openssl"]), display => 1),
Packit Service 084de1 
    srctop_file("apps", "server.pem"),
Packit Service 084de1 
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
Packit Service 084de1 
);
Packit Service 084de1
Packit Service 084de1 
use constant {
Packit Service 084de1 
    DOWNGRADE_TO_TLS_1_2 => 0,
Packit Service 084de1 
    DOWNGRADE_TO_TLS_1_1 => 1,
Packit Service 084de1 
    FALLBACK_FROM_TLS_1_3 => 2,
Packit Service 084de1 
};
Packit Service 084de1
Packit Service 084de1 
#Test 1: Downgrade from TLSv1.3 to TLSv1.2
Packit Service 084de1 
$proxy->filter(\&downgrade_filter);
Packit Service 084de1 
my $testtype = DOWNGRADE_TO_TLS_1_2;
Packit Service 084de1 
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
Packit Service 084de1 
plan tests => 6;
Packit Service 084de1 
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2");
Packit Service 084de1
Packit Service 084de1 
#Test 2: Downgrade from TLSv1.3 to TLSv1.1
Packit Service 084de1 
$proxy->clear();
Packit Service 084de1 
$testtype = DOWNGRADE_TO_TLS_1_1;
Packit Service 084de1 
$proxy->start();
Packit Service 084de1 
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.1");
Packit Service 084de1
Packit Service 084de1 
#Test 3: Downgrade from TLSv1.2 to TLSv1.1
Packit Service 084de1 
$proxy->clear();
Packit Service 084de1 
$proxy->clientflags("-no_tls1_3");
Packit Service 084de1 
$proxy->serverflags("-no_tls1_3");
Packit Service 084de1 
$proxy->start();
Packit Service 084de1 
ok(TLSProxy::Message->fail(), "Downgrade TLSv1.2 to TLSv1.1");
Packit Service 084de1
Packit Service 084de1 
#Test 4: Client falls back from TLSv1.3 (server does not support the fallback
Packit Service 084de1 
#        SCSV)
Packit Service 084de1 
$proxy->clear();
Packit Service 084de1 
$testtype = FALLBACK_FROM_TLS_1_3;
Packit Service 084de1 
$proxy->clientflags("-fallback_scsv -no_tls1_3");
Packit Service 084de1 
$proxy->start();
Packit Service 084de1 
my $alert = TLSProxy::Message->alert();
Packit Service 084de1 
ok(TLSProxy::Message->fail()
Packit Service 084de1 
   && !$alert->server()
Packit Service 084de1 
   && $alert->description() == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER,
Packit Service 084de1 
   "Fallback from TLSv1.3");
Packit Service 084de1
Packit Service 084de1 
SKIP: {
Packit Service 084de1 
    skip "TLSv1.1 disabled", 2 if disabled("tls1_1");
Packit Service 084de1 
    #Test 5: A client side protocol "hole" should not be detected as a downgrade
Packit Service 084de1 
    $proxy->clear();
Packit Service 084de1 
    $proxy->filter(undef);
Packit Service 084de1 
    $proxy->clientflags("-no_tls1_2");
Packit Service 084de1 
    $proxy->start();
Packit Service 084de1 
    ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");
Packit Service 084de1
Packit Service 084de1 
    #Test 6: A server side protocol "hole" should not be detected as a downgrade
Packit Service 084de1 
    $proxy->clear();
Packit Service 084de1 
    $proxy->filter(undef);
Packit Service 084de1 
    $proxy->serverflags("-no_tls1_2");
Packit Service 084de1 
    $proxy->start();
Packit Service 084de1 
    ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");
Packit Service 084de1 
}
Packit Service 084de1
Packit Service 084de1 
sub downgrade_filter
Packit Service 084de1 
{
Packit Service 084de1 
    my $proxy = shift;
Packit Service 084de1
Packit Service 084de1 
    # We're only interested in the initial ClientHello
Packit Service 084de1 
    if ($proxy->flight != 0) {
Packit Service 084de1 
        return;
Packit Service 084de1 
    }
Packit Service 084de1
Packit Service 084de1 
    my $message = ${$proxy->message_list}[0];
Packit Service 084de1
Packit Service 084de1 
    my $ext;
Packit Service 084de1 
    if ($testtype == FALLBACK_FROM_TLS_1_3) {
Packit Service 084de1 
        #The default ciphersuite we use for TLSv1.2 without any SCSV
Packit Service 084de1 
        my @ciphersuites = (TLSProxy::Message::CIPHER_RSA_WITH_AES_128_CBC_SHA);
Packit Service 084de1 
        $message->ciphersuite_len(2 * scalar @ciphersuites);
Packit Service 084de1 
        $message->ciphersuites(\@ciphersuites);
Packit Service 084de1 
    } else {
Packit Service 084de1 
        if ($testtype == DOWNGRADE_TO_TLS_1_2) {
Packit Service 084de1 
            $ext = pack "C3",
Packit Service 084de1 
                0x02, # Length
Packit Service 084de1 
                0x03, 0x03; #TLSv1.2
Packit Service 084de1 
        } else {
Packit Service 084de1 
            $ext = pack "C3",
Packit Service 084de1 
                0x02, # Length
Packit Service 084de1 
                0x03, 0x02; #TLSv1.1
Packit Service 084de1 
        }
Packit Service 084de1
Packit Service 084de1 
        $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);
Packit Service 084de1 
    }
Packit Service 084de1
Packit Service 084de1 
    $message->repack();
Packit Service 084de1 
}
Packit Service 084de1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation