Tree - source-git/openssl - CentOS Git server

source-git / openssl

Blame test/recipes/70-test_tls13downgrade.t

Blob History Raw

Packit	c4476c	`#! /usr/bin/env perl`
Packit	c4476c	`# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.`
Packit	c4476c	`#`
Packit	c4476c	`# Licensed under the OpenSSL license (the "License"). You may not use`
Packit	c4476c	`# this file except in compliance with the License. You can obtain a copy`
Packit	c4476c	`# in the file LICENSE in the source distribution or at`
Packit	c4476c	`# https://www.openssl.org/source/license.html`
Packit	c4476c
Packit	c4476c	`use strict;`
Packit	c4476c	`use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;`
Packit	c4476c	`use OpenSSL::Test::Utils;`
Packit	c4476c	`use TLSProxy::Proxy;`
Packit	c4476c
Packit	c4476c	`my $test_name = "test_tls13downgrade";`
Packit	c4476c	`setup($test_name);`
Packit	c4476c
Packit	c4476c	`plan skip_all => "TLSProxy isn't usable on $^O"`
Packit	c4476c	`if $^O =~ /^(VMS)$/;`
Packit	c4476c
Packit	c4476c	`plan skip_all => "$test_name needs the dynamic engine feature enabled"`
Packit	c4476c	`if disabled("engine") \|\| disabled("dynamic-engine");`
Packit	c4476c
Packit	c4476c	`plan skip_all => "$test_name needs the sock feature enabled"`
Packit	c4476c	`if disabled("sock");`
Packit	c4476c
Packit	c4476c	`plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"`
Packit	c4476c	`if disabled("tls1_3") \|\| disabled("tls1_2");`
Packit	c4476c
Packit	c4476c	`$ENV{OPENSSL_ia32cap} = '~0x200000200000000';`
Packit	c4476c
Packit	c4476c	`my $proxy = TLSProxy::Proxy->new(`
Packit	c4476c	`undef,`
Packit	c4476c	`cmdstr(app(["openssl"]), display => 1),`
Packit	c4476c	`srctop_file("apps", "server.pem"),`
Packit	c4476c	`(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})`
Packit	c4476c	`);`
Packit	c4476c
Packit	c4476c	`use constant {`
Packit	c4476c	`DOWNGRADE_TO_TLS_1_2 => 0,`
Packit	c4476c	`DOWNGRADE_TO_TLS_1_1 => 1,`
Packit	c4476c	`FALLBACK_FROM_TLS_1_3 => 2,`
Packit	c4476c	`};`
Packit	c4476c
Packit	c4476c	`#Test 1: Downgrade from TLSv1.3 to TLSv1.2`
Packit	c4476c	`$proxy->filter(\&downgrade_filter);`
Packit	c4476c	`my $testtype = DOWNGRADE_TO_TLS_1_2;`
Packit	c4476c	`$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";`
Packit	c4476c	`plan tests => 6;`
Packit	c4476c	`ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.2");`
Packit	c4476c
Packit	c4476c	`#Test 2: Downgrade from TLSv1.3 to TLSv1.1`
Packit	c4476c	`$proxy->clear();`
Packit	c4476c	`$testtype = DOWNGRADE_TO_TLS_1_1;`
Packit	c4476c	`$proxy->start();`
Packit	c4476c	`ok(TLSProxy::Message->fail(), "Downgrade TLSv1.3 to TLSv1.1");`
Packit	c4476c
Packit	c4476c	`#Test 3: Downgrade from TLSv1.2 to TLSv1.1`
Packit	c4476c	`$proxy->clear();`
Packit	c4476c	`$proxy->clientflags("-no_tls1_3");`
Packit	c4476c	`$proxy->serverflags("-no_tls1_3");`
Packit	c4476c	`$proxy->start();`
Packit	c4476c	`ok(TLSProxy::Message->fail(), "Downgrade TLSv1.2 to TLSv1.1");`
Packit	c4476c
Packit	c4476c	`#Test 4: Client falls back from TLSv1.3 (server does not support the fallback`
Packit	c4476c	`# SCSV)`
Packit	c4476c	`$proxy->clear();`
Packit	c4476c	`$testtype = FALLBACK_FROM_TLS_1_3;`
Packit	c4476c	`$proxy->clientflags("-fallback_scsv -no_tls1_3");`
Packit	c4476c	`$proxy->start();`
Packit	c4476c	`my $alert = TLSProxy::Message->alert();`
Packit	c4476c	`ok(TLSProxy::Message->fail()`
Packit	c4476c	`&& !$alert->server()`
Packit	c4476c	`&& $alert->description() == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER,`
Packit	c4476c	`"Fallback from TLSv1.3");`
Packit	c4476c
Packit	c4476c	`SKIP: {`
Packit	c4476c	`skip "TLSv1.1 disabled", 2 if disabled("tls1_1");`
Packit	c4476c	`#Test 5: A client side protocol "hole" should not be detected as a downgrade`
Packit	c4476c	`$proxy->clear();`
Packit	c4476c	`$proxy->filter(undef);`
Packit	c4476c	`$proxy->clientflags("-no_tls1_2");`
Packit	c4476c	`$proxy->start();`
Packit	c4476c	`ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");`
Packit	c4476c
Packit	c4476c	`#Test 6: A server side protocol "hole" should not be detected as a downgrade`
Packit	c4476c	`$proxy->clear();`
Packit	c4476c	`$proxy->filter(undef);`
Packit	c4476c	`$proxy->serverflags("-no_tls1_2");`
Packit	c4476c	`$proxy->start();`
Packit	c4476c	`ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`sub downgrade_filter`
Packit	c4476c	`{`
Packit	c4476c	`my $proxy = shift;`
Packit	c4476c
Packit	c4476c	`# We're only interested in the initial ClientHello`
Packit	c4476c	`if ($proxy->flight != 0) {`
Packit	c4476c	`return;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`my $message = ${$proxy->message_list}[0];`
Packit	c4476c
Packit	c4476c	`my $ext;`
Packit	c4476c	`if ($testtype == FALLBACK_FROM_TLS_1_3) {`
Packit	c4476c	`#The default ciphersuite we use for TLSv1.2 without any SCSV`
Packit	c4476c	`my @ciphersuites = (TLSProxy::Message::CIPHER_RSA_WITH_AES_128_CBC_SHA);`
Packit	c4476c	`$message->ciphersuite_len(2 * scalar @ciphersuites);`
Packit	c4476c	`$message->ciphersuites(\@ciphersuites);`
Packit	c4476c	`} else {`
Packit	c4476c	`if ($testtype == DOWNGRADE_TO_TLS_1_2) {`
Packit	c4476c	`$ext = pack "C3",`
Packit	c4476c	`0x02, # Length`
Packit	c4476c	`0x03, 0x03; #TLSv1.2`
Packit	c4476c	`} else {`
Packit	c4476c	`$ext = pack "C3",`
Packit	c4476c	`0x02, # Length`
Packit	c4476c	`0x03, 0x02; #TLSv1.1`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`$message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`$message->repack();`
Packit	c4476c	`}`
Packit	c4476c

source-git / openssl

Source Code

Blame test/recipes/70-test_tls13downgrade.t