#!/usr/bin/perl
use strict;
use warnings;
use Test::More;
use Socket;
use File::Spec;
use Net::SSLeay;
use Config;
use IO::Socket::INET;
BEGIN {
plan skip_all => "fork() not supported on $^O" unless $Config{d_fork};
}
my $tests = 34;
plan tests => $tests;
my $pid;
alarm(30);
END { kill 9,$pid if $pid }
# Values that were previously looked up for get_keyblock_size test
# Revisit: currently the only known user for get_keyblock_size is
# EAP-FAST. How it works with AEAD ciphers is for future study.
our %non_aead_cipher_to_keyblock_size =
(
'RC4-MD5' => 64,
'RC4-SHA' => 72,
'AES256-SHA256' => 160,
'AES128-SHA256' => 128,
'AES128-SHA' => 104,
'AES256-SHA' => 136,
);
our %tls_1_2_aead_cipher_to_keyblock_size = (
'AES128-GCM-SHA256' => 56,
'AES256-GCM-SHA384' => 88,
);
our %tls_1_3_aead_cipher_to_keyblock_size = (
# Only in TLS 1.3
'TLS_AES_128_GCM_SHA256' => 56,
'TLS_AES_256_GCM_SHA384' => 88,
'TLS_CHACHA20_POLY1305_SHA256' => 88,
);
# Combine the AEAD hashes
our %aead_cipher_to_keyblock_size = (%tls_1_2_aead_cipher_to_keyblock_size, %tls_1_3_aead_cipher_to_keyblock_size);
# Combine the hashes
our %cipher_to_keyblock_size = (%non_aead_cipher_to_keyblock_size, %aead_cipher_to_keyblock_size);
our %version_str2int =
(
'SSLv3' => sub {return eval {Net::SSLeay::SSL3_VERSION();}},
'TLSv1' => sub {return eval {Net::SSLeay::TLS1_VERSION();}},
'TLSv1.1' => sub {return eval {Net::SSLeay::TLS1_1_VERSION();}},
'TLSv1.2' => sub {return eval {Net::SSLeay::TLS1_2_VERSION();}},
'TLSv1.3' => sub {return eval {Net::SSLeay::TLS1_3_VERSION();}},
);
my $server;
Net::SSLeay::initialize();
{
# SSL server - just handle single connect, send information to
# client and exit
my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem');
my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
$server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', Listen => 3)
or BAIL_OUT("failed to create server socket: $!");
defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
if ($pid == 0) {
my $cl = $server->accept or BAIL_OUT("accept failed: $!");
my $ctx = Net::SSLeay::CTX_new();
Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
# my $get_keyblock_size_ciphers = join(':', keys(%cipher_to_keyblock_size));
my $get_keyblock_size_ciphers = join(':', keys(%non_aead_cipher_to_keyblock_size));
Net::SSLeay::CTX_set_cipher_list($ctx, $get_keyblock_size_ciphers);
my $ssl = Net::SSLeay::new($ctx);
Net::SSLeay::set_fd($ssl, fileno($cl));
Net::SSLeay::accept($ssl);
# Send our idea of Finished messages to the client.
my ($f_len, $finished_s, $finished_c);
$f_len = Net::SSLeay::get_finished($ssl, $finished_s);
Net::SSLeay::write($ssl, "server: $f_len ". unpack('H*', $finished_s));
$f_len = Net::SSLeay::get_peer_finished($ssl, $finished_c);
Net::SSLeay::write($ssl, "client: $f_len ". unpack('H*', $finished_c));
# Echo back the termination request from client
my $end = Net::SSLeay::read($ssl);
Net::SSLeay::write($ssl, $end);
exit(0);
}
}
sub client {
# SSL client - connect to server and receive information that we
# compare to our expected values
my ($f_len, $f_len_trunc, $finished_s, $finished_c, $msg, $expected);
my $saddr = $server->sockhost.':'.$server->sockport;
my $cl = IO::Socket::INET->new($saddr)
or BAIL_OUT("failed to connect to server: $!");
my $ctx = Net::SSLeay::CTX_new();
Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
my $ssl = Net::SSLeay::new($ctx);
Net::SSLeay::set_fd($ssl, $cl);
client_test_finished($ssl);
client_test_keyblock_size($ssl);
client_test_version_funcs($ssl);
client_test_ciphersuites();
# Tell the server to quit and see that our connection is still up
my $end = "end";
Net::SSLeay::write($ssl, $end);
ok($end eq Net::SSLeay::read($ssl), 'Successful termination');
return;
}
client();
waitpid $pid, 0;
exit(0);
# Test get_finished() and get_peer_finished() with server.
sub client_test_finished
{
my ($ssl) = @_;
my ($f_len, $f_len_trunc, $finished_s, $finished_c, $msg, $expected);
# Finished messages have not been sent yet
$f_len = Net::SSLeay::get_peer_finished($ssl, $finished_s);
ok($f_len == 0, 'Return value for get_peer_finished is empty before connect for server');
ok(defined $finished_s && $finished_s eq '', 'Server Finished is empty');
$f_len = Net::SSLeay::get_finished($ssl, $finished_c);
ok($f_len == 0, 'Finished is empty before connect for client');
ok(defined $finished_c && $finished_c eq '', 'Client Finished is empty');
# Complete connection. After this we have Finished messages from both peers.
Net::SSLeay::connect($ssl);
$f_len = Net::SSLeay::get_peer_finished($ssl, $finished_s);
ok($f_len, 'Server Finished is not empty');
ok($f_len == length($finished_s), 'Return value for get_peer_finished equals to Finished length');
$expected = "server: $f_len " . unpack('H*', $finished_s);
$msg = Net::SSLeay::read($ssl);
ok($msg eq $expected, 'Server Finished is equal');
$f_len = Net::SSLeay::get_finished($ssl, $finished_c);
ok($f_len, 'Client Finished is not empty');
ok($f_len == length($finished_c), 'Return value for get_finished equals to Finished length');
$expected = "client: $f_len " . unpack('H*', $finished_c);
$msg = Net::SSLeay::read($ssl);
ok($msg eq $expected, 'Client Finished is equal');
ok($finished_s ne $finished_c, 'Server and Client Finished are not equal');
# Finished should still be the same. See that we can fetch truncated values.
my $trunc8_s = substr($finished_s, 0, 8);
$f_len_trunc = Net::SSLeay::get_peer_finished($ssl, $finished_s, 8);
ok($f_len_trunc == $f_len, 'Return value for get_peer_finished is unchanged when count is set');
ok($trunc8_s eq $finished_s, 'Count works for get_peer_finished');
my $trunc8_c = substr($finished_c, 0, 8);
$f_len_trunc = Net::SSLeay::get_finished($ssl, $finished_c, 8);
ok($f_len_trunc == $f_len, 'Return value for get_finished is unchanged when count is set');
ok($trunc8_c eq $finished_c, 'Count works for get_finished');
}
# Test get_keyblock_size
# Notes: With TLS 1.3 the cipher is always an AEAD cipher. If AEAD
# ciphers are enabled for TLS 1.2 and earlier, with LibreSSL
# get_keyblock_size returns -1 when AEAD cipher is chosen.
sub client_test_keyblock_size
{
my ($ssl) = @_;
my $cipher = Net::SSLeay::get_cipher($ssl);
ok($cipher, "get_cipher returns a value: $cipher");
my $keyblock_size = &Net::SSLeay::get_keyblock_size($ssl);
ok(defined $keyblock_size, 'get_keyblock_size return value is defined');
if ($keyblock_size == -1)
{
# Accept -1 with AEAD ciphers with LibreSSL
like(Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), qr/^LibreSSL/, 'get_keyblock_size returns -1 with LibreSSL');
ok(defined $aead_cipher_to_keyblock_size{$cipher}, 'keyblock size is -1 for an AEAD cipher');
}
else
{
ok($keyblock_size >= 0, 'get_keyblock_size return value is not negative');
ok($cipher_to_keyblock_size{$cipher} == $keyblock_size, "keyblock size $keyblock_size is the expected value $cipher_to_keyblock_size{$cipher}");
}
}
# Test SSL_get_version and related functions
sub client_test_version_funcs
{
my ($ssl) = @_;
my $version_str = Net::SSLeay::get_version($ssl);
my $version_const = $version_str2int{$version_str};
my $version = Net::SSLeay::version($ssl);
ok(defined $version_const, "Net::SSLeay::get_version return value $version_str is known");
is(&$version_const, $version, "Net:SSLeay::version return value $version matches get_version string");
if (defined &Net::SSLeay::client_version) {
if ($version_str eq 'TLSv1.3') {
# Noticed that client_version and version are equal for all SSL/TLS versions except of TLSv1.3
# For more, see https://github.com/openssl/openssl/issues/7079
is(Net::SSLeay::client_version($ssl), &{$version_str2int{'TLSv1.2'}},
'Net::SSLeay::client_version TLSv1.2 is expected when Net::SSLeay::version indicates TLSv1.3');
} else {
is(Net::SSLeay::client_version($ssl), $version, 'Net::SSLeay::client_version equals to Net::SSLeay::version');
}
is(Net::SSLeay::is_dtls($ssl), 0, 'Net::SSLeay::is_dtls returns 0');
} else
{
SKIP: {
skip('Do not have Net::SSLeay::client_version nor Net::SSLeay::is_dtls', 2);
};
}
return;
}
sub client_test_ciphersuites
{
unless (defined &Net::SSLeay::CTX_set_ciphersuites)
{
SKIP: {
skip('Do not have Net::SSLeay::CTX_set_ciphersuites', 10);
}
return;
}
my $ciphersuites = join(':', keys(%tls_1_3_aead_cipher_to_keyblock_size));
my ($ctx, $rv, $ssl);
$ctx = Net::SSLeay::CTX_new();
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $ciphersuites);
is($rv, 1, 'CTX set good ciphersuites');
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, '');
is($rv, 1, 'CTX set empty ciphersuites');
{
no warnings 'uninitialized';
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, undef);
};
is($rv, 1, 'CTX set undef ciphersuites');
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:' . $ciphersuites);
is($rv, 0, 'CTX set partially bad ciphersuites');
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:');
is($rv, 0, 'CTX set bad ciphersuites');
$ssl = Net::SSLeay::new($ctx);
$rv = Net::SSLeay::set_ciphersuites($ssl, $ciphersuites);
is($rv, 1, 'SSL set good ciphersuites');
$rv = Net::SSLeay::set_ciphersuites($ssl, '');
is($rv, 1, 'SSL set empty ciphersuites');
{
no warnings 'uninitialized';
$rv = Net::SSLeay::set_ciphersuites($ssl, undef);
};
is($rv, 1, 'SSL set undef ciphersuites');
$rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:' . $ciphersuites);
is($rv, 0, 'SSL set partially bad ciphersuites');
$rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:');
is($rv, 0, 'SSL set bad ciphersuites');
return;
}