Add a test to check the EC point formats extension appears when we expect

author Matt Caswell <matt@openssl.org>

Wed, 28 Dec 2016 15:01:57 +0000 (15:01 +0000)

committer Matt Caswell <matt@openssl.org>

Thu, 29 Dec 2016 13:32:54 +0000 (13:32 +0000)
author Matt Caswell <matt@openssl.org>
Wed, 28 Dec 2016 15:01:57 +0000 (15:01 +0000)
committer Matt Caswell <matt@openssl.org>
Thu, 29 Dec 2016 13:32:54 +0000 (13:32 +0000)
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t

index fb4ec61b492370b2c1147001442cb7beb0a789c2..de8b0bcf2d6eb0be01a7e5fec1d596fad1062696 100755 (executable)
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -46,6 +46,9 @@ my $proxy = TLSProxy::Proxy->new(
      [TLSProxy::Message::MT_CERTIFICATE,
          checkhandshake::ALL_HANDSHAKES
          & ~checkhandshake::RESUME_HANDSHAKE],
+    (disabled("ec") ? () :
+                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
+                          checkhandshake::EC_HANDSHAKE]),
      [TLSProxy::Message::MT_CERTIFICATE_STATUS,
          checkhandshake::OCSP_HANDSHAKE],
      #ServerKeyExchange handshakes not currently supported by TLSProxy
@@ -94,10 +97,14 @@ my $proxy = TLSProxy::Proxy->new(
          checkhandshake::SERVER_NAME_CLI_EXTENSION],
      [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
          checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
-    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
-        checkhandshake::DEFAULT_EXTENSIONS],
-    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
-        checkhandshake::DEFAULT_EXTENSIONS],
+    (disabled("ec") ? () :
+                      [TLSProxy::Message::MT_CLIENT_HELLO,
+                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+                       checkhandshake::DEFAULT_EXTENSIONS]),
+    (disabled("ec") ? () :
+                      [TLSProxy::Message::MT_CLIENT_HELLO,
+                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
+                       checkhandshake::DEFAULT_EXTENSIONS]),
      [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
          checkhandshake::DEFAULT_EXTENSIONS],
      [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
@@ -135,6 +142,8 @@ my $proxy = TLSProxy::Proxy->new(
          checkhandshake::SCT_SRV_EXTENSION],
      [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
          checkhandshake::NPN_SRV_EXTENSION],
+    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
      [0,0,0]
  );
  
@@ -143,7 +152,7 @@ my $proxy = TLSProxy::Proxy->new(
  $proxy->serverconnects(2);
  $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
  $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 20;
+plan tests => 21;
  checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                 checkhandshake::DEFAULT_EXTENSIONS,
                 "Default handshake test");
@@ -358,3 +367,16 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                 checkhandshake::DEFAULT_EXTENSIONS
                 | checkhandshake::SRP_CLI_EXTENSION,
                 "SRP extension test");
+
+#Test 21: EC handshake
+SKIP: {
+    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
+    $proxy->clear();
+    $proxy->clientflags("-no_tls1_3");
+    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+    $proxy->start();
+    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
+                   checkhandshake::DEFAULT_EXTENSIONS
+                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
+                   "EC handshake test");
+}
diff --git a/test/testlib/checkhandshake.pm b/test/testlib/checkhandshake.pm

index eb34fff622d6e7df62c66a0164697ad55cf9e521..9529b949bdc876ee80ece605a68bcaa449d32cb5 100644 (file)
--- a/test/testlib/checkhandshake.pm
+++ b/test/testlib/checkhandshake.pm
@@ -23,8 +23,9 @@ use constant {
      CLIENT_AUTH_HANDSHAKE => 8,
      RENEG_HANDSHAKE => 16,
      NPN_HANDSHAKE => 32,
+    EC_HANDSHAKE => 64,
  
-    ALL_HANDSHAKES => 63
+    ALL_HANDSHAKES => 127
  };
  
  use constant {
@@ -43,6 +44,8 @@ use constant {
      NPN_CLI_EXTENSION => 0x00000800,
      NPN_SRV_EXTENSION => 0x00001000,
      SRP_CLI_EXTENSION => 0x00002000,
+    #Client side for ec point formats is a default extension
+    EC_POINT_FORMAT_SRV_EXTENSION => 0x00004000,
  };
  
  our @handmessages = ();
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm

index e5c42c83c450bfd726a2796a81880e625e0e24b5..7837787a034aad6ab4763a6ce139541733865415 100644 (file)
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -83,6 +83,10 @@ use constant {
      EXT_DUPLICATE_EXTENSION => 0xfde8
  };
  
+use constant {
+    CIPHER_ADH_AES_128_SHA => 0x03000034
+};
+
  my $payload = "";
  my $messlen = -1;
  my $mt;
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm

index 65615891f8b17615a35110b3e21e3981b4756c96..84ca3a75108762a32af087b137b60e1d4c12d6e2 100644 (file)
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -25,6 +25,7 @@ my $have_IPv6 = 0;
  my $IP_factory;
  
  my $is_tls13 = 0;
+my $ciphersuite = undef;
  
  sub new
  {
@@ -108,6 +109,7 @@ sub clearClient
      $self->{message_list} = [];
      $self->{clientflags} = "";
      $is_tls13 = 0;
+    $ciphersuite = undef;
  
      TLSProxy::Message->clear();
      TLSProxy::Record->clear();
@@ -535,4 +537,13 @@ sub reneg
      return $self->{reneg};
  }
  
+sub ciphersuite
+{
+    my $class = shift;
+    if (@_) {
+        $ciphersuite = shift;
+    }
+    return $ciphersuite;
+}
+
  1;
diff --git a/util/TLSProxy/ServerHello.pm b/util/TLSProxy/ServerHello.pm

index 5a038c902b144c8622e4c9e3d547f64f15955dcc..1abdd053e152aa71de8891fc3ddbc2ede7af316c 100644 (file)
--- a/util/TLSProxy/ServerHello.pm
+++ b/util/TLSProxy/ServerHello.pm
@@ -103,6 +103,7 @@ sub parse
      $self->session_id_len($session_id_len);
      $self->session($session);
      $self->ciphersuite($ciphersuite);
+    TLSProxy::Proxy->ciphersuite($ciphersuite);
      $self->comp_meth($comp_meth);
      $self->extension_data(\%extensions);
  
diff --git a/util/TLSProxy/ServerKeyExchange.pm b/util/TLSProxy/ServerKeyExchange.pm

index 6e5b4cdcb42fe5acfec75b4c579595ba391c449a..7640b3f55bd53e6300a5a5a414e83926bef018d5 100644 (file)
--- a/util/TLSProxy/ServerKeyExchange.pm
+++ b/util/TLSProxy/ServerKeyExchange.pm
@@ -42,9 +42,9 @@ sub parse
  {
      my $self = shift;
  
-    #Minimal SKE parsing. Only supports DHE at the moment (if its not DHE
-    #the parsing data will be trash...which is ok as long as we don't try to
-    #use it)
+    #Minimal SKE parsing. Only supports one known DHE ciphersuite at the moment
+    return if (TLSProxy::Proxy->ciphersuite()
+               != TLSProxy::Message::CIPHER_ADH_AES_128_SHA);
  
      my $p_len = unpack('n', $self->data);
      my $ptr = 2;
author	Matt Caswell <matt@openssl.org>
	Wed, 28 Dec 2016 15:01:57 +0000 (15:01 +0000)
committer	Matt Caswell <matt@openssl.org>
	Thu, 29 Dec 2016 13:32:54 +0000 (13:32 +0000)
test/recipes/70-test_sslmessages.t		patch \| blob \| history
test/testlib/checkhandshake.pm		patch \| blob \| history
util/TLSProxy/Message.pm		patch \| blob \| history
util/TLSProxy/Proxy.pm		patch \| blob \| history
util/TLSProxy/ServerHello.pm		patch \| blob \| history
util/TLSProxy/ServerKeyExchange.pm		patch \| blob \| history