Add a test for fragmented alerts

The previous commit fixed a problem where fragmented alerts would cause an
infinite loop. This commit adds a test for these fragmented alerts.

Reviewed-by: Andy Polyakov <appro@openssl.org>

diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index b0e37398fba542469fbcbfa1fd256817ccfe7fbb..94aabdcf6d004774174d6a83a252a5c50d2d12e7 100644 (file)
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -38,7 +38,7 @@ my $proxy = TLSProxy::Proxy->new(
 my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
 my $inject_recs_num = 1;
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 3;
+plan tests => 4;
 ok(TLSProxy::Message->fail(), "Out of context empty records test");
 
 #Test 2: Injecting in context empty records should succeed
@@ -54,6 +54,14 @@ $inject_recs_num = 33;
 $proxy->start();
 ok(TLSProxy::Message->fail(), "Too many in context empty records test");
 
+#Test 4: Injecting a fragmented fatal alert should fail. We actually expect no
+#        alerts to be sent from either side because *we* injected the fatal
+#        alert, i.e. this will look like a disorderly close
+$proxy->clear();
+$proxy->filter(\&add_frag_alert_filter);
+$proxy->start();
+ok(!TLSProxy::Message->end(), "Fragmented alert records test");
+
 sub add_empty_recs_filter
 {
     my $proxy = shift;
@@ -78,3 +86,55 @@ sub add_empty_recs_filter
         push @{$proxy->record_list}, $record;
     }
 }
+
+sub add_frag_alert_filter
+{
+    my $proxy = shift;
+    my $byte;
+
+    # We're only interested in the initial ClientHello
+    if ($proxy->flight != 0) {
+        return;
+    }
+
+    # Add a zero length fragment first
+    #my $record = TLSProxy::Record->new(
+    #    0,
+    #    TLSProxy::Record::RT_ALERT,
+    #    TLSProxy::Record::VERS_TLS_1_2,
+    #    0,
+    #    0,
+    #    0,
+    #    "",
+    #    ""
+    #);
+    #push @{$proxy->record_list}, $record;
+
+    # Now add the alert level (Fatal) as a seperate record
+    $byte = pack('C', TLSProxy::Message::AL_LEVEL_FATAL);
+    my $record = TLSProxy::Record->new(
+        0,
+        TLSProxy::Record::RT_ALERT,
+        TLSProxy::Record::VERS_TLS_1_2,
+        1,
+        1,
+        1,
+        $byte,
+        $byte
+    );
+    push @{$proxy->record_list}, $record;
+
+    # And finally the description (Unexpected message) in a third record
+    $byte = pack('C', TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE);
+    $record = TLSProxy::Record->new(
+        0,
+        TLSProxy::Record::RT_ALERT,
+        TLSProxy::Record::VERS_TLS_1_2,
+        1,
+        1,
+        1,
+        $byte,
+        $byte
+    );
+    push @{$proxy->record_list}, $record;
+}

diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 85d5d6bcd47353c92061cbe07af51649e5b0b524..b8db22fb85f7f2d9f9b09476b59f5e25c3228b68 100644 (file)
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -36,7 +36,8 @@ use constant {
 
 #Alert descriptions
 use constant {
-    AL_DESC_CLOSE_NOTIFY => 0
+    AL_DESC_CLOSE_NOTIFY => 0,
+    AL_DESC_UNEXPECTED_MESSAGE => 10
 };
 
 my %message_type = (