From: Matt Caswell Date: Tue, 16 Jun 2015 12:12:37 +0000 (+0100) Subject: Add some libssl tests X-Git-Tag: OpenSSL_1_1_0-pre1~829 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=011467ee55aa82a96cd8a539560c46fd4504a82b;p=oweals%2Fopenssl.git Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte --- diff --git a/test/Makefile b/test/Makefile index f49dc76ef0..1f27894de2 100644 --- a/test/Makefile +++ b/test/Makefile @@ -71,6 +71,8 @@ CONSTTIMETEST= constant_time_test VERIFYEXTRATEST= verify_extra_test CLIENTHELLOTEST= clienthellotest PACKETTEST= packettest +SSLVERTOLTEST= sslvertoltest.pl +SSLEXTENSIONTEST= sslextensiontest.pl TESTS= alltests @@ -156,7 +158,8 @@ alltests: \ test_ige test_jpake test_secmem \ test_srp test_cms test_v3name test_ocsp \ test_gost2814789 test_heartbeat test_p5_crpt2 \ - test_constant_time test_verify_extra test_clienthello test_packet + test_constant_time test_verify_extra test_clienthello test_packet \ + test_sslvertol test_sslextension test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt @echo $(START) $@ 
@@ -417,6 +420,15 @@ test_packet: $(PACKETTEST)$(EXE_EXT) @echo $(START) $@ ../util/shlib_wrap.sh ./$(PACKETTEST) +#OPENSSL_ia32cap=... in ssl tests below ensures AES-NI is switched off (AES-NI does not go through the testmode engine) +test_sslvertol: ../apps/openssl$(EXE_EXT) + @echo $(START) $@ + PERL5LIB=$$PERL5LIB:../util ../util/shlib_wrap.sh ./$(SSLVERTOLTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem + +test_sslextension: ../apps/openssl$(EXE_EXT) + @echo $(START) $@ + PERL5LIB=$$PERL5LIB:../util ../util/shlib_wrap.sh ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem + update: local_depend @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi diff --git a/test/sslextensiontest.pl b/test/sslextensiontest.pl new file mode 100755 index 0000000000..802bac19a4 --- /dev/null +++ b/test/sslextensiontest.pl 
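Review bot: In test/Makefile, the recipes for test_sslvertol and test_sslextension append `../util` after whatever PERL5LIB the caller already has, so a TLSProxy module found earlier on that path would be loaded instead of the in-tree one. Putting the tree first, `PERL5LIB=../util:$$PERL5LIB`, keeps these tests tied to the code under review. Both recipes also execute the scripts directly, which relies on the `#!/usr/bin/perl` shebang and the executable bit; if this Makefile defines a perl variable (not visible in the hunk), running the scripts through it would be more portable.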
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+# software must display the following acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+# endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# openssl-core@openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+# nor may "OpenSSL" appear in their names without prior written
+# permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+# acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay@cryptsoft.com). This product includes software written by Tim
+# Hudson (tjh@cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+
+my $proxy = TLSProxy::Proxy->new(
+ \&extension_filter,
+ @ARGV
+);
+
+#Test 1: Sending a zero length extension block should pass
+$proxy->start();
+TLSProxy::Message->success or die "FAILED: Zero extension length test\n";
+
+print "SUCCESS: Extension test\n";
+
+sub extension_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ #Remove all extensions and set the extension len to zero
+ $message->extension_data({});
+ $message->extensions_len(0);
+ #Extensions have been removed so make sure we don't try to use them
+ $message->process_extensions();
+
+ $message->repack();
+ }
+ }
+}
diff --git a/test/sslvertoltest.pl b/test/sslvertoltest.pl
new file mode 100755
index 0000000000..1828a7d1bb
--- /dev/null
+++ b/test/sslvertoltest.pl
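Review bot: The only assertion in test/sslextensiontest.pl is `TLSProxy::Message->success` after `$proxy->start()`, so the test would presumably still pass if `extension_filter` never rewrote a ClientHello (for example if the flight or message-type check stopped matching), since an unmodified handshake is expected to succeed too. Recording the rewrite and asserting it would close that gap: a file-level `my $modified = 0;`, `$modified = 1;` next to `$message->repack();`, and `$modified or die "FAILED: ClientHello was not modified\n";` after the success check. That assumes the filter runs in the same process as the script, which this hunk does not show. The script also has `use strict;` without `use warnings;`, and it uses `TLSProxy::Message` while loading only `TLSProxy::Proxy`; an explicit `use TLSProxy::Message;` would make that dependency visible.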
@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+# software must display the following acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+# endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# openssl-core@openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+# nor may "OpenSSL" appear in their names without prior written
+# permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+# acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay@cryptsoft.com). This product includes software written by Tim
+# Hudson (tjh@cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+
+my $proxy = TLSProxy::Proxy->new(
+ \&vers_tolerance_filter,
+ @ARGV
+);
+
+#Test 1: Asking for TLS1.3 should pass
+my $client_version = TLSProxy::Record::VERS_TLS_1_3;
+$proxy->start();
+TLSProxy::Message->success or die "FAILED: Version tolerance test\n";
+
+#Test 2: Testing something below SSLv3 should fail
+$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
+$proxy->restart();
+TLSProxy::Message->success and die "FAILED: Version tolerance test\n";
+
+print "SUCCESS: Version tolerance test\n";
+
+sub vers_tolerance_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ #Set the client version
+ #Anything above the max supported version (TLS1.2) should succeed
+ #Anything below SSLv3 should fail
+ $message->client_version($client_version);
+ $message->repack();
+ }
+ }
+}
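Review bot: Test 2 in test/sslvertoltest.pl counts any unsuccessful run as a pass (`TLSProxy::Message->success and die ...`), so a server that failed to start or a proxy error would presumably satisfy it just as well as a genuine rejection of the sub-SSLv3 version. If TLSProxy exposes the reason for a failed handshake (not visible in this hunk), the negative case should assert on it. Both `die` calls also print the same text, so a failing run does not say which case broke; distinct messages such as `die "FAILED: Version tolerance test (TLS1.3 ClientHello rejected)\n"` and `die "FAILED: Version tolerance test (version below SSLv3 accepted)\n"` would fix that. The script has `use strict;` but no `use warnings;`.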