From 397f4f78760480f982adaeed98ccb10bda4d3fbb Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 28 Dec 2016 15:01:57 +0000 Subject: [PATCH] Add a test to check the EC point formats extension appears when we expect The previous commit fixed a bug where the EC point formats extensions did not appear in the ServerHello. This should have been caught by 70-test_sslmessages but that test never tries an EC ciphersuite. This updates the test to do that. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/2153) --- test/recipes/70-test_sslmessages.t | 32 +++++++++++++++++++++++++----- test/testlib/checkhandshake.pm | 5 ++++- util/TLSProxy/Message.pm | 4 ++++ util/TLSProxy/Proxy.pm | 11 ++++++++++ util/TLSProxy/ServerHello.pm | 1 + util/TLSProxy/ServerKeyExchange.pm | 6 +++--- 6 files changed, 50 insertions(+), 9 deletions(-) diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index fb4ec61b49..de8b0bcf2d 100755 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t @@ -46,6 +46,9 @@ my $proxy = TLSProxy::Proxy->new( [TLSProxy::Message::MT_CERTIFICATE, checkhandshake::ALL_HANDSHAKES & ~checkhandshake::RESUME_HANDSHAKE], + (disabled("ec") ? () : + [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE, + checkhandshake::EC_HANDSHAKE]), [TLSProxy::Message::MT_CERTIFICATE_STATUS, checkhandshake::OCSP_HANDSHAKE], #ServerKeyExchange handshakes not currently supported by TLSProxy 
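Review bot: In test/recipes/70-test_sslmessages.t, hunk `@@ -46,6 +46,9 @@`, the context comment `#ServerKeyExchange handshakes not currently supported by TLSProxy` now sits below a new `MT_SERVER_KEY_EXCHANGE` row and reads as contradicting it. The table expects a ServerKeyExchange for `EC_HANDSHAKE`, so the comment should state what remains uncovered, for example `#Only the EC ServerKeyExchange is checked; other key exchange handshakes are not tested here`. The message table continues outside the hunk, so the comment may have been meant for rows not visible here.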
@@ -94,10 +97,14 @@ my $proxy = TLSProxy::Proxy->new( checkhandshake::SERVER_NAME_CLI_EXTENSION], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, checkhandshake::STATUS_REQUEST_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, - checkhandshake::DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, - checkhandshake::DEFAULT_EXTENSIONS], + (disabled("ec") ? () : + [TLSProxy::Message::MT_CLIENT_HELLO, + TLSProxy::Message::EXT_SUPPORTED_GROUPS, + checkhandshake::DEFAULT_EXTENSIONS]), + (disabled("ec") ? () : + [TLSProxy::Message::MT_CLIENT_HELLO, + TLSProxy::Message::EXT_EC_POINT_FORMATS, + checkhandshake::DEFAULT_EXTENSIONS]), [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, checkhandshake::DEFAULT_EXTENSIONS], [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, @@ -135,6 +142,8 @@ my $proxy = TLSProxy::Proxy->new( checkhandshake::SCT_SRV_EXTENSION], [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN, checkhandshake::NPN_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, + checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION], [0,0,0] ); @@ -143,7 +152,7 @@ my $proxy = TLSProxy::Proxy->new( $proxy->serverconnects(2); $proxy->clientflags("-no_tls1_3 -sess_out ".$session); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 20; +plan tests => 21; checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, checkhandshake::DEFAULT_EXTENSIONS, "Default handshake test"); 
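Review bot: In hunk `@@ -135,6 +142,8 @@`, the new `MT_SERVER_HELLO` / `EXT_EC_POINT_FORMATS` row is added unconditionally, while the two ClientHello EC rows in hunk `@@ -94,10 +97,14 @@` are wrapped in `(disabled("ec") ? () : ...)`. This is harmless as long as `EC_POINT_FORMAT_SRV_EXTENSION` is requested only by the EC test, which skips on no-ec builds. The asymmetry is undocumented, though, and would cause a confusing failure if another test ever sets that flag. Either guard the row the same way or add a comment such as `#Only expected when an EC ciphersuite is negotiated`.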
@@ -358,3 +367,16 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, checkhandshake::DEFAULT_EXTENSIONS | checkhandshake::SRP_CLI_EXTENSION, "SRP extension test"); + +#Test 21: EC handshake +SKIP: { + skip "No EC support in this OpenSSL build", 1 if disabled("ec"); + $proxy->clear(); + $proxy->clientflags("-no_tls1_3"); + $proxy->ciphers("ECDHE-RSA-AES128-SHA"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::EC_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION, + "EC handshake test"); +} diff --git a/test/testlib/checkhandshake.pm b/test/testlib/checkhandshake.pm index eb34fff622..9529b949bd 100644 --- a/test/testlib/checkhandshake.pm +++ b/test/testlib/checkhandshake.pm @@ -23,8 +23,9 @@ use constant { CLIENT_AUTH_HANDSHAKE => 8, RENEG_HANDSHAKE => 16, NPN_HANDSHAKE => 32, + EC_HANDSHAKE => 64, - ALL_HANDSHAKES => 63 + ALL_HANDSHAKES => 127 }; use constant { @@ -43,6 +44,8 @@ use constant { NPN_CLI_EXTENSION => 0x00000800, NPN_SRV_EXTENSION => 0x00001000, SRP_CLI_EXTENSION => 0x00002000, + #Client side for ec point formats is a default extension + EC_POINT_FORMAT_SRV_EXTENSION => 0x00004000, }; our @handmessages = (); diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm index e5c42c83c4..7837787a03 100644 --- a/util/TLSProxy/Message.pm +++ b/util/TLSProxy/Message.pm @@ -83,6 +83,10 @@ use constant { EXT_DUPLICATE_EXTENSION => 0xfde8 }; +use constant { + CIPHER_ADH_AES_128_SHA => 0x03000034 +}; + my $payload = ""; my $messlen = -1; my $mt; diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm index 65615891f8..84ca3a7510 100644 --- a/util/TLSProxy/Proxy.pm +++ b/util/TLSProxy/Proxy.pm @@ -25,6 +25,7 @@ my $have_IPv6 = 0; my $IP_factory; my $is_tls13 = 0; +my $ciphersuite = undef; sub new { @@ -108,6 +109,7 @@ sub clearClient $self->{message_list} = []; $self->{clientflags} = ""; $is_tls13 = 0; + $ciphersuite = undef; TLSProxy::Message->clear(); TLSProxy::Record->clear(); 
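Review bot: In test/testlib/checkhandshake.pm, hunk `@@ -23,8 +23,9 @@`, `ALL_HANDSHAKES => 127` is a hand-maintained mask that must be bumped every time a `*_HANDSHAKE` bit is added, as this hunk does for `EC_HANDSHAKE => 64`. If a future bit is added without the bump, rows keyed on `ALL_HANDSHAKES` would silently stop applying to the new handshake type. A comment on the constant would make the coupling explicit, for example `#Must equal the OR of every *_HANDSHAKE value above`.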
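Review bot: In util/TLSProxy/Message.pm, hunk `@@ -83,6 +83,10 @@`, `CIPHER_ADH_AES_128_SHA => 0x03000034` looks like a 32-bit internal cipher id rather than the two-byte value carried in a ServerHello, which for this suite is 0x0034. The util/TLSProxy/ServerHello.pm hunk passes `$ciphersuite` straight to `TLSProxy::Proxy->ciphersuite(...)`, and how that value is unpacked is outside the hunk. If it is the 16-bit wire value, the `!=` guard added in util/TLSProxy/ServerKeyExchange.pm always takes the early return, so ServerKeyExchange parsing is silently skipped for every suite. Confirm the width and, if it is the wire value, use `CIPHER_ADH_AES_128_SHA => 0x0034`.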
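Review bot: In util/TLSProxy/Proxy.pm, hunk `@@ -25,6 +25,7 @@`, `my $ciphersuite = undef;` is a file-scoped variable, so the negotiated suite is shared by every proxy object in the process rather than stored per instance. Nothing documents that. The accessor added in hunk `@@ -535,4 +537,13 @@` shifts `$class` and never uses it, and the value is written as a side effect of `TLSProxy::ServerHello::parse` and reset in `clearClient` (hunk `@@ -108,6 +109,7 @@`). Add a comment above the accessor along the lines of `#Class-level: ciphersuite from the most recent ServerHello, undef until one is parsed`.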
@@ -535,4 +537,13 @@ sub reneg return $self->{reneg}; } +sub ciphersuite +{ + my $class = shift; + if (@_) { + $ciphersuite = shift; + } + return $ciphersuite; +} + 1; diff --git a/util/TLSProxy/ServerHello.pm b/util/TLSProxy/ServerHello.pm index 5a038c902b..1abdd053e1 100644 --- a/util/TLSProxy/ServerHello.pm +++ b/util/TLSProxy/ServerHello.pm @@ -103,6 +103,7 @@ sub parse $self->session_id_len($session_id_len); $self->session($session); $self->ciphersuite($ciphersuite); + TLSProxy::Proxy->ciphersuite($ciphersuite); $self->comp_meth($comp_meth); $self->extension_data(\%extensions); diff --git a/util/TLSProxy/ServerKeyExchange.pm b/util/TLSProxy/ServerKeyExchange.pm index 6e5b4cdcb4..7640b3f55b 100644 --- a/util/TLSProxy/ServerKeyExchange.pm +++ b/util/TLSProxy/ServerKeyExchange.pm @@ -42,9 +42,9 @@ sub parse { my $self = shift; - #Minimal SKE parsing. Only supports DHE at the moment (if its not DHE - #the parsing data will be trash...which is ok as long as we don't try to - #use it) + #Minimal SKE parsing. Only supports one known DHE ciphersuite at the moment + return if (TLSProxy::Proxy->ciphersuite() + != TLSProxy::Message::CIPHER_ADH_AES_128_SHA); my $p_len = unpack('n', $self->data); my $ptr = 2; -- 2.25.1
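Review bot: In util/TLSProxy/ServerKeyExchange.pm, hunk `@@ -42,9 +42,9 @@`, the new guard compares `TLSProxy::Proxy->ciphersuite()` with `!=` although that accessor returns undef until a ServerHello has been parsed and again after `clearClient`. If warnings are enabled in this file (not visible in the hunk), an undef value produces an "uninitialized value" warning. Make the undef case explicit: `my $cs = TLSProxy::Proxy->ciphersuite();` then `return if !defined($cs) || $cs != TLSProxy::Message::CIPHER_ADH_AES_128_SHA;`. The rewritten comment says "one known DHE ciphersuite" while the constant names an anonymous-DH suite, so it should name the suite exactly. The rest of `parse` is outside the hunk; it is worth checking that code which later reads the p, g, public key and signature fields tolerates them being unset after the early return.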