From 56c2a6d78354b395dfd0c535debbe063d71b30ab Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 9 May 2017 16:42:01 +0100 Subject: [PATCH] Add tests for unsolicited extensions Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/3418) --- test/recipes/70-test_sslextension.t | 70 ++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 1c0e96eb58..ce25c787af 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -26,6 +26,14 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLS enabled" if alldisabled(available_protocols("tls")); +use constant { + UNSOLICITED_SERVER_NAME => 0, + UNSOLICITED_SERVER_NAME_TLS13 => 1, + UNSOLICITED_SCT => 2 +}; + +my $testtype; + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&extension_filter, @@ -36,7 +44,7 @@ my $proxy = TLSProxy::Proxy->new( # Test 1: Sending a zero length extension block should pass $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 3; +plan tests => 6; ok(TLSProxy::Message->success, "Zero extension length test"); sub extension_filter @@ -119,3 +127,63 @@ $proxy->clear(); $proxy->filter(\&inject_duplicate_extension_serverhello); $proxy->start(); ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension"); + +sub inject_unsolicited_extension +{ + my $proxy = shift; + my $message; + + # We're only interested in the initial ServerHello/EncryptedExtensions + if ($proxy->flight != 1) { + return; + } + + if ($testtype == UNSOLICITED_SERVER_NAME_TLS13) { + $message = ${$proxy->message_list}[2]; + die "Expecting EE message ".($message->mt).", ".${$proxy->message_list}[1]->mt.", ".${$proxy->message_list}[3]->mt if $message->mt != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS; + } else { + $message = ${$proxy->message_list}[1]; + } + + my $ext = pack "C2", + 0x00, 0x00; #Extension length + + my $type; + if ($testtype == UNSOLICITED_SERVER_NAME + || $testtype == UNSOLICITED_SERVER_NAME_TLS13) { + $type = TLSProxy::Message::EXT_SERVER_NAME; + } elsif ($testtype == UNSOLICITED_SCT) { + $type = TLSProxy::Message::EXT_SCT; + } + $message->set_extension($type, $ext); + $message->repack(); +} + +SKIP: { + skip "TLS <= 1.2 disabled", 2 if alldisabled(("tls1", "tls1_1", "tls1_2")); + #Test 4: Inject an unsolicited extension (<= TLSv1.2) + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = UNSOLICITED_SERVER_NAME; + $proxy->clientflags("-no_tls1_3 -noservername"); + $proxy->start(); + ok(TLSProxy::Message->fail(), "Unsolicited server name extension"); + + #Test 5: Same as above for the SCT extension which has special handling + $proxy->clear(); + $testtype = UNSOLICITED_SCT; + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + ok(TLSProxy::Message->fail(), "Unsolicited sct extension"); +} + +SKIP: { + skip "TLS 1.3 disabled", 1 if disabled("tls1_3"); + #Test 6: Inject an unsolicited extension (TLSv1.3) + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = UNSOLICITED_SERVER_NAME_TLS13; + $proxy->clientflags("-noservername"); + $proxy->start(); + ok(TLSProxy::Message->fail(), "Unsolicited server name extension (TLSv1.3)"); +} -- 2.25.1