From 8af538e5c55f43f9ae996d3f2cae04222cda6762 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 13 Aug 2015 16:58:20 +0100
Subject: [PATCH] Fix TLSProxy end of test detection

Previously TLSProxy would detect a successful handshake once it saw the server Finished message. This causes problems with abbreviated handshakes, or if the client fails to process a message from the last server flight. This change additionally sends some application data and finishes when the client sends a CloseNotify.

Reviewed-by: Tim Hudson
---
 util/TLSProxy/Message.pm | 31 ++++++++++++++++++++-----------
 util/TLSProxy/Proxy.pm   |  4 ++--
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 028322b613..6376219d15 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -73,6 +73,18 @@ use constant {
     MT_CERTIFICATE_STATUS => 22,
     MT_NEXT_PROTO => 67
 };
+
+#Alert levels
+use constant {
+    AL_LEVEL_WARN => 1,
+    AL_LEVEL_FATAL => 2
+};
+
+#Alert descriptions
+use constant {
+    AL_DESC_CLOSE_NOTIFY => 0
+};
+
 my %message_type = (
     MT_HELLO_REQUEST, "HelloRequest",
     MT_CLIENT_HELLO, "ClientHello",
@@ -164,11 +176,6 @@ sub get_messages
                     $startoffset);
                 push @messages, $message;
 
-                #Check if we have finished the handshake
-                if ($mt == MT_FINISHED && $server) {
-                    $success = 1;
-                    $end = 1;
-                }
                 $payload = "";
             } else {
                 #This is just part of the total message
@@ -210,11 +217,6 @@ sub get_messages
                     $startoffset);
                 push @messages, $message;
 
-                #Check if we have finished the handshake
-                if ($mt == MT_FINISHED && $server) {
-                    $success = 1;
-                    $end = 1;
-                }
                 $payload = "";
             } else {
                 #This is just part of the total message
@@ -230,8 +232,15 @@ sub get_messages
         print " [ENCRYPTED APPLICATION DATA]\n";
         print " [".$record->decrypt_data."]\n";
     } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
-        #For now assume all alerts are fatal
+        my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data);
+        #All alerts end the test
         $end = 1;
+        #A CloseNotify from the client indicates we have finished successfully
+        #(we assume)
+        if (!$server && $alertlev == AL_LEVEL_WARN
+            && $alertdesc == AL_DESC_CLOSE_NOTIFY) {
+            $success = 1;
+        }
     }
 
     return @messages;
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 571ab10e83..af6c8ddaaf 100644
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -130,7 +130,7 @@ sub start
         open(STDOUT, ">", File::Spec->devnull())
             or die "Failed to redirect stdout";
         open(STDERR, ">&STDOUT");
-        my $execcmd = $self->execute." s_server -engine ossltest -accept "
+        my $execcmd = $self->execute." s_server -rev -engine ossltest -accept "
             .($self->server_port)
             ." -cert ".$self->cert." -naccept 1";
         if ($self->ciphers ne "") {
@@ -167,7 +167,7 @@ sub start
         open(STDOUT, ">", File::Spec->devnull())
             or die "Failed to redirect stdout";
         open(STDERR, ">&STDOUT");
-        my $execcmd = $self->execute
+        my $execcmd = "echo test | ".$self->execute
             ." s_client -engine ossltest -connect "
             .($self->proxy_addr).":".($self->proxy_port);
         if ($self->cipherc ne "") {
-- 
2.25.1
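Review bot: `unpack('CC', $record->decrypt_data)` in the RT_ALERT branch assumes the alert payload is at least two bytes; a truncated or malformed alert record (exactly the kind of thing a proxy-based test may be fed) leaves `$alertdesc`, and possibly `$alertlev`, undef, and the numeric comparison that follows then proceeds under "uninitialized value" warnings (if the file enables warnings, which is outside this hunk) instead of failing clearly. Adding a definedness test keeps a short alert as a plain end-of-test rather than a noisy one: `if (!$server && defined $alertdesc && $alertlev == AL_LEVEL_WARN && $alertdesc == AL_DESC_CLOSE_NOTIFY) {`. Separately, `$end = 1` now fires for every alert, including warning-level alerts other than close_notify, which in TLS do not close the connection; a server emitting such a benign warning would cut message collection short, so if that is intended the comment `#All alerts end the test` could say so explicitly (e.g. `#All alerts end the test, even warning-level ones that would not close the connection`). `get_messages` begins before this hunk and its closing brace lies after it.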
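Review bot: Neither the `-rev` flag added to the s_server command in `@@ -130,7 +130,7 @@` nor the `"echo test | "` prefix added to the s_client command in `@@ -167,7 +167,7 @@` explains why it is there, and the reason lives in a different file (Message.pm now ends the test on the client's close_notify), so the two halves of the mechanism are easy to break independently. A why-comment on each would keep them discoverable, e.g. above the s_server line `# -rev makes s_server echo application data back, so the client has a data exchange to complete before closing` and above the s_client line `# Feed s_client some application data on stdin; at EOF it presumably sends close_notify, which get_messages in Message.pm treats as a successful end of test`. Both `$execcmd` strings are still built by concatenation and handed to a shell, so any shell metacharacters in `execute` or `cert` are interpreted; that is unchanged here, but the new pipe prefix now depends on a shell explicitly, which is worth noting in the comment as well since it rules out a later move to list-form exec for the client side. The rest of `start` lies outside both hunks.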