Diffstat (limited to 'test/recipes/70-test_renegotiation.t')
-rw-r--r-- | test/recipes/70-test_renegotiation.t | 101 |
1 files changed, 94 insertions, 7 deletions
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t
index 37fbfd5854..445d447dc9 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@@ -7,6 +7,7 @@
 # https://www.openssl.org/source/license.html
 use strict;
+use List::Util 'first';
 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
 use OpenSSL::Test::Utils;
 use TLSProxy::Proxy;
@@ -26,7 +27,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS <= 1.2 enabled"
 if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
-plan tests => 5;
+plan tests => 9;
 my $proxy = TLSProxy::Proxy->new(
 undef,
@@ -42,9 +43,10 @@ $proxy->reneg(1);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
 ok(TLSProxy::Message->success(), "Basic renegotiation");
-#Test 2: Client does not send the Reneg SCSV. Reneg should fail
+#Test 2: Seclevel 0 client does not send the Reneg SCSV. Reneg should fail
 $proxy->clear();
-$proxy->filter(\&reneg_filter);
+$proxy->filter(\&reneg_scsv_filter);
+$proxy->cipherc("DEFAULT:\@SECLEVEL=0");
 $proxy->clientflags("-no_tls1_3");
 $proxy->serverflags("-client_renegotiation");
 $proxy->reneg(1);
@@ -52,9 +54,24 @@ $proxy->start();
 ok(TLSProxy::Message->fail(), "No client SCSV");
 SKIP: {
+ skip "TLSv1.2 disabled", 1
+ if disabled("tls1_2");
+
+ #Test 3: TLS 1.2 client does not send the Reneg extension. Reneg should fail
+
+ $proxy->clear();
+ $proxy->filter(\&reneg_ext_filter);
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->serverflags("-client_renegotiation");
+ $proxy->reneg(1);
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "No client extension");
+}
+
+SKIP: {
 skip "TLSv1.2 or TLSv1.1 disabled", 1
 if disabled("tls1_2") || disabled("tls1_1");
- #Test 3: Check that the ClientHello version remains the same in the reneg
+ #Test 4: Check that the ClientHello version remains the same in the reneg
 # handshake
 $proxy->clear();
 $proxy->filter(undef);
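Review bot: Test 2 now depends on the SECLEVEL=0 client actually emitting the SCSV, yet unlike the new Test 7 it carries no `skip "TLSv1 disabled"` guard; if, as Test 7's guard and Test 8's `-tls1_2` expectation suggest, the commit makes the SCSV conditional on the older protocol versions being offered, a build with only TLSv1.2 enabled would send the RI extension instead, `reneg_scsv_filter` would find nothing to strip, and `ok(TLSProxy::Message->fail(), "No client SCSV")` would report a spurious failure. Wrapping Test 2 in the same `SKIP: { skip "TLSv1 disabled", 1 if disabled("tls1"); ... }` block as Test 7 would keep the test honest on such builds. The body of `reneg_scsv_filter` is outside this hunk, so whether it tolerates a missing SCSV cannot be confirmed here. The changed comment also spells it `Seclevel 0` while the rest of the file uses `SECLEVEL`.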
@@ -84,7 +101,7 @@ SKIP: {
 skip "TLSv1.2 disabled", 1
 if disabled("tls1_2");
- #Test 4: Test for CVE-2021-3449. client_sig_algs instead of sig_algs in
+ #Test 5: Test for CVE-2021-3449. client_sig_algs instead of sig_algs in
 # resumption ClientHello
 $proxy->clear();
 $proxy->filter(\&sigalgs_filter);
@@ -98,7 +115,7 @@ SKIP: {
 skip "TLSv1.2 and TLSv1.1 disabled", 1
 if disabled("tls1_2") && disabled("tls1_1");
- #Test 5: Client fails to do renegotiation
+ #Test 6: Client fails to do renegotiation
 $proxy->clear();
 $proxy->filter(undef);
 $proxy->serverflags("-no_tls1_3");
@@ -109,7 +126,60 @@ SKIP: {
 "Check client renegotiation failed");
 }
-sub reneg_filter
+SKIP: {
+ skip "TLSv1 disabled", 1
+ if disabled("tls1");
+
+ #Test 7: Check that SECLEVEL 0 sends SCSV not RI extension
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->cipherc("DEFAULT:\@SECLEVEL=0");
+ $proxy->start();
+
+ my $clientHello = first { $_->mt == TLSProxy::Message::MT_CLIENT_HELLO } @{$proxy->message_list};
+ my $has_scsv = 255 ~~ @{$clientHello->ciphersuites};
+ my $has_ri_extension = exists $clientHello->extension_data()->{TLSProxy::Message::EXT_RENEGOTIATE};
+
+ ok($has_scsv && !$has_ri_extension, "SECLEVEL=0 should use SCSV not RI extension by default");
+}
+
+SKIP: {
+ skip "TLSv1.2 disabled", 1
+ if disabled("tls1_2");
+
+ #Test 8: Check that SECLEVEL0 + TLS 1.2 sends RI extension not SCSV
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->cipherc("DEFAULT:\@SECLEVEL=0");
+ $proxy->clientflags("-tls1_2");
+ $proxy->start();
+
+ my $clientHello = first { $_->mt == TLSProxy::Message::MT_CLIENT_HELLO } @{$proxy->message_list};
+ my $has_scsv = 255 ~~ @{$clientHello->ciphersuites};
+ my $has_ri_extension = exists $clientHello->extension_data()->{TLSProxy::Message::EXT_RENEGOTIATE};
+
+ ok(!$has_scsv && $has_ri_extension, "TLS1.2 should use RI extension despite SECLEVEL=0");
+}
+
+
+SKIP: {
+ skip "TLSv1.3 disabled", 1
+ if disabled("tls1_3");
+
+ #Test 9: Check that TLS 1.3 sends neither RI extension nor SCSV
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->clientflags("-tls1_3");
+ $proxy->start();
+
+ my $clientHello = first { $_->mt == TLSProxy::Message::MT_CLIENT_HELLO } @{$proxy->message_list};
+ my $has_scsv = 255 ~~ @{$clientHello->ciphersuites};
+ my $has_ri_extension = exists $clientHello->extension_data()->{TLSProxy::Message::EXT_RENEGOTIATE};
+
+ ok(!$has_scsv && !$has_ri_extension, "TLS1.3 should not use RI extension or SCSV");
+}
+
+sub reneg_scsv_filter
 {
 my $proxy = shift;
@@ -129,6 +199,23 @@ sub reneg_filter
 }
 }
+sub reneg_ext_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the initial ClientHello message
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ $message->delete_extension(TLSProxy::Message::EXT_RENEGOTIATE);
+ $message->repack();
+ }
+ }
+}
+
 sub sigalgs_filter
 {
 my $proxy = shift;
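Review bot: `reneg_ext_filter` has no header comment saying which test it serves or that it presumably does nothing when the ClientHello signals renegotiation via the SCSV rather than the extension, which is exactly the split the new Test 2/Test 3 pair and `reneg_scsv_filter` exist to cover. A one-line header above `sub reneg_ext_filter` such as `# Test 3 filter: strip the renegotiation_info extension from the initial ClientHello; a ClientHello that carries only the SCSV is left untouched` would make the pairing obvious to the next reader. The flight-0 guard and the `delete_extension`/`repack` sequence are fine as written.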