diff options
author | Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk> | 2024-01-11 14:18:07 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2024-02-09 08:11:23 +0000 |
commit | a1c72cc20dd4620a69142cfc65fd17daef8d28ee (patch) | |
tree | 0ac3c746f4b0e57162a6d493787189cc130f5e2f /test | |
parent | 01690a7ff36c4d18c48b301cdf375c954105a1d9 (diff) |
Support DTLS in TLS::Proxy.
Fixes #23199
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23319)
Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/70-test_dtlsrecords.t | 153 | ||||
-rw-r--r-- | test/recipes/70-test_sslcbcpadding.t | 2 | ||||
-rw-r--r-- | test/recipes/70-test_sslrecords.t | 13 | ||||
-rw-r--r-- | test/recipes/70-test_tls13hrr.t | 3 |
4 files changed, 163 insertions, 8 deletions
diff --git a/test/recipes/70-test_dtlsrecords.t b/test/recipes/70-test_dtlsrecords.t new file mode 100644 index 0000000000..99ce1128c0 --- /dev/null +++ b/test/recipes/70-test_dtlsrecords.t @@ -0,0 +1,153 @@ +#! /usr/bin/env perl +# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use feature 'state'; + +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; +use TLSProxy::Message; + +my $test_name = "test_dtlsrecords"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs DTLSv1.2 enabled" + if disabled("dtls1_2"); + +my $proxy = TLSProxy::Proxy->new_dtls( + undef, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +plan tests => 4; + +my $fatal_alert = 0; # set by filters at expected fatal alerts +my $inject_recs_num = 0; # used by add_empty_recs_filter +my $proxy_start_success = 0; + +#Test 1: Injecting out of context empty records should succeed +my $content_type = TLSProxy::Record::RT_APPLICATION_DATA; +$inject_recs_num = 1; +$proxy->serverflags("-min_protocol DTLSv1.2 -max_protocol DTLSv1.2"); +$proxy->clientflags("-max_protocol DTLSv1.2"); +$proxy->filter(\&add_empty_recs_filter); +$proxy_start_success = $proxy->start(); +ok($proxy_start_success && TLSProxy::Message->success(), "Out of context empty records test"); + +#Test 2: Injecting in context empty records should succeed +$proxy->clear(); +$content_type = TLSProxy::Record::RT_HANDSHAKE; +$inject_recs_num = 1; +$proxy->serverflags("-min_protocol DTLSv1.2 -max_protocol DTLSv1.2"); +$proxy->clientflags("-max_protocol DTLSv1.2"); +$proxy->filter(\&add_empty_recs_filter); +$proxy_start_success = $proxy->start(); +ok($proxy_start_success && TLSProxy::Message->success(), "In context empty records test"); + +#Unrecognised record type tests + +#Test 3: Sending an unrecognised record type in DTLSv1.2 should fail +$fatal_alert = 0; +$proxy->clear(); +$proxy->serverflags("-min_protocol DTLSv1.2 -max_protocol DTLSv1.2"); +$proxy->clientflags("-max_protocol DTLSv1.2"); +$proxy->filter(\&add_unknown_record_type); +ok($proxy->start() == 0, "Unrecognised record type in DTLS1.2"); + +SKIP: { + skip "DTLSv1 disabled", 1 if disabled("dtls1"); + + #Test 4: Sending an unrecognised record type in DTLSv1 should fail + $fatal_alert = 0; + $proxy->clear(); + $proxy->clientflags("-min_protocol DTLSv1 -max_protocol DTLSv1 -cipher DEFAULT:\@SECLEVEL=0"); + $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); + $proxy->filter(\&add_unknown_record_type); + ok($proxy->start() == 0, "Unrecognised record type in DTLSv1"); +} + +sub add_empty_recs_filter +{ + my $proxy = shift; + my $records = $proxy->record_list; + + # We're only interested in the initial ClientHello + if ($proxy->flight != 0) { + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(1) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; + return; + } + + for (my $i = 0; $i < $inject_recs_num; $i++) { + my $record = TLSProxy::Record->new_dtls( + 0, + $content_type, + TLSProxy::Record::VERS_TLS_1_2, + 0, + 0, + 0, + 0, + 0, + 0, + "", + "" + ); + push @{$records}, $record; + } +} + +sub add_unknown_record_type +{ + my $proxy = shift; + my $records = $proxy->record_list; + state $added_record; + + # We'll change a record after the initial version neg has taken place + if ($proxy->flight == 0) { + $added_record = 0; + return; + } elsif ($proxy->flight != 1 || $added_record) { + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; + return; + } + + my $record = TLSProxy::Record->new_dtls( + 1, + TLSProxy::Record::RT_UNKNOWN, + @{$records}[-1]->version(), + @{$records}[-1]->epoch(), + @{$records}[-1]->seq() +1, + 1, + 0, + 1, + 1, + "X", + "X" + ); + + #Find ServerHello record and insert after that + my $i; + for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) { + next; + } + $i++; + + splice @{$proxy->record_list}, $i, 0, $record; + $added_record = 1; +} diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t index c24f315c60..e49efb28e2 100644 --- a/test/recipes/70-test_sslcbcpadding.t +++ b/test/recipes/70-test_sslcbcpadding.t @@ -127,6 +127,6 @@ sub add_maximal_padding_filter } elsif ($sent_corrupted_payload) { # Check for bad_record_mac from client my $last_record = @{$proxy->record_list}[-1]; - $fatal_alert = 1 if $last_record->is_fatal_alert(0) == 20; + $fatal_alert = 1 if $last_record->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_BAD_RECORD_MAC; } } diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index 9a7e3d8c06..43e288b63e 100644 --- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -12,6 +12,7 @@ use feature 'state'; use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; use OpenSSL::Test::Utils; use TLSProxy::Proxy; +use TLSProxy::Message; my $test_name = "test_sslrecords"; setup($test_name); @@ -273,7 +274,7 @@ sub add_empty_recs_filter # We're only interested in the initial ClientHello if ($proxy->flight != 0) { - $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(1) == 10; + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(1) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; return; } @@ -301,7 +302,7 @@ sub add_frag_alert_filter # We're only interested in the initial ClientHello if ($proxy->flight != 0) { - $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(1) == 10; + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(1) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; return; } @@ -507,7 +508,7 @@ sub add_unknown_record_type $added_record = 0; return; } elsif ($proxy->flight != 1 || $added_record) { - $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == 10; + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; return; } @@ -541,7 +542,7 @@ sub change_version # We'll change a version after the initial version neg has taken place if ($proxy->flight != 1) { - $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == 70; + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_PROTOCOL_VERSION; return; } @@ -578,7 +579,7 @@ sub change_outer_record_type # We'll change a record after the initial version neg has taken place if ($proxy->flight != 1) { - $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == 10; + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; return; } @@ -601,7 +602,7 @@ sub not_on_record_boundary #Find server's first flight if ($proxy->flight != 1) { - $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == 10; + $fatal_alert = 1 if @{$records}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; return; } diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 3feabef060..c49a6be88b 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -10,6 +10,7 @@ use strict; use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; use OpenSSL::Test::Utils; use TLSProxy::Proxy; +use TLSProxy::Message; my $test_name = "test_tls13hrr"; setup($test_name); @@ -122,7 +123,7 @@ sub hrr_filter # and the unexpected_message alert from client if ($proxy->flight == 4) { $fatal_alert = 1 - if @{$proxy->record_list}[-1]->is_fatal_alert(0) == 10; + if @{$proxy->record_list}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE; return; } if ($proxy->flight != 3) { |