diff options
| -rw-r--r-- | test/recipes/70-test_sslextension.t | 32 | ||||
| -rw-r--r-- | util/perl/TLSProxy/Certificate.pm | 5 | ||||
| -rw-r--r-- | util/perl/TLSProxy/ClientHello.pm | 7 | ||||
| -rw-r--r-- | util/perl/TLSProxy/EncryptedExtensions.pm | 5 | ||||
| -rw-r--r-- | util/perl/TLSProxy/Message.pm | 16 | ||||
| -rw-r--r-- | util/perl/TLSProxy/ServerHello.pm | 2 |
6 files changed, 42 insertions, 25 deletions
diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 79466b6109..e725b44f9c 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -88,9 +88,11 @@ sub inject_duplicate_extension foreach my $message (@{$proxy->message_list}) { if ($message->mt == $message_type) { my %extensions = %{$message->extension_data}; - # Add a duplicate (unknown) extension. - $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); - $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); + # Add a duplicate extension. We use cryptopro_bug since we never + # normally write that one, and it is allowed as unsolicited in the + # ServerHello + $message->set_extension(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION, ""); + $message->dupext(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION); $message->repack(); } } @@ -173,9 +175,23 @@ sub inject_unsolicited_extension $sent_unsolisited_extension = 1; } +sub inject_cryptopro_extension +{ + my $proxy = shift; + + # We're only interested in the initial ClientHello + if ($proxy->flight != 0) { + return; + } + + my $message = ${$proxy->message_list}[0]; + $message->set_extension(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION, ""); + $message->repack(); +} + # Test 1-2: Sending a duplicate extension should fail. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 7; +plan tests => 8; ok($fatal_alert, "Duplicate ClientHello extension"); $fatal_alert = 0; @@ -234,3 +250,11 @@ SKIP: { $proxy->start(); ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)"); } + +#Test 8: Send the cryptopro extension in a ClientHello. Normally this is an +# unsolicited extension only ever seen in the ServerHello. We should +# ignore it in a ClientHello +$proxy->clear(); +$proxy->filter(\&inject_cryptopro_extension); +$proxy->start(); +ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello"); diff --git a/util/perl/TLSProxy/Certificate.pm b/util/perl/TLSProxy/Certificate.pm index 70c9faea72..03f6619954 100644 --- a/util/perl/TLSProxy/Certificate.pm +++ b/util/perl/TLSProxy/Certificate.pm @@ -138,11 +138,6 @@ sub set_message_contents $extensions .= pack("n", $key); $extensions .= pack("n", length($extdata)); $extensions .= $extdata; - if ($key == TLSProxy::Message::EXT_DUPLICATE_EXTENSION) { - $extensions .= pack("n", $key); - $extensions .= pack("n", length($extdata)); - $extensions .= $extdata; - } } $data = pack('C', length($self->context())); $data .= $self->context; diff --git a/util/perl/TLSProxy/ClientHello.pm b/util/perl/TLSProxy/ClientHello.pm index 7ae3dba901..c49bc23671 100644 --- a/util/perl/TLSProxy/ClientHello.pm +++ b/util/perl/TLSProxy/ClientHello.pm @@ -124,11 +124,6 @@ sub extension_contents $extension .= pack("n", $key); $extension .= pack("n", length($extdata)); $extension .= $extdata; - if ($key == TLSProxy::Message::EXT_DUPLICATE_EXTENSION) { - $extension .= pack("n", $key); - $extension .= pack("n", length($extdata)); - $extension .= $extdata; - } return $extension; } @@ -151,6 +146,8 @@ sub set_message_contents foreach my $key (keys %{$self->extension_data}) { next if ($key == TLSProxy::Message::EXT_PSK); $extensions .= $self->extension_contents($key); + #Add extension twice if we are duplicating that extension + $extensions .= $self->extension_contents($key) if ($key == $self->dupext); } #PSK extension always goes last... if (defined ${$self->extension_data}{TLSProxy::Message::EXT_PSK}) { diff --git a/util/perl/TLSProxy/EncryptedExtensions.pm b/util/perl/TLSProxy/EncryptedExtensions.pm index f56f3c4270..4fd445b41e 100644 --- a/util/perl/TLSProxy/EncryptedExtensions.pm +++ b/util/perl/TLSProxy/EncryptedExtensions.pm @@ -81,11 +81,6 @@ sub set_message_contents $extensions .= pack("n", $key); $extensions .= pack("n", length($extdata)); $extensions .= $extdata; - if ($key == TLSProxy::Message::EXT_DUPLICATE_EXTENSION) { - $extensions .= pack("n", $key); - $extensions .= pack("n", length($extdata)); - $extensions .= $extdata; - } } $data = pack('n', length($extensions)); diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm index 642afb58cb..71803698c2 100644 --- a/util/perl/TLSProxy/Message.pm +++ b/util/perl/TLSProxy/Message.pm @@ -86,10 +86,7 @@ use constant { EXT_SIG_ALGS_CERT => 50, EXT_RENEGOTIATE => 65281, EXT_NPN => 13172, - # This extension is an unofficial extension only ever written by OpenSSL - # (i.e. not read), and even then only when enabled. We use it to test - # handling of duplicate extensions. - EXT_DUPLICATE_EXTENSION => 0xfde8, + EXT_CRYPTOPRO_BUG_EXTENSION => 0xfde8, EXT_UNKNOWN => 0xfffe, #Unknown extension that should appear last EXT_FORCE_LAST => 0xffff @@ -420,7 +417,8 @@ sub new records => $records, mt => $mt, startoffset => $startoffset, - message_frag_lens => $message_frag_lens + message_frag_lens => $message_frag_lens, + dupext => -1 }; return bless $self, $class; @@ -575,6 +573,14 @@ sub encoded_length my $self = shift; return TLS_MESSAGE_HEADER_LENGTH + length($self->data); } +sub dupext +{ + my $self = shift; + if (@_) { + $self->{dupext} = shift; + } + return $self->{dupext}; +} sub successondata { my $class = shift; diff --git a/util/perl/TLSProxy/ServerHello.pm b/util/perl/TLSProxy/ServerHello.pm index 94e7ab5f39..14eb813d5e 100644 --- a/util/perl/TLSProxy/ServerHello.pm +++ b/util/perl/TLSProxy/ServerHello.pm @@ -154,7 +154,7 @@ sub set_message_contents $extensions .= pack("n", $key); $extensions .= pack("n", length($extdata)); $extensions .= $extdata; - if ($key == TLSProxy::Message::EXT_DUPLICATE_EXTENSION) { + if ($key == $self->dupext) { $extensions .= pack("n", $key); $extensions .= pack("n", length($extdata)); $extensions .= $extdata; |