mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Enable TLSProxy to talk TLS1.3

Browse Source 
Now that ossltest knows about a TLS1.3 cipher we can now do TLS1.3 in
TLSProxy

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell 2016-10-28 15:57:12 +01:00
parent aad22ba2c6
commit 837e591d42
4 changed files with 30 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
test/recipes/70-test_sslcbcpadding.t
View File

@ -40,6 +40,7 @@ my @test_offsets = (0, 128, 254, 255);
# Test that maximally-padded records are accepted.
my $bad_padding_offset = -1;
$proxy->serverflags("-tls1_2");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1 + scalar(@test_offsets);
ok(TLSProxy::Message->success(), "Maximally-padded record test");

9
test/recipes/70-test_sslrecords.t
View File

@ -37,6 +37,7 @@ my $proxy = TLSProxy::Proxy->new(
#Test 1: Injecting out of context empty records should fail
my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
my $inject_recs_num = 1;
$proxy->serverflags("-tls1_2");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 9;
ok(TLSProxy::Message->fail(), "Out of context empty records test");
@ -44,6 +45,7 @@ ok(TLSProxy::Message->fail(), "Out of context empty records test");
#Test 2: Injecting in context empty records should succeed
$proxy->clear();
$content_type = TLSProxy::Record::RT_HANDSHAKE;
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(TLSProxy::Message->success(), "In context empty records test");
@ -51,6 +53,7 @@ ok(TLSProxy::Message->success(), "In context empty records test");
$proxy->clear();
#We allow 32 consecutive in context empty records
$inject_recs_num = 33;
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(TLSProxy::Message->fail(), "Too many in context empty records test");
@ -59,6 +62,7 @@ ok(TLSProxy::Message->fail(), "Too many in context empty records test");
# alert, i.e. this will look like a disorderly close
$proxy->clear();
$proxy->filter(\&add_frag_alert_filter);
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(!TLSProxy::Message->end(), "Fragmented alert records test");
@ -75,6 +79,7 @@ use constant {
my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
@ -83,6 +88,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
# protocol so we don't even send an alert in this case.
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(!TLSProxy::Message->end(), "SSLv2 in SSLv2 ClientHello test");
@ -91,6 +97,7 @@ ok(!TLSProxy::Message->end(), "SSLv2 in SSLv2 ClientHello test");
# reasons
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
@ -98,6 +105,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
# record; and another TLS1.2 record. This isn't allowed so should fail
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
@ -105,6 +113,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
# fail because an SSLv2 ClientHello must be the first record.
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
sub add_empty_recs_filter

8
util/TLSProxy/Proxy.pm
View File

@ -48,7 +48,7 @@ sub new
cert => $cert,
debug => $debug,
cipherc => "",
ciphers => "AES128-SHA",
ciphers => "AES128-SHA:TLS13-AES-128-GCM-SHA256",
flight => 0,
record_list => [],
message_list => [],
@ -113,7 +113,7 @@ sub clear
my $self = shift;
$self->clearClient;
$self->{ciphers} = "AES128-SHA";
$self->{ciphers} = "AES128-SHA:TLS13-AES-128-GCM-SHA256";
$self->{serverflags} = "";
$self->{serverconnects} = 1;
$self->{serverpid} = 0;
@ -147,10 +147,8 @@ sub start
or die "Failed to redirect stdout: $!";
open(STDERR, ">&STDOUT");
}
# TODO(TLS1.3): Temporarily disabled for TLS1.3...no shared cipher
# because the TLS1.3 ciphersuites are not compatible with ossltest
my $execcmd = $self->execute
." s_server -no_tls1_3 -no_comp -rev -engine ossltest -accept "
." s_server -no_comp -rev -engine ossltest -accept "
.($self->server_port)
." -cert ".$self->cert." -naccept ".$self->serverconnects;
if ($self->ciphers ne "") {

29
util/TLSProxy/Record.pm
View File

@ -107,7 +107,7 @@ sub get_records
if (($server && $server_ccs_seen)
|| (!$server && $client_ccs_seen)) {
if ($etm) {
if ($version != VERS_TLS_1_3() && $etm) {
$record->decryptETM();
} else {
$record->decrypt();
@ -221,22 +221,27 @@ sub decryptETM
sub decrypt()
{
my ($self) = shift;
my $mactaglen = 20;
my $data = $self->data;
if($self->version >= VERS_TLS_1_1()) {
#TLS1.1+ has an explicit IV. Throw it away
#Throw away any IVs
if ($self->version >= VERS_TLS_1_3()) {
#8 bytes for a GCM IV
$data = substr($data, 8);
$mactaglen = 16;
} elsif ($self->version >= VERS_TLS_1_1()) {
#16 bytes for a standard IV
$data = substr($data, 16);
#Find out what the padding byte is
my $padval = unpack("C", substr($data, length($data) - 1));
#Throw away the padding
$data = substr($data, 0, length($data) - ($padval + 1));
}
#Find out what the padding byte is
my $padval = unpack("C", substr($data, length($data) - 1));
#Throw away the padding
$data = substr($data, 0, length($data) - ($padval + 1));
#Throw away the MAC (assumes MAC is 20 bytes for now. FIXME)
$data = substr($data, 0, length($data) - 20);
#Throw away the MAC or TAG
$data = substr($data, 0, length($data) - $mactaglen);
$self->decrypt_data($data);
$self->decrypt_len(length($data));