| 70-test_tls13hrr.t (1.1.1.3) | 70-test_tls13hrr.t (1.1.1.4) |
|---|---|
| 1#! /usr/bin/env perl | 1#! /usr/bin/env perl |
| 2# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. | 2# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. |
| 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9use strict; 10use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; --- 22 unchanged lines hidden (view full) --- 33 cmdstr(app(["openssl"]), display => 1), 34 srctop_file("apps", "server.pem"), 35 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) 36); 37 38use constant { 39 CHANGE_HRR_CIPHERSUITE => 0, 40 CHANGE_CH1_CIPHERSUITE => 1, | 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9use strict; 10use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; --- 22 unchanged lines hidden (view full) --- 33 cmdstr(app(["openssl"]), display => 1), 34 srctop_file("apps", "server.pem"), 35 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) 36); 37 38use constant { 39 CHANGE_HRR_CIPHERSUITE => 0, 40 CHANGE_CH1_CIPHERSUITE => 1, |
| 41 DUPLICATE_HRR => 2 | 41 DUPLICATE_HRR => 2, 42 INVALID_GROUP => 3 |
| 42}; 43 44#Test 1: A client should fail if the server changes the ciphersuite between the 45# HRR and the SH 46$proxy->filter(\&hrr_filter); 47if (disabled("ec")) { 48 $proxy->serverflags("-curves ffdhe3072"); 49} else { 50 $proxy->serverflags("-curves P-256"); 51} 52my $testtype = CHANGE_HRR_CIPHERSUITE; 53$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; | 43}; 44 45#Test 1: A client should fail if the server changes the ciphersuite between the 46# HRR and the SH 47$proxy->filter(\&hrr_filter); 48if (disabled("ec")) { 49 $proxy->serverflags("-curves ffdhe3072"); 50} else { 51 $proxy->serverflags("-curves P-256"); 52} 53my $testtype = CHANGE_HRR_CIPHERSUITE; 54$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; |
| 54plan tests => 3; | 55plan tests => 4; |
| 55ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); 56 57#Test 2: It is an error if the client changes the offered ciphersuites so that 58# we end up selecting a different ciphersuite between HRR and the SH 59$proxy->clear(); 60if (disabled("ec")) { 61 $proxy->serverflags("-curves ffdhe3072"); 62} else { --- 12 unchanged lines hidden (view full) --- 75 $proxy->serverflags("-curves ffdhe3072"); 76} else { 77 $proxy->serverflags("-curves P-256"); 78} 79$testtype = DUPLICATE_HRR; 80$proxy->start(); 81ok($fatal_alert, "Server duplicated HRR"); 82 | 56ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); 57 58#Test 2: It is an error if the client changes the offered ciphersuites so that 59# we end up selecting a different ciphersuite between HRR and the SH 60$proxy->clear(); 61if (disabled("ec")) { 62 $proxy->serverflags("-curves ffdhe3072"); 63} else { --- 12 unchanged lines hidden (view full) --- 76 $proxy->serverflags("-curves ffdhe3072"); 77} else { 78 $proxy->serverflags("-curves P-256"); 79} 80$testtype = DUPLICATE_HRR; 81$proxy->start(); 82ok($fatal_alert, "Server duplicated HRR"); 83 |
| 84#Test 4: If the client sends a group that is in the supported_groups list but 85# otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it 86# and not consider it when sending the HRR. We send brainpoolP512r1 in 87# the ClientHello, which is acceptable to the server but is not valid in 88# TLSv1.3. We expect the server to select X25519 in the HRR and the 89# handshake to complete successfully 90SKIP: { 91 skip "EC/TLSv1.2 is disabled in this build", 1 92 if disabled("ec") || disabled("tls1_2"); 93 94 $proxy->clear(); 95 $proxy->clientflags("-groups P-256:brainpoolP512r1:X25519"); 96 $proxy->serverflags("-groups brainpoolP512r1:X25519"); 97 $testtype = INVALID_GROUP; 98 $proxy->start(); 99 ok(TLSProxy::Message->success(), "Invalid group with HRR"); 100} 101 |
|
| 83sub hrr_filter 84{ 85 my $proxy = shift; 86 87 if ($testtype == CHANGE_HRR_CIPHERSUITE) { 88 # We're only interested in the HRR 89 if ($proxy->flight != 1) { 90 return; --- 37 unchanged lines hidden (view full) --- 128 $hrr_record->data(), 129 $hrr_record->decrypt_data()); 130 131 $i++; 132 splice @{$proxy->record_list}, $i, 0, $dup_hrr; 133 return; 134 } 135 | 102sub hrr_filter 103{ 104 my $proxy = shift; 105 106 if ($testtype == CHANGE_HRR_CIPHERSUITE) { 107 # We're only interested in the HRR 108 if ($proxy->flight != 1) { 109 return; --- 37 unchanged lines hidden (view full) --- 147 $hrr_record->data(), 148 $hrr_record->decrypt_data()); 149 150 $i++; 151 splice @{$proxy->record_list}, $i, 0, $dup_hrr; 152 return; 153 } 154 |
| 136 # CHANGE_CH1_CIPHERSUITE | |
| 137 if ($proxy->flight != 0) { 138 return; 139 } 140 141 my $ch1 = ${$proxy->message_list}[0]; 142 | 155 if ($proxy->flight != 0) { 156 return; 157 } 158 159 my $ch1 = ${$proxy->message_list}[0]; 160 |
| 143 # The server will always pick TLS_AES_256_GCM_SHA384 144 my @ciphersuites = (TLSProxy::Message::CIPHER_TLS13_AES_128_GCM_SHA256); 145 $ch1->ciphersuite_len(2 * scalar @ciphersuites); 146 $ch1->ciphersuites(\@ciphersuites); | 161 if ($testtype == CHANGE_CH1_CIPHERSUITE) { 162 # The server will always pick TLS_AES_256_GCM_SHA384 163 my @ciphersuites = (TLSProxy::Message::CIPHER_TLS13_AES_128_GCM_SHA256); 164 $ch1->ciphersuite_len(2 * scalar @ciphersuites); 165 $ch1->ciphersuites(\@ciphersuites); 166 } elsif ($testtype == INVALID_GROUP) { 167 # INVALID_GROUP 168 my $ext = pack "C7", 169 0x00, 0x05, #List Length 170 0x00, 0x1c, #brainpoolP512r1 (not compatible with TLSv1.3) 171 0x00, 0x01, 0xff; #key_exchange data 172 $ch1->set_extension( 173 TLSProxy::Message::EXT_KEY_SHARE, $ext); 174 } |
| 147 $ch1->repack(); 148} | 175 $ch1->repack(); 176} |