diff options
| -rw-r--r-- | test/asynciotest.c | 24 | ||||
| -rw-r--r-- | test/recipes/70-test_sslrecords.t | 1 | ||||
| -rw-r--r-- | test/ssltestlib.c | 2 | ||||
| -rw-r--r-- | util/TLSProxy/Message.pm | 4 | ||||
| -rw-r--r-- | util/TLSProxy/Record.pm | 25 | ||||
| -rw-r--r-- | util/TLSProxy/ServerHello.pm | 6 |
6 files changed, 43 insertions, 19 deletions
diff --git a/test/asynciotest.c b/test/asynciotest.c index a4f43f8127..d7b1dd3860 100644 --- a/test/asynciotest.c +++ b/test/asynciotest.c @@ -142,8 +142,9 @@ static int async_write(BIO *bio, const char *in, int inl) abort(); while (PACKET_remaining(&pkt) > 0) { - PACKET payload; + PACKET payload, wholebody; unsigned int contenttype, versionhi, versionlo, data; + unsigned int msgtype = 0, negversion; if ( !PACKET_get_1(&pkt, &contenttype) || !PACKET_get_1(&pkt, &versionhi) @@ -154,6 +155,17 @@ static int async_write(BIO *bio, const char *in, int inl) /* Pretend we wrote out the record header */ written += SSL3_RT_HEADER_LENGTH; + wholebody = payload; + if (contenttype == SSL3_RT_HANDSHAKE + && !PACKET_get_1(&wholebody, &msgtype)) + abort(); + + if (msgtype == SSL3_MT_SERVER_HELLO + && (!PACKET_forward(&wholebody, + SSL3_HM_HEADER_LENGTH - 1) + || !PACKET_get_net_2(&wholebody, &negversion))) + abort(); + while (PACKET_get_1(&payload, &data)) { /* Create a new one byte long record for each byte in the * record in the input buffer @@ -177,10 +189,14 @@ static int async_write(BIO *bio, const char *in, int inl) written++; } /* - * We can't fragment anything after the CCS, otherwise we - * get a bad record MAC + * We can't fragment anything after the ServerHello (or CCS <= + * TLS1.2), otherwise we get a bad record MAC + * TODO(TLS1.3): Change TLS1_3_VERSION_DRAFT to TLS1_3_VERSION + * before release */ - if (contenttype == SSL3_RT_CHANGE_CIPHER_SPEC) { + if (contenttype == SSL3_RT_CHANGE_CIPHER_SPEC + || (negversion == TLS1_3_VERSION_DRAFT + && msgtype == SSL3_MT_SERVER_HELLO)) { fragment = 0; break; } diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index cafa30ce3c..e6f7a36c05 100644 --- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -128,6 +128,7 @@ ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test"); #Test 10: Sending an unrecognised record type in TLS1.2 should fail $proxy->clear(); +$proxy->serverflags("-tls1_2"); $proxy->filter(\&add_unknown_record_type); $proxy->start(); ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.2"); diff --git a/test/ssltestlib.c b/test/ssltestlib.c index 4e20763bee..42ba98cb7a 100644 --- a/test/ssltestlib.c +++ b/test/ssltestlib.c @@ -564,7 +564,7 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, return 0; } -#define MAXLOOPS 100000 +#define MAXLOOPS 1000000 /* * NOTE: Transfers control of the BIOs - this function will free them on error diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm index 6bf5a72949..3259edc5dd 100644 --- a/util/TLSProxy/Message.pm +++ b/util/TLSProxy/Message.pm @@ -115,9 +115,9 @@ sub get_messages die "CCS received before message data complete\n"; } if ($server) { - TLSProxy::Record->server_ccs_seen(1); + TLSProxy::Record->server_encrypting(1); } else { - TLSProxy::Record->client_ccs_seen(1); + TLSProxy::Record->client_encrypting(1); } } elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) { if ($record->len == 0 || $record->len_real == 0) { diff --git a/util/TLSProxy/Record.pm b/util/TLSProxy/Record.pm index bf6de439ad..6d35f08bed 100644 --- a/util/TLSProxy/Record.pm +++ b/util/TLSProxy/Record.pm @@ -11,8 +11,8 @@ use TLSProxy::Proxy; package TLSProxy::Record; -my $server_ccs_seen = 0; -my $client_ccs_seen = 0; +my $server_encrypting = 0; +my $client_encrypting = 0; my $etm = 0; use constant TLS_RECORD_HEADER_LENGTH => 5; @@ -36,6 +36,7 @@ my %record_type = ( use constant { VERS_TLS_1_4 => 773, + VERS_TLS_1_3_DRAFT => 32530, VERS_TLS_1_3 => 772, VERS_TLS_1_2 => 771, VERS_TLS_1_1 => 770, @@ -108,8 +109,8 @@ sub get_records substr($packet, TLS_RECORD_HEADER_LENGTH, $len_real) ); - if (($server && $server_ccs_seen) - || (!$server && $client_ccs_seen)) { + if (($server && $server_encrypting) + || (!$server && $client_encrypting)) { if ($version != VERS_TLS_1_3() && $etm) { $record->decryptETM(); } else { @@ -133,26 +134,26 @@ sub get_records sub clear { - $server_ccs_seen = 0; - $client_ccs_seen = 0; + $server_encrypting = 0; + $client_encrypting = 0; } #Class level accessors -sub server_ccs_seen +sub server_encrypting { my $class = shift; if (@_) { - $server_ccs_seen = shift; + $server_encrypting = shift; } - return $server_ccs_seen; + return $server_encrypting; } -sub client_ccs_seen +sub client_encrypting { my $class = shift; if (@_) { - $client_ccs_seen = shift; + $client_encrypting= shift; } - return $client_ccs_seen; + return $client_encrypting; } #Enable/Disable Encrypt-then-MAC sub etm diff --git a/util/TLSProxy/ServerHello.pm b/util/TLSProxy/ServerHello.pm index 79a8be9a89..9d6ad385bb 100644 --- a/util/TLSProxy/ServerHello.pm +++ b/util/TLSProxy/ServerHello.pm @@ -94,6 +94,12 @@ sub parse $self->process_data(); + # TODO(TLS1.3): Replace this reference to draft version before release + if ($server_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) { + TLSProxy::Record->server_encrypting(1); + TLSProxy::Record->client_encrypting(1); + } + print " Server Version:".$server_version."\n"; print " Session ID Len:".$session_id_len."\n"; print " Ciphersuite:".$ciphersuite."\n"; |