diff options
author | Matt Caswell <matt@openssl.org> | 2016-11-30 13:54:01 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-12-08 18:20:16 +0100 |
commit | bc349281880c3f1da784cbc76b28f34d8ab10601 (patch) | |
tree | b50b7927049e45f50a8d80724949b95ebdcc40be /test/recipes/70-test_renegotiation.t | |
parent | Add more extension tests to test_sslmessages (diff) | |
download | openssl-bc349281880c3f1da784cbc76b28f34d8ab10601.tar.xz openssl-bc349281880c3f1da784cbc76b28f34d8ab10601.zip |
Add a renegotiation test
Make sure we did not break the unsafe legacy reneg checks with the extension
work.
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test/recipes/70-test_renegotiation.t')
-rwxr-xr-x | test/recipes/70-test_renegotiation.t | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t new file mode 100755 index 0000000000..9bd90267fe --- /dev/null +++ b/test/recipes/70-test_renegotiation.t @@ -0,0 +1,70 @@ +#! /usr/bin/env perl +# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; + +my $test_name = "test_renegotiation"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS|MSWin32)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs TLS <= 1.2 enabled" + if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2")); + +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; +my $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +#Test 1: A basic renegotiation test +$proxy->clientflags("-no_tls1_3"); +$proxy->reneg(1); +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 2; +ok(TLSProxy::Message->success(), "Basic renegotiation"); + +#Test 2: Client does not send the Reneg SCSV. Reneg should fail +$proxy->clear(); +$proxy->filter(\&reneg_filter); +$proxy->clientflags("-no_tls1_3"); +$proxy->reneg(1); +$proxy->start(); +ok(TLSProxy::Message->fail(), "No client SCSV"); + +sub reneg_filter +{ + my $proxy = shift; + + # We're only interested in the initial ClientHello message + if ($proxy->flight != 0) { + return; + } + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + #Remove any SCSV ciphersuites - just leave AES128-SHA (0x002f) + my @ciphersuite = (0x002f); + $message->ciphersuites(\@ciphersuite); + $message->ciphersuite_len(2); + $message->repack(); + } + } +} |