[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Aug 26 09:44:07 UTC 2015
The branch master has been updated
via ddcc5e5b60e2e14a7f65cc8faff0642cb68f4343 (commit)
via 8af538e5c55f43f9ae996d3f2cae04222cda6762 (commit)
from ee4ffd6fccd169775ba74afb1dbfecff48ee413d (commit)
- Log -----------------------------------------------------------------
commit ddcc5e5b60e2e14a7f65cc8faff0642cb68f4343
Author: Matt Caswell <matt at openssl.org>
Date: Thu Aug 13 15:17:14 2015 +0100
Add NewSessionTicket test suite
Add a set of tests for checking that NewSessionTicket messages are
behaving as expected.
Reviewed-by: Tim Hudson <tjh at openssl.org>
commit 8af538e5c55f43f9ae996d3f2cae04222cda6762
Author: Matt Caswell <matt at openssl.org>
Date: Thu Aug 13 16:58:20 2015 +0100
Fix TLSProxy end of test detection
Previously TLSProxy would detect a successful handshake once it saw the
server Finished message. This causes problems with abbreviated handshakes,
or if the client fails to process a message from the last server flight.
This change additionally sends some application data and finishes when the
client sends a CloseNotify.
Reviewed-by: Tim Hudson <tjh at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
test/Makefile | 8 +-
test/sslsessionticktest.pl | 173 +++++++++++++++++++++++++++++++++++++++++++
util/TLSProxy/ClientHello.pm | 3 +-
util/TLSProxy/Message.pm | 31 +++++---
util/TLSProxy/Proxy.pm | 68 +++++++++++++++--
5 files changed, 262 insertions(+), 21 deletions(-)
create mode 100755 test/sslsessionticktest.pl
diff --git a/test/Makefile b/test/Makefile
index b59613c..782a34b 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -73,6 +73,7 @@ CLIENTHELLOTEST= clienthellotest
PACKETTEST= packettest
SSLVERTOLTEST= sslvertoltest.pl
SSLEXTENSIONTEST= sslextensiontest.pl
+SSLSESSIONTICKTEST= sslsessionticktest.pl
SSLSKEWITH0PTEST= sslskewith0ptest.pl
TESTS= alltests
@@ -160,7 +161,7 @@ alltests: \
test_srp test_cms test_v3name test_ocsp \
test_gost2814789 test_heartbeat test_p5_crpt2 \
test_constant_time test_verify_extra test_clienthello test_packet \
- test_sslvertol test_sslextension test_sslskewith0p
+ test_sslvertol test_sslextension test_sslsessionticket test_sslskewith0p
test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
@echo $(START) $@
@@ -432,6 +433,11 @@ test_sslextension: ../apps/openssl$(EXE_EXT)
[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
@[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared
+test_sslsessionticket: ../apps/openssl$(EXE_EXT)
+ @echo $(START) $@
+ [ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSESSIONTICKTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+ @[ -n "$(SHARED_LIBS)" ] || echo test_sslsessionticket can only be performed with OpenSSL configured shared
+
test_sslskewith0p: ../apps/openssl$(EXE_EXT)
@echo $(START) $@
[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
diff --git a/test/sslsessionticktest.pl b/test/sslsessionticktest.pl
new file mode 100755
index 0000000..922a359
--- /dev/null
+++ b/test/sslsessionticktest.pl
@@ -0,0 +1,173 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+# software must display the following acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+# endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+# nor may "OpenSSL" appear in their names without prior written
+# permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+# acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com). This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+use File::Temp qw(tempfile);
+
+my $chellotickext = 0;
+my $shellotickext = 0;
+my $fullhand = 0;
+my $ticketseen = 0;
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ @ARGV
+);
+
+#Test 1: By default with no existing session we should get a session ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+# NewSessionTicket message seen; Full handshake
+$proxy->start();
+checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
+
+#Test 2: If the server does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+# NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->start();
+checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
+
+#Test 3: If the client does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension not seen; ServerHello extension not seen
+# NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->clientflags("-no_ticket");
+$proxy->start();
+checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
+
+#Test 4: Test session resumption with session ticket
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+# NewSessionTicket message not seen; Abbreviated handshake
+clearall();
+(my $fh, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start();
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
+
+#Test 5: Test session resumption with ticket capable client without a ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+# NewSessionTicket message seen; Abbreviated handshake
+clearall();
+(my $fh, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session." -no_ticket");
+$proxy->start();
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(5, "Session resumption with ticket capable client without a "
+ ."ticket", 1, 1, 1, 0);
+
+sub checkmessages()
+{
+ my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
+ || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+ #Get the extensions data
+ my %extensions = %{$message->extension_data};
+ if (defined
+ $extensions{TLSProxy::ClientHello::EXT_SESSION_TICKET}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ $chellotickext = 1;
+ } else {
+ $shellotickext = 1;
+ }
+ }
+ } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
+ #Must be doing a full handshake
+ $fullhand = 1;
+ } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+ $ticketseen = 1;
+ }
+ }
+
+ TLSProxy::Message->success or die "FAILED: $testname: Hanshake failed "
+ ."(Test $testno)\n";
+ if (($testch && !$chellotickext) || (!$testch && $chellotickext)) {
+ die "FAILED: $testname: ClientHello extension Session Ticket check "
+ ."failed (Test $testno)\n";
+ }
+ if (($testsh && !$shellotickext) || (!$testsh && $shellotickext)) {
+ die "FAILED: $testname: ServerHello extension Session Ticket check "
+ ."failed (Test $testno)\n";
+ }
+ if (($testtickseen && !$ticketseen) || (!$testtickseen && $ticketseen)) {
+ die "FAILED: $testname: Session Ticket message presence check failed "
+ ."(Test $testno)\n";
+ }
+ if (($testhand && !$fullhand) || (!$testhand && $fullhand)) {
+ die "FAILED: $testname: Session Ticket full handshake check failed "
+ ."(Test $testno)\n";
+ }
+ print "SUCCESS: $testname (Test#$testno)\n";
+}
+
+sub clearall()
+{
+ $chellotickext = 0;
+ $shellotickext = 0;
+ $fullhand = 0;
+ $ticketseen = 0;
+ $proxy->clear();
+}
diff --git a/util/TLSProxy/ClientHello.pm b/util/TLSProxy/ClientHello.pm
index 54fb5bb..0b7dbbc 100644
--- a/util/TLSProxy/ClientHello.pm
+++ b/util/TLSProxy/ClientHello.pm
@@ -58,7 +58,8 @@ package TLSProxy::ClientHello;
use parent 'TLSProxy::Message';
use constant {
- EXT_ENCRYPT_THEN_MAC => 22
+ EXT_ENCRYPT_THEN_MAC => 22,
+ EXT_SESSION_TICKET => 35
};
sub new
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 028322b..6376219 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -73,6 +73,18 @@ use constant {
MT_CERTIFICATE_STATUS => 22,
MT_NEXT_PROTO => 67
};
+
+#Alert levels
+use constant {
+ AL_LEVEL_WARN => 1,
+ AL_LEVEL_FATAL => 2
+};
+
+#Alert descriptions
+use constant {
+ AL_DESC_CLOSE_NOTIFY => 0
+};
+
my %message_type = (
MT_HELLO_REQUEST, "HelloRequest",
MT_CLIENT_HELLO, "ClientHello",
@@ -164,11 +176,6 @@ sub get_messages
$startoffset);
push @messages, $message;
- #Check if we have finished the handshake
- if ($mt == MT_FINISHED && $server) {
- $success = 1;
- $end = 1;
- }
$payload = "";
} else {
#This is just part of the total message
@@ -210,11 +217,6 @@ sub get_messages
$startoffset);
push @messages, $message;
- #Check if we have finished the handshake
- if ($mt == MT_FINISHED && $server) {
- $success = 1;
- $end = 1;
- }
$payload = "";
} else {
#This is just part of the total message
@@ -230,8 +232,15 @@ sub get_messages
print " [ENCRYPTED APPLICATION DATA]\n";
print " [".$record->decrypt_data."]\n";
} elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
- #For now assume all alerts are fatal
+ my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data);
+ #All alerts end the test
$end = 1;
+ #A CloseNotify from the client indicates we have finished successfully
+ #(we assume)
+ if (!$server && $alertlev == AL_LEVEL_WARN
+ && $alertdesc == AL_DESC_CLOSE_NOTIFY) {
+ $success = 1;
+ }
}
return @messages;
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 571ab10..75094f1 100644
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -79,13 +79,16 @@ sub new
server_addr => "localhost",
server_port => 4443,
filter => $filter,
+ serverflags => "",
+ clientflags => "",
+ serverconnects => 1,
#Public read
execute => $execute,
cert => $cert,
debug => $debug,
- cipherc => "AES128-SHA",
- ciphers => "",
+ cipherc => "",
+ ciphers => "AES128-SHA",
flight => 0,
record_list => [],
message_list => [],
@@ -101,12 +104,15 @@ sub clear
{
my $self = shift;
- $self->{cipherc} = "AES128-SHA";
- $self->{ciphers} = "";
+ $self->{cipherc} = "";
+ $self->{ciphers} = "AES128-SHA";
$self->{flight} = 0;
$self->{record_list} = [];
$self->{message_list} = [];
$self->{message_rec_list} = [];
+ $self->{serverflags} = "";
+ $self->{clientflags} = "";
+ $self->{serverconnects} = 1;
TLSProxy::Message->clear();
TLSProxy::Record->clear();
@@ -120,6 +126,14 @@ sub restart
$self->start;
}
+sub clientrestart
+{
+ my $self = shift;
+
+ $self->clear;
+ $self->clientstart;
+}
+
sub start
{
my ($self) = shift;
@@ -130,15 +144,24 @@ sub start
open(STDOUT, ">", File::Spec->devnull())
or die "Failed to redirect stdout";
open(STDERR, ">&STDOUT");
- my $execcmd = $self->execute." s_server -engine ossltest -accept "
+ my $execcmd = $self->execute." s_server -rev -engine ossltest -accept "
.($self->server_port)
- ." -cert ".$self->cert." -naccept 1";
+ ." -cert ".$self->cert." -naccept ".$self->serverconnects;
if ($self->ciphers ne "") {
$execcmd .= " -cipher ".$self->ciphers;
}
+ if ($self->serverflags ne "") {
+ $execcmd .= " ".$self->serverflags;
+ }
exec($execcmd);
}
+ $self->clientstart;
+}
+
+sub clientstart
+{
+ my ($self) = shift;
my $oldstdout;
if(!$self->debug) {
@@ -167,12 +190,15 @@ sub start
open(STDOUT, ">", File::Spec->devnull())
or die "Failed to redirect stdout";
open(STDERR, ">&STDOUT");
- my $execcmd = $self->execute
+ my $execcmd = "echo test | ".$self->execute
." s_client -engine ossltest -connect "
.($self->proxy_addr).":".($self->proxy_port);
if ($self->cipherc ne "") {
$execcmd .= " -cipher ".$self->cipherc;
}
+ if ($self->clientflags ne "") {
+ $execcmd .= " ".$self->clientflags;
+ }
exec($execcmd);
}
}
@@ -274,7 +300,9 @@ sub process_packet
print "\n";
#Finished parsing. Call user provided filter here
- $self->filter->($self);
+ if(defined $self->filter) {
+ $self->filter->($self);
+ }
#Reconstruct the packet
$packet = "";
@@ -392,4 +420,28 @@ sub ciphers
}
return $self->{ciphers};
}
+sub serverflags
+{
+ my $self = shift;
+ if (@_) {
+ $self->{serverflags} = shift;
+ }
+ return $self->{serverflags};
+}
+sub clientflags
+{
+ my $self = shift;
+ if (@_) {
+ $self->{clientflags} = shift;
+ }
+ return $self->{clientflags};
+}
+sub serverconnects
+{
+ my $self = shift;
+ if (@_) {
+ $self->{serverconnects} = shift;
+ }
+ return $self->{serverconnects};
+}
1;
More information about the openssl-commits
mailing list