openssl/test/recipes/70-test_sslvertol.t

#!/usr/bin/perl
# Written by Matt Caswell for the OpenSSL project.
# ====================================================================
# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in
#    the documentation and/or other materials provided with the
#    distribution.
#
# 3. All advertising materials mentioning features or use of this
#    software must display the following acknowledgment:
#    "This product includes software developed by the OpenSSL Project
#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
#
# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
#    endorse or promote products derived from this software without
#    prior written permission. For written permission, please contact
#    openssl-core@openssl.org.
#
# 5. Products derived from this software may not be called "OpenSSL"
#    nor may "OpenSSL" appear in their names without prior written
#    permission of the OpenSSL Project.
#
# 6. Redistributions of any form whatsoever must retain the following
#    acknowledgment:
#    "This product includes software developed by the OpenSSL Project
#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
#
# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
# ====================================================================
#
# This product includes cryptographic software written by Eric Young
# (eay@cryptsoft.com).  This product includes software written by Tim
# Hudson (tjh@cryptsoft.com).

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;

my $test_name = "test_sslextension";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^VMS$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic_engines");

$ENV{OPENSSL_ENGINES} = bldtop_dir("engines");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
    \&vers_tolerance_filter,
    cmdstr(app(["openssl"])),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

plan tests => 2;

#Test 1: Asking for TLS1.3 should pass
my $client_version = TLSProxy::Record::VERS_TLS_1_3;
$proxy->start();
ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.3");

#Test 2: Testing something below SSLv3 should fail
$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
$proxy->restart();
ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0");

sub vers_tolerance_filter
{
    my $proxy = shift;

    # We're only interested in the initial ClientHello
    if ($proxy->flight != 0) {
        return;
    }

    foreach my $message (@{$proxy->message_list}) {
        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
            #Set the client version
            #Anything above the max supported version (TLS1.2) should succeed
            #Anything below SSLv3 should fail
            $message->client_version($client_version);
            $message->repack();
        }
    }
}
Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00			`#!/usr/bin/perl`
			`# Written by Matt Caswell for the OpenSSL project.`
			`# ====================================================================`
			`# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.`
			`#`
			`# Redistribution and use in source and binary forms, with or without`
			`# modification, are permitted provided that the following conditions`
			`# are met:`
			`#`
			`# 1. Redistributions of source code must retain the above copyright`
			`# notice, this list of conditions and the following disclaimer.`
			`#`
			`# 2. Redistributions in binary form must reproduce the above copyright`
			`# notice, this list of conditions and the following disclaimer in`
			`# the documentation and/or other materials provided with the`
			`# distribution.`
			`#`
			`# 3. All advertising materials mentioning features or use of this`
			`# software must display the following acknowledgment:`
			`# "This product includes software developed by the OpenSSL Project`
			`# for use in the OpenSSL Toolkit. (http://www.openssl.org/)"`
			`#`
			`# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to`
			`# endorse or promote products derived from this software without`
			`# prior written permission. For written permission, please contact`
			`# openssl-core@openssl.org.`
			`#`
			`# 5. Products derived from this software may not be called "OpenSSL"`
			`# nor may "OpenSSL" appear in their names without prior written`
			`# permission of the OpenSSL Project.`
			`#`
			`# 6. Redistributions of any form whatsoever must retain the following`
			`# acknowledgment:`
			`# "This product includes software developed by the OpenSSL Project`
			`# for use in the OpenSSL Toolkit (http://www.openssl.org/)"`
			`#`
			# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
			`# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR`
			`# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR`
			`# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,`
			`# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT`
			`# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;`
			`# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
			`# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,`
			`# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED`
			`# OF THE POSSIBILITY OF SUCH DAMAGE.`
			`# ====================================================================`
			`#`
			`# This product includes cryptographic software written by Eric Young`
			`# (eay@cryptsoft.com). This product includes software written by Tim`
			`# Hudson (tjh@cryptsoft.com).`

			`use strict;`
unified build scheme: adjust test framework for out of source build tree To be able to run tests when we've built in a directory other than the source tree, the testing framework needs a few adjustments. test/testlib/OpenSSL/Test.pm needs to know where it can find shlib_wrap.sh, and a number of other tests need to be told a different place to find engines than what they may be able to figure out on their own. Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be used as an alternative. As part of this change, top_file and top_dir are removed and srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place. Reviewed-by: Ben Laurie <ben@openssl.org> 2016-01-30 00:05:33 +00:00			`use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;`
The TLSProxy tests can't run if no-engine has been configured Make sure they detect that. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> 2016-01-16 23:25:44 +00:00			`use OpenSSL::Test::Utils;`
Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00			`use TLSProxy::Proxy;`

Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00			`my $test_name = "test_sslextension";`
			`setup($test_name);`

VMS perl doesn't implement fork(), so don't run the TLSProxy tests there Reviewed-by: Viktor Dukhovni <viktor@openssl.org> 2016-01-13 02:53:47 +00:00			`plan skip_all => "TLSProxy isn't usable on $^O"`
			`if $^O =~ /^VMS$/;`

Run the TLSProxy based tests as long as dynamic engines are built. They depend on this feature because they use the engine ossltest, which is only available as a dynamic engine. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-02-19 21:13:11 +00:00			`plan skip_all => "$test_name needs the dynamic engine feature enabled"`
			`if disabled("engine") \|\| disabled("dynamic_engines");`
Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00
unified build scheme: adjust test framework for out of source build tree To be able to run tests when we've built in a directory other than the source tree, the testing framework needs a few adjustments. test/testlib/OpenSSL/Test.pm needs to know where it can find shlib_wrap.sh, and a number of other tests need to be told a different place to find engines than what they may be able to figure out on their own. Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be used as an alternative. As part of this change, top_file and top_dir are removed and srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place. Reviewed-by: Ben Laurie <ben@openssl.org> 2016-01-30 00:05:33 +00:00			`$ENV{OPENSSL_ENGINES} = bldtop_dir("engines");`
Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00			`$ENV{OPENSSL_ia32cap} = '~0x200000200000000';`
Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00			`my $proxy = TLSProxy::Proxy->new(`
			`\&vers_tolerance_filter,`
Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00			`cmdstr(app(["openssl"])),`
Let all TLSProxy based tests display debug text conditionally If the environment variable HARNESS_ACTIVE isn't defined or HARNESS_VERBOSE is defined, it's probable that lots of output is desired. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-02-12 17:26:16 +00:00			`srctop_file("apps", "server.pem"),`
			`(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})`
Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00			`);`

Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00			`plan tests => 2;`

Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00			`#Test 1: Asking for TLS1.3 should pass`
			`my $client_version = TLSProxy::Record::VERS_TLS_1_3;`
			`$proxy->start();`
Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00			`ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.3");`
Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00
			`#Test 2: Testing something below SSLv3 should fail`
			`$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;`
			`$proxy->restart();`
Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-08-13 17:38:59 +00:00			`ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0");`
Add some libssl tests Two tests are added: one is a simple version tolerance test; the second is a test to ensure that OpenSSL operates correctly in the case of a zero length extensions block. The latter was broken inadvertently (now fixed) and it would have been helpful to have a test case for it. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-06-16 12:12:37 +00:00
			`sub vers_tolerance_filter`
			`{`
			`my $proxy = shift;`

			`# We're only interested in the initial ClientHello`
			`if ($proxy->flight != 0) {`
			`return;`
			`}`

			`foreach my $message (@{$proxy->message_list}) {`
			`if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {`
			`#Set the client version`
			`#Anything above the max supported version (TLS1.2) should succeed`
			`#Anything below SSLv3 should fail`
			`$message->client_version($client_version);`
			`$message->repack();`
			`}`
			`}`
			`}`