Add a test to check the EC point formats extension appears when we expect

The previous commit fixed a bug where the EC point formats extensions did not appear in the ServerHello. This should have been caught by 70-test_sslmessages but that test never tries an EC ciphersuite. This updates the test to do that. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2153)
2016-12-28 15:01:57 +00:00 · 2016-12-28 15:01:57 +00:00 · 397f4f7876
commit 397f4f7876
parent 3b58c54f26
6 changed files with 50 additions and 9 deletions
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@ -46,6 +46,9 @@ my $proxy = TLSProxy::Proxy->new(
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
+    (disabled("ec") ? () :
+                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
+                          checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
@ -94,10 +97,14 @@ my $proxy = TLSProxy::Proxy->new(
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
-    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
-        checkhandshake::DEFAULT_EXTENSIONS],
-    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
-        checkhandshake::DEFAULT_EXTENSIONS],
+    (disabled("ec") ? () :
+                      [TLSProxy::Message::MT_CLIENT_HELLO,
+                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+                       checkhandshake::DEFAULT_EXTENSIONS]),
+    (disabled("ec") ? () :
+                      [TLSProxy::Message::MT_CLIENT_HELLO,
+                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
+                       checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
@ -135,6 +142,8 @@ my $proxy = TLSProxy::Proxy->new(
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_SRV_EXTENSION],
+    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0]
 );

@ -143,7 +152,7 @@ my $proxy = TLSProxy::Proxy->new(
 $proxy->serverconnects(2);
 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 20;
+plan tests => 21;
 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");
@ -358,3 +367,16 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SRP_CLI_EXTENSION,
               "SRP extension test");
+
+#Test 21: EC handshake
+SKIP: {
+    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
+    $proxy->clear();
+    $proxy->clientflags("-no_tls1_3");
+    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+    $proxy->start();
+    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
+                   checkhandshake::DEFAULT_EXTENSIONS
+                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
+                   "EC handshake test");
+}
--- a/test/testlib/checkhandshake.pm
+++ b/test/testlib/checkhandshake.pm
@ -23,8 +23,9 @@ use constant {
    CLIENT_AUTH_HANDSHAKE => 8,
    RENEG_HANDSHAKE => 16,
    NPN_HANDSHAKE => 32,
+    EC_HANDSHAKE => 64,

-    ALL_HANDSHAKES => 63
+    ALL_HANDSHAKES => 127
 };

 use constant {
@ -43,6 +44,8 @@ use constant {
    NPN_CLI_EXTENSION => 0x00000800,
    NPN_SRV_EXTENSION => 0x00001000,
    SRP_CLI_EXTENSION => 0x00002000,
+    #Client side for ec point formats is a default extension
+    EC_POINT_FORMAT_SRV_EXTENSION => 0x00004000,
 };

 our @handmessages = ();
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@ -83,6 +83,10 @@ use constant {
    EXT_DUPLICATE_EXTENSION => 0xfde8
 };

+use constant {
+    CIPHER_ADH_AES_128_SHA => 0x03000034
+};
+
 my $payload = "";
 my $messlen = -1;
 my $mt;
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@ -25,6 +25,7 @@ my $have_IPv6 = 0;
 my $IP_factory;

 my $is_tls13 = 0;
+my $ciphersuite = undef;

 sub new
 {
@ -108,6 +109,7 @@ sub clearClient
    $self->{message_list} = [];
    $self->{clientflags} = "";
    $is_tls13 = 0;
+    $ciphersuite = undef;

    TLSProxy::Message->clear();
    TLSProxy::Record->clear();
@ -535,4 +537,13 @@ sub reneg
    return $self->{reneg};
 }

+sub ciphersuite
+{
+    my $class = shift;
+    if (@_) {
+        $ciphersuite = shift;
+    }
+    return $ciphersuite;
+}
+
 1;
--- a/util/TLSProxy/ServerHello.pm
+++ b/util/TLSProxy/ServerHello.pm
@ -103,6 +103,7 @@ sub parse
    $self->session_id_len($session_id_len);
    $self->session($session);
    $self->ciphersuite($ciphersuite);
+    TLSProxy::Proxy->ciphersuite($ciphersuite);
    $self->comp_meth($comp_meth);
    $self->extension_data(\%extensions);

--- a/util/TLSProxy/ServerKeyExchange.pm
+++ b/util/TLSProxy/ServerKeyExchange.pm
@ -42,9 +42,9 @@ sub parse
 {
    my $self = shift;

-    #Minimal SKE parsing. Only supports DHE at the moment (if its not DHE
-    #the parsing data will be trash...which is ok as long as we don't try to
-    #use it)
+    #Minimal SKE parsing. Only supports one known DHE ciphersuite at the moment
+    return if (TLSProxy::Proxy->ciphersuite()
+               != TLSProxy::Message::CIPHER_ADH_AES_128_SHA);

    my $p_len = unpack('n', $self->data);
    my $ptr = 2;