Commit graph

25 commits

Author SHA1 Message Date
Matt Caswell
5427976d9e Fix a TLSProxy race condition
TLSProxy starts s_server and specifies the number of client connects
it should expect. After that s_server is supposed to close down
automatically. However, if another test is then run then TLSProxy
will start a new instance of s_server. If the previous instance
hasn't closed down yet then the new instance can fail to bind to
the socket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-15 23:46:50 +00:00
Richard Levitte
180df315c7 Don't use 'parent' in util/dofile.pl
Because we're requiring Perl 5.10.0 and the 'parent' didn't appear
before Perl 5.10.1, we need to resort to the older parent module
declaration style, modifying @ISA.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-21 23:08:16 +01:00
Viktor Dukhovni
dca97e9bfd Work-around for proxy->s_server retry logic
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-20 18:26:23 -05:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Richard Levitte
f9c693df45 Be more verbose when debugging is on
It's near impossible to figure out what goes wrong with the execution
of sub-commands otherwise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-17 22:11:55 +01:00
Richard Levitte
98ac876f2d Prefer IO::Socket::INET6 over IO::Socket::IP
While IO::Socket::IP is a core perl module (since Perl v5.19.8, or so
says corelist), IO::Socket::INET6 has been around longer, is said to
be more widely deployed, and most importantly, seems to have less bugs
hitting us.  We therefore prefer IO::Socket::INET6, and only fall back
to IO::Socket::IP if the former doesn't exist on the local system.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-14 07:39:23 +01:00
Viktor Dukhovni
cc5a9ba485 Restore -no_comp switch for backwards compatible behaviour
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-05 11:00:53 -05:00
Viktor Dukhovni
4c35c93661 Handle localhost being either 127.0.0.1 or ::1
When connecting to "localhost" the Proxy's choice of client address
family may not match the server's choice address family.  Without
MultiHomed => 1, the proxy may try the wrong address family first,
and give up without trying the other.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-03 21:18:24 -05:00
Richard Levitte
b7d53d411e Refactoring BIO: small test correction
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 22:15:45 +01:00
Richard Levitte
72b65aa4cb Refactoring BIO: add a simple networking test of s_client and s_server
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 20:36:59 +01:00
Emilia Kasper
dc5744cb78 RT3234: disable compression
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-03 18:08:16 +01:00
Richard Levitte
0d0769a4db Prefer ReuseAddr over Reuse, with IO::Socket::INET
Reuse is deprecated and ReuseAddr is prefered, according to documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-29 17:36:08 +01:00
Matt Caswell
ef96e4a28f Add test for missing CertificateStatus message
If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Dr. Stephen Henson
b3fce9c91e Add extms extension
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:33:04 +00:00
Dr. Stephen Henson
040c878350 TLSProxy update
Add function to delete extensions and fix ClientHello repacking.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:33:04 +00:00
Emilia Kasper
cf7f85927c Empty NewSessionTicket: test session resumption
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 16:00:58 +02:00
Emilia Kasper
7f6d90ac75 Empty session ticket: add a test
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 16:00:47 +02:00
Matt Caswell
50db968aad Fix some test failures when Configured with zlib
TLSProxy was failing if we are Configured with compression because it
doesn't support it. This fix simply switches compression off for the
purposes of the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-19 20:07:33 +01:00
Matt Caswell
ddcc5e5b60 Add NewSessionTicket test suite
Add a set of tests for checking that NewSessionTicket messages are
behaving as expected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 10:38:02 +01:00
Matt Caswell
8af538e5c5 Fix TLSProxy end of test detection
Previously TLSProxy would detect a successful handshake once it saw the
server Finished message. This causes problems with abbreviated handshakes,
or if the client fails to process a message from the last server flight.

This change additionally sends some application data and finishes when the
client sends a CloseNotify.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 10:38:02 +01:00
Richard Levitte
00bf5001f7 for test_sslvertol, add a value to display SSL version < 3 in debug
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-13 22:05:25 +02:00
Richard Levitte
4deefd6567 Fixups in libssl test harness
- select an actual file handle for devnull
- do not declare $msgdata twice
- SKE records sometimes seem to come without sig
- in SKE parsing, use and use $pub_key_len when parsing $pub_key

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-13 22:05:25 +02:00
Richard Levitte
c0cbb4c19b Use dynamic engine for libssl test harness
Use a dynamic engine for ossltest engine so that we can build it without
subsequently deploying it during install. We do not want people accidentally
using this engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 20:27:46 +01:00
Matt Caswell
a1accbb1d7 Extend TLSProxy capabilities
Add ServerHello parsing to TLSProxy.
Also add some (very) limited ServerKeyExchange parsing.
Add the capability to set client and server cipher lists
Fix a bug with fragment lengths

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 20:27:46 +01:00
Matt Caswell
631c120633 Add a libssl test harness
This commit provides a set of perl modules that support the testing of
libssl. The test harness operates as a man-in-the-middle proxy between
s_server and s_client. Both s_server and s_client must be started using the
"-testmode" option which loads the new OSSLTEST engine.

The test harness enables scripts to be written that can examine the packets
sent during a handshake, as well as (potentially) modifying them so that
otherwise illegal handshake messages can be sent.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 20:27:46 +01:00