diff options
author | Sam Roberts <vieuxtech@gmail.com> | 2018-11-22 10:39:20 -0800 |
---|---|---|
committer | Sam Roberts <vieuxtech@gmail.com> | 2019-01-22 13:32:34 -0800 |
commit | 4231ad04f0b2aee5bda6be94715d4b70badaac8b (patch) | |
tree | 19f189fae6828708ebd37e466ce4a7716494b96a /deps/openssl/openssl/test/recipes/70-test_sslextension.t | |
parent | 5d80f9ea6091847176fa47fb1395fdffc4af9164 (diff) | |
download | android-node-v8-4231ad04f0b2aee5bda6be94715d4b70badaac8b.tar.gz android-node-v8-4231ad04f0b2aee5bda6be94715d4b70badaac8b.tar.bz2 android-node-v8-4231ad04f0b2aee5bda6be94715d4b70badaac8b.zip |
deps: upgrade openssl sources to 1.1.1a
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Diffstat (limited to 'deps/openssl/openssl/test/recipes/70-test_sslextension.t')
-rw-r--r-- | deps/openssl/openssl/test/recipes/70-test_sslextension.t | 152 |
1 files changed, 138 insertions, 14 deletions
diff --git a/deps/openssl/openssl/test/recipes/70-test_sslextension.t b/deps/openssl/openssl/test/recipes/70-test_sslextension.t index 8d6ccc6ab3..20e1933f00 100644 --- a/deps/openssl/openssl/test/recipes/70-test_sslextension.t +++ b/deps/openssl/openssl/test/recipes/70-test_sslextension.t @@ -7,6 +7,8 @@ # https://www.openssl.org/source/license.html use strict; +use feature 'state'; + use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; use OpenSSL::Test::Utils; use TLSProxy::Proxy; @@ -26,23 +28,41 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLS enabled" if alldisabled(available_protocols("tls")); +my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2")) + || (!disabled("tls1_3") && disabled("tls1_2")); + +use constant { + UNSOLICITED_SERVER_NAME => 0, + UNSOLICITED_SERVER_NAME_TLS13 => 1, + UNSOLICITED_SCT => 2, + NONCOMPLIANT_SUPPORTED_GROUPS => 3 +}; + +my $testtype; +my $fatal_alert = 0; # set by filter on fatal alert + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( - \&extension_filter, + \&inject_duplicate_extension_clienthello, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); -# Test 1: Sending a zero length extension block should pass -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 3; -ok(TLSProxy::Message->success, "Zero extension length test"); sub extension_filter { my $proxy = shift; + if ($proxy->flight == 1) { + # Change the ServerRandom so that the downgrade sentinel doesn't cause + # the connection to fail + my $message = ${$proxy->message_list}[1]; + $message->random("\0"x32); + $message->repack(); + return; + } + # We're only interested in the initial ClientHello if ($proxy->flight != 0) { return; @@ -61,7 +81,6 @@ sub extension_filter } } -# Test 2-3: Sending a duplicate extension should fail. sub inject_duplicate_extension { my ($proxy, $message_type) = @_; @@ -82,11 +101,13 @@ sub inject_duplicate_extension_clienthello my $proxy = shift; # We're only interested in the initial ClientHello - if ($proxy->flight != 0) { + if ($proxy->flight == 0) { + inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO); return; } - inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO); + my $last_record = @{$proxy->{record_list}}[-1]; + $fatal_alert = 1 if $last_record->is_fatal_alert(1); } sub inject_duplicate_extension_serverhello @@ -94,19 +115,122 @@ sub inject_duplicate_extension_serverhello my $proxy = shift; # We're only interested in the initial ServerHello + if ($proxy->flight == 0) { + return; + } elsif ($proxy->flight == 1) { + inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO); + return; + } + + my $last_record = @{$proxy->{record_list}}[-1]; + $fatal_alert = 1 if $last_record->is_fatal_alert(0); +} + +sub inject_unsolicited_extension +{ + my $proxy = shift; + my $message; + state $sent_unsolisited_extension; + + if ($proxy->flight == 0) { + $sent_unsolisited_extension = 0; + return; + } + + # We're only interested in the initial ServerHello/EncryptedExtensions if ($proxy->flight != 1) { + if ($sent_unsolisited_extension) { + my $last_record = @{$proxy->record_list}[-1]; + $fatal_alert = 1 if $last_record->is_fatal_alert(0); + } return; } - inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO); + if ($testtype == UNSOLICITED_SERVER_NAME_TLS13) { + return if (!defined($message = ${$proxy->message_list}[2])); + die "Expecting EE message ".($message->mt)."," + .${$proxy->message_list}[1]->mt.", " + .${$proxy->message_list}[3]->mt + if $message->mt != TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS; + } else { + $message = ${$proxy->message_list}[1]; + } + + my $ext = pack "C2", + 0x00, 0x00; #Extension length + + my $type; + if ($testtype == UNSOLICITED_SERVER_NAME + || $testtype == UNSOLICITED_SERVER_NAME_TLS13) { + $type = TLSProxy::Message::EXT_SERVER_NAME; + } elsif ($testtype == UNSOLICITED_SCT) { + $type = TLSProxy::Message::EXT_SCT; + } elsif ($testtype == NONCOMPLIANT_SUPPORTED_GROUPS) { + $type = TLSProxy::Message::EXT_SUPPORTED_GROUPS; + } + $message->set_extension($type, $ext); + $message->repack(); + $sent_unsolisited_extension = 1; } -$proxy->clear(); -$proxy->filter(\&inject_duplicate_extension_clienthello); -$proxy->start(); -ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension"); +# Test 1-2: Sending a duplicate extension should fail. +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 7; +ok($fatal_alert, "Duplicate ClientHello extension"); +$fatal_alert = 0; $proxy->clear(); $proxy->filter(\&inject_duplicate_extension_serverhello); $proxy->start(); -ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension"); +ok($fatal_alert, "Duplicate ServerHello extension"); + +SKIP: { + skip "TLS <= 1.2 disabled", 3 if $no_below_tls13; + + #Test 3: Sending a zero length extension block should pass + $proxy->clear(); + $proxy->filter(\&extension_filter); + $proxy->start(); + ok(TLSProxy::Message->success, "Zero extension length test"); + + #Test 4: Inject an unsolicited extension (<= TLSv1.2) + $fatal_alert = 0; + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = UNSOLICITED_SERVER_NAME; + $proxy->clientflags("-no_tls1_3 -noservername"); + $proxy->start(); + ok($fatal_alert, "Unsolicited server name extension"); + + #Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2) + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = NONCOMPLIANT_SUPPORTED_GROUPS; + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + ok(TLSProxy::Message->success(), "Noncompliant supported_groups extension"); +} + +SKIP: { + skip "TLS <= 1.2 or CT disabled", 1 + if $no_below_tls13 || disabled("ct"); + #Test 6: Same as above for the SCT extension which has special handling + $fatal_alert = 0; + $proxy->clear(); + $testtype = UNSOLICITED_SCT; + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + ok($fatal_alert, "Unsolicited sct extension"); +} + +SKIP: { + skip "TLS 1.3 disabled", 1 if disabled("tls1_3"); + #Test 7: Inject an unsolicited extension (TLSv1.3) + $fatal_alert = 0; + $proxy->clear(); + $proxy->filter(\&inject_unsolicited_extension); + $testtype = UNSOLICITED_SERVER_NAME_TLS13; + $proxy->clientflags("-noservername"); + $proxy->start(); + ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)"); +} |