Fix the tests following the state machine changes for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/test/asynciotest.c b/test/asynciotest.c
index a4f43f8..d7b1dd3 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -142,8 +142,9 @@
abort();
while (PACKET_remaining(&pkt) > 0) {
- PACKET payload;
+ PACKET payload, wholebody;
unsigned int contenttype, versionhi, versionlo, data;
+ unsigned int msgtype = 0, negversion;
if ( !PACKET_get_1(&pkt, &contenttype)
|| !PACKET_get_1(&pkt, &versionhi)
@@ -154,6 +155,17 @@
/* Pretend we wrote out the record header */
written += SSL3_RT_HEADER_LENGTH;
+ wholebody = payload;
+ if (contenttype == SSL3_RT_HANDSHAKE
+ && !PACKET_get_1(&wholebody, &msgtype))
+ abort();
+
+ if (msgtype == SSL3_MT_SERVER_HELLO
+ && (!PACKET_forward(&wholebody,
+ SSL3_HM_HEADER_LENGTH - 1)
+ || !PACKET_get_net_2(&wholebody, &negversion)))
+ abort();
+
while (PACKET_get_1(&payload, &data)) {
/* Create a new one byte long record for each byte in the
* record in the input buffer
@@ -177,10 +189,14 @@
written++;
}
/*
- * We can't fragment anything after the CCS, otherwise we
- * get a bad record MAC
+ * We can't fragment anything after the ServerHello (or CCS <=
+ * TLS1.2), otherwise we get a bad record MAC
+ * TODO(TLS1.3): Change TLS1_3_VERSION_DRAFT to TLS1_3_VERSION
+ * before release
*/
- if (contenttype == SSL3_RT_CHANGE_CIPHER_SPEC) {
+ if (contenttype == SSL3_RT_CHANGE_CIPHER_SPEC
+ || (negversion == TLS1_3_VERSION_DRAFT
+ && msgtype == SSL3_MT_SERVER_HELLO)) {
fragment = 0;
break;
}
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index cafa30c..e6f7a36 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -128,6 +128,7 @@
#Test 10: Sending an unrecognised record type in TLS1.2 should fail
$proxy->clear();
+$proxy->serverflags("-tls1_2");
$proxy->filter(\&add_unknown_record_type);
$proxy->start();
ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.2");
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 4e20763..42ba98c 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -564,7 +564,7 @@
return 0;
}
-#define MAXLOOPS 100000
+#define MAXLOOPS 1000000
/*
* NOTE: Transfers control of the BIOs - this function will free them on error
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 6bf5a72..3259edc 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -115,9 +115,9 @@
die "CCS received before message data complete\n";
}
if ($server) {
- TLSProxy::Record->server_ccs_seen(1);
+ TLSProxy::Record->server_encrypting(1);
} else {
- TLSProxy::Record->client_ccs_seen(1);
+ TLSProxy::Record->client_encrypting(1);
}
} elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) {
if ($record->len == 0 || $record->len_real == 0) {
diff --git a/util/TLSProxy/Record.pm b/util/TLSProxy/Record.pm
index bf6de43..6d35f08 100644
--- a/util/TLSProxy/Record.pm
+++ b/util/TLSProxy/Record.pm
@@ -11,8 +11,8 @@
package TLSProxy::Record;
-my $server_ccs_seen = 0;
-my $client_ccs_seen = 0;
+my $server_encrypting = 0;
+my $client_encrypting = 0;
my $etm = 0;
use constant TLS_RECORD_HEADER_LENGTH => 5;
@@ -36,6 +36,7 @@
use constant {
VERS_TLS_1_4 => 773,
+ VERS_TLS_1_3_DRAFT => 32530,
VERS_TLS_1_3 => 772,
VERS_TLS_1_2 => 771,
VERS_TLS_1_1 => 770,
@@ -108,8 +109,8 @@
substr($packet, TLS_RECORD_HEADER_LENGTH, $len_real)
);
- if (($server && $server_ccs_seen)
- || (!$server && $client_ccs_seen)) {
+ if (($server && $server_encrypting)
+ || (!$server && $client_encrypting)) {
if ($version != VERS_TLS_1_3() && $etm) {
$record->decryptETM();
} else {
@@ -133,26 +134,26 @@
sub clear
{
- $server_ccs_seen = 0;
- $client_ccs_seen = 0;
+ $server_encrypting = 0;
+ $client_encrypting = 0;
}
#Class level accessors
-sub server_ccs_seen
+sub server_encrypting
{
my $class = shift;
if (@_) {
- $server_ccs_seen = shift;
+ $server_encrypting = shift;
}
- return $server_ccs_seen;
+ return $server_encrypting;
}
-sub client_ccs_seen
+sub client_encrypting
{
my $class = shift;
if (@_) {
- $client_ccs_seen = shift;
+ $client_encrypting= shift;
}
- return $client_ccs_seen;
+ return $client_encrypting;
}
#Enable/Disable Encrypt-then-MAC
sub etm
diff --git a/util/TLSProxy/ServerHello.pm b/util/TLSProxy/ServerHello.pm
index 79a8be9..9d6ad38 100644
--- a/util/TLSProxy/ServerHello.pm
+++ b/util/TLSProxy/ServerHello.pm
@@ -94,6 +94,12 @@
$self->process_data();
+ # TODO(TLS1.3): Replace this reference to draft version before release
+ if ($server_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) {
+ TLSProxy::Record->server_encrypting(1);
+ TLSProxy::Record->client_encrypting(1);
+ }
+
print " Server Version:".$server_version."\n";
print " Session ID Len:".$session_id_len."\n";
print " Ciphersuite:".$ciphersuite."\n";
