More tests of FALLBACK_SCSV This is a backport of a non-regression test for issue #810 which affected the current release of mbed TLS, but not the 1.3 branch.

commit: a1cf6c8afb45daaf60936eb5c58301cae3884b5a [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Wed May 17 14:50:38 2017 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Wed May 17 14:50:38 2017 +0200
tree: 26eea1baf37274133a7327e815c56459c56b10d9
parent: 98864d5c0b154eda7aeb2c2bffe7e7e1c97424bc [diff] [blame]
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a018f64..7bcc412 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh

@@ -16,11 +16,13 @@
 : ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
 : ${GNUTLS_CLI:=gnutls-cli}
 : ${GNUTLS_SERV:=gnutls-serv}
+: ${PERL:=perl}
 
 O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key -dhparam data_files/dhparams.pem"
 O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
 G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
 G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
+TCP_CLIENT="$PERL scripts/tcp_client.pl"
 
 TESTS=0
 FAILS=0
@@ -761,6 +763,37 @@
             -s "received FALLBACK_SCSV" \
             -S "inapropriate fallback"
 
+## ClientHello generated with
+## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
+## then manually twiddling the ciphersuite list.
+## The ClientHello content is spelled out below as a hex string as
+## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
+## The expected response is an inappropriate_fallback alert.
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: beginning of list" \
+            "$P_SRV debug_level=2" \
+            "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
+            0 \
+            -s "received FALLBACK_SCSV" \
+            -s "inapropriate fallback"
+
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: end of list" \
+            "$P_SRV debug_level=2" \
+            "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
+            0 \
+            -s "received FALLBACK_SCSV" \
+            -s "inapropriate fallback"
+
+## Here the expected response is a valid ServerHello prefix, up to the random.
+requires_openssl_with_fallback_scsv
+run_test    "Fallback SCSV: not in list" \
+            "$P_SRV debug_level=2" \
+            "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
+            0 \
+            -S "received FALLBACK_SCSV" \
+            -S "inapropriate fallback"
+
 # Tests for CBC 1/n-1 record splitting
 
 run_test    "CBC Record splitting: TLS 1.2, no splitting" \
commit	a1cf6c8afb45daaf60936eb5c58301cae3884b5a	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Wed May 17 14:50:38 2017 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Wed May 17 14:50:38 2017 +0200
tree	26eea1baf37274133a7327e815c56459c56b10d9
parent	98864d5c0b154eda7aeb2c2bffe7e7e1c97424bc [diff] [blame]