Add a test for a missing supported_versions extension in the HRR

Confirm that we correctly fail if supported_versions is missing from an HRR.
mattcaswell · Aug 1, 2024 · 8b0b6c9 · 8b0b6c9
1 parent 1165505
commit 8b0b6c9
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
@@ -38,7 +38,8 @@ use constant {
     CHANGE_HRR_CIPHERSUITE => 0,
     CHANGE_CH1_CIPHERSUITE => 1,
     DUPLICATE_HRR => 2,
-    INVALID_GROUP => 3
+    INVALID_GROUP => 3,
+    NO_SUPPORTED_VERSIONS => 4
 };
 
 #Test 1: A client should fail if the server changes the ciphersuite between the
@@ -51,7 +52,7 @@ if (disabled("ec")) {
 }
 my $testtype = CHANGE_HRR_CIPHERSUITE;
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 4;
+plan tests => 5;
 ok(TLSProxy::Message->fail(), "Server ciphersuite changes");
 
 #Test 2: It is an error if the client changes the offered ciphersuites so that
@@ -98,6 +99,19 @@ SKIP: {
     ok(TLSProxy::Message->success(), "Invalid group with HRR");
 }
 
+#Test 5: A failure should occur if an HRR is sent without the supported_versions
+#        extension
+$fatal_alert = 0;
+$proxy->clear();
+if (disabled("ec")) {
+    $proxy->serverflags("-curves ffdhe3072");
+} else {
+    $proxy->serverflags("-curves P-384");
+}
+$testtype = NO_SUPPORTED_VERSIONS;
+$proxy->start();
+ok($fatal_alert, "supported_versions missing from HRR");
+
 sub hrr_filter
 {
     my $proxy = shift;
@@ -118,6 +132,25 @@ sub hrr_filter
         return;
     }
 
+    if ($testtype == NO_SUPPORTED_VERSIONS) {
+        # Check if we have the expected fatal alert
+        if ($proxy->flight == 2) {
+            $fatal_alert = 1
+                if @{$proxy->record_list}[-1]->is_fatal_alert(0) == TLSProxy::Message::AL_DESC_MISSING_EXTENSION;
+            return;
+        }
+
+        # Otherwise we're only interested in the HRR
+        if ($proxy->flight != 1) {
+            return;
+        }
+
+        my $hrr = ${$proxy->message_list}[1];
+        $hrr->delete_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS);
+        $hrr->repack();
+        return;
+    }
+
     if ($testtype == DUPLICATE_HRR) {
         # We're only interested in the HRR
         # and the unexpected_message alert from client

diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
@@ -47,7 +47,8 @@ use constant {
     AL_DESC_BAD_RECORD_MAC => 20,
     AL_DESC_ILLEGAL_PARAMETER => 47,
     AL_DESC_PROTOCOL_VERSION => 70,
-    AL_DESC_NO_RENEGOTIATION => 100
+    AL_DESC_NO_RENEGOTIATION => 100,
+    AL_DESC_MISSING_EXTENSION => 109
 };
 
 my %message_type = (