[thirdparty/openssl.git] / test / recipes / 70-test_tlsextms.t

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);

my $test_name = "test_tlsextms";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled"
    if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();

my $crmextms = 0;
my $srmextms = 0;
my $cextms = 0;
my $sextms = 0;
my $fullhand = 0;

my $proxy = TLSProxy::Proxy->new(
    \&extms_filter,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Note that EXTMS is only relevant for <TLS1.3

#Test 1: By default server and client should send extended master secret
# extension.
#Expected result: ClientHello extension seen; ServerHello extension seen
#                 Full handshake

setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 10;
checkmessages(1, "Default extended master secret test", 1, 1, 1);

#Test 2: If client omits extended master secret extension, server should too.
#Expected result: ClientHello extension not seen; ServerHello extension not seen
#                 Full handshake

clearall();
setrmextms(1, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

# Test 3: same as 1 but with session tickets disabled.
# Expected result: same as test 1.

clearall();
$proxy->clientflags("-no_ticket -no_tls1_3");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

# Test 4: same as 2 but with session tickets disabled.
# Expected result: same as test 2.

clearall();
$proxy->clientflags("-no_ticket -no_tls1_3");
setrmextms(1, 0);
$proxy->start();
checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);

#Test 5: Session resumption extended master secret test
#
#Expected result: ClientHello extension seen; ServerHello extension seen
#                 Abbreviated handshake

clearall();
setrmextms(0, 0);
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);
unlink $session;

#Test 6: Session resumption extended master secret test original session
# omits extension. Server must not resume session.
#Expected result: ClientHello extension seen; ServerHello extension seen
#                 Full handshake

clearall();
setrmextms(1, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
unlink $session;

#Test 7: Session resumption extended master secret test resumed session
# omits client extension. Server must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(1, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
unlink $session;

#Test 8: Session resumption extended master secret test resumed session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 1);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
unlink $session;

#Test 9: Session resumption extended master secret test initial session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 1);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;

SKIP: {
    skip "TLS 1.3 disabled", 1
        if disabled("tls1_3") || (disabled("ec") && disabled("dh"));

    #Test 10: In TLS1.3 we should not negotiate extended master secret
    #Expected result: ClientHello extension seen; ServerHello extension not seen
    #                 TLS1.3 handshake (will appear as abbreviated handshake
    #                 because of no CKE message)
    clearall();
    setrmextms(0, 0);
    $proxy->start();
    checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0);
}


sub extms_filter
{
    my $proxy = shift;

    foreach my $message (@{$proxy->message_list}) {
        if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
            $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
            $message->repack();
        }
        if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
            $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
            $message->repack();
        }
    }
}

sub checkmessages($$$$$)
{
    my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

    subtest $testname => sub {

    foreach my $message (@{$proxy->message_list}) {
        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
            || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
        #Get the extensions data
        my %extensions = %{$message->extension_data};
        if (defined
            $extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) {
            if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
                $cextms = 1;
            } else {
                $sextms = 1;
            }
        }
        } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
            #Must be doing a full handshake
            $fullhand = 1;
        }
    }

    plan tests => 4;

    ok(TLSProxy::Message->success, "Handshake");

    ok($testcextms == $cextms,
       "ClientHello extension extended master secret check");
    ok($testsextms == $sextms,
       "ServerHello extension extended master secret check");
    ok($testhand == $fullhand,
       "Extended master secret full handshake check");

    }
}

sub setrmextms($$)
{
    ($crmextms, $srmextms) = @_;
}

sub clearall()
{
    $cextms = 0;
    $sextms = 0;
    $fullhand = 0;
    $proxy->clear();
}
Commit	Line	Data
596d6b7e	1	#! /usr/bin/env perl
a28d06f3	2	# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
42a8b3f9	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
596d6b7e RS	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
42a8b3f9 DSH	8
42a8b3f9 DSH	9	use strict;
42e0ccdf	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
3f22ed2f	11	use OpenSSL::Test::Utils;
42a8b3f9 DSH	12	use TLSProxy::Proxy;
	13	use File::Temp qw(tempfile);
	14
	15	my $test_name = "test_tlsextms";
	16	setup($test_name);
	17
60f9f1e1	18	plan skip_all => "TLSProxy isn't usable on $^O"
c5856878	19	if $^O =~ /^(VMS)$/;
60f9f1e1	20
2dd400bd	21	plan skip_all => "$test_name needs the dynamic engine feature enabled"
19ab5790	22	if disabled("engine") \|\| disabled("dynamic-engine");
42a8b3f9	23
f9e55034 MC	24	plan skip_all => "$test_name needs the sock feature enabled"
	25	if disabled("sock");
	26
0f1e51ea MC	27	plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled"
0f1e51ea MC	28	if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");
b273fcc5	29
42a8b3f9 DSH	30	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
	31
	32	sub checkmessages($$$$$);
	33	sub setrmextms($$);
	34	sub clearall();
	35
	36	my $crmextms = 0;
	37	my $srmextms = 0;
	38	my $cextms = 0;
	39	my $sextms = 0;
	40	my $fullhand = 0;
	41
	42	my $proxy = TLSProxy::Proxy->new(
	43	\&extms_filter,
25c78440	44	cmdstr(app(["openssl"]), display => 1),
42e0ccdf	45	srctop_file("apps", "server.pem"),
b44b935e	46	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
42a8b3f9 DSH	47	);
42a8b3f9 DSH	48
0f1e51ea MC	49	#Note that EXTMS is only relevant for <TLS1.3
0f1e51ea MC	50
42a8b3f9 DSH	51	#Test 1: By default server and client should send extended master secret
	52	# extension.
	53	#Expected result: ClientHello extension seen; ServerHello extension seen
	54	# Full handshake
	55
	56	setrmextms(0, 0);
0f1e51ea	57	$proxy->clientflags("-no_tls1_3");
b02b5743	58	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
a763ca11	59	plan tests => 10;
42a8b3f9 DSH	60	checkmessages(1, "Default extended master secret test", 1, 1, 1);
	61
	62	#Test 2: If client omits extended master secret extension, server should too.
	63	#Expected result: ClientHello extension not seen; ServerHello extension not seen
	64	# Full handshake
	65
	66	clearall();
	67	setrmextms(1, 0);
0f1e51ea	68	$proxy->clientflags("-no_tls1_3");
42a8b3f9 DSH	69	$proxy->start();
	70	checkmessages(2, "No client extension extended master secret test", 0, 0, 1);
	71
	72	# Test 3: same as 1 but with session tickets disabled.
	73	# Expected result: same as test 1.
	74
	75	clearall();
0f1e51ea	76	$proxy->clientflags("-no_ticket -no_tls1_3");
42a8b3f9 DSH	77	setrmextms(0, 0);
	78	$proxy->start();
	79	checkmessages(3, "No ticket extended master secret test", 1, 1, 1);
	80
	81	# Test 4: same as 2 but with session tickets disabled.
	82	# Expected result: same as test 2.
	83
	84	clearall();
0f1e51ea	85	$proxy->clientflags("-no_ticket -no_tls1_3");
42a8b3f9 DSH	86	setrmextms(1, 0);
42a8b3f9 DSH	87	$proxy->start();
0f1e51ea	88	checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);
42a8b3f9 DSH	89
	90	#Test 5: Session resumption extended master secret test
	91	#
	92	#Expected result: ClientHello extension seen; ServerHello extension seen
	93	# Abbreviated handshake
	94
	95	clearall();
	96	setrmextms(0, 0);
b38c43f7	97	(undef, my $session) = tempfile();
42a8b3f9	98	$proxy->serverconnects(2);
0f1e51ea	99	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	100	$proxy->start();
5427976d	101	$proxy->clearClient();
0f1e51ea	102	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	103	$proxy->clientstart();
42a8b3f9 DSH	104	checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);
b38c43f7	105	unlink $session;
42a8b3f9	106
b6453a68	107	#Test 6: Session resumption extended master secret test original session
42a8b3f9 DSH	108	# omits extension. Server must not resume session.
	109	#Expected result: ClientHello extension seen; ServerHello extension seen
	110	# Full handshake
	111
	112	clearall();
	113	setrmextms(1, 0);
b38c43f7	114	(undef, $session) = tempfile();
42a8b3f9	115	$proxy->serverconnects(2);
0f1e51ea	116	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	117	$proxy->start();
5427976d	118	$proxy->clearClient();
0f1e51ea	119	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	120	setrmextms(0, 0);
	121	$proxy->clientstart();
	122	checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
b38c43f7	123	unlink $session;
42a8b3f9 DSH	124
	125	#Test 7: Session resumption extended master secret test resumed session
	126	# omits client extension. Server must abort connection.
	127	#Expected result: aborted connection.
	128
	129	clearall();
	130	setrmextms(0, 0);
b38c43f7	131	(undef, $session) = tempfile();
42a8b3f9	132	$proxy->serverconnects(2);
0f1e51ea	133	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	134	$proxy->start();
5427976d	135	$proxy->clearClient();
0f1e51ea	136	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	137	setrmextms(1, 0);
42a8b3f9 DSH	138	$proxy->clientstart();
b6453a68	139	ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
b38c43f7	140	unlink $session;
42a8b3f9 DSH	141
	142	#Test 8: Session resumption extended master secret test resumed session
	143	# omits server extension. Client must abort connection.
	144	#Expected result: aborted connection.
	145
	146	clearall();
	147	setrmextms(0, 0);
b38c43f7	148	(undef, $session) = tempfile();
42a8b3f9	149	$proxy->serverconnects(2);
0f1e51ea	150	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	151	$proxy->start();
5427976d	152	$proxy->clearClient();
0f1e51ea	153	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	154	setrmextms(0, 1);
	155	$proxy->clientstart();
	156	ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
b38c43f7	157	unlink $session;
42a8b3f9 DSH	158
	159	#Test 9: Session resumption extended master secret test initial session
	160	# omits server extension. Client must abort connection.
	161	#Expected result: aborted connection.
	162
	163	clearall();
	164	setrmextms(0, 1);
b38c43f7	165	(undef, $session) = tempfile();
42a8b3f9	166	$proxy->serverconnects(2);
0f1e51ea	167	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	168	$proxy->start();
5427976d	169	$proxy->clearClient();
0f1e51ea	170	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	171	setrmextms(0, 0);
	172	$proxy->clientstart();
	173	ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
b38c43f7	174	unlink $session;
42a8b3f9	175
a763ca11 MC	176	SKIP: {
	177	skip "TLS 1.3 disabled", 1
	178	if disabled("tls1_3") \|\| (disabled("ec") && disabled("dh"));
	179
	180	#Test 10: In TLS1.3 we should not negotiate extended master secret
	181	#Expected result: ClientHello extension seen; ServerHello extension not seen
	182	# TLS1.3 handshake (will appear as abbreviated handshake
	183	# because of no CKE message)
0f1e51ea MC	184	clearall();
	185	setrmextms(0, 0);
	186	$proxy->start();
	187	checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0);
	188	}
	189
	190
42a8b3f9 DSH	191	sub extms_filter
	192	{
	193	my $proxy = shift;
	194
	195	foreach my $message (@{$proxy->message_list}) {
	196	if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
aa474d1f	197	$message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
42a8b3f9 DSH	198	$message->repack();
	199	}
	200	if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
aa474d1f	201	$message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
42a8b3f9 DSH	202	$message->repack();
	203	}
	204	}
	205	}
	206
	207	sub checkmessages($$$$$)
	208	{
	209	my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;
	210
	211	subtest $testname => sub {
	212
	213	foreach my $message (@{$proxy->message_list}) {
	214	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
	215	\|\| $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
	216	#Get the extensions data
	217	my %extensions = %{$message->extension_data};
	218	if (defined
aa474d1f	219	$extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) {
42a8b3f9 DSH	220	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
	221	$cextms = 1;
	222	} else {
	223	$sextms = 1;
	224	}
	225	}
	226	} elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
	227	#Must be doing a full handshake
	228	$fullhand = 1;
	229	}
	230	}
	231
	232	plan tests => 4;
	233
	234	ok(TLSProxy::Message->success, "Handshake");
	235
	236	ok($testcextms == $cextms,
	237	"ClientHello extension extended master secret check");
	238	ok($testsextms == $sextms,
	239	"ServerHello extension extended master secret check");
	240	ok($testhand == $fullhand,
	241	"Extended master secret full handshake check");
	242
	243	}
	244	}
	245
	246	sub setrmextms($$)
	247	{
	248	($crmextms, $srmextms) = @_;
	249	}
	250
	251	sub clearall()
	252	{
	253	$cextms = 0;
	254	$sextms = 0;
	255	$fullhand = 0;
	256	$proxy->clear();
	257	}