[thirdparty/openssl.git] / test / recipes / 70-test_tlsextms.t

#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);

my $test_name = "test_tlsextms";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled"
    if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();

my $crmextms = 0;
my $srmextms = 0;
my $cextms = 0;
my $sextms = 0;
my $fullhand = 0;

my $proxy = TLSProxy::Proxy->new(
    \&extms_filter,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Note that EXTMS is only relevant for <TLS1.3

#Test 1: By default server and client should send extended master secret
# extension.
#Expected result: ClientHello extension seen; ServerHello extension seen
#                 Full handshake

setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
my $numtests = 9;
$numtests++ if (!disabled("tls1_3"));
plan tests => $numtests;
checkmessages(1, "Default extended master secret test", 1, 1, 1);

#Test 2: If client omits extended master secret extension, server should too.
#Expected result: ClientHello extension not seen; ServerHello extension not seen
#                 Full handshake

clearall();
setrmextms(1, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

# Test 3: same as 1 but with session tickets disabled.
# Expected result: same as test 1.

clearall();
$proxy->clientflags("-no_ticket -no_tls1_3");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

# Test 4: same as 2 but with session tickets disabled.
# Expected result: same as test 2.

clearall();
$proxy->clientflags("-no_ticket -no_tls1_3");
setrmextms(1, 0);
$proxy->start();
checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);

#Test 5: Session resumption extended master secret test
#
#Expected result: ClientHello extension seen; ServerHello extension seen
#                 Abbreviated handshake

clearall();
setrmextms(0, 0);
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);
unlink $session;

#Test 6: Session resumption extended master secret test original session
# omits extension. Server must not resume session.
#Expected result: ClientHello extension seen; ServerHello extension seen
#                 Full handshake

clearall();
setrmextms(1, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
unlink $session;

#Test 7: Session resumption extended master secret test resumed session
# omits client extension. Server must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(1, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
unlink $session;

#Test 8: Session resumption extended master secret test resumed session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 1);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
unlink $session;

#Test 9: Session resumption extended master secret test initial session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 1);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;

#Test 10: In TLS1.3 we should not negotiate extended master secret
#Expected result: ClientHello extension seen; ServerHello extension not seen
#                 TLS1.3 handshake (will appear as abbreviated handshake
#                 because of no CKE message)
if (!disabled("tls1_3")) {
    clearall();
    setrmextms(0, 0);
    $proxy->start();
    checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0);
}


sub extms_filter
{
    my $proxy = shift;

    foreach my $message (@{$proxy->message_list}) {
        if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
            $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
            $message->repack();
        }
        if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
            $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
            $message->repack();
        }
    }
}

sub checkmessages($$$$$)
{
    my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

    subtest $testname => sub {

    foreach my $message (@{$proxy->message_list}) {
        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
            || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
        #Get the extensions data
        my %extensions = %{$message->extension_data};
        if (defined
            $extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) {
            if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
                $cextms = 1;
            } else {
                $sextms = 1;
            }
        }
        } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
            #Must be doing a full handshake
            $fullhand = 1;
        }
    }

    plan tests => 4;

    ok(TLSProxy::Message->success, "Handshake");

    ok($testcextms == $cextms,
       "ClientHello extension extended master secret check");
    ok($testsextms == $sextms,
       "ServerHello extension extended master secret check");
    ok($testhand == $fullhand,
       "Extended master secret full handshake check");

    }
}

sub setrmextms($$)
{
    ($crmextms, $srmextms) = @_;
}

sub clearall()
{
    $cextms = 0;
    $sextms = 0;
    $fullhand = 0;
    $proxy->clear();
}
Commit	Line	Data
596d6b7e	1	#! /usr/bin/env perl
6738bf14	2	# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
42a8b3f9	3	#
596d6b7e RS	4	# Licensed under the OpenSSL license (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
42a8b3f9 DSH	8
42a8b3f9 DSH	9	use strict;
42e0ccdf	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
3f22ed2f	11	use OpenSSL::Test::Utils;
42a8b3f9 DSH	12	use TLSProxy::Proxy;
	13	use File::Temp qw(tempfile);
	14
	15	my $test_name = "test_tlsextms";
	16	setup($test_name);
	17
60f9f1e1	18	plan skip_all => "TLSProxy isn't usable on $^O"
c5856878	19	if $^O =~ /^(VMS)$/;
60f9f1e1	20
2dd400bd	21	plan skip_all => "$test_name needs the dynamic engine feature enabled"
19ab5790	22	if disabled("engine") \|\| disabled("dynamic-engine");
42a8b3f9	23
f9e55034 MC	24	plan skip_all => "$test_name needs the sock feature enabled"
	25	if disabled("sock");
	26
0f1e51ea MC	27	plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled"
0f1e51ea MC	28	if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");
b273fcc5	29
42a8b3f9 DSH	30	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
	31
	32	sub checkmessages($$$$$);
	33	sub setrmextms($$);
	34	sub clearall();
	35
	36	my $crmextms = 0;
	37	my $srmextms = 0;
	38	my $cextms = 0;
	39	my $sextms = 0;
	40	my $fullhand = 0;
	41
	42	my $proxy = TLSProxy::Proxy->new(
	43	\&extms_filter,
25c78440	44	cmdstr(app(["openssl"]), display => 1),
42e0ccdf	45	srctop_file("apps", "server.pem"),
b44b935e	46	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
42a8b3f9 DSH	47	);
42a8b3f9 DSH	48
0f1e51ea MC	49	#Note that EXTMS is only relevant for <TLS1.3
0f1e51ea MC	50
42a8b3f9 DSH	51	#Test 1: By default server and client should send extended master secret
	52	# extension.
	53	#Expected result: ClientHello extension seen; ServerHello extension seen
	54	# Full handshake
	55
	56	setrmextms(0, 0);
0f1e51ea	57	$proxy->clientflags("-no_tls1_3");
b02b5743	58	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
0f1e51ea	59	my $numtests = 9;
94ed2c67	60	$numtests++ if (!disabled("tls1_3"));
0f1e51ea	61	plan tests => $numtests;
42a8b3f9 DSH	62	checkmessages(1, "Default extended master secret test", 1, 1, 1);
	63
	64	#Test 2: If client omits extended master secret extension, server should too.
	65	#Expected result: ClientHello extension not seen; ServerHello extension not seen
	66	# Full handshake
	67
	68	clearall();
	69	setrmextms(1, 0);
0f1e51ea	70	$proxy->clientflags("-no_tls1_3");
42a8b3f9 DSH	71	$proxy->start();
	72	checkmessages(2, "No client extension extended master secret test", 0, 0, 1);
	73
	74	# Test 3: same as 1 but with session tickets disabled.
	75	# Expected result: same as test 1.
	76
	77	clearall();
0f1e51ea	78	$proxy->clientflags("-no_ticket -no_tls1_3");
42a8b3f9 DSH	79	setrmextms(0, 0);
	80	$proxy->start();
	81	checkmessages(3, "No ticket extended master secret test", 1, 1, 1);
	82
	83	# Test 4: same as 2 but with session tickets disabled.
	84	# Expected result: same as test 2.
	85
	86	clearall();
0f1e51ea	87	$proxy->clientflags("-no_ticket -no_tls1_3");
42a8b3f9 DSH	88	setrmextms(1, 0);
42a8b3f9 DSH	89	$proxy->start();
0f1e51ea	90	checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);
42a8b3f9 DSH	91
	92	#Test 5: Session resumption extended master secret test
	93	#
	94	#Expected result: ClientHello extension seen; ServerHello extension seen
	95	# Abbreviated handshake
	96
	97	clearall();
	98	setrmextms(0, 0);
b38c43f7	99	(undef, my $session) = tempfile();
42a8b3f9	100	$proxy->serverconnects(2);
0f1e51ea	101	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	102	$proxy->start();
5427976d	103	$proxy->clearClient();
0f1e51ea	104	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	105	$proxy->clientstart();
42a8b3f9 DSH	106	checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);
b38c43f7	107	unlink $session;
42a8b3f9	108
b6453a68	109	#Test 6: Session resumption extended master secret test original session
42a8b3f9 DSH	110	# omits extension. Server must not resume session.
	111	#Expected result: ClientHello extension seen; ServerHello extension seen
	112	# Full handshake
	113
	114	clearall();
	115	setrmextms(1, 0);
b38c43f7	116	(undef, $session) = tempfile();
42a8b3f9	117	$proxy->serverconnects(2);
0f1e51ea	118	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	119	$proxy->start();
5427976d	120	$proxy->clearClient();
0f1e51ea	121	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	122	setrmextms(0, 0);
	123	$proxy->clientstart();
	124	checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
b38c43f7	125	unlink $session;
42a8b3f9 DSH	126
	127	#Test 7: Session resumption extended master secret test resumed session
	128	# omits client extension. Server must abort connection.
	129	#Expected result: aborted connection.
	130
	131	clearall();
	132	setrmextms(0, 0);
b38c43f7	133	(undef, $session) = tempfile();
42a8b3f9	134	$proxy->serverconnects(2);
0f1e51ea	135	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	136	$proxy->start();
5427976d	137	$proxy->clearClient();
0f1e51ea	138	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	139	setrmextms(1, 0);
42a8b3f9 DSH	140	$proxy->clientstart();
b6453a68	141	ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
b38c43f7	142	unlink $session;
42a8b3f9 DSH	143
	144	#Test 8: Session resumption extended master secret test resumed session
	145	# omits server extension. Client must abort connection.
	146	#Expected result: aborted connection.
	147
	148	clearall();
	149	setrmextms(0, 0);
b38c43f7	150	(undef, $session) = tempfile();
42a8b3f9	151	$proxy->serverconnects(2);
0f1e51ea	152	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	153	$proxy->start();
5427976d	154	$proxy->clearClient();
0f1e51ea	155	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	156	setrmextms(0, 1);
	157	$proxy->clientstart();
	158	ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
b38c43f7	159	unlink $session;
42a8b3f9 DSH	160
	161	#Test 9: Session resumption extended master secret test initial session
	162	# omits server extension. Client must abort connection.
	163	#Expected result: aborted connection.
	164
	165	clearall();
	166	setrmextms(0, 1);
b38c43f7	167	(undef, $session) = tempfile();
42a8b3f9	168	$proxy->serverconnects(2);
0f1e51ea	169	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
42a8b3f9	170	$proxy->start();
5427976d	171	$proxy->clearClient();
0f1e51ea	172	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
42a8b3f9 DSH	173	setrmextms(0, 0);
	174	$proxy->clientstart();
	175	ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
b38c43f7	176	unlink $session;
42a8b3f9	177
0f1e51ea MC	178	#Test 10: In TLS1.3 we should not negotiate extended master secret
	179	#Expected result: ClientHello extension seen; ServerHello extension not seen
	180	# TLS1.3 handshake (will appear as abbreviated handshake
	181	# because of no CKE message)
	182	if (!disabled("tls1_3")) {
	183	clearall();
	184	setrmextms(0, 0);
	185	$proxy->start();
	186	checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0);
	187	}
	188
	189
42a8b3f9 DSH	190	sub extms_filter
	191	{
	192	my $proxy = shift;
	193
	194	foreach my $message (@{$proxy->message_list}) {
	195	if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
aa474d1f	196	$message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
42a8b3f9 DSH	197	$message->repack();
	198	}
	199	if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
aa474d1f	200	$message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
42a8b3f9 DSH	201	$message->repack();
	202	}
	203	}
	204	}
	205
	206	sub checkmessages($$$$$)
	207	{
	208	my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;
	209
	210	subtest $testname => sub {
	211
	212	foreach my $message (@{$proxy->message_list}) {
	213	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
	214	\|\| $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
	215	#Get the extensions data
	216	my %extensions = %{$message->extension_data};
	217	if (defined
aa474d1f	218	$extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) {
42a8b3f9 DSH	219	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
	220	$cextms = 1;
	221	} else {
	222	$sextms = 1;
	223	}
	224	}
	225	} elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
	226	#Must be doing a full handshake
	227	$fullhand = 1;
	228	}
	229	}
	230
	231	plan tests => 4;
	232
	233	ok(TLSProxy::Message->success, "Handshake");
	234
	235	ok($testcextms == $cextms,
	236	"ClientHello extension extended master secret check");
	237	ok($testsextms == $sextms,
	238	"ServerHello extension extended master secret check");
	239	ok($testhand == $fullhand,
	240	"Extended master secret full handshake check");
	241
	242	}
	243	}
	244
	245	sub setrmextms($$)
	246	{
	247	($crmextms, $srmextms) = @_;
	248	}
	249
	250	sub clearall()
	251	{
	252	$cextms = 0;
	253	$sextms = 0;
	254	$fullhand = 0;
	255	$proxy->clear();
	256	}