596d6b7e | 1 | #! /usr/bin/env perl |
6738bf14 | 2 | # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. |
42a8b3f9 | 3 | # |
4 | # Licensed under the OpenSSL license (the "License"). You may not use |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | |
9 | use strict; | |
42e0ccdf | 10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; |
3f22ed2f | 11 | use OpenSSL::Test::Utils; |
12 | use TLSProxy::Proxy; |
13 | use File::Temp qw(tempfile); | |

# NOTE(review): the preamble above enables strict but not warnings; the
# usual OpenSSL recipe preamble also has 'use warnings;' -- consider adding it.
my $test_name = "test_tlsextms";
setup($test_name);

# TLSProxy drives a real client and server through a man-in-the-middle
# proxy; it is not available on every platform the suite runs on.
plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

# EMS only exists for TLS <= 1.2, so at least one of those versions is needed.
plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled"
    if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");

# Masks CPU capability bits the ia32 code paths may use.  Presumably this
# pins the test to a fixed implementation so the captured handshake is
# reproducible across hardware -- TODO confirm which features the mask covers.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Forward declarations so the prototyped helpers can be called before their
# definitions at the bottom of the file.
sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();

# Proxy behaviour: when set, extms_filter strips the extended master secret
# extension from the ClientHello ($crmextms) / ServerHello ($srmextms).
my $crmextms = 0;
my $srmextms = 0;
# Observations recorded by checkmessages from the captured handshake:
# EMS extension seen in ClientHello / ServerHello, and a ClientKeyExchange
# seen (i.e. a full rather than abbreviated handshake).
my $cextms = 0;
my $sextms = 0;
my $fullhand = 0;

my $proxy = TLSProxy::Proxy->new(
    \&extms_filter,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    # presumably a debug/verbosity flag: on unless running quietly under the
    # harness -- verify against TLSProxy::Proxy->new
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Note that EXTMS is only relevant for <TLS1.3, hence -no_tls1_3 on every
#client below except Test 10.

#Test 1: By default server and client should send extended master secret
# extension.
#Expected result: ClientHello extension seen; ServerHello extension seen
# Full handshake

setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
# Only the first start() is checked; if the proxy cannot come up at all the
# whole recipe is skipped rather than reported as a handshake failure.
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
my $numtests = 9;
$numtests++ if (!disabled("tls1_3"));
plan tests => $numtests;
checkmessages(1, "Default extended master secret test", 1, 1, 1);

#Test 2: If client omits extended master secret extension, server should too.
#Expected result: ClientHello extension not seen; ServerHello extension not seen
# Full handshake

clearall();
setrmextms(1, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

# Test 3: same as 1 but with session tickets disabled.
# Expected result: same as test 1.

clearall();
$proxy->clientflags("-no_ticket -no_tls1_3");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

# Test 4: same as 2 but with session tickets disabled.
# Expected result: same as test 2.

clearall();
$proxy->clientflags("-no_ticket -no_tls1_3");
setrmextms(1, 0);
$proxy->start();
checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);

#Test 5: Session resumption extended master secret test
#
#Expected result: ClientHello extension seen; ServerHello extension seen
# Abbreviated handshake
#
# Tests 5-9 run two connections through the proxy (serverconnects(2)):
# the first writes the session to a temp file with -sess_out, the second
# resumes it with -sess_in.  Only the temp file's path is needed, so the
# handle returned by tempfile() is discarded; the file is unlinked afterwards.

clearall();
setrmextms(0, 0);
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);
unlink $session;

#Test 6: Session resumption extended master secret test original session
# omits extension. Server must not resume session.
#Expected result: ClientHello extension seen; ServerHello extension seen
# Full handshake
#
# Tests 6-9 cover the resumption consistency rules of RFC 7627 section 5.3:
# a session must never be resumed with a different EMS state than it was
# created with, otherwise an attacker could downgrade a resumed connection.

clearall();
setrmextms(1, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
# Stop stripping for the resumption attempt: the original session had no
# EMS, the new ClientHello has it, so the server must fall back to a full
# handshake.
setrmextms(0, 0);
$proxy->clientstart();
checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
unlink $session;

#Test 7: Session resumption extended master secret test resumed session
# omits client extension. Server must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
# Original session used EMS; strip it from the resuming ClientHello.
setrmextms(1, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
unlink $session;

#Test 8: Session resumption extended master secret test resumed session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.

clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
# Original session used EMS; strip it from the resuming ServerHello.
setrmextms(0, 1);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
unlink $session;

#Test 9: Session resumption extended master secret test initial session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.

clearall();
# Strip EMS from the ServerHello of the *initial* handshake only.
setrmextms(0, 1);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;

#Test 10: In TLS1.3 we should not negotiate extended master secret
#Expected result: ClientHello extension seen; ServerHello extension not seen
# TLS1.3 handshake (will appear as abbreviated handshake
# because of no CKE message)
# This is the one test without -no_tls1_3, so it is only counted in
# $numtests (and only run) when TLS 1.3 is enabled in the build.
if (!disabled("tls1_3")) {
    clearall();
    setrmextms(0, 0);
    $proxy->start();
    checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0);
}


# Proxy message filter: removes the extended master secret extension from
# the ClientHello when $crmextms is set and from the ServerHello when
# $srmextms is set, repacking each modified message.  Other messages, and
# hellos when the corresponding flag is clear, pass through untouched.
sub extms_filter
{
    my $proxy = shift;

    for my $message (@{$proxy->message_list}) {
        # Flag checks come first so the message type is only consulted when
        # stripping is actually enabled for that direction.
        my $strip = ($crmextms
                     && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO)
                 || ($srmextms
                     && $message->mt == TLSProxy::Message::MT_SERVER_HELLO);
        next unless $strip;

        $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
        $message->repack();
    }
}
205 | ||
# Examines the handshake captured by $proxy and runs a 4-assertion subtest.
#
# Args: $testno (unused, kept for the caller's numbering), $testname (subtest
# label), then the expected values for: EMS extension present in ClientHello,
# EMS extension present in ServerHello, full handshake (ClientKeyExchange
# seen).  The observations are stored in the file-level $cextms, $sextms and
# $fullhand, which the caller is expected to reset via clearall() beforehand.
sub checkmessages($$$$$)
{
    my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

    subtest $testname => sub {

        for my $message (@{$proxy->message_list}) {
            my $mt = $message->mt;

            if ($mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
                # A ClientKeyExchange is only sent in a full handshake.
                $fullhand = 1;
                next;
            }

            next unless $mt == TLSProxy::Message::MT_CLIENT_HELLO
                     || $mt == TLSProxy::Message::MT_SERVER_HELLO;

            # Record whether this hello carried the EMS extension.
            my %extensions = %{$message->extension_data};
            next unless defined
                $extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET};

            if ($mt == TLSProxy::Message::MT_CLIENT_HELLO) {
                $cextms = 1;
            }
            else {
                $sextms = 1;
            }
        }

        plan tests => 4;

        ok(TLSProxy::Message->success, "Handshake");

        ok($testcextms == $cextms,
           "ClientHello extension extended master secret check");
        ok($testsextms == $sextms,
           "ServerHello extension extended master secret check");
        ok($testhand == $fullhand,
           "Extended master secret full handshake check");

    }
}
244 | ||
# Configures extms_filter: first arg strips the EMS extension from the
# ClientHello, second arg from the ServerHello (both truthy/falsy).
sub setrmextms($$)
{
    my ($client_rm, $server_rm) = @_;
    $crmextms = $client_rm;
    $srmextms = $server_rm;
}
249 | ||
# Resets the observations recorded by checkmessages and clears the proxy's
# captured state so the next test starts from a clean slate.  The strip
# flags ($crmextms/$srmextms) are deliberately left alone; each test sets
# them explicitly via setrmextms().
sub clearall()
{
    ($cextms, $sextms, $fullhand) = (0, 0, 0);
    $proxy->clear();
}