[thirdparty/openssl.git] / test / recipes / 70-test_sslsigalgs.t

#! /usr/bin/env perl
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;

my $test_name = "test_sslsigalgs";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled"
    if disabled("tls1_2") && disabled("tls1_3");

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

use constant {
    NO_SIG_ALGS_EXT => 0,
    EMPTY_SIG_ALGS_EXT => 1,
    NO_KNOWN_SIG_ALGS => 2,
    NO_PSS_SIG_ALGS => 3,
    PSS_ONLY_SIG_ALGS => 4,
    PURE_SIGALGS => 5,
    COMPAT_SIGALGS => 6,
    SIGALGS_CERT_ALL => 7,
    SIGALGS_CERT_PKCS => 8,
    SIGALGS_CERT_INVALID => 9,
    UNRECOGNIZED_SIGALGS_CERT => 10,
    UNRECOGNIZED_SIGALG => 11
};

#Note: Throughout this test we override the default ciphersuites where TLSv1.2
#      is expected to ensure that a ServerKeyExchange message is sent that uses
#      the sigalgs

#Test 1: Default sig algs should succeed
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;

SKIP: {
    skip "TLSv1.3 disabled", 6 if disabled("tls1_3");

    $proxy->filter(\&sigalgs_filter);

    #Test 2: Sending no sig algs extension in TLSv1.3 should fail
    $proxy->clear();
    $testtype = NO_SIG_ALGS_EXT;
    $proxy->start();
    ok(TLSProxy::Message->fail, "No TLSv1.3 sigalgs");

    #Test 3: Sending an empty sig algs extension in TLSv1.3 should fail
    $proxy->clear();
    $testtype = EMPTY_SIG_ALGS_EXT;
    $proxy->start();
    ok(TLSProxy::Message->fail, "Empty TLSv1.3 sigalgs");

    #Test 4: Sending a list with no recognised sig algs in TLSv1.3 should fail
    $proxy->clear();
    $testtype = NO_KNOWN_SIG_ALGS;
    $proxy->start();
    ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");

    #Test 5: Sending a sig algs list without pss for an RSA cert in TLSv1.3
    #        should fail
    $proxy->clear();
    $testtype = NO_PSS_SIG_ALGS;
    $proxy->start();
    ok(TLSProxy::Message->fail, "No PSS TLSv1.3 sigalgs");

    #Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed
    #TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS only
    #cert in this case?
    $proxy->clear();
    $testtype = PSS_ONLY_SIG_ALGS;
    $proxy->start();
    ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.3");

    #Test 7: Modify the CertificateVerify sigalg from rsa_pss_rsae_sha256 to
    #        rsa_pss_pss_sha256. This should fail because the public key OID
    #        in the certificate is rsaEncryption and not rsassaPss
    $proxy->filter(\&modify_cert_verify_sigalg);
    $proxy->clear();
    $proxy->start();
    ok(TLSProxy::Message->fail,
       "Mismatch between CertVerify sigalg and public key OID");
}

SKIP: {
    skip "EC or TLSv1.3 disabled", 1
        if disabled("tls1_3") || disabled("ec");
    #Test 8: Sending a valid sig algs list but not including a sig type that
    #        matches the certificate should fail in TLSv1.3.
    $proxy->clear();
    $proxy->clientflags("-sigalgs ECDSA+SHA256");
    $proxy->filter(undef);
    $proxy->start();
    ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs");
}

SKIP: {
    skip "EC, TLSv1.3 or TLSv1.2 disabled", 1
        if disabled("tls1_2") || disabled("tls1_3") || disabled("ec");

    #Test 9: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
    #        should succeed
    $proxy->clear();
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->filter(undef);
    $proxy->start();
    ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server");
}

SKIP: {
    skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec");

    $proxy->filter(\&sigalgs_filter);

    #Test 10: Sending no sig algs extension in TLSv1.2 should succeed at
    #         security level 1
    $proxy->clear();
    $testtype = NO_SIG_ALGS_EXT;
    $proxy->clientflags("-no_tls1_3 -cipher DEFAULT\@SECLEVEL=1");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA\@SECLEVEL=1");
    $proxy->start();
    ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1");

    #Test 11: Sending no sig algs extension in TLSv1.2 should fail at security
    #         level 2 since it will try to use SHA1. Testing client at level 1,
    #         server level 2.
    $proxy->clear();
    $testtype = NO_SIG_ALGS_EXT;
    $proxy->clientflags("-tls1_2 -cipher DEFAULT\@SECLEVEL=1");
    $proxy->ciphers("DEFAULT\@SECLEVEL=2");
    $proxy->start();
    ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2");

    #Test 12: Sending no sig algs extension in TLSv1.2 should fail at security
    #         level 2 since it will try to use SHA1. Testing client at level 2,
    #         server level 1.
    $proxy->clear();
    $testtype = NO_SIG_ALGS_EXT;
    $proxy->clientflags("-tls1_2 -cipher DEFAULT\@SECLEVEL=2");
    $proxy->ciphers("DEFAULT\@SECLEVEL=1");
    $proxy->start();
    ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");

    #Test 13: Sending an empty sig algs extension in TLSv1.2 should fail
    $proxy->clear();
    $testtype = EMPTY_SIG_ALGS_EXT;
    $proxy->clientflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");

    #Test 14: Sending a list with no recognised sig algs in TLSv1.2 should fail
    $proxy->clear();
    $testtype = NO_KNOWN_SIG_ALGS;
    $proxy->clientflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");

    #Test 15: Sending a sig algs list without pss for an RSA cert in TLSv1.2
    #         should succeed
    $proxy->clear();
    $testtype = NO_PSS_SIG_ALGS;
    $proxy->clientflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");

    #Test 16: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed
    $proxy->clear();
    $testtype = PSS_ONLY_SIG_ALGS;
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");

    #Test 17: Responding with a sig alg we did not send in TLSv1.2 should fail
    #         We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256
    #         TODO(TLS1.3): Add a similar test to the TLSv1.3 section above
    #         when we have an API capable of configuring the TLSv1.3 sig algs
    $proxy->clear();
    $testtype = PSS_ONLY_SIG_ALGS;
    $proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2");

    #Test 18: Sending a valid sig algs list but not including a sig type that
    #         matches the certificate should fail in TLSv1.2
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->filter(undef);
    $proxy->start();
    ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
    $proxy->filter(\&sigalgs_filter);

    #Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed
    $proxy->clear();
    $testtype = NO_SIG_ALGS_EXT;
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-cert " . srctop_file("test", "certs",
                                               "server-ecdsa-cert.pem") .
                        " -key " . srctop_file("test", "certs",
                                               "server-ecdsa-key.pem")),
    $proxy->ciphers("ECDHE-ECDSA-AES128-SHA");
    $proxy->start();
    ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
}

my ($dsa_status, $sha1_status, $sha224_status);
SKIP: {
    skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa");
    #Test 20: signature_algorithms with 1.3-only ClientHello
    $testtype = PURE_SIGALGS;
    $dsa_status = $sha1_status = $sha224_status = 0;
    $proxy->clear();
    $proxy->clientflags("-tls1_3");
    $proxy->filter(\&modify_sigalgs_filter);
    $proxy->start();
    ok($dsa_status && $sha1_status && $sha224_status,
       "DSA/SHA2 sigalg sent for 1.3-only ClientHello");

    #Test 21: signature_algorithms with backwards compatible ClientHello
    SKIP: {
        skip "TLSv1.2 disabled", 1 if disabled("tls1_2");
        $testtype = COMPAT_SIGALGS;
        $dsa_status = $sha1_status = $sha224_status = 0;
        $proxy->clear();
        $proxy->filter(\&modify_sigalgs_filter);
        $proxy->start();
        ok($dsa_status && $sha1_status && $sha224_status,
           "DSA sigalg not sent for compat ClientHello");
   }
}

SKIP: {
    skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
    #Test 22: Insert signature_algorithms_cert that match normal sigalgs
    $testtype = SIGALGS_CERT_ALL;
    $proxy->clear();
    $proxy->filter(\&modify_sigalgs_cert_filter);
    $proxy->start();
    ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3");

    #Test 23: Insert signature_algorithms_cert that forces PKCS#1 cert
    $testtype = SIGALGS_CERT_PKCS;
    $proxy->clear();
    $proxy->filter(\&modify_sigalgs_cert_filter);
    $proxy->start();
    ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3 with PKCS#1 cert");

    #Test 24: Insert signature_algorithms_cert that fails
    $testtype = SIGALGS_CERT_INVALID;
    $proxy->clear();
    $proxy->filter(\&modify_sigalgs_cert_filter);
    $proxy->start();
    ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
}

SKIP: {
    skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
    #Test 25: Send an unrecognized signature_algorithms_cert
    #        We should be able to skip over the unrecognized value and use a
    #        valid one that appears later in the list.
    $proxy->clear();
    $proxy->filter(\&inject_unrecognized_sigalg);
    $proxy->clientflags("-tls1_3");
    # Use -xcert to get SSL_check_chain() to run in the cert_cb.  This is
    # needed to trigger (e.g.) CVE-2020-1967
    $proxy->serverflags("" .
            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
    $testtype = UNRECOGNIZED_SIGALGS_CERT;
    $proxy->start();
    ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");

    #Test 26: Send an unrecognized signature_algorithms
    #        We should be able to skip over the unrecognized value and use a
    #        valid one that appears later in the list.
    $proxy->clear();
    $proxy->filter(\&inject_unrecognized_sigalg);
    $proxy->clientflags("-tls1_3");
    $proxy->serverflags("" .
            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
    $testtype = UNRECOGNIZED_SIGALG;
    $proxy->start();
    ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
}


sub sigalgs_filter
{
    my $proxy = shift;

    # We're only interested in the initial ClientHello
    if ($proxy->flight != 0) {
        return;
    }

    foreach my $message (@{$proxy->message_list}) {
        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
            if ($testtype == NO_SIG_ALGS_EXT) {
                $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
            } else {
                my $sigalg;
                if ($testtype == EMPTY_SIG_ALGS_EXT) {
                    $sigalg = pack "C2", 0x00, 0x00;
                } elsif ($testtype == NO_KNOWN_SIG_ALGS) {
                    $sigalg = pack "C4", 0x00, 0x02, 0xff, 0xff;
                } elsif ($testtype == NO_PSS_SIG_ALGS) {
                    #No PSS sig algs - just send rsa_pkcs1_sha256
                    $sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
                } else {
                    #PSS sig algs only - just send rsa_pss_rsae_sha256
                    $sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
                }
                $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg);
            }

            $message->repack();
        }
    }
}

sub modify_sigalgs_filter
{
    my $proxy = shift;

    # We're only interested in the initial ClientHello
    return if ($proxy->flight != 0);

    foreach my $message (@{$proxy->message_list}) {
        my $ext;
        my @algs;

        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
            if ($testtype == PURE_SIGALGS) {
                my $ok = 1;
                $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
                @algs = unpack('S>*', $ext);
                # unpack will unpack the length as well
                shift @algs;
                foreach (@algs) {
                    if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512
                        || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
                        || $_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
                        || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
                        $ok = 0;
                    }
                }
                $sha1_status = $dsa_status = $sha224_status = 1 if ($ok);
            } elsif ($testtype == COMPAT_SIGALGS) {
                $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
                @algs = unpack('S>*', $ext);
                # unpack will unpack the length as well
                shift @algs;
                foreach (@algs) {
                    if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512) {
                        $dsa_status = 1;
                    }
                    if ($_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
                        || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
                        $sha1_status = 1;
                    }
                    if ($_ == TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224
                        || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
                        || $_ == TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224) {
                        $sha224_status = 1;
                    }
                }
            }
        }
    }
}

sub modify_sigalgs_cert_filter
{
    my $proxy = shift;

    # We're only interested in the initial ClientHello
    if ($proxy->flight != 0) {
        return;
    }

    foreach my $message (@{$proxy->message_list}) {
        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
            my $sigs;
            # two byte length at front of sigs, then two-byte sigschemes
            if ($testtype == SIGALGS_CERT_ALL) {
                $sigs = pack "C26", 0x00, 0x18,
                             # rsa_pkcs_sha{256,512}  rsa_pss_rsae_sha{256,512}
                             0x04, 0x01,  0x06, 0x01,  0x08, 0x04,  0x08, 0x06,
                             # ed25518    ed448        rsa_pss_pss_sha{256,512}
                             0x08, 0x07,  0x08, 0x08,  0x08, 0x09,  0x08, 0x0b,
                             # ecdsa_secp{256,512}     rsa+sha1     ecdsa+sha1
                             0x04, 0x03,  0x06, 0x03,  0x02, 0x01,  0x02, 0x03;
            } elsif ($testtype == SIGALGS_CERT_PKCS) {
                $sigs = pack "C10", 0x00, 0x08,
                             # rsa_pkcs_sha{256,384,512,1}
                             0x04, 0x01,  0x05, 0x01,  0x06, 0x01,  0x02, 0x01;
            } elsif ($testtype == SIGALGS_CERT_INVALID) {
                $sigs = pack "C4", 0x00, 0x02,
                             # unregistered codepoint
                             0xb2, 0x6f;
            }
            $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
            $message->repack();
        }
    }
}

sub modify_cert_verify_sigalg
{
    my $proxy = shift;

    # We're only interested in the CertificateVerify
    if ($proxy->flight != 1) {
        return;
    }

    foreach my $message (@{$proxy->message_list}) {
        if ($message->mt == TLSProxy::Message::MT_CERTIFICATE_VERIFY) {
            $message->sigalg(TLSProxy::Message::SIG_ALG_RSA_PSS_PSS_SHA256);
            $message->repack();
        }
    }
}

sub inject_unrecognized_sigalg
{
    my $proxy = shift;
    my $type;

    # We're only interested in the initial ClientHello
    if ($proxy->flight != 0) {
        return;
    }
    if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
        $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
    } elsif ($testtype == UNRECOGNIZED_SIGALG) {
        $type = TLSProxy::Message::EXT_SIG_ALGS;
    } else {
        return;
    }

    my $ext = pack "C8",
        0x00, 0x06, #Extension length
        0xfe, 0x18, #private use
        0x04, 0x01, #rsa_pkcs1_sha256
        0x08, 0x04; #rsa_pss_rsae_sha256;
    my $message = ${$proxy->message_list}[0];
    $message->set_extension($type, $ext);
    $message->repack;
}
Commit	Line	Data
6f68a52e	1	#! /usr/bin/env perl
33388b44	2	# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
6f68a52e	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
6f68a52e MC	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
	11	use OpenSSL::Test::Utils;
	12	use TLSProxy::Proxy;
	13
	14	my $test_name = "test_sslsigalgs";
	15	setup($test_name);
	16
	17	plan skip_all => "TLSProxy isn't usable on $^O"
c5856878	18	if $^O =~ /^(VMS)$/;
6f68a52e MC	19
	20	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	21	if disabled("engine") \|\| disabled("dynamic-engine");
	22
	23	plan skip_all => "$test_name needs the sock feature enabled"
	24	if disabled("sock");
	25
	26	plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled"
	27	if disabled("tls1_2") && disabled("tls1_3");
	28
	29	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
	30	my $proxy = TLSProxy::Proxy->new(
	31	undef,
	32	cmdstr(app(["openssl"]), display => 1),
	33	srctop_file("apps", "server.pem"),
	34	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	35	);
	36
	37	use constant {
	38	NO_SIG_ALGS_EXT => 0,
	39	EMPTY_SIG_ALGS_EXT => 1,
	40	NO_KNOWN_SIG_ALGS => 2,
	41	NO_PSS_SIG_ALGS => 3,
05594f4a BK	42	PSS_ONLY_SIG_ALGS => 4,
05594f4a BK	43	PURE_SIGALGS => 5,
3e524bf2 BK	44	COMPAT_SIGALGS => 6,
	45	SIGALGS_CERT_ALL => 7,
	46	SIGALGS_CERT_PKCS => 8,
3656c08a BK	47	SIGALGS_CERT_INVALID => 9,
	48	UNRECOGNIZED_SIGALGS_CERT => 10,
	49	UNRECOGNIZED_SIGALG => 11
6f68a52e MC	50	};
6f68a52e MC	51
cd61b55f MC	52	#Note: Throughout this test we override the default ciphersuites where TLSv1.2
	53	# is expected to ensure that a ServerKeyExchange message is sent that uses
	54	# the sigalgs
	55
6f68a52e MC	56	#Test 1: Default sig algs should succeed
6f68a52e MC	57	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
3656c08a	58	plan tests => 26;
6f68a52e MC	59	ok(TLSProxy::Message->success, "Default sigalgs");
	60	my $testtype;
	61
	62	SKIP: {
9e6a3202	63	skip "TLSv1.3 disabled", 6 if disabled("tls1_3");
6f68a52e MC	64
	65	$proxy->filter(\&sigalgs_filter);
	66
	67	#Test 2: Sending no sig algs extension in TLSv1.3 should fail
	68	$proxy->clear();
	69	$testtype = NO_SIG_ALGS_EXT;
	70	$proxy->start();
	71	ok(TLSProxy::Message->fail, "No TLSv1.3 sigalgs");
	72
	73	#Test 3: Sending an empty sig algs extension in TLSv1.3 should fail
	74	$proxy->clear();
	75	$testtype = EMPTY_SIG_ALGS_EXT;
	76	$proxy->start();
	77	ok(TLSProxy::Message->fail, "Empty TLSv1.3 sigalgs");
	78
	79	#Test 4: Sending a list with no recognised sig algs in TLSv1.3 should fail
	80	$proxy->clear();
	81	$testtype = NO_KNOWN_SIG_ALGS;
	82	$proxy->start();
	83	ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
	84
	85	#Test 5: Sending a sig algs list without pss for an RSA cert in TLSv1.3
	86	# should fail
	87	$proxy->clear();
	88	$testtype = NO_PSS_SIG_ALGS;
	89	$proxy->start();
	90	ok(TLSProxy::Message->fail, "No PSS TLSv1.3 sigalgs");
	91
	92	#Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed
	93	#TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS only
	94	#cert in this case?
	95	$proxy->clear();
	96	$testtype = PSS_ONLY_SIG_ALGS;
	97	$proxy->start();
	98	ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.3");
9e6a3202 MC	99
	100	#Test 7: Modify the CertificateVerify sigalg from rsa_pss_rsae_sha256 to
	101	# rsa_pss_pss_sha256. This should fail because the public key OID
	102	# in the certificate is rsaEncryption and not rsassaPss
	103	$proxy->filter(\&modify_cert_verify_sigalg);
	104	$proxy->clear();
	105	$proxy->start();
	106	ok(TLSProxy::Message->fail,
	107	"Mismatch between CertVerify sigalg and public key OID");
6f68a52e MC	108	}
	109
	110	SKIP: {
0e1e4045 BK	111	skip "EC or TLSv1.3 disabled", 1
0e1e4045 BK	112	if disabled("tls1_3") \|\| disabled("ec");
9e6a3202	113	#Test 8: Sending a valid sig algs list but not including a sig type that
0e1e4045	114	# matches the certificate should fail in TLSv1.3.
6f68a52e MC	115	$proxy->clear();
	116	$proxy->clientflags("-sigalgs ECDSA+SHA256");
	117	$proxy->filter(undef);
	118	$proxy->start();
	119	ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs");
0e1e4045 BK	120	}
	121
	122	SKIP: {
	123	skip "EC, TLSv1.3 or TLSv1.2 disabled", 1
	124	if disabled("tls1_2") \|\| disabled("tls1_3") \|\| disabled("ec");
6f68a52e	125
9e6a3202	126	#Test 9: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
6f68a52e MC	127	# should succeed
	128	$proxy->clear();
	129	$proxy->serverflags("-no_tls1_3");
f865b081	130	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
6f68a52e MC	131	$proxy->filter(undef);
	132	$proxy->start();
	133	ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server");
	134	}
	135
	136	SKIP: {
b0031e5d	137	skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") \|\| disabled("ec");
6f68a52e MC	138
	139	$proxy->filter(\&sigalgs_filter);
	140
b0031e5d KR	141	#Test 10: Sending no sig algs extension in TLSv1.2 should succeed at
b0031e5d KR	142	# security level 1
6f68a52e MC	143	$proxy->clear();
6f68a52e MC	144	$testtype = NO_SIG_ALGS_EXT;
b0031e5d KR	145	$proxy->clientflags("-no_tls1_3 -cipher DEFAULT\@SECLEVEL=1");
	146	$proxy->ciphers("ECDHE-RSA-AES128-SHA\@SECLEVEL=1");
	147	$proxy->start();
	148	ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1");
	149
	150	#Test 11: Sending no sig algs extension in TLSv1.2 should fail at security
	151	# level 2 since it will try to use SHA1. Testing client at level 1,
	152	# server level 2.
	153	$proxy->clear();
	154	$testtype = NO_SIG_ALGS_EXT;
	155	$proxy->clientflags("-tls1_2 -cipher DEFAULT\@SECLEVEL=1");
	156	$proxy->ciphers("DEFAULT\@SECLEVEL=2");
	157	$proxy->start();
	158	ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2");
	159
	160	#Test 12: Sending no sig algs extension in TLSv1.2 should fail at security
	161	# level 2 since it will try to use SHA1. Testing client at level 2,
	162	# server level 1.
	163	$proxy->clear();
	164	$testtype = NO_SIG_ALGS_EXT;
	165	$proxy->clientflags("-tls1_2 -cipher DEFAULT\@SECLEVEL=2");
	166	$proxy->ciphers("DEFAULT\@SECLEVEL=1");
6f68a52e	167	$proxy->start();
b0031e5d	168	ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");
6f68a52e	169
b0031e5d	170	#Test 13: Sending an empty sig algs extension in TLSv1.2 should fail
6f68a52e MC	171	$proxy->clear();
	172	$testtype = EMPTY_SIG_ALGS_EXT;
	173	$proxy->clientflags("-no_tls1_3");
f865b081	174	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
6f68a52e MC	175	$proxy->start();
	176	ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");
	177
b0031e5d	178	#Test 14: Sending a list with no recognised sig algs in TLSv1.2 should fail
6f68a52e MC	179	$proxy->clear();
	180	$testtype = NO_KNOWN_SIG_ALGS;
	181	$proxy->clientflags("-no_tls1_3");
f865b081	182	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
6f68a52e MC	183	$proxy->start();
	184	ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
	185
b0031e5d	186	#Test 15: Sending a sig algs list without pss for an RSA cert in TLSv1.2
6f68a52e MC	187	# should succeed
	188	$proxy->clear();
	189	$testtype = NO_PSS_SIG_ALGS;
	190	$proxy->clientflags("-no_tls1_3");
f865b081	191	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
6f68a52e MC	192	$proxy->start();
	193	ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");
	194
b0031e5d	195	#Test 16: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed
6f68a52e MC	196	$proxy->clear();
6f68a52e MC	197	$testtype = PSS_ONLY_SIG_ALGS;
fe3066ee	198	$proxy->serverflags("-no_tls1_3");
f865b081	199	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
6f68a52e	200	$proxy->start();
fe3066ee	201	ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
6f68a52e	202
b0031e5d	203	#Test 17: Responding with a sig alg we did not send in TLSv1.2 should fail
cf8e9233	204	# We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256
cd61b55f MC	205	# TODO(TLS1.3): Add a similar test to the TLSv1.3 section above
	206	# when we have an API capable of configuring the TLSv1.3 sig algs
	207	$proxy->clear();
	208	$testtype = PSS_ONLY_SIG_ALGS;
	209	$proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256");
f865b081	210	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
cd61b55f MC	211	$proxy->start();
	212	ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2");
	213
b0031e5d	214	#Test 18: Sending a valid sig algs list but not including a sig type that
6f68a52e MC	215	# matches the certificate should fail in TLSv1.2
	216	$proxy->clear();
	217	$proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
f865b081	218	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
6f68a52e MC	219	$proxy->filter(undef);
	220	$proxy->start();
	221	ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
	222	$proxy->filter(\&sigalgs_filter);
faadddc9	223
b0031e5d	224	#Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed
faadddc9 DSH	225	$proxy->clear();
	226	$testtype = NO_SIG_ALGS_EXT;
	227	$proxy->clientflags("-no_tls1_3");
	228	$proxy->serverflags("-cert " . srctop_file("test", "certs",
	229	"server-ecdsa-cert.pem") .
	230	" -key " . srctop_file("test", "certs",
	231	"server-ecdsa-key.pem")),
f865b081	232	$proxy->ciphers("ECDHE-ECDSA-AES128-SHA");
faadddc9 DSH	233	$proxy->start();
faadddc9 DSH	234	ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
6f68a52e MC	235	}
6f68a52e MC	236
05594f4a BK	237	my ($dsa_status, $sha1_status, $sha224_status);
	238	SKIP: {
	239	skip "TLSv1.3 disabled", 2 if disabled("tls1_3") \|\| disabled("dsa");
b0031e5d	240	#Test 20: signature_algorithms with 1.3-only ClientHello
05594f4a BK	241	$testtype = PURE_SIGALGS;
	242	$dsa_status = $sha1_status = $sha224_status = 0;
	243	$proxy->clear();
	244	$proxy->clientflags("-tls1_3");
	245	$proxy->filter(\&modify_sigalgs_filter);
	246	$proxy->start();
	247	ok($dsa_status && $sha1_status && $sha224_status,
	248	"DSA/SHA2 sigalg sent for 1.3-only ClientHello");
	249
b0031e5d	250	#Test 21: signature_algorithms with backwards compatible ClientHello
c423ecaa MC	251	SKIP: {
	252	skip "TLSv1.2 disabled", 1 if disabled("tls1_2");
	253	$testtype = COMPAT_SIGALGS;
	254	$dsa_status = $sha1_status = $sha224_status = 0;
	255	$proxy->clear();
	256	$proxy->filter(\&modify_sigalgs_filter);
	257	$proxy->start();
	258	ok($dsa_status && $sha1_status && $sha224_status,
	259	"DSA sigalg not sent for compat ClientHello");
	260	}
05594f4a BK	261	}
05594f4a BK	262
3e524bf2 BK	263	SKIP: {
3e524bf2 BK	264	skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
b0031e5d	265	#Test 22: Insert signature_algorithms_cert that match normal sigalgs
3e524bf2 BK	266	$testtype = SIGALGS_CERT_ALL;
	267	$proxy->clear();
	268	$proxy->filter(\&modify_sigalgs_cert_filter);
	269	$proxy->start();
	270	ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3");
	271
b0031e5d	272	#Test 23: Insert signature_algorithms_cert that forces PKCS#1 cert
3e524bf2 BK	273	$testtype = SIGALGS_CERT_PKCS;
	274	$proxy->clear();
	275	$proxy->filter(\&modify_sigalgs_cert_filter);
	276	$proxy->start();
	277	ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3 with PKCS#1 cert");
	278
b0031e5d	279	#Test 24: Insert signature_algorithms_cert that fails
3e524bf2 BK	280	$testtype = SIGALGS_CERT_INVALID;
	281	$proxy->clear();
	282	$proxy->filter(\&modify_sigalgs_cert_filter);
	283	$proxy->start();
	284	ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
	285	}
	286
3656c08a BK	287	SKIP: {
	288	skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
	289	#Test 25: Send an unrecognized signature_algorithms_cert
	290	# We should be able to skip over the unrecognized value and use a
	291	# valid one that appears later in the list.
	292	$proxy->clear();
	293	$proxy->filter(\&inject_unrecognized_sigalg);
	294	$proxy->clientflags("-tls1_3");
	295	# Use -xcert to get SSL_check_chain() to run in the cert_cb. This is
	296	# needed to trigger (e.g.) CVE-2020-1967
	297	$proxy->serverflags("" .
	298	" -xcert " . srctop_file("test", "certs", "servercert.pem") .
	299	" -xkey " . srctop_file("test", "certs", "serverkey.pem") .
	300	" -xchain " . srctop_file("test", "certs", "rootcert.pem"));
	301	$testtype = UNRECOGNIZED_SIGALGS_CERT;
	302	$proxy->start();
	303	ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");
	304
	305	#Test 26: Send an unrecognized signature_algorithms
	306	# We should be able to skip over the unrecognized value and use a
	307	# valid one that appears later in the list.
	308	$proxy->clear();
	309	$proxy->filter(\&inject_unrecognized_sigalg);
	310	$proxy->clientflags("-tls1_3");
	311	$proxy->serverflags("" .
	312	" -xcert " . srctop_file("test", "certs", "servercert.pem") .
	313	" -xkey " . srctop_file("test", "certs", "serverkey.pem") .
	314	" -xchain " . srctop_file("test", "certs", "rootcert.pem"));
	315	$testtype = UNRECOGNIZED_SIGALG;
	316	$proxy->start();
	317	ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
	318	}
	319
6f68a52e MC	320
	321
	322	sub sigalgs_filter
	323	{
	324	my $proxy = shift;
	325
	326	# We're only interested in the initial ClientHello
	327	if ($proxy->flight != 0) {
	328	return;
	329	}
	330
	331	foreach my $message (@{$proxy->message_list}) {
	332	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
	333	if ($testtype == NO_SIG_ALGS_EXT) {
	334	$message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
	335	} else {
	336	my $sigalg;
	337	if ($testtype == EMPTY_SIG_ALGS_EXT) {
	338	$sigalg = pack "C2", 0x00, 0x00;
	339	} elsif ($testtype == NO_KNOWN_SIG_ALGS) {
	340	$sigalg = pack "C4", 0x00, 0x02, 0xff, 0xff;
	341	} elsif ($testtype == NO_PSS_SIG_ALGS) {
	342	#No PSS sig algs - just send rsa_pkcs1_sha256
	343	$sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
	344	} else {
f55e99f7	345	#PSS sig algs only - just send rsa_pss_rsae_sha256
6f68a52e MC	346	$sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
	347	}
	348	$message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg);
	349	}
	350
	351	$message->repack();
	352	}
	353	}
	354	}
05594f4a BK	355
	356	sub modify_sigalgs_filter
	357	{
	358	my $proxy = shift;
	359
	360	# We're only interested in the initial ClientHello
	361	return if ($proxy->flight != 0);
	362
	363	foreach my $message (@{$proxy->message_list}) {
	364	my $ext;
	365	my @algs;
	366
	367	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
	368	if ($testtype == PURE_SIGALGS) {
	369	my $ok = 1;
	370	$ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
	371	@algs = unpack('S>*', $ext);
	372	# unpack will unpack the length as well
	373	shift @algs;
	374	foreach (@algs) {
	375	if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
	376	\|\| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
	377	\|\| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512
	378	\|\| $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
	379	\|\| $_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
	380	\|\| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
	381	\|\| $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
	382	$ok = 0;
	383	}
	384	}
	385	$sha1_status = $dsa_status = $sha224_status = 1 if ($ok);
	386	} elsif ($testtype == COMPAT_SIGALGS) {
	387	$ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
	388	@algs = unpack('S>*', $ext);
	389	# unpack will unpack the length as well
	390	shift @algs;
	391	foreach (@algs) {
	392	if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
	393	\|\| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
	394	\|\| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512) {
	395	$dsa_status = 1;
	396	}
	397	if ($_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
	398	\|\| $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
	399	\|\| $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
	400	$sha1_status = 1;
	401	}
	402	if ($_ == TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224
	403	\|\| $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
	404	\|\| $_ == TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224) {
	405	$sha224_status = 1;
	406	}
	407	}
	408	}
	409	}
	410	}
	411	}
3e524bf2 BK	412
	413	sub modify_sigalgs_cert_filter
	414	{
	415	my $proxy = shift;
	416
	417	# We're only interested in the initial ClientHello
	418	if ($proxy->flight != 0) {
	419	return;
	420	}
	421
	422	foreach my $message (@{$proxy->message_list}) {
	423	if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
	424	my $sigs;
	425	# two byte length at front of sigs, then two-byte sigschemes
	426	if ($testtype == SIGALGS_CERT_ALL) {
	427	$sigs = pack "C26", 0x00, 0x18,
	428	# rsa_pkcs_sha{256,512} rsa_pss_rsae_sha{256,512}
	429	0x04, 0x01, 0x06, 0x01, 0x08, 0x04, 0x08, 0x06,
	430	# ed25518 ed448 rsa_pss_pss_sha{256,512}
	431	0x08, 0x07, 0x08, 0x08, 0x08, 0x09, 0x08, 0x0b,
	432	# ecdsa_secp{256,512} rsa+sha1 ecdsa+sha1
	433	0x04, 0x03, 0x06, 0x03, 0x02, 0x01, 0x02, 0x03;
	434	} elsif ($testtype == SIGALGS_CERT_PKCS) {
	435	$sigs = pack "C10", 0x00, 0x08,
	436	# rsa_pkcs_sha{256,384,512,1}
	437	0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01;
	438	} elsif ($testtype == SIGALGS_CERT_INVALID) {
	439	$sigs = pack "C4", 0x00, 0x02,
	440	# unregistered codepoint
	441	0xb2, 0x6f;
	442	}
	443	$message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
	444	$message->repack();
	445	}
	446	}
	447	}
9e6a3202 MC	448
	449	sub modify_cert_verify_sigalg
	450	{
	451	my $proxy = shift;
	452
	453	# We're only interested in the CertificateVerify
	454	if ($proxy->flight != 1) {
	455	return;
	456	}
	457
	458	foreach my $message (@{$proxy->message_list}) {
	459	if ($message->mt == TLSProxy::Message::MT_CERTIFICATE_VERIFY) {
	460	$message->sigalg(TLSProxy::Message::SIG_ALG_RSA_PSS_PSS_SHA256);
	461	$message->repack();
	462	}
	463	}
	464	}
3656c08a BK	465
	466	sub inject_unrecognized_sigalg
	467	{
	468	my $proxy = shift;
	469	my $type;
	470
	471	# We're only interested in the initial ClientHello
	472	if ($proxy->flight != 0) {
	473	return;
	474	}
	475	if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
	476	$type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
	477	} elsif ($testtype == UNRECOGNIZED_SIGALG) {
	478	$type = TLSProxy::Message::EXT_SIG_ALGS;
	479	} else {
	480	return;
	481	}
	482
	483	my $ext = pack "C8",
	484	0x00, 0x06, #Extension length
	485	0xfe, 0x18, #private use
	486	0x04, 0x01, #rsa_pkcs1_sha256
	487	0x08, 0x04; #rsa_pss_rsae_sha256;
	488	my $message = ${$proxy->message_list}[0];
	489	$message->set_extension($type, $ext);
	490	$message->repack;
	491	}