]>
Commit | Line | Data |
---|---|---|
717afd93 | 1 | #! /usr/bin/env perl |
6738bf14 | 2 | # Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. |
717afd93 | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
717afd93 MC |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/; | |
11 | use OpenSSL::Test::Utils; | |
12 | use File::Temp qw(tempfile); | |
13 | use TLSProxy::Proxy; | |
14 | ||
15 | my $test_name = "test_tls13psk"; | |
16 | setup($test_name); | |
17 | ||
18 | plan skip_all => "TLSProxy isn't usable on $^O" | |
c5856878 | 19 | if $^O =~ /^(VMS)$/; |
717afd93 MC |
20 | |
21 | plan skip_all => "$test_name needs the dynamic engine feature enabled" | |
22 | if disabled("engine") || disabled("dynamic-engine"); | |
23 | ||
24 | plan skip_all => "$test_name needs the sock feature enabled" | |
25 | if disabled("sock"); | |
26 | ||
27 | plan skip_all => "$test_name needs TLSv1.3 enabled" | |
28 | if disabled("tls1_3"); | |
29 | ||
30 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; | |
433deaff | 31 | $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf"); |
717afd93 MC |
32 | |
33 | my $proxy = TLSProxy::Proxy->new( | |
34 | undef, | |
35 | cmdstr(app(["openssl"]), display => 1), | |
36 | srctop_file("apps", "server.pem"), | |
37 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
38 | ); | |
39 | ||
807551ac MC |
40 | use constant { |
41 | PSK_LAST_FIRST_CH => 0, | |
42 | ILLEGAL_EXT_SECOND_CH => 1 | |
43 | }; | |
44 | ||
964f2788 MC |
45 | #Most PSK tests are done in test_ssl_new. This tests various failure scenarios |
46 | #around PSK | |
717afd93 MC |
47 | |
48 | #Test 1: First get a session | |
49 | (undef, my $session) = tempfile(); | |
50 | $proxy->clientflags("-sess_out ".$session); | |
db919b1e | 51 | $proxy->serverflags("-servername localhost"); |
717afd93 MC |
52 | $proxy->sessionfile($session); |
53 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; | |
964f2788 | 54 | plan tests => 5; |
717afd93 MC |
55 | ok(TLSProxy::Message->success(), "Initial connection"); |
56 | ||
57 | #Test 2: Attempt a resume with PSK not in last place. Should fail | |
58 | $proxy->clear(); | |
59 | $proxy->clientflags("-sess_in ".$session); | |
60 | $proxy->filter(\&modify_psk_filter); | |
807551ac | 61 | my $testtype = PSK_LAST_FIRST_CH; |
717afd93 MC |
62 | $proxy->start(); |
63 | ok(TLSProxy::Message->fail(), "PSK not last"); | |
64 | ||
807551ac | 65 | #Test 3: Attempt a resume after an HRR where PSK hash matches selected |
dd07e68b | 66 | # ciphersuite. Should see PSK on second ClientHello |
807551ac MC |
67 | $proxy->clear(); |
68 | $proxy->clientflags("-sess_in ".$session); | |
dbc6268f MC |
69 | if (disabled("ec")) { |
70 | $proxy->serverflags("-curves ffdhe3072"); | |
71 | } else { | |
72 | $proxy->serverflags("-curves P-256"); | |
73 | } | |
807551ac MC |
74 | $proxy->filter(undef); |
75 | $proxy->start(); | |
76 | #Check if the PSK is present in the second ClientHello | |
77 | my $ch2 = ${$proxy->message_list}[2]; | |
78 | my $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO; | |
79 | my $pskseen = $ch2seen | |
80 | && defined ${$ch2->{extension_data}}{TLSProxy::Message::EXT_PSK}; | |
81 | ok($pskseen, "PSK hash matches"); | |
82 | ||
83 | #Test 4: Attempt a resume after an HRR where PSK hash does not match selected | |
84 | # ciphersuite. Should not see PSK on second ClientHello | |
85 | $proxy->clear(); | |
86 | $proxy->clientflags("-sess_in ".$session); | |
87 | $proxy->filter(\&modify_psk_filter); | |
dbc6268f MC |
88 | if (disabled("ec")) { |
89 | $proxy->serverflags("-curves ffdhe3072"); | |
90 | } else { | |
91 | $proxy->serverflags("-curves P-256"); | |
92 | } | |
f865b081 MC |
93 | $proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); |
94 | $proxy->ciphersuitess("TLS_AES_256_GCM_SHA384"); | |
807551ac | 95 | #We force an early failure because TLS Proxy doesn't actually support |
f865b081 | 96 | #TLS_AES_256_GCM_SHA384. That doesn't matter for this test though. |
807551ac MC |
97 | $testtype = ILLEGAL_EXT_SECOND_CH; |
98 | $proxy->start(); | |
99 | #Check if the PSK is present in the second ClientHello | |
100 | $ch2 = ${$proxy->message_list}[2]; | |
101 | $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO; | |
102 | $pskseen = $ch2seen | |
103 | && defined ${$ch2->extension_data}{TLSProxy::Message::EXT_PSK}; | |
104 | ok($ch2seen && !$pskseen, "PSK hash does not match"); | |
105 | ||
964f2788 MC |
106 | #Test 5: Attempt a resume without a sig agls extension. Should succeed because |
107 | # sig algs is not needed in a resumption. | |
108 | $proxy->clear(); | |
109 | $proxy->clientflags("-sess_in ".$session); | |
110 | $proxy->filter(\&remove_sig_algs_filter); | |
111 | $proxy->start(); | |
112 | ok(TLSProxy::Message->success(), "Remove sig algs"); | |
807551ac | 113 | |
717afd93 MC |
114 | unlink $session; |
115 | ||
116 | sub modify_psk_filter | |
117 | { | |
118 | my $proxy = shift; | |
807551ac MC |
119 | my $flight; |
120 | my $message; | |
121 | ||
122 | if ($testtype == PSK_LAST_FIRST_CH) { | |
123 | $flight = 0; | |
124 | } else { | |
125 | $flight = 2; | |
126 | } | |
127 | ||
128 | # Only look at the first or second ClientHello | |
129 | return if $proxy->flight != $flight; | |
130 | ||
131 | if ($testtype == PSK_LAST_FIRST_CH) { | |
132 | $message = ${$proxy->message_list}[0]; | |
133 | } else { | |
134 | $message = ${$proxy->message_list}[2]; | |
135 | } | |
717afd93 | 136 | |
807551ac MC |
137 | return if (!defined $message |
138 | || $message->mt != TLSProxy::Message::MT_CLIENT_HELLO); | |
717afd93 | 139 | |
807551ac MC |
140 | if ($testtype == PSK_LAST_FIRST_CH) { |
141 | $message->set_extension(TLSProxy::Message::EXT_FORCE_LAST, ""); | |
142 | } else { | |
143 | #Deliberately break the connection | |
144 | $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_GROUPS, ""); | |
717afd93 | 145 | } |
807551ac | 146 | $message->repack(); |
717afd93 | 147 | } |
964f2788 MC |
148 | |
149 | sub remove_sig_algs_filter | |
150 | { | |
151 | my $proxy = shift; | |
152 | my $message; | |
153 | ||
154 | # Only look at the first ClientHello | |
155 | return if $proxy->flight != 0; | |
156 | ||
157 | $message = ${$proxy->message_list}[0]; | |
158 | $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS); | |
159 | $message->repack(); | |
160 | } |