]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
a28d06f3 | 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. |
42a8b3f9 | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
42a8b3f9 DSH |
8 | |
9 | use strict; | |
42e0ccdf | 10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; |
3f22ed2f | 11 | use OpenSSL::Test::Utils; |
42a8b3f9 DSH |
12 | use TLSProxy::Proxy; |
13 | use File::Temp qw(tempfile); | |
14 | ||
15 | my $test_name = "test_tlsextms"; | |
16 | setup($test_name); | |
17 | ||
60f9f1e1 | 18 | plan skip_all => "TLSProxy isn't usable on $^O" |
c5856878 | 19 | if $^O =~ /^(VMS)$/; |
60f9f1e1 | 20 | |
2dd400bd | 21 | plan skip_all => "$test_name needs the dynamic engine feature enabled" |
19ab5790 | 22 | if disabled("engine") || disabled("dynamic-engine"); |
42a8b3f9 | 23 | |
f9e55034 MC |
24 | plan skip_all => "$test_name needs the sock feature enabled" |
25 | if disabled("sock"); | |
26 | ||
0f1e51ea MC |
27 | plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled" |
28 | if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2"); | |
b273fcc5 | 29 | |
42a8b3f9 DSH |
30 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; |
31 | ||
32 | sub checkmessages($$$$$); | |
33 | sub setrmextms($$); | |
34 | sub clearall(); | |
35 | ||
36 | my $crmextms = 0; | |
37 | my $srmextms = 0; | |
38 | my $cextms = 0; | |
39 | my $sextms = 0; | |
40 | my $fullhand = 0; | |
41 | ||
42 | my $proxy = TLSProxy::Proxy->new( | |
43 | \&extms_filter, | |
25c78440 | 44 | cmdstr(app(["openssl"]), display => 1), |
42e0ccdf | 45 | srctop_file("apps", "server.pem"), |
b44b935e | 46 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) |
42a8b3f9 DSH |
47 | ); |
48 | ||
0f1e51ea MC |
49 | #Note that EXTMS is only relevant for <TLS1.3 |
50 | ||
42a8b3f9 DSH |
51 | #Test 1: By default server and client should send extended master secret |
52 | # extension. | |
53 | #Expected result: ClientHello extension seen; ServerHello extension seen | |
54 | # Full handshake | |
55 | ||
56 | setrmextms(0, 0); | |
0f1e51ea | 57 | $proxy->clientflags("-no_tls1_3"); |
b02b5743 | 58 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; |
a763ca11 | 59 | plan tests => 10; |
42a8b3f9 DSH |
60 | checkmessages(1, "Default extended master secret test", 1, 1, 1); |
61 | ||
62 | #Test 2: If client omits extended master secret extension, server should too. | |
63 | #Expected result: ClientHello extension not seen; ServerHello extension not seen | |
64 | # Full handshake | |
65 | ||
66 | clearall(); | |
67 | setrmextms(1, 0); | |
0f1e51ea | 68 | $proxy->clientflags("-no_tls1_3"); |
42a8b3f9 DSH |
69 | $proxy->start(); |
70 | checkmessages(2, "No client extension extended master secret test", 0, 0, 1); | |
71 | ||
72 | # Test 3: same as 1 but with session tickets disabled. | |
73 | # Expected result: same as test 1. | |
74 | ||
75 | clearall(); | |
0f1e51ea | 76 | $proxy->clientflags("-no_ticket -no_tls1_3"); |
42a8b3f9 DSH |
77 | setrmextms(0, 0); |
78 | $proxy->start(); | |
79 | checkmessages(3, "No ticket extended master secret test", 1, 1, 1); | |
80 | ||
81 | # Test 4: same as 2 but with session tickets disabled. | |
82 | # Expected result: same as test 2. | |
83 | ||
84 | clearall(); | |
0f1e51ea | 85 | $proxy->clientflags("-no_ticket -no_tls1_3"); |
42a8b3f9 DSH |
86 | setrmextms(1, 0); |
87 | $proxy->start(); | |
0f1e51ea | 88 | checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1); |
42a8b3f9 DSH |
89 | |
90 | #Test 5: Session resumption extended master secret test | |
91 | # | |
92 | #Expected result: ClientHello extension seen; ServerHello extension seen | |
93 | # Abbreviated handshake | |
94 | ||
95 | clearall(); | |
96 | setrmextms(0, 0); | |
b38c43f7 | 97 | (undef, my $session) = tempfile(); |
42a8b3f9 | 98 | $proxy->serverconnects(2); |
0f1e51ea | 99 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
42a8b3f9 | 100 | $proxy->start(); |
5427976d | 101 | $proxy->clearClient(); |
0f1e51ea | 102 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
42a8b3f9 DSH |
103 | $proxy->clientstart(); |
104 | checkmessages(5, "Session resumption extended master secret test", 1, 1, 0); | |
b38c43f7 | 105 | unlink $session; |
42a8b3f9 | 106 | |
b6453a68 | 107 | #Test 6: Session resumption extended master secret test original session |
42a8b3f9 DSH |
108 | # omits extension. Server must not resume session. |
109 | #Expected result: ClientHello extension seen; ServerHello extension seen | |
110 | # Full handshake | |
111 | ||
112 | clearall(); | |
113 | setrmextms(1, 0); | |
b38c43f7 | 114 | (undef, $session) = tempfile(); |
42a8b3f9 | 115 | $proxy->serverconnects(2); |
0f1e51ea | 116 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
42a8b3f9 | 117 | $proxy->start(); |
5427976d | 118 | $proxy->clearClient(); |
0f1e51ea | 119 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
42a8b3f9 DSH |
120 | setrmextms(0, 0); |
121 | $proxy->clientstart(); | |
122 | checkmessages(6, "Session resumption extended master secret test", 1, 1, 1); | |
b38c43f7 | 123 | unlink $session; |
42a8b3f9 DSH |
124 | |
125 | #Test 7: Session resumption extended master secret test resumed session | |
126 | # omits client extension. Server must abort connection. | |
127 | #Expected result: aborted connection. | |
128 | ||
129 | clearall(); | |
130 | setrmextms(0, 0); | |
b38c43f7 | 131 | (undef, $session) = tempfile(); |
42a8b3f9 | 132 | $proxy->serverconnects(2); |
0f1e51ea | 133 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
42a8b3f9 | 134 | $proxy->start(); |
5427976d | 135 | $proxy->clearClient(); |
0f1e51ea | 136 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
42a8b3f9 DSH |
137 | setrmextms(1, 0); |
138 | $proxy->clientstart(); | |
b6453a68 | 139 | ok(TLSProxy::Message->fail(), "Client inconsistent session resumption"); |
b38c43f7 | 140 | unlink $session; |
42a8b3f9 DSH |
141 | |
142 | #Test 8: Session resumption extended master secret test resumed session | |
143 | # omits server extension. Client must abort connection. | |
144 | #Expected result: aborted connection. | |
145 | ||
146 | clearall(); | |
147 | setrmextms(0, 0); | |
b38c43f7 | 148 | (undef, $session) = tempfile(); |
42a8b3f9 | 149 | $proxy->serverconnects(2); |
0f1e51ea | 150 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
42a8b3f9 | 151 | $proxy->start(); |
5427976d | 152 | $proxy->clearClient(); |
0f1e51ea | 153 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
42a8b3f9 DSH |
154 | setrmextms(0, 1); |
155 | $proxy->clientstart(); | |
156 | ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1"); | |
b38c43f7 | 157 | unlink $session; |
42a8b3f9 DSH |
158 | |
159 | #Test 9: Session resumption extended master secret test initial session | |
160 | # omits server extension. Client must abort connection. | |
161 | #Expected result: aborted connection. | |
162 | ||
163 | clearall(); | |
164 | setrmextms(0, 1); | |
b38c43f7 | 165 | (undef, $session) = tempfile(); |
42a8b3f9 | 166 | $proxy->serverconnects(2); |
0f1e51ea | 167 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
42a8b3f9 | 168 | $proxy->start(); |
5427976d | 169 | $proxy->clearClient(); |
0f1e51ea | 170 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
42a8b3f9 DSH |
171 | setrmextms(0, 0); |
172 | $proxy->clientstart(); | |
173 | ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2"); | |
b38c43f7 | 174 | unlink $session; |
42a8b3f9 | 175 | |
a763ca11 MC |
176 | SKIP: { |
177 | skip "TLS 1.3 disabled", 1 | |
178 | if disabled("tls1_3") || (disabled("ec") && disabled("dh")); | |
179 | ||
180 | #Test 10: In TLS1.3 we should not negotiate extended master secret | |
181 | #Expected result: ClientHello extension seen; ServerHello extension not seen | |
182 | # TLS1.3 handshake (will appear as abbreviated handshake | |
183 | # because of no CKE message) | |
0f1e51ea MC |
184 | clearall(); |
185 | setrmextms(0, 0); | |
186 | $proxy->start(); | |
187 | checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0); | |
188 | } | |
189 | ||
190 | ||
42a8b3f9 DSH |
191 | sub extms_filter |
192 | { | |
193 | my $proxy = shift; | |
194 | ||
195 | foreach my $message (@{$proxy->message_list}) { | |
196 | if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { | |
aa474d1f | 197 | $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET); |
42a8b3f9 DSH |
198 | $message->repack(); |
199 | } | |
200 | if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { | |
aa474d1f | 201 | $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET); |
42a8b3f9 DSH |
202 | $message->repack(); |
203 | } | |
204 | } | |
205 | } | |
206 | ||
207 | sub checkmessages($$$$$) | |
208 | { | |
209 | my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_; | |
210 | ||
211 | subtest $testname => sub { | |
212 | ||
213 | foreach my $message (@{$proxy->message_list}) { | |
214 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO | |
215 | || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { | |
216 | #Get the extensions data | |
217 | my %extensions = %{$message->extension_data}; | |
218 | if (defined | |
aa474d1f | 219 | $extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) { |
42a8b3f9 DSH |
220 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { |
221 | $cextms = 1; | |
222 | } else { | |
223 | $sextms = 1; | |
224 | } | |
225 | } | |
226 | } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) { | |
227 | #Must be doing a full handshake | |
228 | $fullhand = 1; | |
229 | } | |
230 | } | |
231 | ||
232 | plan tests => 4; | |
233 | ||
234 | ok(TLSProxy::Message->success, "Handshake"); | |
235 | ||
236 | ok($testcextms == $cextms, | |
237 | "ClientHello extension extended master secret check"); | |
238 | ok($testsextms == $sextms, | |
239 | "ServerHello extension extended master secret check"); | |
240 | ok($testhand == $fullhand, | |
241 | "Extended master secret full handshake check"); | |
242 | ||
243 | } | |
244 | } | |
245 | ||
246 | sub setrmextms($$) | |
247 | { | |
248 | ($crmextms, $srmextms) = @_; | |
249 | } | |
250 | ||
251 | sub clearall() | |
252 | { | |
253 | $cextms = 0; | |
254 | $sextms = 0; | |
255 | $fullhand = 0; | |
256 | $proxy->clear(); | |
257 | } |