test/recipes/70-test_sslsigalgs.t

   1 #! /usr/bin/env perl
   2 # Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the OpenSSL license (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9 use strict;
  10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
  11 use OpenSSL::Test::Utils;
  12 use TLSProxy::Proxy;
  13
  14 my $test_name = "test_sslsigalgs";
  15 setup($test_name);
  16
  17 plan skip_all => "TLSProxy isn't usable on $^O"
  18     if $^O =~ /^(VMS|MSWin32)$/;
  19
  20 plan skip_all => "$test_name needs the dynamic engine feature enabled"
  21     if disabled("engine") || disabled("dynamic-engine");
  22
  23 plan skip_all => "$test_name needs the sock feature enabled"
  24     if disabled("sock");
  25
  26 plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled"
  27     if disabled("tls1_2") && disabled("tls1_3");
  28
  29 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
  30 my $proxy = TLSProxy::Proxy->new(
  31     undef,
  32     cmdstr(app(["openssl"]), display => 1),
  33     srctop_file("apps", "server.pem"),
  34     (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
  35 );
  36
  37 use constant {
  38     NO_SIG_ALGS_EXT => 0,
  39     EMPTY_SIG_ALGS_EXT => 1,
  40     NO_KNOWN_SIG_ALGS => 2,
  41     NO_PSS_SIG_ALGS => 3,
  42     PSS_ONLY_SIG_ALGS => 4
  43 };
  44
  45 #Test 1: Default sig algs should succeed
  46 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
  47 plan tests => 14;
  48 ok(TLSProxy::Message->success, "Default sigalgs");
  49 my $testtype;
  50
  51 SKIP: {
  52     skip "TLSv1.3 disabled", 5 if disabled("tls1_3");
  53
  54     $proxy->filter(\&sigalgs_filter);
  55
  56     #Test 2: Sending no sig algs extension in TLSv1.3 should fail
  57     $proxy->clear();
  58     $testtype = NO_SIG_ALGS_EXT;
  59     $proxy->start();
  60     ok(TLSProxy::Message->fail, "No TLSv1.3 sigalgs");
  61
  62     #Test 3: Sending an empty sig algs extension in TLSv1.3 should fail
  63     $proxy->clear();
  64     $testtype = EMPTY_SIG_ALGS_EXT;
  65     $proxy->start();
  66     ok(TLSProxy::Message->fail, "Empty TLSv1.3 sigalgs");
  67
  68     #Test 4: Sending a list with no recognised sig algs in TLSv1.3 should fail
  69     $proxy->clear();
  70     $testtype = NO_KNOWN_SIG_ALGS;
  71     $proxy->start();
  72     ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
  73
  74     #Test 5: Sending a sig algs list without pss for an RSA cert in TLSv1.3
  75     #        should fail
  76     $proxy->clear();
  77     $testtype = NO_PSS_SIG_ALGS;
  78     $proxy->start();
  79     ok(TLSProxy::Message->fail, "No PSS TLSv1.3 sigalgs");
  80
  81     #Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed
  82     #TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS only
  83     #cert in this case?
  84     $proxy->clear();
  85     $testtype = PSS_ONLY_SIG_ALGS;
  86     $proxy->start();
  87     ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.3");
  88 }
  89
  90 SKIP: {
  91     skip "TLSv1.3 or TLSv1.2 disabled", 2
  92         if disabled("tls1_2") || disabled("tls1_3");
  93
  94     #Test 7: Sending a valid sig algs list but not including a sig type that
  95     #        matches the certificate should fail in TLSv1.3. We need TLSv1.2
  96     #        enabled for this test - otherwise the client will not attempt to
  97     #        connect due to no TLSv1.3 ciphers being available.
  98     #        TODO(TLS1.3): When proper TLSv1.3 certificate selection is working
  99     #        we can move this test into the section above
 100     $proxy->clear();
 101     $proxy->clientflags("-sigalgs ECDSA+SHA256");
 102     $proxy->filter(undef);
 103     $proxy->start();
 104     ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs");
 105
 106     #Test 8: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
 107     #        should succeed
 108     $proxy->clear();
 109     $proxy->serverflags("-no_tls1_3");
 110     $proxy->filter(undef);
 111     $proxy->start();
 112     ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server");
 113 }
 114
 115 SKIP: {
 116     skip "TLSv1.2 disabled", 6 if disabled("tls1_2");
 117
 118     $proxy->filter(\&sigalgs_filter);
 119
 120     #Test 9: Sending no sig algs extension in TLSv1.2 should succeed
 121     $proxy->clear();
 122     $testtype = NO_SIG_ALGS_EXT;
 123     $proxy->clientflags("-no_tls1_3");
 124     $proxy->start();
 125     ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs");
 126
 127     #Test 10: Sending an empty sig algs extension in TLSv1.2 should fail
 128     $proxy->clear();
 129     $testtype = EMPTY_SIG_ALGS_EXT;
 130     $proxy->clientflags("-no_tls1_3");
 131     $proxy->start();
 132     ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");
 133
 134     #Test 11: Sending a list with no recognised sig algs in TLSv1.2 should fail
 135     $proxy->clear();
 136     $testtype = NO_KNOWN_SIG_ALGS;
 137     $proxy->clientflags("-no_tls1_3");
 138     $proxy->start();
 139     ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
 140
 141     #Test 12: Sending a sig algs list without pss for an RSA cert in TLSv1.2
 142     #         should succeed
 143     $proxy->clear();
 144     $testtype = NO_PSS_SIG_ALGS;
 145     $proxy->clientflags("-no_tls1_3");
 146     $proxy->start();
 147     ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");
 148
 149     #Test 13: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed
 150     $proxy->clear();
 151     $testtype = PSS_ONLY_SIG_ALGS;
 152     $proxy->serverflags("-no_tls1_3");
 153     $proxy->start();
 154     ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
 155
 156     #Test 14: Sending a valid sig algs list but not including a sig type that
 157     #         matches the certificate should fail in TLSv1.2
 158     $proxy->clear();
 159     $proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
 160     $proxy->filter(undef);
 161     $proxy->start();
 162     ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
 163     $proxy->filter(\&sigalgs_filter);
 164 }
 165
 166
 167
 168 sub sigalgs_filter
 169 {
 170     my $proxy = shift;
 171
 172     # We're only interested in the initial ClientHello
 173     if ($proxy->flight != 0) {
 174         return;
 175     }
 176
 177     foreach my $message (@{$proxy->message_list}) {
 178         if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
 179             if ($testtype == NO_SIG_ALGS_EXT) {
 180                 $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
 181             } else {
 182                 my $sigalg;
 183                 if ($testtype == EMPTY_SIG_ALGS_EXT) {
 184                     $sigalg = pack "C2", 0x00, 0x00;
 185                 } elsif ($testtype == NO_KNOWN_SIG_ALGS) {
 186                     $sigalg = pack "C4", 0x00, 0x02, 0xff, 0xff;
 187                 } elsif ($testtype == NO_PSS_SIG_ALGS) {
 188                     #No PSS sig algs - just send rsa_pkcs1_sha256
 189                     $sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
 190                 } else {
 191                     #PSS sig algs only - just send rsa_pss_sha256
 192                     $sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
 193                 }
 194                 $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg);
 195             }
 196
 197             $message->repack();
 198         }
 199     }
 200 }