70-test_sslsigalgs.t 18 KB

  1. #! /usr/bin/env perl
  2. # Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the OpenSSL license (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
  10. use OpenSSL::Test::Utils;
  11. use TLSProxy::Proxy;
  my $test_name = "test_sslsigalgs";
  setup($test_name);

  # Bail out before planning anything on platforms and build configurations
  # where the proxied handshakes below cannot run.
  if ($^O =~ /^(VMS)$/) {
      plan skip_all => "TLSProxy isn't usable on $^O";
  }
  if (disabled("engine") || disabled("dynamic-engine")) {
      plan skip_all => "$test_name needs the dynamic engine feature enabled";
  }
  if (disabled("sock")) {
      plan skip_all => "$test_name needs the sock feature enabled";
  }
  if (disabled("tls1_2") && disabled("tls1_3")) {
      plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled";
  }

  # The leading '~' clears bits 33 and 57 of the x86 capability vector for
  # the processes started from here on.
  # NOTE(review): per the OPENSSL_ia32cap documentation these bits are
  # PCLMULQDQ and AES-NI; this file does not say why they are masked.
  $ENV{OPENSSL_ia32cap} = '~0x200000200000000';

  # True when run outside the test harness or when the harness is verbose.
  # NOTE(review): presumably the proxy's debug switch -- confirm against
  # TLSProxy::Proxy->new.
  my $proxy_verbose = (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE});

  my $proxy = TLSProxy::Proxy->new(
      undef,
      cmdstr(app(["openssl"]), display => 1),
      srctop_file("apps", "server.pem"),
      $proxy_verbose
  );

  # Scenario selectors. The filter subs read $testtype to decide how the
  # handshake is rewritten for the test in progress.
  use constant {
      NO_SIG_ALGS_EXT           => 0,
      EMPTY_SIG_ALGS_EXT        => 1,
      NO_KNOWN_SIG_ALGS         => 2,
      NO_PSS_SIG_ALGS           => 3,
      PSS_ONLY_SIG_ALGS         => 4,
      PURE_SIGALGS              => 5,
      COMPAT_SIGALGS            => 6,
      SIGALGS_CERT_ALL          => 7,
      SIGALGS_CERT_PKCS         => 8,
      SIGALGS_CERT_INVALID      => 9,
      UNRECOGNIZED_SIGALGS_CERT => 10,
      UNRECOGNIZED_SIGALG       => 11
  };

  #Note: Throughout this test we override the default ciphersuites where
  #      TLSv1.2 is expected, to ensure that a ServerKeyExchange message is
  #      sent that uses the sigalgs

  #Test 1: Default sig algs should succeed
  unless ($proxy->start()) {
      plan skip_all => "Unable to start up Proxy for tests";
  }
  plan tests => 26;
  ok(TLSProxy::Message->success, "Default sigalgs");

  # Scenario for the current handshake; set before each $proxy->start()
  my $testtype;
  SKIP: {
      skip "TLSv1.3 disabled", 6 if disabled("tls1_3");

      $proxy->filter(\&sigalgs_filter);

      # Tests 2-6 share one shape: reset the proxy, select how the
      # ClientHello's signature_algorithms is rewritten, run the handshake
      # and check the outcome. Each row is
      #   [ scenario, handshake expected to succeed?, test description ]
      my @tls13_cases = (
          #Test 2: Sending no sig algs extension in TLSv1.3 should fail
          [NO_SIG_ALGS_EXT, 0, "No TLSv1.3 sigalgs"],
          #Test 3: Sending an empty sig algs extension in TLSv1.3 should fail
          [EMPTY_SIG_ALGS_EXT, 0, "Empty TLSv1.3 sigalgs"],
          #Test 4: Sending a list with no recognised sig algs in TLSv1.3
          #        should fail
          [NO_KNOWN_SIG_ALGS, 0, "No known TLSv1.3 sigalgs"],
          #Test 5: Sending a sig algs list without pss for an RSA cert in
          #        TLSv1.3 should fail
          [NO_PSS_SIG_ALGS, 0, "No PSS TLSv1.3 sigalgs"],
          #Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed
          #TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS
          #only cert in this case?
          [PSS_ONLY_SIG_ALGS, 1, "PSS only sigalgs in TLSv1.3"],
      );

      foreach my $case (@tls13_cases) {
          my ($scenario, $expect_success, $description) = @{$case};

          $proxy->clear();
          $testtype = $scenario;
          $proxy->start();
          ok($expect_success ? TLSProxy::Message->success()
                             : TLSProxy::Message->fail(),
             $description);
      }

      #Test 7: Modify the CertificateVerify sigalg from rsa_pss_rsae_sha256 to
      #        rsa_pss_pss_sha256. This should fail because the public key OID
      #        in the certificate is rsaEncryption and not rsassaPss
      $proxy->filter(\&modify_cert_verify_sigalg);
      $proxy->clear();
      $proxy->start();
      ok(TLSProxy::Message->fail(),
         "Mismatch between CertVerify sigalg and public key OID");
  }
  SKIP: {
      if (disabled("tls1_3") || disabled("ec")) {
          skip "EC or TLSv1.3 disabled", 1;
      }

      #Test 8: Sending a valid sig algs list but not including a sig type
      #        that matches the certificate should fail in TLSv1.3.
      # No filter here: the client itself is told to offer only ECDSA+SHA256.
      my $ecdsa_only = "-sigalgs ECDSA+SHA256";

      $proxy->clear();
      $proxy->clientflags($ecdsa_only);
      $proxy->filter(undef);
      $proxy->start();
      ok(TLSProxy::Message->fail(), "No matching TLSv1.3 sigalgs");
  }
  SKIP: {
      if (disabled("tls1_2") || disabled("tls1_3") || disabled("ec")) {
          skip "EC, TLSv1.3 or TLSv1.2 disabled", 1;
      }

      #Test 9: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
      #        should succeed
      # The server refuses TLSv1.3, so the unfiltered ClientHello is answered
      # with a TLSv1.2 handshake on the ciphersuite pinned below.
      my $tls12_cipher = "ECDHE-RSA-AES128-SHA";

      $proxy->clear();
      $proxy->serverflags("-no_tls1_3");
      $proxy->ciphers($tls12_cipher);
      $proxy->filter(undef);
      $proxy->start();
      ok(TLSProxy::Message->success(), "TLSv1.3 client TLSv1.2 server");
  }
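  SKIP: {
      skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec");

      # Except for test 18, the ClientHello's signature_algorithms extension
      # is rewritten in flight according to $testtype.
      $proxy->filter(\&sigalgs_filter);

      #Test 10: Sending no sig algs extension in TLSv1.2 should succeed at
      #         security level 1
      $proxy->clear();
      $testtype = NO_SIG_ALGS_EXT;
      $proxy->clientflags("-no_tls1_3 -cipher DEFAULT\@SECLEVEL=1");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA\@SECLEVEL=1");
      $proxy->start();
      ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 1");

      #Test 11: Sending no sig algs extension in TLSv1.2 should fail at
      #         security level 2 since it will try to use SHA1. Testing
      #         client at level 1, server level 2.
      $proxy->clear();
      $testtype = NO_SIG_ALGS_EXT;
      $proxy->clientflags("-tls1_2 -cipher DEFAULT\@SECLEVEL=1");
      $proxy->ciphers("DEFAULT\@SECLEVEL=2");
      $proxy->start();
      ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 2");

      #Test 12: Sending no sig algs extension in TLSv1.2 should fail at
      #         security level 2 since it will try to use SHA1. Testing
      #         client at level 2, server level 1.
      $proxy->clear();
      $testtype = NO_SIG_ALGS_EXT;
      $proxy->clientflags("-tls1_2 -cipher DEFAULT\@SECLEVEL=2");
      $proxy->ciphers("DEFAULT\@SECLEVEL=1");
      $proxy->start();
      ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");

      #Test 13: Sending an empty sig algs extension in TLSv1.2 should fail
      $proxy->clear();
      $testtype = EMPTY_SIG_ALGS_EXT;
      $proxy->clientflags("-no_tls1_3");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA");
      $proxy->start();
      ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");

      #Test 14: Sending a list with no recognised sig algs in TLSv1.2 should
      #         fail
      $proxy->clear();
      $testtype = NO_KNOWN_SIG_ALGS;
      $proxy->clientflags("-no_tls1_3");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA");
      $proxy->start();
      # The description used to say TLSv1.3, which made this result
      # indistinguishable from test 4 in the output.
      ok(TLSProxy::Message->fail, "No known TLSv1.2 sigalgs");

      #Test 15: Sending a sig algs list without pss for an RSA cert in TLSv1.2
      #         should succeed
      $proxy->clear();
      $testtype = NO_PSS_SIG_ALGS;
      $proxy->clientflags("-no_tls1_3");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA");
      $proxy->start();
      ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");

      #Test 16: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed
      $proxy->clear();
      $testtype = PSS_ONLY_SIG_ALGS;
      $proxy->serverflags("-no_tls1_3");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA");
      $proxy->start();
      ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");

      #Test 17: Responding with a sig alg we did not send in TLSv1.2 should
      #         fail. We send rsa_pkcs1_sha256 and respond with
      #         rsa_pss_rsae_sha256
      #         TODO(TLS1.3): Add a similar test to the TLSv1.3 section above
      #         when we have an API capable of configuring the TLSv1.3 sig algs
      # The client is configured for RSA+SHA256 only, while the filter makes
      # the server see a PSS-only list, so the server's choice is one the
      # client never offered.
      $proxy->clear();
      $testtype = PSS_ONLY_SIG_ALGS;
      $proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA");
      $proxy->start();
      ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2");

      #Test 18: Sending a valid sig algs list but not including a sig type
      #         that matches the certificate should fail in TLSv1.2
      $proxy->clear();
      $proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
      $proxy->ciphers("ECDHE-RSA-AES128-SHA");
      # Unfiltered: the mismatch comes from the client's own configuration
      $proxy->filter(undef);
      $proxy->start();
      ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
      $proxy->filter(\&sigalgs_filter);

      #Test 19: No sig algs extension, ECDSA cert, TLSv1.2 should succeed
      $proxy->clear();
      $testtype = NO_SIG_ALGS_EXT;
      $proxy->clientflags("-no_tls1_3");
      # This statement used to end in a comma, which chained it to the
      # ciphers() call below through the comma operator; both calls ran in
      # the same order, so ending it with a semicolon changes nothing at
      # run time.
      $proxy->serverflags("-cert " . srctop_file("test", "certs",
                                                 "server-ecdsa-cert.pem") .
                          " -key " . srctop_file("test", "certs",
                                                 "server-ecdsa-key.pem"));
      $proxy->ciphers("ECDHE-ECDSA-AES128-SHA");
      $proxy->start();
      ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
  }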
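  # Flags written by modify_sigalgs_filter while it inspects the ClientHello
  my ($dsa_status, $sha1_status, $sha224_status);
  SKIP: {
      # The guard covers both features, so the reason names both
      skip "TLSv1.3 or DSA disabled", 2
          if disabled("tls1_3") || disabled("dsa");

      #Test 20: signature_algorithms with 1.3-only ClientHello
      # For PURE_SIGALGS the filter sets all three flags only when none of
      # the DSA and SHA1 code points it checks for is in the list, so a pass
      # means they were NOT offered. The description now says so.
      # NOTE(review): the filter also sets the flags when the list is empty
      # or the extension is absent, so a pass does not by itself show that a
      # list was sent.
      $testtype = PURE_SIGALGS;
      $dsa_status = $sha1_status = $sha224_status = 0;
      $proxy->clear();
      $proxy->clientflags("-tls1_3");
      $proxy->filter(\&modify_sigalgs_filter);
      $proxy->start();
      ok($dsa_status && $sha1_status && $sha224_status,
         "DSA/SHA1 sigalgs not sent for 1.3-only ClientHello");

      #Test 21: signature_algorithms with backwards compatible ClientHello
      # For COMPAT_SIGALGS each flag is set when a matching code point is
      # seen, so a pass means DSA, SHA1 and SHA224 schemes WERE offered.
      SKIP: {
          skip "TLSv1.2 disabled", 1 if disabled("tls1_2");
          $testtype = COMPAT_SIGALGS;
          $dsa_status = $sha1_status = $sha224_status = 0;
          $proxy->clear();
          $proxy->filter(\&modify_sigalgs_filter);
          $proxy->start();
          ok($dsa_status && $sha1_status && $sha224_status,
             "DSA/SHA1/SHA224 sigalgs sent for compat ClientHello");
      }
  }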
  SKIP: {
      skip "TLSv1.3 disabled", 3 if disabled("tls1_3");

      # Tests 22-24 each insert a different signature_algorithms_cert
      # extension into the ClientHello. Each row is
      #   [ scenario, handshake expected to succeed?, test description ]
      my @sigalgs_cert_cases = (
          #Test 22: Insert signature_algorithms_cert that match normal sigalgs
          [SIGALGS_CERT_ALL, 1, "sigalgs_cert in TLSv1.3"],
          #Test 23: Insert signature_algorithms_cert that forces PKCS#1 cert
          [SIGALGS_CERT_PKCS, 1, "sigalgs_cert in TLSv1.3 with PKCS#1 cert"],
          #Test 24: Insert signature_algorithms_cert that fails
          [SIGALGS_CERT_INVALID, 0, "No matching certificate for sigalgs_cert"],
      );

      foreach my $case (@sigalgs_cert_cases) {
          my ($scenario, $expect_success, $description) = @{$case};

          $testtype = $scenario;
          $proxy->clear();
          $proxy->filter(\&modify_sigalgs_cert_filter);
          $proxy->start();
          ok($expect_success ? TLSProxy::Message->success()
                             : TLSProxy::Message->fail(),
             $description);
      }
  }
  SKIP: {
      skip "TLS 1.3 disabled", 2 if disabled("tls1_3");

      # Both tests plant a private-use code point at the head of a list and
      # expect the server to skip over it and use a valid one that appears
      # later in the list.
      my @unrecognized_cases = (
          #Test 25: Send an unrecognized signature_algorithms_cert
          [UNRECOGNIZED_SIGALGS_CERT, "Unrecognized sigalg_cert in ClientHello"],
          #Test 26: Send an unrecognized signature_algorithms
          [UNRECOGNIZED_SIGALG, "Unrecognized sigalg in ClientHello"],
      );

      foreach my $case (@unrecognized_cases) {
          my ($scenario, $description) = @{$case};

          $proxy->clear();
          $proxy->filter(\&inject_unrecognized_sigalg);
          $proxy->clientflags("-tls1_3");

          # Use -xcert to get SSL_check_chain() to run in the cert_cb. This
          # is needed to trigger (e.g.) CVE-2020-1967
          my $xcert_flags = "";
          $xcert_flags .= " -xcert "
                          . srctop_file("test", "certs", "servercert.pem");
          $xcert_flags .= " -xkey "
                          . srctop_file("test", "certs", "serverkey.pem");
          $xcert_flags .= " -xchain "
                          . srctop_file("test", "certs", "rootcert.pem");
          $proxy->serverflags($xcert_flags);

          $testtype = $scenario;
          $proxy->start();
          ok(TLSProxy::Message->success(), $description);
      }
  }
  # Proxy filter: rewrite or remove the signature_algorithms extension of the
  # initial ClientHello according to $testtype.
  #   NO_SIG_ALGS_EXT     extension deleted
  #   EMPTY_SIG_ALGS_EXT  zero-length list
  #   NO_KNOWN_SIG_ALGS   one code point, 0xffff
  #   NO_PSS_SIG_ALGS     rsa_pkcs1_sha256 only
  #   anything else       rsa_pss_rsae_sha256 only
  sub sigalgs_filter
  {
      my $proxy = shift;

      # Later flights are passed through untouched
      return if $proxy->flight != 0;

      foreach my $message (@{$proxy->message_list}) {
          next unless $message->mt == TLSProxy::Message::MT_CLIENT_HELLO;

          if ($testtype == NO_SIG_ALGS_EXT) {
              $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
              $message->repack();
              next;
          }

          # Bytes of the scheme list, without its length prefix
          my @scheme_bytes;
          if ($testtype == EMPTY_SIG_ALGS_EXT) {
              @scheme_bytes = ();
          } elsif ($testtype == NO_KNOWN_SIG_ALGS) {
              @scheme_bytes = (0xff, 0xff);
          } elsif ($testtype == NO_PSS_SIG_ALGS) {
              #No PSS sig algs - just send rsa_pkcs1_sha256
              @scheme_bytes = (0x04, 0x01);
          } else {
              #PSS sig algs only - just send rsa_pss_rsae_sha256
              @scheme_bytes = (0x08, 0x04);
          }

          # Two-byte big-endian length, then the list itself
          my $sigalg = pack "n C*", scalar(@scheme_bytes), @scheme_bytes;
          $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg);
          $message->repack();
      }
  }
  # Proxy filter that inspects the signature_algorithms list of the initial
  # ClientHello and records the result in $dsa_status, $sha1_status and
  # $sha224_status. Despite its name it changes nothing in the message.
  #   PURE_SIGALGS    all three flags are set when none of the DSA and SHA1
  #                   code points listed below is present
  #   COMPAT_SIGALGS  each flag is set when a code point of its family is
  #                   present
  sub modify_sigalgs_filter
  {
      my $proxy = shift;

      # We're only interested in the initial ClientHello
      if ($proxy->flight != 0) {
          return;
      }

      foreach my $message (@{$proxy->message_list}) {
          next unless $message->mt == TLSProxy::Message::MT_CLIENT_HELLO;
          next unless $testtype == PURE_SIGALGS || $testtype == COMPAT_SIGALGS;

          # The extension body is a run of big-endian 16-bit values; the first
          # is the list length rather than a scheme, so it is split off.
          my ($list_length, @offered) = unpack('S>*',
              $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS});

          if ($testtype == PURE_SIGALGS) {
              my @not_for_tls13 = (
                  TLSProxy::Message::SIG_ALG_DSA_SHA256,
                  TLSProxy::Message::SIG_ALG_DSA_SHA384,
                  TLSProxy::Message::SIG_ALG_DSA_SHA512,
                  TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224,
                  TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1,
                  TLSProxy::Message::SIG_ALG_DSA_SHA1,
                  TLSProxy::Message::SIG_ALG_ECDSA_SHA1,
              );
              my $unwanted = 0;
              foreach my $alg (@offered) {
                  $unwanted++ if grep { $alg == $_ } @not_for_tls13;
              }
              # NOTE(review): an absent or empty extension leaves @offered
              # empty, so this branch reports success without having seen a
              # single scheme.
              unless ($unwanted) {
                  $sha1_status = $dsa_status = $sha224_status = 1;
              }
          } else {
              my @dsa_schemes = (
                  TLSProxy::Message::SIG_ALG_DSA_SHA256,
                  TLSProxy::Message::SIG_ALG_DSA_SHA384,
                  TLSProxy::Message::SIG_ALG_DSA_SHA512,
              );
              my @sha1_schemes = (
                  TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1,
                  TLSProxy::Message::SIG_ALG_DSA_SHA1,
                  TLSProxy::Message::SIG_ALG_ECDSA_SHA1,
              );
              my @sha224_schemes = (
                  TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224,
                  TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224,
                  TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224,
              );
              foreach my $alg (@offered) {
                  $dsa_status    = 1 if grep { $alg == $_ } @dsa_schemes;
                  $sha1_status   = 1 if grep { $alg == $_ } @sha1_schemes;
                  $sha224_status = 1 if grep { $alg == $_ } @sha224_schemes;
              }
          }
      }
  }
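  # Proxy filter: set the signature_algorithms_cert extension of the initial
  # ClientHello to the list selected by $testtype (SIGALGS_CERT_ALL,
  # SIGALGS_CERT_PKCS or SIGALGS_CERT_INVALID). For any other $testtype the
  # handshake is left untouched.
  sub modify_sigalgs_cert_filter
  {
      my $proxy = shift;

      # We're only interested in the initial ClientHello
      if ($proxy->flight != 0) {
          return;
      }

      # The payload depends only on $testtype, so it is built once, ahead of
      # the message loop.
      # two byte length at front of sigs, then two-byte sigschemes
      my $sigs;
      if ($testtype == SIGALGS_CERT_ALL) {
          $sigs = pack "C26", 0x00, 0x18,
                  # rsa_pkcs1_sha{256,512} rsa_pss_rsae_sha{256,512}
                  0x04, 0x01, 0x06, 0x01, 0x08, 0x04, 0x08, 0x06,
                  # ed25519 ed448 rsa_pss_pss_sha{256,512}
                  0x08, 0x07, 0x08, 0x08, 0x08, 0x09, 0x08, 0x0b,
                  # ecdsa_secp256r1_sha256 ecdsa_secp521r1_sha512
                  # rsa_pkcs1_sha1 ecdsa_sha1
                  0x04, 0x03, 0x06, 0x03, 0x02, 0x01, 0x02, 0x03;
      } elsif ($testtype == SIGALGS_CERT_PKCS) {
          $sigs = pack "C10", 0x00, 0x08,
                  # rsa_pkcs1_sha{256,384,512,1}
                  0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01;
      } elsif ($testtype == SIGALGS_CERT_INVALID) {
          $sigs = pack "C4", 0x00, 0x02,
                  # unregistered codepoint
                  0xb2, 0x6f;
      } else {
          # Without this branch an unexpected scenario would install an
          # undefined extension body. Returning matches what
          # inject_unrecognized_sigalg does for scenarios it does not own.
          return;
      }

      foreach my $message (@{$proxy->message_list}) {
          if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
              $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT,
                                      $sigs);
              $message->repack();
          }
      }
  }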
  # Proxy filter: relabel every CertificateVerify seen in flight 1 as signed
  # with rsa_pss_pss_sha256 and repack it. Only the advertised scheme is
  # changed here.
  sub modify_cert_verify_sigalg
  {
      my $proxy = shift;

      # The CertificateVerify is only looked for in flight 1
      return unless $proxy->flight == 1;

      foreach my $message (@{$proxy->message_list}) {
          next unless $message->mt == TLSProxy::Message::MT_CERTIFICATE_VERIFY;

          $message->sigalg(TLSProxy::Message::SIG_ALG_RSA_PSS_PSS_SHA256);
          $message->repack();
      }
  }
  # Proxy filter: replace signature_algorithms_cert or signature_algorithms
  # (chosen by $testtype) in the first message of flight 0 with a list whose
  # first entry is a private-use code point, followed by two valid schemes.
  # Any other $testtype leaves the handshake untouched.
  sub inject_unrecognized_sigalg
  {
      my $proxy = shift;

      # We're only interested in the initial ClientHello
      return if $proxy->flight != 0;

      my $type;
      if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
          $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
      } elsif ($testtype == UNRECOGNIZED_SIGALG) {
          $type = TLSProxy::Message::EXT_SIG_ALGS;
      }
      return unless defined $type;

      # Four big-endian 16-bit values, the same eight bytes as before
      my $ext = pack "n4",
          0x0006, #Extension length
          0xfe18, #private use
          0x0401, #rsa_pkcs1_sha256
          0x0804; #rsa_pss_rsae_sha256

      # NOTE(review): assumes the first message of flight 0 is the
      # ClientHello; unlike the other filters, the message type is not
      # checked.
      my $client_hello = $proxy->message_list->[0];
      $client_hello->set_extension($type, $ext);
      $client_hello->repack();
  }