70-test_tlsextms.t 7.6 KB

  1. #! /usr/bin/env perl
  2. # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
  10. use OpenSSL::Test::Utils;
  11. use TLSProxy::Proxy;
  12. use File::Temp qw(tempfile);
  # Name under which this recipe registers with the OpenSSL test framework.
  my $test_name = "test_tlsextms";
  setup($test_name);

  # Skip the whole recipe on platforms or builds where it cannot run: the
  # handshakes below are driven through TLSProxy and are restricted to
  # protocol versions below TLS 1.3.
  if ($^O =~ /^(VMS)$/) {
      plan skip_all => "TLSProxy isn't usable on $^O";
  }

  if (disabled("engine") || disabled("dynamic-engine")) {
      plan skip_all => "$test_name needs the dynamic engine feature enabled";
  }

  if (disabled("sock")) {
      plan skip_all => "$test_name needs the sock feature enabled";
  }

  if (disabled("tls1") && disabled("tls1_1") && disabled("tls1_2")) {
      plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled";
  }

  # Set in %ENV so that processes started from this script inherit it.  The
  # value is an OPENSSL_ia32cap capability mask; the leading '~' clears the
  # listed bits (presumably AES-NI and PCLMULQDQ; confirm against the
  # OPENSSL_ia32cap documentation).  This file does not say why they are masked.
  $ENV{OPENSSL_ia32cap} = '~0x200000200000000';

  # Forward declarations: the subs are defined at the end of the file but are
  # called with their prototypes before that point.
  sub checkmessages($$$$$);
  sub setrmextms($$);
  sub clearall();

  # Tamper switches read by extms_filter(): when true, the extended master
  # secret extension is stripped from the ClientHello / ServerHello.
  my ($crmextms, $srmextms) = (0, 0);

  # Observations recorded by checkmessages() and reset by clearall():
  # extension seen in ClientHello, seen in ServerHello, and whether a
  # ClientKeyExchange (i.e. a full handshake) was seen.
  my ($cextms, $sextms, $fullhand) = (0, 0, 0);

  # The proxy receives the filter callback, the openssl command line, and the
  # server certificate.  The last argument is true when no test harness is
  # active or when the harness is verbose (presumably a debug/verbosity
  # switch; confirm in TLSProxy::Proxy).
  my $proxy = TLSProxy::Proxy->new(
      \&extms_filter,
      cmdstr(app(["openssl"]), display => 1),
      srctop_file("apps", "server.pem"),
      (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
  );
  # Extended master secret (EMS, RFC 7627) is only relevant below TLS 1.3,
  # which is why the client is started with -no_tls1_3 here.
  #
  # Test 1: by default both client and server should send the extended master
  #         secret extension.
  # Expected result: ClientHello extension seen; ServerHello extension seen;
  #                  full handshake.
  setrmextms(0, 0);
  $proxy->clientflags("-no_tls1_3");
  unless ($proxy->start()) {
      plan skip_all => "Unable to start up Proxy for tests";
  }

  # Nine checks always run; one more is planned when TLS 1.3 is available.
  my $numtests = 9;
  $numtests += 1 unless disabled("tls1_3");
  plan tests => $numtests;

  checkmessages(1, "Default extended master secret test", 1, 1, 1);
  # Test 2: if the client omits the extended master secret extension, the
  #         server should omit it too.  The proxy filter strips the extension
  #         from the ClientHello (first argument of setrmextms is true).
  # Expected result: ClientHello extension not seen; ServerHello extension
  #                  not seen; full handshake.
  clearall();
  $proxy->clientflags("-no_tls1_3");
  setrmextms(1, 0);
  $proxy->start();
  checkmessages(2, "No client extension extended master secret test", 0, 0, 1);

  # Test 3: same as test 1 but with session tickets disabled.
  # Expected result: same as test 1.
  clearall();
  setrmextms(0, 0);
  $proxy->clientflags("-no_ticket -no_tls1_3");
  $proxy->start();
  checkmessages(3, "No ticket extended master secret test", 1, 1, 1);

  # Test 4: same as test 2 but with session tickets disabled.
  # Expected result: same as test 2.
  clearall();
  setrmextms(1, 0);
  $proxy->clientflags("-no_ticket -no_tls1_3");
  $proxy->start();
  checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1);
  # Test 5: session resumption with the extension present on both connections.
  # Expected result: ClientHello extension seen; ServerHello extension seen;
  #                  abbreviated handshake.
  clearall();
  setrmextms(0, 0);

  # Only the file name is kept; the handle returned by tempfile() is dropped.
  # The first client run saves its session with -sess_out and the second run
  # loads it with -sess_in.
  # NOTE(review): the path is spliced into a flag string, so a temp directory
  # containing whitespace would presumably split the argument - confirm how
  # TLSProxy builds the client command line.
  my $session = (tempfile())[1];
  $proxy->serverconnects(2);
  $proxy->clientflags("-no_tls1_3 -sess_out $session");
  $proxy->start();
  $proxy->clearClient();
  $proxy->clientflags("-no_tls1_3 -sess_in $session");
  $proxy->clientstart();
  checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);

  # The saved session is removed only here, so it is left behind if the
  # script stops before reaching this line.
  unlink $session;
  # Test 6: session resumption where the original session omitted the
  #         extension (stripped from the first ClientHello) but the resuming
  #         ClientHello carries it.  The server must not resume the session.
  # Expected result: ClientHello extension seen; ServerHello extension seen;
  #                  full handshake.
  # NOTE(review): the subtest title below is identical to the one used for
  # test 5, so the two are only told apart by position in the output.
  clearall();
  setrmextms(1, 0);
  $session = (tempfile())[1];
  $proxy->serverconnects(2);
  $proxy->clientflags("-no_tls1_3 -sess_out $session");
  $proxy->start();
  $proxy->clearClient();

  # Second connection: stop stripping, then resume from the saved session.
  setrmextms(0, 0);
  $proxy->clientflags("-no_tls1_3 -sess_in $session");
  $proxy->clientstart();
  checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
  unlink $session;
  # Tests 7-9 cover inconsistent use of the extension between an original
  # session and its resumption; each expects the connection to be aborted.
  # NOTE(review): these checks only assert TLSProxy::Message->fail(), i.e. that
  # the connection failed.  They do not verify which peer aborted or which
  # alert was sent, so an unrelated failure would also satisfy them.

  # Test 7: the resumed session omits the client extension (stripped from the
  #         second ClientHello).  The server must abort the connection.
  # Expected result: aborted connection.
  clearall();
  setrmextms(0, 0);
  $session = (tempfile())[1];
  $proxy->serverconnects(2);
  $proxy->clientflags("-no_tls1_3 -sess_out $session");
  $proxy->start();
  $proxy->clearClient();
  setrmextms(1, 0);
  $proxy->clientflags("-no_tls1_3 -sess_in $session");
  $proxy->clientstart();
  ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
  unlink $session;

  # Test 8: the resumed session omits the server extension (stripped from the
  #         second ServerHello).  The client must abort the connection.
  # Expected result: aborted connection.
  clearall();
  setrmextms(0, 0);
  $session = (tempfile())[1];
  $proxy->serverconnects(2);
  $proxy->clientflags("-no_tls1_3 -sess_out $session");
  $proxy->start();
  $proxy->clearClient();
  setrmextms(0, 1);
  $proxy->clientflags("-no_tls1_3 -sess_in $session");
  $proxy->clientstart();
  ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
  unlink $session;

  # Test 9: the initial session omits the server extension (stripped from the
  #         first ServerHello), the resumption does not.  The client must
  #         abort the connection.
  # Expected result: aborted connection.
  clearall();
  setrmextms(0, 1);
  $session = (tempfile())[1];
  $proxy->serverconnects(2);
  $proxy->clientflags("-no_tls1_3 -sess_out $session");
  $proxy->start();
  $proxy->clearClient();
  setrmextms(0, 0);
  $proxy->clientflags("-no_tls1_3 -sess_in $session");
  $proxy->clientstart();
  ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
  unlink $session;
  # Test 10: in TLS 1.3 extended master secret should not be negotiated.
  # Expected result: ClientHello extension seen; ServerHello extension not
  #                  seen.  The TLS 1.3 handshake shows up as "abbreviated"
  #                  in checkmessages() because it has no ClientKeyExchange.
  # NOTE(review): no client flags are set here, so this relies on clearall()
  # / $proxy->clear() having dropped the -no_tls1_3 flag left over from the
  # previous run - confirm in TLSProxy::Proxy.
  unless (disabled("tls1_3")) {
      clearall();
      setrmextms(0, 0);
      $proxy->start();
      checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0);
  }
  # Filter callback passed to TLSProxy::Proxy->new.
  #
  # Walks the proxy's message list and, depending on the file-level switches
  # $crmextms and $srmextms, deletes the extended master secret extension
  # from ClientHello and/or ServerHello messages and repacks them.  The whole
  # list is walked on every call, so a message may be processed more than
  # once (presumably harmless because the deletion is repeatable - confirm).
  sub extms_filter
  {
      my ($proxy) = @_;

      for my $msg (@{ $proxy->message_list }) {
          my $type = $msg->mt;

          # A message is tampered with only when the switch for its own
          # direction is set.
          my $strip =
              ($crmextms && $type == TLSProxy::Message::MT_CLIENT_HELLO)
              || ($srmextms && $type == TLSProxy::Message::MT_SERVER_HELLO);
          next unless $strip;

          $msg->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
          $msg->repack();
      }
  }
  # Run one four-assertion subtest over the messages the proxy captured.
  #
  # Arguments:
  #   $testno     - test number (not used in the body)
  #   $testname   - subtest title
  #   $testcextms - expected: extension present in the ClientHello (1/0)
  #   $testsextms - expected: extension present in the ServerHello (1/0)
  #   $testhand   - expected: full handshake, i.e. a ClientKeyExchange was
  #                 seen (1/0)
  #
  # The observations are stored in the file-level $cextms, $sextms and
  # $fullhand, which are only ever set to 1 here; callers reset them through
  # clearall() between runs.
  sub checkmessages($$$$$)
  {
      my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;

      subtest $testname => sub {
          for my $msg (@{ $proxy->message_list }) {
              my $type = $msg->mt;

              # A ClientKeyExchange marks a full handshake.
              if ($type == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
                  $fullhand = 1;
                  next;
              }

              # Only the two hello messages are inspected for the extension.
              my $is_client_hello = $type == TLSProxy::Message::MT_CLIENT_HELLO;
              next unless $is_client_hello
                  || $type == TLSProxy::Message::MT_SERVER_HELLO;

              my %ext_of = %{ $msg->extension_data };
              next unless defined
                  $ext_of{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET};

              if ($is_client_hello) {
                  $cextms = 1;
              }
              else {
                  $sextms = 1;
              }
          }

          plan tests => 4;

          ok(TLSProxy::Message->success, "Handshake");
          ok($testcextms == $cextms,
             "ClientHello extension extended master secret check");
          ok($testsextms == $sextms,
             "ServerHello extension extended master secret check");
          ok($testhand == $fullhand,
             "Extended master secret full handshake check");
      };
  }
  # Set the tamper switches read by extms_filter().
  #
  # First argument: strip the extension from the ClientHello when true.
  # Second argument: strip the extension from the ServerHello when true.
  sub setrmextms($$)
  {
      ($crmextms, $srmextms) = @_[0, 1];
  }
  # Reset the per-run observations and the proxy before the next test.
  #
  # Zeroes the flags that checkmessages() sets, then calls $proxy->clear().
  # The tamper switches ($crmextms, $srmextms) are not touched here; callers
  # set them through setrmextms().
  sub clearall()
  {
      ($cextms, $sextms, $fullhand) = (0, 0, 0);
      $proxy->clear();
  }