1 1.1 christos #! /usr/bin/env perl 2 1.1 christos # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 3 1.1 christos # 4 1.1 christos # Licensed under the OpenSSL license (the "License"). You may not use 5 1.1 christos # this file except in compliance with the License. You can obtain a copy 6 1.1 christos # in the file LICENSE in the source distribution or at 7 1.1 christos # https://www.openssl.org/source/license.html 8 1.1 christos 9 1.1 christos use strict; 10 1.1 christos use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; 11 1.1 christos use OpenSSL::Test::Utils; 12 1.1 christos use TLSProxy::Proxy; 13 1.1 christos use File::Temp qw(tempfile); 14 1.1 christos 15 1.1 christos my $test_name = "test_tlsextms"; 16 1.1 christos setup($test_name); 17 1.1 christos 18 1.1 christos plan skip_all => "TLSProxy isn't usable on $^O" 19 1.1 christos if $^O =~ /^(VMS)$/; 20 1.1 christos 21 1.1 christos plan skip_all => "$test_name needs the dynamic engine feature enabled" 22 1.1 christos if disabled("engine") || disabled("dynamic-engine"); 23 1.1 christos 24 1.1 christos plan skip_all => "$test_name needs the sock feature enabled" 25 1.1 christos if disabled("sock"); 26 1.1 christos 27 1.1 christos plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled" 28 1.1 christos if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2"); 29 1.1 christos 30 1.1 christos $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; 31 1.1 christos 32 1.1 christos sub checkmessages($$$$$); 33 1.1 christos sub setrmextms($$); 34 1.1 christos sub clearall(); 35 1.1 christos 36 1.1 christos my $crmextms = 0; 37 1.1 christos my $srmextms = 0; 38 1.1 christos my $cextms = 0; 39 1.1 christos my $sextms = 0; 40 1.1 christos my $fullhand = 0; 41 1.1 christos 42 1.1 christos my $proxy = TLSProxy::Proxy->new( 43 1.1 christos \&extms_filter, 44 1.1 christos cmdstr(app(["openssl"]), display => 1), 45 1.1 christos srctop_file("apps", "server.pem"), 46 1.1 christos (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) 47 1.1 christos ); 48 1.1 christos 49 1.1 christos #Note that EXTMS is only relevant for <TLS1.3 50 1.1 christos 51 1.1 christos #Test 1: By default server and client should send extended master secret 52 1.1 christos # extension. 53 1.1 christos #Expected result: ClientHello extension seen; ServerHello extension seen 54 1.1 christos # Full handshake 55 1.1 christos 56 1.1 christos setrmextms(0, 0); 57 1.1 christos $proxy->clientflags("-no_tls1_3"); 58 1.1 christos $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; 59 1.1 christos my $numtests = 9; 60 1.1 christos $numtests++ if (!disabled("tls1_3")); 61 1.1 christos plan tests => $numtests; 62 1.1 christos checkmessages(1, "Default extended master secret test", 1, 1, 1); 63 1.1 christos 64 1.1 christos #Test 2: If client omits extended master secret extension, server should too. 65 1.1 christos #Expected result: ClientHello extension not seen; ServerHello extension not seen 66 1.1 christos # Full handshake 67 1.1 christos 68 1.1 christos clearall(); 69 1.1 christos setrmextms(1, 0); 70 1.1 christos $proxy->clientflags("-no_tls1_3"); 71 1.1 christos $proxy->start(); 72 1.1 christos checkmessages(2, "No client extension extended master secret test", 0, 0, 1); 73 1.1 christos 74 1.1 christos # Test 3: same as 1 but with session tickets disabled. 75 1.1 christos # Expected result: same as test 1. 76 1.1 christos 77 1.1 christos clearall(); 78 1.1 christos $proxy->clientflags("-no_ticket -no_tls1_3"); 79 1.1 christos setrmextms(0, 0); 80 1.1 christos $proxy->start(); 81 1.1 christos checkmessages(3, "No ticket extended master secret test", 1, 1, 1); 82 1.1 christos 83 1.1 christos # Test 4: same as 2 but with session tickets disabled. 84 1.1 christos # Expected result: same as test 2. 85 1.1 christos 86 1.1 christos clearall(); 87 1.1 christos $proxy->clientflags("-no_ticket -no_tls1_3"); 88 1.1 christos setrmextms(1, 0); 89 1.1 christos $proxy->start(); 90 1.1 christos checkmessages(4, "No ticket, no client extension extended master secret test", 0, 0, 1); 91 1.1 christos 92 1.1 christos #Test 5: Session resumption extended master secret test 93 1.1 christos # 94 1.1 christos #Expected result: ClientHello extension seen; ServerHello extension seen 95 1.1 christos # Abbreviated handshake 96 1.1 christos 97 1.1 christos clearall(); 98 1.1 christos setrmextms(0, 0); 99 1.1 christos (undef, my $session) = tempfile(); 100 1.1 christos $proxy->serverconnects(2); 101 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_out ".$session); 102 1.1 christos $proxy->start(); 103 1.1 christos $proxy->clearClient(); 104 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_in ".$session); 105 1.1 christos $proxy->clientstart(); 106 1.1 christos checkmessages(5, "Session resumption extended master secret test", 1, 1, 0); 107 1.1 christos unlink $session; 108 1.1 christos 109 1.1 christos #Test 6: Session resumption extended master secret test original session 110 1.1 christos # omits extension. Server must not resume session. 111 1.1 christos #Expected result: ClientHello extension seen; ServerHello extension seen 112 1.1 christos # Full handshake 113 1.1 christos 114 1.1 christos clearall(); 115 1.1 christos setrmextms(1, 0); 116 1.1 christos (undef, $session) = tempfile(); 117 1.1 christos $proxy->serverconnects(2); 118 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_out ".$session); 119 1.1 christos $proxy->start(); 120 1.1 christos $proxy->clearClient(); 121 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_in ".$session); 122 1.1 christos setrmextms(0, 0); 123 1.1 christos $proxy->clientstart(); 124 1.1 christos checkmessages(6, "Session resumption extended master secret test", 1, 1, 1); 125 1.1 christos unlink $session; 126 1.1 christos 127 1.1 christos #Test 7: Session resumption extended master secret test resumed session 128 1.1 christos # omits client extension. Server must abort connection. 129 1.1 christos #Expected result: aborted connection. 130 1.1 christos 131 1.1 christos clearall(); 132 1.1 christos setrmextms(0, 0); 133 1.1 christos (undef, $session) = tempfile(); 134 1.1 christos $proxy->serverconnects(2); 135 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_out ".$session); 136 1.1 christos $proxy->start(); 137 1.1 christos $proxy->clearClient(); 138 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_in ".$session); 139 1.1 christos setrmextms(1, 0); 140 1.1 christos $proxy->clientstart(); 141 1.1 christos ok(TLSProxy::Message->fail(), "Client inconsistent session resumption"); 142 1.1 christos unlink $session; 143 1.1 christos 144 1.1 christos #Test 8: Session resumption extended master secret test resumed session 145 1.1 christos # omits server extension. Client must abort connection. 146 1.1 christos #Expected result: aborted connection. 147 1.1 christos 148 1.1 christos clearall(); 149 1.1 christos setrmextms(0, 0); 150 1.1 christos (undef, $session) = tempfile(); 151 1.1 christos $proxy->serverconnects(2); 152 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_out ".$session); 153 1.1 christos $proxy->start(); 154 1.1 christos $proxy->clearClient(); 155 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_in ".$session); 156 1.1 christos setrmextms(0, 1); 157 1.1 christos $proxy->clientstart(); 158 1.1 christos ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1"); 159 1.1 christos unlink $session; 160 1.1 christos 161 1.1 christos #Test 9: Session resumption extended master secret test initial session 162 1.1 christos # omits server extension. Client must abort connection. 163 1.1 christos #Expected result: aborted connection. 164 1.1 christos 165 1.1 christos clearall(); 166 1.1 christos setrmextms(0, 1); 167 1.1 christos (undef, $session) = tempfile(); 168 1.1 christos $proxy->serverconnects(2); 169 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_out ".$session); 170 1.1 christos $proxy->start(); 171 1.1 christos $proxy->clearClient(); 172 1.1 christos $proxy->clientflags("-no_tls1_3 -sess_in ".$session); 173 1.1 christos setrmextms(0, 0); 174 1.1 christos $proxy->clientstart(); 175 1.1 christos ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2"); 176 1.1 christos unlink $session; 177 1.1 christos 178 1.1 christos #Test 10: In TLS1.3 we should not negotiate extended master secret 179 1.1 christos #Expected result: ClientHello extension seen; ServerHello extension not seen 180 1.1 christos # TLS1.3 handshake (will appear as abbreviated handshake 181 1.1 christos # because of no CKE message) 182 1.1 christos if (!disabled("tls1_3")) { 183 1.1 christos clearall(); 184 1.1 christos setrmextms(0, 0); 185 1.1 christos $proxy->start(); 186 1.1 christos checkmessages(10, "TLS1.3 extended master secret test", 1, 0, 0); 187 1.1 christos } 188 1.1 christos 189 1.1 christos 190 1.1 christos sub extms_filter 191 1.1 christos { 192 1.1 christos my $proxy = shift; 193 1.1 christos 194 1.1 christos foreach my $message (@{$proxy->message_list}) { 195 1.1 christos if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 196 1.1 christos $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET); 197 1.1 christos $message->repack(); 198 1.1 christos } 199 1.1 christos if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { 200 1.1 christos $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET); 201 1.1 christos $message->repack(); 202 1.1 christos } 203 1.1 christos } 204 1.1 christos } 205 1.1 christos 206 1.1 christos sub checkmessages($$$$$) 207 1.1 christos { 208 1.1 christos my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_; 209 1.1 christos 210 1.1 christos subtest $testname => sub { 211 1.1 christos 212 1.1 christos foreach my $message (@{$proxy->message_list}) { 213 1.1 christos if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO 214 1.1 christos || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { 215 1.1 christos #Get the extensions data 216 1.1 christos my %extensions = %{$message->extension_data}; 217 1.1 christos if (defined 218 1.1 christos $extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) { 219 1.1 christos if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 220 1.1 christos $cextms = 1; 221 1.1 christos } else { 222 1.1 christos $sextms = 1; 223 1.1 christos } 224 1.1 christos } 225 1.1 christos } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) { 226 1.1 christos #Must be doing a full handshake 227 1.1 christos $fullhand = 1; 228 1.1 christos } 229 1.1 christos } 230 1.1 christos 231 1.1 christos plan tests => 4; 232 1.1 christos 233 1.1 christos ok(TLSProxy::Message->success, "Handshake"); 234 1.1 christos 235 1.1 christos ok($testcextms == $cextms, 236 1.1 christos "ClientHello extension extended master secret check"); 237 1.1 christos ok($testsextms == $sextms, 238 1.1 christos "ServerHello extension extended master secret check"); 239 1.1 christos ok($testhand == $fullhand, 240 1.1 christos "Extended master secret full handshake check"); 241 1.1 christos 242 1.1 christos } 243 1.1 christos } 244 1.1 christos 245 1.1 christos sub setrmextms($$) 246 1.1 christos { 247 1.1 christos ($crmextms, $srmextms) = @_; 248 1.1 christos } 249 1.1 christos 250 1.1 christos sub clearall() 251 1.1 christos { 252 1.1 christos $cextms = 0; 253 1.1 christos $sextms = 0; 254 1.1 christos $fullhand = 0; 255 1.1 christos $proxy->clear(); 256 1.1 christos } 257
Indexes created Sun Mar 01 05:31:48 UTC 2026