1#! /usr/bin/env perl 2# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9use strict; 10use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; 11use OpenSSL::Test::Utils; 12use TLSProxy::Proxy; 13 14my $test_name = "test_sslsigalgs"; 15setup($test_name); 16 17plan skip_all => "TLSProxy isn't usable on $^O" 18 if $^O =~ /^(VMS)$/; 19 20plan skip_all => "$test_name needs the dynamic engine feature enabled" 21 if disabled("engine") || disabled("dynamic-engine"); 22 23plan skip_all => "$test_name needs the sock feature enabled" 24 if disabled("sock"); 25 26plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled" 27 if disabled("tls1_2") && disabled("tls1_3"); 28 29$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; 30my $proxy = TLSProxy::Proxy->new( 31 undef, 32 cmdstr(app(["openssl"]), display => 1), 33 srctop_file("apps", "server.pem"), 34 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) 35); 36 37use constant { 38 NO_SIG_ALGS_EXT => 0, 39 EMPTY_SIG_ALGS_EXT => 1, 40 NO_KNOWN_SIG_ALGS => 2, 41 NO_PSS_SIG_ALGS => 3, 42 PSS_ONLY_SIG_ALGS => 4, 43 PURE_SIGALGS => 5, 44 COMPAT_SIGALGS => 6, 45 SIGALGS_CERT_ALL => 7, 46 SIGALGS_CERT_PKCS => 8, 47 SIGALGS_CERT_INVALID => 9, 48 UNRECOGNIZED_SIGALGS_CERT => 10, 49 UNRECOGNIZED_SIGALG => 11 50}; 51 52#Note: Throughout this test we override the default ciphersuites where TLSv1.2 53# is expected to ensure that a ServerKeyExchange message is sent that uses 54# the sigalgs 55 56#Test 1: Default sig algs should succeed 57$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh"); 58$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; 59plan tests => 26; 60ok(TLSProxy::Message->success, "Default sigalgs"); 61my $testtype; 62 63SKIP: { 64 skip "TLSv1.3 disabled", 6 65 if disabled("tls1_3") || (disabled("ec") && disabled("dh")); 66 67 $proxy->filter(\&sigalgs_filter); 68 69 #Test 2: Sending no sig algs extension in TLSv1.3 should fail 70 $proxy->clear(); 71 $testtype = NO_SIG_ALGS_EXT; 72 $proxy->start(); 73 ok(TLSProxy::Message->fail, "No TLSv1.3 sigalgs"); 74 75 #Test 3: Sending an empty sig algs extension in TLSv1.3 should fail 76 $proxy->clear(); 77 $testtype = EMPTY_SIG_ALGS_EXT; 78 $proxy->start(); 79 ok(TLSProxy::Message->fail, "Empty TLSv1.3 sigalgs"); 80 81 #Test 4: Sending a list with no recognised sig algs in TLSv1.3 should fail 82 $proxy->clear(); 83 $testtype = NO_KNOWN_SIG_ALGS; 84 $proxy->start(); 85 ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs"); 86 87 #Test 5: Sending a sig algs list without pss for an RSA cert in TLSv1.3 88 # should fail 89 $proxy->clear(); 90 $testtype = NO_PSS_SIG_ALGS; 91 $proxy->start(); 92 ok(TLSProxy::Message->fail, "No PSS TLSv1.3 sigalgs"); 93 94 #Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed 95 #TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS only 96 #cert in this case? 97 $proxy->clear(); 98 $testtype = PSS_ONLY_SIG_ALGS; 99 $proxy->start(); 100 ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.3"); 101 102 #Test 7: Modify the CertificateVerify sigalg from rsa_pss_rsae_sha256 to 103 # rsa_pss_pss_sha256. This should fail because the public key OID 104 # in the certificate is rsaEncryption and not rsassaPss 105 $proxy->filter(\&modify_cert_verify_sigalg); 106 $proxy->clear(); 107 $proxy->start(); 108 ok(TLSProxy::Message->fail, 109 "Mismatch between CertVerify sigalg and public key OID"); 110} 111 112SKIP: { 113 skip "EC or TLSv1.3 disabled", 1 114 if disabled("tls1_3") || disabled("ec"); 115 #Test 8: Sending a valid sig algs list but not including a sig type that 116 # matches the certificate should fail in TLSv1.3. 117 $proxy->clear(); 118 $proxy->clientflags("-sigalgs ECDSA+SHA256"); 119 $proxy->filter(undef); 120 $proxy->start(); 121 ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs"); 122} 123 124SKIP: { 125 skip "EC, TLSv1.3 or TLSv1.2 disabled", 1 126 if disabled("tls1_2") || disabled("tls1_3") || disabled("ec"); 127 128 #Test 9: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2 129 # should succeed 130 $proxy->clear(); 131 $proxy->serverflags("-no_tls1_3"); 132 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 133 $proxy->filter(undef); 134 $proxy->start(); 135 ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server"); 136} 137 138SKIP: { 139 skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec"); 140 141 $proxy->filter(\&sigalgs_filter); 142 143 #Test 10: Sending no sig algs extension in TLSv1.2 will make it use 144 # SHA1, which is only supported at security level 0. 145 $proxy->clear(); 146 $testtype = NO_SIG_ALGS_EXT; 147 $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0"); 148 $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0"); 149 $proxy->start(); 150 ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0"); 151 152 #Test 11: Sending no sig algs extension in TLSv1.2 should fail at security 153 # level 1 since it will try to use SHA1. Testing client at level 0, 154 # server level 1. 155 $proxy->clear(); 156 $testtype = NO_SIG_ALGS_EXT; 157 $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0"); 158 $proxy->ciphers("DEFAULT:\@SECLEVEL=1"); 159 $proxy->start(); 160 ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1"); 161 162 #Test 12: Sending no sig algs extension in TLSv1.2 should fail at security 163 # level 1 since it will try to use SHA1. Testing client at level 1, 164 # server level 0. 165 $proxy->clear(); 166 $testtype = NO_SIG_ALGS_EXT; 167 $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1"); 168 $proxy->ciphers("DEFAULT:\@SECLEVEL=0"); 169 $proxy->start(); 170 ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2"); 171 172 #Test 13: Sending an empty sig algs extension in TLSv1.2 should fail 173 $proxy->clear(); 174 $testtype = EMPTY_SIG_ALGS_EXT; 175 $proxy->clientflags("-no_tls1_3"); 176 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 177 $proxy->start(); 178 ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs"); 179 180 #Test 14: Sending a list with no recognised sig algs in TLSv1.2 should fail 181 $proxy->clear(); 182 $testtype = NO_KNOWN_SIG_ALGS; 183 $proxy->clientflags("-no_tls1_3"); 184 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 185 $proxy->start(); 186 ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs"); 187 188 #Test 15: Sending a sig algs list without pss for an RSA cert in TLSv1.2 189 # should succeed 190 $proxy->clear(); 191 $testtype = NO_PSS_SIG_ALGS; 192 $proxy->clientflags("-no_tls1_3"); 193 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 194 $proxy->start(); 195 ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs"); 196 197 #Test 16: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed 198 $proxy->clear(); 199 $testtype = PSS_ONLY_SIG_ALGS; 200 $proxy->serverflags("-no_tls1_3"); 201 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 202 $proxy->start(); 203 ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2"); 204 205 #Test 17: Responding with a sig alg we did not send in TLSv1.2 should fail 206 # We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256 207 # TODO(TLS1.3): Add a similar test to the TLSv1.3 section above 208 # when we have an API capable of configuring the TLSv1.3 sig algs 209 $proxy->clear(); 210 $testtype = PSS_ONLY_SIG_ALGS; 211 $proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256"); 212 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 213 $proxy->start(); 214 ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2"); 215 216 #Test 18: Sending a valid sig algs list but not including a sig type that 217 # matches the certificate should fail in TLSv1.2 218 $proxy->clear(); 219 $proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256"); 220 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 221 $proxy->filter(undef); 222 $proxy->start(); 223 ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs"); 224 $proxy->filter(\&sigalgs_filter); 225 226 #Test 19: No sig algs extension, ECDSA cert, will use SHA1, 227 # TLSv1.2 should succeed at security level 0 228 $proxy->clear(); 229 $testtype = NO_SIG_ALGS_EXT; 230 $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0"); 231 $proxy->serverflags("-cert " . srctop_file("test", "certs", 232 "server-ecdsa-cert.pem") . 233 " -key " . srctop_file("test", "certs", 234 "server-ecdsa-key.pem")), 235 $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0"); 236 $proxy->start(); 237 ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA"); 238} 239 240my ($dsa_status, $sha1_status, $sha224_status); 241SKIP: { 242 skip "TLSv1.3 disabled", 2 243 if disabled("tls1_3") 244 || disabled("dsa") 245 || (disabled("ec") && disabled("dh")); 246 #Test 20: signature_algorithms with 1.3-only ClientHello 247 $testtype = PURE_SIGALGS; 248 $dsa_status = $sha1_status = $sha224_status = 0; 249 $proxy->clear(); 250 $proxy->clientflags("-tls1_3"); 251 $proxy->filter(\&modify_sigalgs_filter); 252 $proxy->start(); 253 ok($dsa_status && $sha1_status && $sha224_status, 254 "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello"); 255 256 #Test 21: signature_algorithms with backwards compatible ClientHello 257 SKIP: { 258 skip "TLSv1.2 disabled", 1 if disabled("tls1_2"); 259 $testtype = COMPAT_SIGALGS; 260 $dsa_status = $sha1_status = $sha224_status = 0; 261 $proxy->clear(); 262 $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0"); 263 $proxy->filter(\&modify_sigalgs_filter); 264 $proxy->start(); 265 ok($dsa_status && $sha1_status && $sha224_status, 266 "backwards compatible sigalg sent for compat ClientHello"); 267 } 268} 269 270SKIP: { 271 skip "TLSv1.3 disabled", 5 272 if disabled("tls1_3") || (disabled("ec") && disabled("dh")); 273 #Test 22: Insert signature_algorithms_cert that match normal sigalgs 274 $testtype = SIGALGS_CERT_ALL; 275 $proxy->clear(); 276 $proxy->filter(\&modify_sigalgs_cert_filter); 277 $proxy->start(); 278 ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3"); 279 280 #Test 23: Insert signature_algorithms_cert that forces PKCS#1 cert 281 $testtype = SIGALGS_CERT_PKCS; 282 $proxy->clear(); 283 $proxy->filter(\&modify_sigalgs_cert_filter); 284 $proxy->start(); 285 ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3 with PKCS#1 cert"); 286 287 #Test 24: Insert signature_algorithms_cert that fails 288 $testtype = SIGALGS_CERT_INVALID; 289 $proxy->clear(); 290 $proxy->filter(\&modify_sigalgs_cert_filter); 291 $proxy->start(); 292 ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); 293 294 #Test 25: Send an unrecognized signature_algorithms_cert 295 # We should be able to skip over the unrecognized value and use a 296 # valid one that appears later in the list. 297 $proxy->clear(); 298 $proxy->filter(\&inject_unrecognized_sigalg); 299 $proxy->clientflags("-tls1_3"); 300 # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is 301 # needed to trigger (e.g.) CVE-2020-1967 302 $proxy->serverflags("" . 303 " -xcert " . srctop_file("test", "certs", "servercert.pem") . 304 " -xkey " . srctop_file("test", "certs", "serverkey.pem") . 305 " -xchain " . srctop_file("test", "certs", "rootcert.pem")); 306 $testtype = UNRECOGNIZED_SIGALGS_CERT; 307 $proxy->start(); 308 ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); 309 310 #Test 26: Send an unrecognized signature_algorithms 311 # We should be able to skip over the unrecognized value and use a 312 # valid one that appears later in the list. 313 $proxy->clear(); 314 $proxy->filter(\&inject_unrecognized_sigalg); 315 $proxy->clientflags("-tls1_3"); 316 $proxy->serverflags("" . 317 " -xcert " . srctop_file("test", "certs", "servercert.pem") . 318 " -xkey " . srctop_file("test", "certs", "serverkey.pem") . 319 " -xchain " . srctop_file("test", "certs", "rootcert.pem")); 320 $testtype = UNRECOGNIZED_SIGALG; 321 $proxy->start(); 322 ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello"); 323} 324 325 326 327sub sigalgs_filter 328{ 329 my $proxy = shift; 330 331 # We're only interested in the initial ClientHello 332 if ($proxy->flight != 0) { 333 return; 334 } 335 336 foreach my $message (@{$proxy->message_list}) { 337 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 338 if ($testtype == NO_SIG_ALGS_EXT) { 339 $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS); 340 } else { 341 my $sigalg; 342 if ($testtype == EMPTY_SIG_ALGS_EXT) { 343 $sigalg = pack "C2", 0x00, 0x00; 344 } elsif ($testtype == NO_KNOWN_SIG_ALGS) { 345 $sigalg = pack "C4", 0x00, 0x02, 0xff, 0xff; 346 } elsif ($testtype == NO_PSS_SIG_ALGS) { 347 #No PSS sig algs - just send rsa_pkcs1_sha256 348 $sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01; 349 } else { 350 #PSS sig algs only - just send rsa_pss_rsae_sha256 351 $sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04; 352 } 353 $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg); 354 } 355 356 $message->repack(); 357 } 358 } 359} 360 361sub modify_sigalgs_filter 362{ 363 my $proxy = shift; 364 365 # We're only interested in the initial ClientHello 366 return if ($proxy->flight != 0); 367 368 foreach my $message (@{$proxy->message_list}) { 369 my $ext; 370 my @algs; 371 372 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 373 if ($testtype == PURE_SIGALGS) { 374 my $ok = 1; 375 $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS}; 376 @algs = unpack('S>*', $ext); 377 # unpack will unpack the length as well 378 shift @algs; 379 foreach (@algs) { 380 if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256 381 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384 382 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512 383 || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224 384 || $_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1 385 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1 386 || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) { 387 $ok = 0; 388 } 389 } 390 $sha1_status = $dsa_status = $sha224_status = 1 if ($ok); 391 } elsif ($testtype == COMPAT_SIGALGS) { 392 $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS}; 393 @algs = unpack('S>*', $ext); 394 # unpack will unpack the length as well 395 shift @algs; 396 foreach (@algs) { 397 if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256 398 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384 399 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512) { 400 $dsa_status = 1; 401 } 402 if ($_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1 403 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1 404 || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) { 405 $sha1_status = 1; 406 } 407 if ($_ == TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224 408 || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224 409 || $_ == TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224) { 410 $sha224_status = 1; 411 } 412 } 413 } 414 } 415 } 416} 417 418sub modify_sigalgs_cert_filter 419{ 420 my $proxy = shift; 421 422 # We're only interested in the initial ClientHello 423 if ($proxy->flight != 0) { 424 return; 425 } 426 427 foreach my $message (@{$proxy->message_list}) { 428 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 429 my $sigs; 430 # two byte length at front of sigs, then two-byte sigschemes 431 if ($testtype == SIGALGS_CERT_ALL) { 432 $sigs = pack "C26", 0x00, 0x18, 433 # rsa_pkcs_sha{256,512} rsa_pss_rsae_sha{256,512} 434 0x04, 0x01, 0x06, 0x01, 0x08, 0x04, 0x08, 0x06, 435 # ed25518 ed448 rsa_pss_pss_sha{256,512} 436 0x08, 0x07, 0x08, 0x08, 0x08, 0x09, 0x08, 0x0b, 437 # ecdsa_secp{256,512} rsa+sha1 ecdsa+sha1 438 0x04, 0x03, 0x06, 0x03, 0x02, 0x01, 0x02, 0x03; 439 } elsif ($testtype == SIGALGS_CERT_PKCS) { 440 $sigs = pack "C10", 0x00, 0x08, 441 # rsa_pkcs_sha{256,384,512,1} 442 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01; 443 } elsif ($testtype == SIGALGS_CERT_INVALID) { 444 $sigs = pack "C4", 0x00, 0x02, 445 # unregistered codepoint 446 0xb2, 0x6f; 447 } 448 $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs); 449 $message->repack(); 450 } 451 } 452} 453 454sub modify_cert_verify_sigalg 455{ 456 my $proxy = shift; 457 458 # We're only interested in the CertificateVerify 459 if ($proxy->flight != 1) { 460 return; 461 } 462 463 foreach my $message (@{$proxy->message_list}) { 464 if ($message->mt == TLSProxy::Message::MT_CERTIFICATE_VERIFY) { 465 $message->sigalg(TLSProxy::Message::SIG_ALG_RSA_PSS_PSS_SHA256); 466 $message->repack(); 467 } 468 } 469} 470 471sub inject_unrecognized_sigalg 472{ 473 my $proxy = shift; 474 my $type; 475 476 # We're only interested in the initial ClientHello 477 if ($proxy->flight != 0) { 478 return; 479 } 480 if ($testtype == UNRECOGNIZED_SIGALGS_CERT) { 481 $type = TLSProxy::Message::EXT_SIG_ALGS_CERT; 482 } elsif ($testtype == UNRECOGNIZED_SIGALG) { 483 $type = TLSProxy::Message::EXT_SIG_ALGS; 484 } else { 485 return; 486 } 487 488 my $ext = pack "C8", 489 0x00, 0x06, #Extension length 490 0xfe, 0x18, #private use 491 0x04, 0x01, #rsa_pkcs1_sha256 492 0x08, 0x04; #rsa_pss_rsae_sha256; 493 my $message = ${$proxy->message_list}[0]; 494 $message->set_extension($type, $ext); 495 $message->repack; 496} 497