xref: /freebsd/crypto/openssl/test/recipes/70-test_sslsigalgs.t (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1#! /usr/bin/env perl
2# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9use strict;
10use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
11use OpenSSL::Test::Utils;
12use TLSProxy::Proxy;
13
14my $test_name = "test_sslsigalgs";
15setup($test_name);
16
17plan skip_all => "TLSProxy isn't usable on $^O"
18    if $^O =~ /^(VMS)$/;
19
20plan skip_all => "$test_name needs the dynamic engine feature enabled"
21    if disabled("engine") || disabled("dynamic-engine");
22
23plan skip_all => "$test_name needs the sock feature enabled"
24    if disabled("sock");
25
26plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled"
27    if disabled("tls1_2") && disabled("tls1_3");
28
29$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
30my $proxy = TLSProxy::Proxy->new(
31    undef,
32    cmdstr(app(["openssl"]), display => 1),
33    srctop_file("apps", "server.pem"),
34    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
35);
36
37use constant {
38    NO_SIG_ALGS_EXT => 0,
39    EMPTY_SIG_ALGS_EXT => 1,
40    NO_KNOWN_SIG_ALGS => 2,
41    NO_PSS_SIG_ALGS => 3,
42    PSS_ONLY_SIG_ALGS => 4,
43    PURE_SIGALGS => 5,
44    COMPAT_SIGALGS => 6,
45    SIGALGS_CERT_ALL => 7,
46    SIGALGS_CERT_PKCS => 8,
47    SIGALGS_CERT_INVALID => 9,
48    UNRECOGNIZED_SIGALGS_CERT => 10,
49    UNRECOGNIZED_SIGALG => 11
50};
51
52#Note: Throughout this test we override the default ciphersuites where TLSv1.2
53#      is expected to ensure that a ServerKeyExchange message is sent that uses
54#      the sigalgs
55
56#Test 1: Default sig algs should succeed
57$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
58$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
59plan tests => 26;
60ok(TLSProxy::Message->success, "Default sigalgs");
61my $testtype;
62
63SKIP: {
64    skip "TLSv1.3 disabled", 6
65        if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
66
67    $proxy->filter(\&sigalgs_filter);
68
69    #Test 2: Sending no sig algs extension in TLSv1.3 should fail
70    $proxy->clear();
71    $testtype = NO_SIG_ALGS_EXT;
72    $proxy->start();
73    ok(TLSProxy::Message->fail, "No TLSv1.3 sigalgs");
74
75    #Test 3: Sending an empty sig algs extension in TLSv1.3 should fail
76    $proxy->clear();
77    $testtype = EMPTY_SIG_ALGS_EXT;
78    $proxy->start();
79    ok(TLSProxy::Message->fail, "Empty TLSv1.3 sigalgs");
80
81    #Test 4: Sending a list with no recognised sig algs in TLSv1.3 should fail
82    $proxy->clear();
83    $testtype = NO_KNOWN_SIG_ALGS;
84    $proxy->start();
85    ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
86
87    #Test 5: Sending a sig algs list without pss for an RSA cert in TLSv1.3
88    #        should fail
89    $proxy->clear();
90    $testtype = NO_PSS_SIG_ALGS;
91    $proxy->start();
92    ok(TLSProxy::Message->fail, "No PSS TLSv1.3 sigalgs");
93
94    #Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed
95    #TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS only
96    #cert in this case?
97    $proxy->clear();
98    $testtype = PSS_ONLY_SIG_ALGS;
99    $proxy->start();
100    ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.3");
101
102    #Test 7: Modify the CertificateVerify sigalg from rsa_pss_rsae_sha256 to
103    #        rsa_pss_pss_sha256. This should fail because the public key OID
104    #        in the certificate is rsaEncryption and not rsassaPss
105    $proxy->filter(\&modify_cert_verify_sigalg);
106    $proxy->clear();
107    $proxy->start();
108    ok(TLSProxy::Message->fail,
109       "Mismatch between CertVerify sigalg and public key OID");
110}
111
112SKIP: {
113    skip "EC or TLSv1.3 disabled", 1
114        if disabled("tls1_3") || disabled("ec");
115    #Test 8: Sending a valid sig algs list but not including a sig type that
116    #        matches the certificate should fail in TLSv1.3.
117    $proxy->clear();
118    $proxy->clientflags("-sigalgs ECDSA+SHA256");
119    $proxy->filter(undef);
120    $proxy->start();
121    ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs");
122}
123
124SKIP: {
125    skip "EC, TLSv1.3 or TLSv1.2 disabled", 1
126        if disabled("tls1_2") || disabled("tls1_3") || disabled("ec");
127
128    #Test 9: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
129    #        should succeed
130    $proxy->clear();
131    $proxy->serverflags("-no_tls1_3");
132    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
133    $proxy->filter(undef);
134    $proxy->start();
135    ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server");
136}
137
138SKIP: {
139    skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec");
140
141    $proxy->filter(\&sigalgs_filter);
142
143    #Test 10: Sending no sig algs extension in TLSv1.2 will make it use
144    #         SHA1, which is only supported at security level 0.
145    $proxy->clear();
146    $testtype = NO_SIG_ALGS_EXT;
147    $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
148    $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0");
149    $proxy->start();
150    ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0");
151
152    #Test 11: Sending no sig algs extension in TLSv1.2 should fail at security
153    #         level 1 since it will try to use SHA1. Testing client at level 0,
154    #         server level 1.
155    $proxy->clear();
156    $testtype = NO_SIG_ALGS_EXT;
157    $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0");
158    $proxy->ciphers("DEFAULT:\@SECLEVEL=1");
159    $proxy->start();
160    ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1");
161
162    #Test 12: Sending no sig algs extension in TLSv1.2 should fail at security
163    #         level 1 since it will try to use SHA1. Testing client at level 1,
164    #         server level 0.
165    $proxy->clear();
166    $testtype = NO_SIG_ALGS_EXT;
167    $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1");
168    $proxy->ciphers("DEFAULT:\@SECLEVEL=0");
169    $proxy->start();
170    ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2");
171
172    #Test 13: Sending an empty sig algs extension in TLSv1.2 should fail
173    $proxy->clear();
174    $testtype = EMPTY_SIG_ALGS_EXT;
175    $proxy->clientflags("-no_tls1_3");
176    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
177    $proxy->start();
178    ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");
179
180    #Test 14: Sending a list with no recognised sig algs in TLSv1.2 should fail
181    $proxy->clear();
182    $testtype = NO_KNOWN_SIG_ALGS;
183    $proxy->clientflags("-no_tls1_3");
184    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
185    $proxy->start();
186    ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
187
188    #Test 15: Sending a sig algs list without pss for an RSA cert in TLSv1.2
189    #         should succeed
190    $proxy->clear();
191    $testtype = NO_PSS_SIG_ALGS;
192    $proxy->clientflags("-no_tls1_3");
193    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
194    $proxy->start();
195    ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");
196
197    #Test 16: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed
198    $proxy->clear();
199    $testtype = PSS_ONLY_SIG_ALGS;
200    $proxy->serverflags("-no_tls1_3");
201    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
202    $proxy->start();
203    ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
204
205    #Test 17: Responding with a sig alg we did not send in TLSv1.2 should fail
206    #         We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256
207    #         TODO(TLS1.3): Add a similar test to the TLSv1.3 section above
208    #         when we have an API capable of configuring the TLSv1.3 sig algs
209    $proxy->clear();
210    $testtype = PSS_ONLY_SIG_ALGS;
211    $proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256");
212    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
213    $proxy->start();
214    ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2");
215
216    #Test 18: Sending a valid sig algs list but not including a sig type that
217    #         matches the certificate should fail in TLSv1.2
218    $proxy->clear();
219    $proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
220    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
221    $proxy->filter(undef);
222    $proxy->start();
223    ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
224    $proxy->filter(\&sigalgs_filter);
225
226    #Test 19: No sig algs extension, ECDSA cert, will use SHA1,
227    #         TLSv1.2 should succeed at security level 0
228    $proxy->clear();
229    $testtype = NO_SIG_ALGS_EXT;
230    $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0");
231    $proxy->serverflags("-cert " . srctop_file("test", "certs",
232                                               "server-ecdsa-cert.pem") .
233                        " -key " . srctop_file("test", "certs",
234                                               "server-ecdsa-key.pem")),
235    $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0");
236    $proxy->start();
237    ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA");
238}
239
240my ($dsa_status, $sha1_status, $sha224_status);
241SKIP: {
242    skip "TLSv1.3 disabled", 2
243        if disabled("tls1_3")
244           || disabled("dsa")
245           || (disabled("ec") && disabled("dh"));
246    #Test 20: signature_algorithms with 1.3-only ClientHello
247    $testtype = PURE_SIGALGS;
248    $dsa_status = $sha1_status = $sha224_status = 0;
249    $proxy->clear();
250    $proxy->clientflags("-tls1_3");
251    $proxy->filter(\&modify_sigalgs_filter);
252    $proxy->start();
253    ok($dsa_status && $sha1_status && $sha224_status,
254       "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello");
255
256    #Test 21: signature_algorithms with backwards compatible ClientHello
257    SKIP: {
258        skip "TLSv1.2 disabled", 1 if disabled("tls1_2");
259        $testtype = COMPAT_SIGALGS;
260        $dsa_status = $sha1_status = $sha224_status = 0;
261        $proxy->clear();
262        $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0");
263        $proxy->filter(\&modify_sigalgs_filter);
264        $proxy->start();
265        ok($dsa_status && $sha1_status && $sha224_status,
266           "backwards compatible sigalg sent for compat ClientHello");
267   }
268}
269
270SKIP: {
271    skip "TLSv1.3 disabled", 5
272        if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
273    #Test 22: Insert signature_algorithms_cert that match normal sigalgs
274    $testtype = SIGALGS_CERT_ALL;
275    $proxy->clear();
276    $proxy->filter(\&modify_sigalgs_cert_filter);
277    $proxy->start();
278    ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3");
279
280    #Test 23: Insert signature_algorithms_cert that forces PKCS#1 cert
281    $testtype = SIGALGS_CERT_PKCS;
282    $proxy->clear();
283    $proxy->filter(\&modify_sigalgs_cert_filter);
284    $proxy->start();
285    ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3 with PKCS#1 cert");
286
287    #Test 24: Insert signature_algorithms_cert that fails
288    $testtype = SIGALGS_CERT_INVALID;
289    $proxy->clear();
290    $proxy->filter(\&modify_sigalgs_cert_filter);
291    $proxy->start();
292    ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
293
294    #Test 25: Send an unrecognized signature_algorithms_cert
295    #        We should be able to skip over the unrecognized value and use a
296    #        valid one that appears later in the list.
297    $proxy->clear();
298    $proxy->filter(\&inject_unrecognized_sigalg);
299    $proxy->clientflags("-tls1_3");
300    # Use -xcert to get SSL_check_chain() to run in the cert_cb.  This is
301    # needed to trigger (e.g.) CVE-2020-1967
302    $proxy->serverflags("" .
303            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
304            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
305            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
306    $testtype = UNRECOGNIZED_SIGALGS_CERT;
307    $proxy->start();
308    ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");
309
310    #Test 26: Send an unrecognized signature_algorithms
311    #        We should be able to skip over the unrecognized value and use a
312    #        valid one that appears later in the list.
313    $proxy->clear();
314    $proxy->filter(\&inject_unrecognized_sigalg);
315    $proxy->clientflags("-tls1_3");
316    $proxy->serverflags("" .
317            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
318            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
319            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
320    $testtype = UNRECOGNIZED_SIGALG;
321    $proxy->start();
322    ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
323}
324
325
326
327sub sigalgs_filter
328{
329    my $proxy = shift;
330
331    # We're only interested in the initial ClientHello
332    if ($proxy->flight != 0) {
333        return;
334    }
335
336    foreach my $message (@{$proxy->message_list}) {
337        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
338            if ($testtype == NO_SIG_ALGS_EXT) {
339                $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
340            } else {
341                my $sigalg;
342                if ($testtype == EMPTY_SIG_ALGS_EXT) {
343                    $sigalg = pack "C2", 0x00, 0x00;
344                } elsif ($testtype == NO_KNOWN_SIG_ALGS) {
345                    $sigalg = pack "C4", 0x00, 0x02, 0xff, 0xff;
346                } elsif ($testtype == NO_PSS_SIG_ALGS) {
347                    #No PSS sig algs - just send rsa_pkcs1_sha256
348                    $sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01;
349                } else {
350                    #PSS sig algs only - just send rsa_pss_rsae_sha256
351                    $sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04;
352                }
353                $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg);
354            }
355
356            $message->repack();
357        }
358    }
359}
360
361sub modify_sigalgs_filter
362{
363    my $proxy = shift;
364
365    # We're only interested in the initial ClientHello
366    return if ($proxy->flight != 0);
367
368    foreach my $message (@{$proxy->message_list}) {
369        my $ext;
370        my @algs;
371
372        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
373            if ($testtype == PURE_SIGALGS) {
374                my $ok = 1;
375                $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
376                @algs = unpack('S>*', $ext);
377                # unpack will unpack the length as well
378                shift @algs;
379                foreach (@algs) {
380                    if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
381                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
382                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512
383                        || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
384                        || $_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
385                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
386                        || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
387                        $ok = 0;
388                    }
389                }
390                $sha1_status = $dsa_status = $sha224_status = 1 if ($ok);
391            } elsif ($testtype == COMPAT_SIGALGS) {
392                $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS};
393                @algs = unpack('S>*', $ext);
394                # unpack will unpack the length as well
395                shift @algs;
396                foreach (@algs) {
397                    if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256
398                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384
399                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512) {
400                        $dsa_status = 1;
401                    }
402                    if ($_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1
403                        || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1
404                        || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) {
405                        $sha1_status = 1;
406                    }
407                    if ($_ == TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224
408                        || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224
409                        || $_ == TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224) {
410                        $sha224_status = 1;
411                    }
412                }
413            }
414        }
415    }
416}
417
418sub modify_sigalgs_cert_filter
419{
420    my $proxy = shift;
421
422    # We're only interested in the initial ClientHello
423    if ($proxy->flight != 0) {
424        return;
425    }
426
427    foreach my $message (@{$proxy->message_list}) {
428        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
429            my $sigs;
430            # two byte length at front of sigs, then two-byte sigschemes
431            if ($testtype == SIGALGS_CERT_ALL) {
432                $sigs = pack "C26", 0x00, 0x18,
433                             # rsa_pkcs_sha{256,512}  rsa_pss_rsae_sha{256,512}
434                             0x04, 0x01,  0x06, 0x01,  0x08, 0x04,  0x08, 0x06,
435                             # ed25518    ed448        rsa_pss_pss_sha{256,512}
436                             0x08, 0x07,  0x08, 0x08,  0x08, 0x09,  0x08, 0x0b,
437                             # ecdsa_secp{256,512}     rsa+sha1     ecdsa+sha1
438                             0x04, 0x03,  0x06, 0x03,  0x02, 0x01,  0x02, 0x03;
439            } elsif ($testtype == SIGALGS_CERT_PKCS) {
440                $sigs = pack "C10", 0x00, 0x08,
441                             # rsa_pkcs_sha{256,384,512,1}
442                             0x04, 0x01,  0x05, 0x01,  0x06, 0x01,  0x02, 0x01;
443            } elsif ($testtype == SIGALGS_CERT_INVALID) {
444                $sigs = pack "C4", 0x00, 0x02,
445                             # unregistered codepoint
446                             0xb2, 0x6f;
447            }
448            $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
449            $message->repack();
450        }
451    }
452}
453
454sub modify_cert_verify_sigalg
455{
456    my $proxy = shift;
457
458    # We're only interested in the CertificateVerify
459    if ($proxy->flight != 1) {
460        return;
461    }
462
463    foreach my $message (@{$proxy->message_list}) {
464        if ($message->mt == TLSProxy::Message::MT_CERTIFICATE_VERIFY) {
465            $message->sigalg(TLSProxy::Message::SIG_ALG_RSA_PSS_PSS_SHA256);
466            $message->repack();
467        }
468    }
469}
470
471sub inject_unrecognized_sigalg
472{
473    my $proxy = shift;
474    my $type;
475
476    # We're only interested in the initial ClientHello
477    if ($proxy->flight != 0) {
478        return;
479    }
480    if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
481        $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
482    } elsif ($testtype == UNRECOGNIZED_SIGALG) {
483        $type = TLSProxy::Message::EXT_SIG_ALGS;
484    } else {
485        return;
486    }
487
488    my $ext = pack "C8",
489        0x00, 0x06, #Extension length
490        0xfe, 0x18, #private use
491        0x04, 0x01, #rsa_pkcs1_sha256
492        0x08, 0x04; #rsa_pss_rsae_sha256;
493    my $message = ${$proxy->message_list}[0];
494    $message->set_extension($type, $ext);
495    $message->repack;
496}
497