1#! /usr/bin/env perl 2# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9use strict; 10use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; 11use OpenSSL::Test::Utils; 12use TLSProxy::Proxy; 13 14my $test_name = "test_tls13hrr"; 15setup($test_name); 16 17plan skip_all => "TLSProxy isn't usable on $^O" 18 if $^O =~ /^(VMS)$/; 19 20plan skip_all => "$test_name needs the dynamic engine feature enabled" 21 if disabled("engine") || disabled("dynamic-engine"); 22 23plan skip_all => "$test_name needs the sock feature enabled" 24 if disabled("sock"); 25 26plan skip_all => "$test_name needs TLS1.3 enabled" 27 if disabled("tls1_3") || (disabled("ec") && disabled("dh")); 28 29$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; 30 31my $proxy = TLSProxy::Proxy->new( 32 undef, 33 cmdstr(app(["openssl"]), display => 1), 34 srctop_file("apps", "server.pem"), 35 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) 36); 37 38use constant { 39 CHANGE_HRR_CIPHERSUITE => 0, 40 CHANGE_CH1_CIPHERSUITE => 1, 41 DUPLICATE_HRR => 2, 42 INVALID_GROUP => 3 43}; 44 45#Test 1: A client should fail if the server changes the ciphersuite between the 46# HRR and the SH 47$proxy->filter(\&hrr_filter); 48if (disabled("ec")) { 49 $proxy->serverflags("-curves ffdhe3072"); 50} else { 51 $proxy->serverflags("-curves P-256"); 52} 53my $testtype = CHANGE_HRR_CIPHERSUITE; 54$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; 55plan tests => 4; 56ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); 57 58#Test 2: It is an error if the client changes the offered ciphersuites so that 59# we end up selecting a different ciphersuite between HRR and the SH 60$proxy->clear(); 61if (disabled("ec")) { 62 $proxy->serverflags("-curves ffdhe3072"); 63} else { 64 $proxy->serverflags("-curves P-256"); 65} 66$proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); 67$testtype = CHANGE_CH1_CIPHERSUITE; 68$proxy->start(); 69ok(TLSProxy::Message->fail(), "Client ciphersuite changes"); 70 71#Test 3: A client should fail with unexpected_message alert if the server 72# sends more than 1 HRR 73my $fatal_alert = 0; 74$proxy->clear(); 75if (disabled("ec")) { 76 $proxy->serverflags("-curves ffdhe3072"); 77} else { 78 $proxy->serverflags("-curves P-256"); 79} 80$testtype = DUPLICATE_HRR; 81$proxy->start(); 82ok($fatal_alert, "Server duplicated HRR"); 83 84#Test 4: If the client sends a group that is in the supported_groups list but 85# otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it 86# and not consider it when sending the HRR. We send brainpoolP512r1 in 87# the ClientHello, which is acceptable to the server but is not valid in 88# TLSv1.3. We expect the server to select X25519 in the HRR and the 89# handshake to complete successfully 90SKIP: { 91 skip "EC/TLSv1.2 is disabled in this build", 1 92 if disabled("ec") || disabled("tls1_2"); 93 94 $proxy->clear(); 95 $proxy->clientflags("-groups P-256:brainpoolP512r1:X25519"); 96 $proxy->serverflags("-groups brainpoolP512r1:X25519"); 97 $testtype = INVALID_GROUP; 98 $proxy->start(); 99 ok(TLSProxy::Message->success(), "Invalid group with HRR"); 100} 101 102sub hrr_filter 103{ 104 my $proxy = shift; 105 106 if ($testtype == CHANGE_HRR_CIPHERSUITE) { 107 # We're only interested in the HRR 108 if ($proxy->flight != 1) { 109 return; 110 } 111 112 my $hrr = ${$proxy->message_list}[1]; 113 114 # We will normally only ever select CIPHER_TLS13_AES_128_GCM_SHA256 115 # because that's what Proxy tells s_server to do. Setting as below means 116 # the ciphersuite will change will we get the ServerHello 117 $hrr->ciphersuite(TLSProxy::Message::CIPHER_TLS13_AES_256_GCM_SHA384); 118 $hrr->repack(); 119 return; 120 } 121 122 if ($testtype == DUPLICATE_HRR) { 123 # We're only interested in the HRR 124 # and the unexpected_message alert from client 125 if ($proxy->flight == 4) { 126 $fatal_alert = 1 127 if @{$proxy->record_list}[-1]->is_fatal_alert(0) == 10; 128 return; 129 } 130 if ($proxy->flight != 3) { 131 return; 132 } 133 134 # Find ServerHello record (HRR actually) and insert after that 135 my $i; 136 for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) { 137 next; 138 } 139 my $hrr_record = ${$proxy->record_list}[$i]; 140 my $dup_hrr = TLSProxy::Record->new(3, 141 $hrr_record->content_type(), 142 $hrr_record->version(), 143 $hrr_record->len(), 144 $hrr_record->sslv2(), 145 $hrr_record->len_real(), 146 $hrr_record->decrypt_len(), 147 $hrr_record->data(), 148 $hrr_record->decrypt_data()); 149 150 $i++; 151 splice @{$proxy->record_list}, $i, 0, $dup_hrr; 152 return; 153 } 154 155 if ($proxy->flight != 0) { 156 return; 157 } 158 159 my $ch1 = ${$proxy->message_list}[0]; 160 161 if ($testtype == CHANGE_CH1_CIPHERSUITE) { 162 # The server will always pick TLS_AES_256_GCM_SHA384 163 my @ciphersuites = (TLSProxy::Message::CIPHER_TLS13_AES_128_GCM_SHA256); 164 $ch1->ciphersuite_len(2 * scalar @ciphersuites); 165 $ch1->ciphersuites(\@ciphersuites); 166 } elsif ($testtype == INVALID_GROUP) { 167 # INVALID_GROUP 168 my $ext = pack "C7", 169 0x00, 0x05, #List Length 170 0x00, 0x1c, #brainpoolP512r1 (not compatible with TLSv1.3) 171 0x00, 0x01, 0xff; #key_exchange data 172 $ch1->set_extension( 173 TLSProxy::Message::EXT_KEY_SHARE, $ext); 174 } 175 $ch1->repack(); 176} 177