1#! /usr/bin/env perl 2# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9use strict; 10use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; 11use OpenSSL::Test::Utils; 12use TLSProxy::Proxy; 13 14my $test_name = "test_sslsigalgs"; 15setup($test_name); 16 17plan skip_all => "TLSProxy isn't usable on $^O" 18 if $^O =~ /^(VMS)$/; 19 20plan skip_all => "$test_name needs the dynamic engine feature enabled" 21 if disabled("engine") || disabled("dynamic-engine"); 22 23plan skip_all => "$test_name needs the sock feature enabled" 24 if disabled("sock"); 25 26plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled" 27 if disabled("tls1_2") && disabled("tls1_3"); 28 29my $proxy = TLSProxy::Proxy->new( 30 undef, 31 cmdstr(app(["openssl"]), display => 1), 32 srctop_file("apps", "server.pem"), 33 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) 34); 35 36use constant { 37 NO_SIG_ALGS_EXT => 0, 38 EMPTY_SIG_ALGS_EXT => 1, 39 NO_KNOWN_SIG_ALGS => 2, 40 NO_PSS_SIG_ALGS => 3, 41 PSS_ONLY_SIG_ALGS => 4, 42 PURE_SIGALGS => 5, 43 COMPAT_SIGALGS => 6, 44 SIGALGS_CERT_ALL => 7, 45 SIGALGS_CERT_PKCS => 8, 46 SIGALGS_CERT_INVALID => 9, 47 UNRECOGNIZED_SIGALGS_CERT => 10, 48 UNRECOGNIZED_SIGALG => 11 49}; 50 51#Note: Throughout this test we override the default ciphersuites where TLSv1.2 52# is expected to ensure that a ServerKeyExchange message is sent that uses 53# the sigalgs 54 55#Test 1: Default sig algs should succeed 56$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh"); 57$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; 58plan tests => 26; 59ok(TLSProxy::Message->success, "Default sigalgs"); 60my $testtype; 61 62SKIP: { 63 skip "TLSv1.3 disabled", 6 64 if disabled("tls1_3") || (disabled("ec") && disabled("dh")); 65 66 $proxy->filter(\&sigalgs_filter); 67 68 #Test 2: Sending no sig algs extension in TLSv1.3 should fail 69 $proxy->clear(); 70 $testtype = NO_SIG_ALGS_EXT; 71 $proxy->start(); 72 ok(TLSProxy::Message->fail, "No TLSv1.3 sigalgs"); 73 74 #Test 3: Sending an empty sig algs extension in TLSv1.3 should fail 75 $proxy->clear(); 76 $testtype = EMPTY_SIG_ALGS_EXT; 77 $proxy->start(); 78 ok(TLSProxy::Message->fail, "Empty TLSv1.3 sigalgs"); 79 80 #Test 4: Sending a list with no recognised sig algs in TLSv1.3 should fail 81 $proxy->clear(); 82 $testtype = NO_KNOWN_SIG_ALGS; 83 $proxy->start(); 84 ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs"); 85 86 #Test 5: Sending a sig algs list without pss for an RSA cert in TLSv1.3 87 # should fail 88 $proxy->clear(); 89 $testtype = NO_PSS_SIG_ALGS; 90 $proxy->start(); 91 ok(TLSProxy::Message->fail, "No PSS TLSv1.3 sigalgs"); 92 93 #Test 6: Sending only TLSv1.3 PSS sig algs in TLSv1.3 should succeed 94 #TODO(TLS1.3): Do we need to verify the cert to make sure its a PSS only 95 #cert in this case? 96 $proxy->clear(); 97 $testtype = PSS_ONLY_SIG_ALGS; 98 $proxy->start(); 99 ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.3"); 100 101 #Test 7: Modify the CertificateVerify sigalg from rsa_pss_rsae_sha256 to 102 # rsa_pss_pss_sha256. This should fail because the public key OID 103 # in the certificate is rsaEncryption and not rsassaPss 104 $proxy->filter(\&modify_cert_verify_sigalg); 105 $proxy->clear(); 106 $proxy->start(); 107 ok(TLSProxy::Message->fail, 108 "Mismatch between CertVerify sigalg and public key OID"); 109} 110 111SKIP: { 112 skip "EC or TLSv1.3 disabled", 1 113 if disabled("tls1_3") || disabled("ec"); 114 #Test 8: Sending a valid sig algs list but not including a sig type that 115 # matches the certificate should fail in TLSv1.3. 116 $proxy->clear(); 117 $proxy->clientflags("-sigalgs ECDSA+SHA256"); 118 $proxy->filter(undef); 119 $proxy->start(); 120 ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs"); 121} 122 123SKIP: { 124 skip "EC, TLSv1.3 or TLSv1.2 disabled", 1 125 if disabled("tls1_2") || disabled("tls1_3") || disabled("ec"); 126 127 #Test 9: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2 128 # should succeed 129 $proxy->clear(); 130 $proxy->serverflags("-no_tls1_3"); 131 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 132 $proxy->filter(undef); 133 $proxy->start(); 134 ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server"); 135} 136 137SKIP: { 138 skip "EC or TLSv1.2 disabled", 10 if disabled("tls1_2") || disabled("ec"); 139 140 $proxy->filter(\&sigalgs_filter); 141 142 #Test 10: Sending no sig algs extension in TLSv1.2 will make it use 143 # SHA1, which is only supported at security level 0. 144 $proxy->clear(); 145 $testtype = NO_SIG_ALGS_EXT; 146 $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0"); 147 $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=0"); 148 $proxy->start(); 149 ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs seclevel 0"); 150 151 #Test 11: Sending no sig algs extension in TLSv1.2 should fail at security 152 # level 1 since it will try to use SHA1. Testing client at level 0, 153 # server level 1. 154 $proxy->clear(); 155 $testtype = NO_SIG_ALGS_EXT; 156 $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=0"); 157 $proxy->ciphers("DEFAULT:\@SECLEVEL=1"); 158 $proxy->start(); 159 ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs server seclevel 1"); 160 161 #Test 12: Sending no sig algs extension in TLSv1.2 should fail at security 162 # level 1 since it will try to use SHA1. Testing client at level 1, 163 # server level 0. 164 $proxy->clear(); 165 $testtype = NO_SIG_ALGS_EXT; 166 $proxy->clientflags("-tls1_2 -cipher DEFAULT:\@SECLEVEL=1"); 167 $proxy->ciphers("DEFAULT:\@SECLEVEL=0"); 168 $proxy->start(); 169 ok(TLSProxy::Message->fail, "No TLSv1.2 sigalgs client seclevel 2"); 170 171 #Test 13: Sending an empty sig algs extension in TLSv1.2 should fail 172 $proxy->clear(); 173 $testtype = EMPTY_SIG_ALGS_EXT; 174 $proxy->clientflags("-no_tls1_3"); 175 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 176 $proxy->start(); 177 ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs"); 178 179 #Test 14: Sending a list with no recognised sig algs in TLSv1.2 should fail 180 $proxy->clear(); 181 $testtype = NO_KNOWN_SIG_ALGS; 182 $proxy->clientflags("-no_tls1_3"); 183 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 184 $proxy->start(); 185 ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs"); 186 187 #Test 15: Sending a sig algs list without pss for an RSA cert in TLSv1.2 188 # should succeed 189 $proxy->clear(); 190 $testtype = NO_PSS_SIG_ALGS; 191 $proxy->clientflags("-no_tls1_3"); 192 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 193 $proxy->start(); 194 ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs"); 195 196 #Test 16: Sending only TLSv1.3 PSS sig algs in TLSv1.2 should succeed 197 $proxy->clear(); 198 $testtype = PSS_ONLY_SIG_ALGS; 199 $proxy->serverflags("-no_tls1_3"); 200 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 201 $proxy->start(); 202 ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2"); 203 204 #Test 17: Responding with a sig alg we did not send in TLSv1.2 should fail 205 # We send rsa_pkcs1_sha256 and respond with rsa_pss_rsae_sha256 206 # TODO(TLS1.3): Add a similar test to the TLSv1.3 section above 207 # when we have an API capable of configuring the TLSv1.3 sig algs 208 $proxy->clear(); 209 $testtype = PSS_ONLY_SIG_ALGS; 210 $proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256"); 211 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 212 $proxy->start(); 213 ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2"); 214 215 #Test 18: Sending a valid sig algs list but not including a sig type that 216 # matches the certificate should fail in TLSv1.2 217 $proxy->clear(); 218 $proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256"); 219 $proxy->ciphers("ECDHE-RSA-AES128-SHA"); 220 $proxy->filter(undef); 221 $proxy->start(); 222 ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs"); 223 $proxy->filter(\&sigalgs_filter); 224 225 #Test 19: No sig algs extension, ECDSA cert, will use SHA1, 226 # TLSv1.2 should succeed at security level 0 227 $proxy->clear(); 228 $testtype = NO_SIG_ALGS_EXT; 229 $proxy->clientflags("-no_tls1_3 -cipher DEFAULT:\@SECLEVEL=0"); 230 $proxy->serverflags("-cert " . srctop_file("test", "certs", 231 "server-ecdsa-cert.pem") . 232 " -key " . srctop_file("test", "certs", 233 "server-ecdsa-key.pem")), 234 $proxy->ciphers("ECDHE-ECDSA-AES128-SHA:\@SECLEVEL=0"); 235 $proxy->start(); 236 ok(TLSProxy::Message->success, "No TLSv1.2 sigalgs, ECDSA"); 237} 238 239my ($dsa_status, $sha1_status, $sha224_status); 240SKIP: { 241 skip "TLSv1.3 disabled", 2 242 if disabled("tls1_3") 243 || disabled("dsa") 244 || (disabled("ec") && disabled("dh")); 245 #Test 20: signature_algorithms with 1.3-only ClientHello 246 $testtype = PURE_SIGALGS; 247 $dsa_status = $sha1_status = $sha224_status = 0; 248 $proxy->clear(); 249 $proxy->clientflags("-tls1_3"); 250 $proxy->filter(\&modify_sigalgs_filter); 251 $proxy->start(); 252 ok($dsa_status && $sha1_status && $sha224_status, 253 "DSA and SHA1 sigalgs not sent for 1.3-only ClientHello"); 254 255 #Test 21: signature_algorithms with backwards compatible ClientHello 256 SKIP: { 257 skip "TLSv1.2 disabled", 1 if disabled("tls1_2"); 258 $testtype = COMPAT_SIGALGS; 259 $dsa_status = $sha1_status = $sha224_status = 0; 260 $proxy->clear(); 261 $proxy->clientflags("-cipher AES128-SHA\@SECLEVEL=0"); 262 $proxy->filter(\&modify_sigalgs_filter); 263 $proxy->start(); 264 ok($dsa_status && $sha1_status && $sha224_status, 265 "backwards compatible sigalg sent for compat ClientHello"); 266 } 267} 268 269SKIP: { 270 skip "TLSv1.3 disabled", 5 271 if disabled("tls1_3") || (disabled("ec") && disabled("dh")); 272 #Test 22: Insert signature_algorithms_cert that match normal sigalgs 273 $testtype = SIGALGS_CERT_ALL; 274 $proxy->clear(); 275 $proxy->filter(\&modify_sigalgs_cert_filter); 276 $proxy->start(); 277 ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3"); 278 279 #Test 23: Insert signature_algorithms_cert that forces PKCS#1 cert 280 $testtype = SIGALGS_CERT_PKCS; 281 $proxy->clear(); 282 $proxy->filter(\&modify_sigalgs_cert_filter); 283 $proxy->start(); 284 ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3 with PKCS#1 cert"); 285 286 #Test 24: Insert signature_algorithms_cert that fails 287 $testtype = SIGALGS_CERT_INVALID; 288 $proxy->clear(); 289 $proxy->filter(\&modify_sigalgs_cert_filter); 290 $proxy->start(); 291 ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); 292 293 #Test 25: Send an unrecognized signature_algorithms_cert 294 # We should be able to skip over the unrecognized value and use a 295 # valid one that appears later in the list. 296 $proxy->clear(); 297 $proxy->filter(\&inject_unrecognized_sigalg); 298 $proxy->clientflags("-tls1_3"); 299 # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is 300 # needed to trigger (e.g.) CVE-2020-1967 301 $proxy->serverflags("" . 302 " -xcert " . srctop_file("test", "certs", "servercert.pem") . 303 " -xkey " . srctop_file("test", "certs", "serverkey.pem") . 304 " -xchain " . srctop_file("test", "certs", "rootcert.pem")); 305 $testtype = UNRECOGNIZED_SIGALGS_CERT; 306 $proxy->start(); 307 ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); 308 309 #Test 26: Send an unrecognized signature_algorithms 310 # We should be able to skip over the unrecognized value and use a 311 # valid one that appears later in the list. 312 $proxy->clear(); 313 $proxy->filter(\&inject_unrecognized_sigalg); 314 $proxy->clientflags("-tls1_3"); 315 $proxy->serverflags("" . 316 " -xcert " . srctop_file("test", "certs", "servercert.pem") . 317 " -xkey " . srctop_file("test", "certs", "serverkey.pem") . 318 " -xchain " . srctop_file("test", "certs", "rootcert.pem")); 319 $testtype = UNRECOGNIZED_SIGALG; 320 $proxy->start(); 321 ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello"); 322} 323 324 325 326sub sigalgs_filter 327{ 328 my $proxy = shift; 329 330 # We're only interested in the initial ClientHello 331 if ($proxy->flight != 0) { 332 return; 333 } 334 335 foreach my $message (@{$proxy->message_list}) { 336 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 337 if ($testtype == NO_SIG_ALGS_EXT) { 338 $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS); 339 } else { 340 my $sigalg; 341 if ($testtype == EMPTY_SIG_ALGS_EXT) { 342 $sigalg = pack "C2", 0x00, 0x00; 343 } elsif ($testtype == NO_KNOWN_SIG_ALGS) { 344 $sigalg = pack "C4", 0x00, 0x02, 0xff, 0xff; 345 } elsif ($testtype == NO_PSS_SIG_ALGS) { 346 #No PSS sig algs - just send rsa_pkcs1_sha256 347 $sigalg = pack "C4", 0x00, 0x02, 0x04, 0x01; 348 } else { 349 #PSS sig algs only - just send rsa_pss_rsae_sha256 350 $sigalg = pack "C4", 0x00, 0x02, 0x08, 0x04; 351 } 352 $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS, $sigalg); 353 } 354 355 $message->repack(); 356 } 357 } 358} 359 360sub modify_sigalgs_filter 361{ 362 my $proxy = shift; 363 364 # We're only interested in the initial ClientHello 365 return if ($proxy->flight != 0); 366 367 foreach my $message (@{$proxy->message_list}) { 368 my $ext; 369 my @algs; 370 371 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 372 if ($testtype == PURE_SIGALGS) { 373 my $ok = 1; 374 $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS}; 375 @algs = unpack('S>*', $ext); 376 # unpack will unpack the length as well 377 shift @algs; 378 foreach (@algs) { 379 if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256 380 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384 381 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512 382 || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224 383 || $_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1 384 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1 385 || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) { 386 $ok = 0; 387 } 388 } 389 $sha1_status = $dsa_status = $sha224_status = 1 if ($ok); 390 } elsif ($testtype == COMPAT_SIGALGS) { 391 $ext = $message->extension_data->{TLSProxy::Message::EXT_SIG_ALGS}; 392 @algs = unpack('S>*', $ext); 393 # unpack will unpack the length as well 394 shift @algs; 395 foreach (@algs) { 396 if ($_ == TLSProxy::Message::SIG_ALG_DSA_SHA256 397 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA384 398 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA512) { 399 $dsa_status = 1; 400 } 401 if ($_ == TLSProxy::Message::SIG_ALG_RSA_PKCS1_SHA1 402 || $_ == TLSProxy::Message::SIG_ALG_DSA_SHA1 403 || $_ == TLSProxy::Message::SIG_ALG_ECDSA_SHA1) { 404 $sha1_status = 1; 405 } 406 if ($_ == TLSProxy::Message::OSSL_SIG_ALG_RSA_PKCS1_SHA224 407 || $_ == TLSProxy::Message::OSSL_SIG_ALG_DSA_SHA224 408 || $_ == TLSProxy::Message::OSSL_SIG_ALG_ECDSA_SHA224) { 409 $sha224_status = 1; 410 } 411 } 412 } 413 } 414 } 415} 416 417sub modify_sigalgs_cert_filter 418{ 419 my $proxy = shift; 420 421 # We're only interested in the initial ClientHello 422 if ($proxy->flight != 0) { 423 return; 424 } 425 426 foreach my $message (@{$proxy->message_list}) { 427 if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { 428 my $sigs; 429 # two byte length at front of sigs, then two-byte sigschemes 430 if ($testtype == SIGALGS_CERT_ALL) { 431 $sigs = pack "C26", 0x00, 0x18, 432 # rsa_pkcs_sha{256,512} rsa_pss_rsae_sha{256,512} 433 0x04, 0x01, 0x06, 0x01, 0x08, 0x04, 0x08, 0x06, 434 # ed25518 ed448 rsa_pss_pss_sha{256,512} 435 0x08, 0x07, 0x08, 0x08, 0x08, 0x09, 0x08, 0x0b, 436 # ecdsa_secp{256,512} rsa+sha1 ecdsa+sha1 437 0x04, 0x03, 0x06, 0x03, 0x02, 0x01, 0x02, 0x03; 438 } elsif ($testtype == SIGALGS_CERT_PKCS) { 439 $sigs = pack "C10", 0x00, 0x08, 440 # rsa_pkcs_sha{256,384,512,1} 441 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01; 442 } elsif ($testtype == SIGALGS_CERT_INVALID) { 443 $sigs = pack "C4", 0x00, 0x02, 444 # unregistered codepoint 445 0xb2, 0x6f; 446 } 447 $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs); 448 $message->repack(); 449 } 450 } 451} 452 453sub modify_cert_verify_sigalg 454{ 455 my $proxy = shift; 456 457 # We're only interested in the CertificateVerify 458 if ($proxy->flight != 1) { 459 return; 460 } 461 462 foreach my $message (@{$proxy->message_list}) { 463 if ($message->mt == TLSProxy::Message::MT_CERTIFICATE_VERIFY) { 464 $message->sigalg(TLSProxy::Message::SIG_ALG_RSA_PSS_PSS_SHA256); 465 $message->repack(); 466 } 467 } 468} 469 470sub inject_unrecognized_sigalg 471{ 472 my $proxy = shift; 473 my $type; 474 475 # We're only interested in the initial ClientHello 476 if ($proxy->flight != 0) { 477 return; 478 } 479 if ($testtype == UNRECOGNIZED_SIGALGS_CERT) { 480 $type = TLSProxy::Message::EXT_SIG_ALGS_CERT; 481 } elsif ($testtype == UNRECOGNIZED_SIGALG) { 482 $type = TLSProxy::Message::EXT_SIG_ALGS; 483 } else { 484 return; 485 } 486 487 my $ext = pack "C8", 488 0x00, 0x06, #Extension length 489 0xfe, 0x18, #private use 490 0x04, 0x01, #rsa_pkcs1_sha256 491 0x08, 0x04; #rsa_pss_rsae_sha256; 492 my $message = ${$proxy->message_list}[0]; 493 $message->set_extension($type, $ext); 494 $message->repack; 495} 496
