Add TLSProxy tests for signature_algorithms_cert

We don't need to send this extension in normal operation since
we are our own X.509 library, but add some test cases that force
the extension to be sent and exercise our code to process the extension.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)

diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 7d4a0516bef98b3d321bc545665b27a353e001e9..d1ed6ec7f4458b7add7f4405276c5aa7d64c1406 100644 (file)
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -41,7 +41,10 @@ use constant {
     NO_PSS_SIG_ALGS => 3,
     PSS_ONLY_SIG_ALGS => 4,
     PURE_SIGALGS => 5,
-    COMPAT_SIGALGS => 6
+    COMPAT_SIGALGS => 6,
+    SIGALGS_CERT_ALL => 7,
+    SIGALGS_CERT_PKCS => 8,
+    SIGALGS_CERT_INVALID => 9
 };
 
 #Note: Throughout this test we override the default ciphersuites where TLSv1.2
@@ -50,7 +53,7 @@ use constant {
 
 #Test 1: Default sig algs should succeed
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 18;
+plan tests => 21;
 ok(TLSProxy::Message->success, "Default sigalgs");
 my $testtype;
 
@@ -222,6 +225,30 @@ SKIP: {
        "DSA sigalg not sent for compat ClientHello");
 }
 
+SKIP: {
+    skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
+    #Test 19: Insert signature_algorithms_cert that match normal sigalgs
+    $testtype = SIGALGS_CERT_ALL;
+    $proxy->clear();
+    $proxy->filter(\&modify_sigalgs_cert_filter);
+    $proxy->start();
+    ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3");
+
+    #Test 19: Insert signature_algorithms_cert that forces PKCS#1 cert
+    $testtype = SIGALGS_CERT_PKCS;
+    $proxy->clear();
+    $proxy->filter(\&modify_sigalgs_cert_filter);
+    $proxy->start();
+    ok(TLSProxy::Message->success, "sigalgs_cert in TLSv1.3 with PKCS#1 cert");
+
+    #Test 19: Insert signature_algorithms_cert that fails
+    $testtype = SIGALGS_CERT_INVALID;
+    $proxy->clear();
+    $proxy->filter(\&modify_sigalgs_cert_filter);
+    $proxy->start();
+    ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
+}
+
 
 
 sub sigalgs_filter
@@ -314,3 +341,39 @@ sub modify_sigalgs_filter
         }
     }
 }
+
+sub modify_sigalgs_cert_filter
+{
+    my $proxy = shift;
+
+    # We're only interested in the initial ClientHello
+    if ($proxy->flight != 0) {
+        return;
+    }
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+            my $sigs;
+            # two byte length at front of sigs, then two-byte sigschemes
+            if ($testtype == SIGALGS_CERT_ALL) {
+                $sigs = pack "C26", 0x00, 0x18,
+                             # rsa_pkcs_sha{256,512}  rsa_pss_rsae_sha{256,512}
+                             0x04, 0x01,  0x06, 0x01,  0x08, 0x04,  0x08, 0x06,
+                             # ed25518    ed448        rsa_pss_pss_sha{256,512}
+                             0x08, 0x07,  0x08, 0x08,  0x08, 0x09,  0x08, 0x0b,
+                             # ecdsa_secp{256,512}     rsa+sha1     ecdsa+sha1
+                             0x04, 0x03,  0x06, 0x03,  0x02, 0x01,  0x02, 0x03;
+            } elsif ($testtype == SIGALGS_CERT_PKCS) {
+                $sigs = pack "C10", 0x00, 0x08,
+                             # rsa_pkcs_sha{256,384,512,1}
+                             0x04, 0x01,  0x05, 0x01,  0x06, 0x01,  0x02, 0x01;
+            } elsif ($testtype == SIGALGS_CERT_INVALID) {
+                $sigs = pack "C4", 0x00, 0x02,
+                             # unregistered codepoint
+                             0xb2, 0x6f;
+            }
+            $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
+            $message->repack();
+        }
+    }
+}

diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index d55486de8c887fb8fc860e0a515b1a42256133e2..eea272f653e793ac724b09b1c510ed5def987448 100644 (file)
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -79,6 +79,7 @@ use constant {
     EXT_SUPPORTED_VERSIONS => 43,
     EXT_COOKIE => 44,
     EXT_PSK_KEX_MODES => 45,
+    EXT_SIG_ALGS_CERT => 50,
     EXT_RENEGOTIATE => 65281,
     EXT_NPN => 13172,
     # This extension is an unofficial extension only ever written by OpenSSL