2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
16 my $test_name = "test_sslmessages";
19 plan skip_all => "TLSProxy isn't usable on $^O"
20 if $^O =~ /^(VMS|MSWin32)$/;
22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
23 if disabled("engine") || disabled("dynamic-engine");
25 plan skip_all => "$test_name needs the sock feature enabled"
28 plan skip_all => "$test_name needs TLS enabled"
29 if alldisabled(available_protocols("tls"));
31 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
32 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
34 my $proxy = TLSProxy::Proxy->new(
36 cmdstr(app(["openssl"]), display => 1),
37 srctop_file("apps", "server.pem"),
38 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
42 [TLSProxy::Message::MT_CLIENT_HELLO,
43 checkhandshake::ALL_HANDSHAKES],
44 [TLSProxy::Message::MT_SERVER_HELLO,
45 checkhandshake::ALL_HANDSHAKES],
46 [TLSProxy::Message::MT_CERTIFICATE,
47 checkhandshake::ALL_HANDSHAKES
48 & ~checkhandshake::RESUME_HANDSHAKE],
49 (disabled("ec") ? () :
50 [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
51 checkhandshake::EC_HANDSHAKE]),
52 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
53 checkhandshake::OCSP_HANDSHAKE],
54 #ServerKeyExchange handshakes not currently supported by TLSProxy
55 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
56 checkhandshake::CLIENT_AUTH_HANDSHAKE],
57 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
58 checkhandshake::ALL_HANDSHAKES
59 & ~checkhandshake::RESUME_HANDSHAKE],
60 [TLSProxy::Message::MT_CERTIFICATE,
61 checkhandshake::CLIENT_AUTH_HANDSHAKE],
62 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
63 checkhandshake::ALL_HANDSHAKES
64 & ~checkhandshake::RESUME_HANDSHAKE],
65 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
66 checkhandshake::CLIENT_AUTH_HANDSHAKE],
67 [TLSProxy::Message::MT_NEXT_PROTO,
68 checkhandshake::NPN_HANDSHAKE],
69 [TLSProxy::Message::MT_FINISHED,
70 checkhandshake::ALL_HANDSHAKES],
71 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
72 checkhandshake::ALL_HANDSHAKES
73 & ~checkhandshake::RESUME_HANDSHAKE],
74 [TLSProxy::Message::MT_FINISHED,
75 checkhandshake::ALL_HANDSHAKES],
76 [TLSProxy::Message::MT_CLIENT_HELLO,
77 checkhandshake::RENEG_HANDSHAKE],
78 [TLSProxy::Message::MT_SERVER_HELLO,
79 checkhandshake::RENEG_HANDSHAKE],
80 [TLSProxy::Message::MT_CERTIFICATE,
81 checkhandshake::RENEG_HANDSHAKE],
82 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
83 checkhandshake::RENEG_HANDSHAKE],
84 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
85 checkhandshake::RENEG_HANDSHAKE],
86 [TLSProxy::Message::MT_FINISHED,
87 checkhandshake::RENEG_HANDSHAKE],
88 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
89 checkhandshake::RENEG_HANDSHAKE],
90 [TLSProxy::Message::MT_FINISHED,
91 checkhandshake::RENEG_HANDSHAKE],
96 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
97 checkhandshake::SERVER_NAME_CLI_EXTENSION],
98 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
99 checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
100 (disabled("ec") ? () :
101 [TLSProxy::Message::MT_CLIENT_HELLO,
102 TLSProxy::Message::EXT_SUPPORTED_GROUPS,
103 checkhandshake::DEFAULT_EXTENSIONS]),
104 (disabled("ec") ? () :
105 [TLSProxy::Message::MT_CLIENT_HELLO,
106 TLSProxy::Message::EXT_EC_POINT_FORMATS,
107 checkhandshake::DEFAULT_EXTENSIONS]),
108 (disabled("tls1_2") ? () :
109 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
110 checkhandshake::DEFAULT_EXTENSIONS]),
111 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
112 checkhandshake::ALPN_CLI_EXTENSION],
113 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
114 checkhandshake::SCT_CLI_EXTENSION],
115 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
116 checkhandshake::DEFAULT_EXTENSIONS],
117 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
118 checkhandshake::DEFAULT_EXTENSIONS],
119 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
120 checkhandshake::DEFAULT_EXTENSIONS],
121 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
122 checkhandshake::RENEGOTIATE_CLI_EXTENSION],
123 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
124 checkhandshake::NPN_CLI_EXTENSION],
125 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
126 checkhandshake::SRP_CLI_EXTENSION],
128 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
129 checkhandshake::DEFAULT_EXTENSIONS],
130 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
131 checkhandshake::DEFAULT_EXTENSIONS],
132 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
133 checkhandshake::DEFAULT_EXTENSIONS],
134 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
135 checkhandshake::SESSION_TICKET_SRV_EXTENSION],
136 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
137 checkhandshake::SERVER_NAME_SRV_EXTENSION],
138 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
139 checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
140 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
141 checkhandshake::ALPN_SRV_EXTENSION],
142 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
143 checkhandshake::SCT_SRV_EXTENSION],
144 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
145 checkhandshake::NPN_SRV_EXTENSION],
146 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
147 checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
151 #Test 1: Check we get all the right messages for a default handshake
152 (undef, my $session) = tempfile();
153 $proxy->serverconnects(2);
154 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
155 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
157 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
158 checkhandshake::DEFAULT_EXTENSIONS,
159 "Default handshake test");
161 #Test 2: Resumption handshake
162 $proxy->clearClient();
163 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
164 $proxy->clientstart();
165 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
166 checkhandshake::DEFAULT_EXTENSIONS
167 & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION
168 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
169 "Resumption handshake test");
173 skip "No OCSP support in this OpenSSL build", 3
176 #Test 3: A status_request handshake (client request only)
178 $proxy->clientflags("-no_tls1_3 -status");
180 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
181 checkhandshake::DEFAULT_EXTENSIONS
182 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
183 "status_request handshake test (client)");
185 #Test 4: A status_request handshake (server support only)
187 $proxy->clientflags("-no_tls1_3");
188 $proxy->serverflags("-status_file "
189 .srctop_file("test", "recipes", "ocsp-response.der"));
191 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
192 checkhandshake::DEFAULT_EXTENSIONS,
193 "status_request handshake test (server)");
195 #Test 5: A status_request handshake (client and server)
197 $proxy->clientflags("-no_tls1_3 -status");
198 $proxy->serverflags("-status_file "
199 .srctop_file("test", "recipes", "ocsp-response.der"));
201 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
202 checkhandshake::DEFAULT_EXTENSIONS
203 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
204 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
205 "status_request handshake test");
208 #Test 6: A client auth handshake
210 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
211 $proxy->serverflags("-Verify 5");
213 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
214 checkhandshake::DEFAULT_EXTENSIONS,
215 "Client auth handshake test");
217 #Test 7: A handshake with a renegotiation
219 $proxy->clientflags("-no_tls1_3");
222 checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
223 checkhandshake::DEFAULT_EXTENSIONS,
224 "Renegotiation handshake test");
226 #Test 8: Server name handshake (no client request)
228 $proxy->clientflags("-no_tls1_3 -noservername");
230 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
231 checkhandshake::DEFAULT_EXTENSIONS
232 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
233 "Server name handshake test (client)");
235 #Test 9: Server name handshake (server support only)
237 $proxy->clientflags("-no_tls1_3 -noservername");
238 $proxy->serverflags("-servername testhost");
240 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
241 checkhandshake::DEFAULT_EXTENSIONS
242 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
243 "Server name handshake test (server)");
245 #Test 10: Server name handshake (client and server)
247 $proxy->clientflags("-no_tls1_3 -servername testhost");
248 $proxy->serverflags("-servername testhost");
250 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
251 checkhandshake::DEFAULT_EXTENSIONS
252 | checkhandshake::SERVER_NAME_SRV_EXTENSION,
253 "Server name handshake test");
255 #Test 11: ALPN handshake (client request only)
257 $proxy->clientflags("-no_tls1_3 -alpn test");
259 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
260 checkhandshake::DEFAULT_EXTENSIONS
261 | checkhandshake::ALPN_CLI_EXTENSION,
262 "ALPN handshake test (client)");
264 #Test 12: ALPN handshake (server support only)
266 $proxy->clientflags("-no_tls1_3");
267 $proxy->serverflags("-alpn test");
269 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
270 checkhandshake::DEFAULT_EXTENSIONS,
271 "ALPN handshake test (server)");
273 #Test 13: ALPN handshake (client and server)
275 $proxy->clientflags("-no_tls1_3 -alpn test");
276 $proxy->serverflags("-alpn test");
278 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
279 checkhandshake::DEFAULT_EXTENSIONS
280 | checkhandshake::ALPN_CLI_EXTENSION
281 | checkhandshake::ALPN_SRV_EXTENSION,
282 "ALPN handshake test");
285 skip "No CT, EC or OCSP support in this OpenSSL build", 1
286 if disabled("ct") || disabled("ec") || disabled("ocsp");
288 #Test 14: SCT handshake (client request only)
290 #Note: -ct also sends status_request
291 $proxy->clientflags("-no_tls1_3 -ct");
292 $proxy->serverflags("-status_file "
293 .srctop_file("test", "recipes", "ocsp-response.der"));
295 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
296 checkhandshake::DEFAULT_EXTENSIONS
297 | checkhandshake::SCT_CLI_EXTENSION
298 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
299 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
300 "SCT handshake test (client)");
304 skip "No OCSP support in this OpenSSL build", 1
307 #Test 15: SCT handshake (server support only)
309 #Note: -ct also sends status_request
310 $proxy->clientflags("-no_tls1_3");
311 $proxy->serverflags("-status_file "
312 .srctop_file("test", "recipes", "ocsp-response.der"));
314 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
315 checkhandshake::DEFAULT_EXTENSIONS,
316 "SCT handshake test (server)");
320 skip "No CT, EC or OCSP support in this OpenSSL build", 1
321 if disabled("ct") || disabled("ec") || disabled("ocsp");
323 #Test 16: SCT handshake (client and server)
324 #There is no built-in server side support for this so we are actually also
325 #testing custom extensions here
327 #Note: -ct also sends status_request
328 $proxy->clientflags("-no_tls1_3 -ct");
329 $proxy->serverflags("-status_file "
330 .srctop_file("test", "recipes", "ocsp-response.der")
331 ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
333 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
334 checkhandshake::DEFAULT_EXTENSIONS
335 | checkhandshake::SCT_CLI_EXTENSION
336 | checkhandshake::SCT_SRV_EXTENSION
337 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
338 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
339 "SCT handshake test");
344 skip "No NPN support in this OpenSSL build", 3
345 if disabled("nextprotoneg");
347 #Test 17: NPN handshake (client request only)
349 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
351 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
352 checkhandshake::DEFAULT_EXTENSIONS
353 | checkhandshake::NPN_CLI_EXTENSION,
354 "NPN handshake test (client)");
356 #Test 18: NPN handshake (server support only)
358 $proxy->clientflags("-no_tls1_3");
359 $proxy->serverflags("-nextprotoneg test");
361 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
362 checkhandshake::DEFAULT_EXTENSIONS,
363 "NPN handshake test (server)");
365 #Test 19: NPN handshake (client and server)
367 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
368 $proxy->serverflags("-nextprotoneg test");
370 checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
371 checkhandshake::DEFAULT_EXTENSIONS
372 | checkhandshake::NPN_CLI_EXTENSION
373 | checkhandshake::NPN_SRV_EXTENSION,
374 "NPN handshake test");
378 skip "No SRP support in this OpenSSL build", 1
381 #Test 20: SRP extension
382 #Note: We are not actually going to perform an SRP handshake (TLSProxy
383 #does not support it). However it is sufficient for us to check that the
384 #SRP extension gets added on the client side. There is no SRP extension
385 #generated on the server side anyway.
387 $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
389 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
390 checkhandshake::DEFAULT_EXTENSIONS
391 | checkhandshake::SRP_CLI_EXTENSION,
392 "SRP extension test");
395 #Test 21: EC handshake
397 skip "No EC support in this OpenSSL build", 1 if disabled("ec");
399 $proxy->clientflags("-no_tls1_3");
400 $proxy->serverflags("-no_tls1_3");
401 $proxy->ciphers("ECDHE-RSA-AES128-SHA");
403 checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
404 checkhandshake::DEFAULT_EXTENSIONS
405 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
406 "EC handshake test");