2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
17 # This block needs to run before 'use lib srctop_dir' directives.
19 $test_name = "test_sslmessages";
20 OpenSSL::Test::setup($test_name);
23 use lib srctop_dir("test", "recipes");
25 use recipes::checkhandshake qw(checkhandshake @handmessages @extensions);
# TLSProxy spawns real client/server processes and relies on the dynamic
# engine feature; bail out early on platforms/builds where that cannot work.
if ($^O =~ m{\A(?:VMS|MSWin32)\z}) {
    plan skip_all => "TLSProxy isn't usable on $^O";
}
if (disabled("engine") or disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}
33 plan skip_all => "$test_name needs the sock feature enabled"
# Nothing to exercise if every TLS protocol version is compiled out.
if (alldisabled(available_protocols("tls"))) {
    plan skip_all => "$test_name needs TLS enabled";
}

# Environment inherited by the processes the proxy starts:
#  - OPENSSL_ia32cap clears capability bits 33 and 57, which OPENSSL_ia32cap(3)
#    documents as PCLMULQDQ and AES-NI, so those code paths are not used here.
#    NOTE(review): the reason this recipe needs that is not stated — confirm.
#  - CTLOG_FILE names the test CT log list, presumably read by the "-ct"
#    client runs further down (Tests 14 and 16).
@ENV{qw(OPENSSL_ia32cap CTLOG_FILE)} = (
    '~0x200000200000000',
    srctop_file("test", "ct", "log_list.conf"),
);
42 my $proxy = TLSProxy::Proxy->new(
44 cmdstr(app(["openssl"]), display => 1),
45 srctop_file("apps", "server.pem"),
46 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
50 [TLSProxy::Message::MT_CLIENT_HELLO,
51 recipes::checkhandshake::ALL_HANDSHAKES],
52 [TLSProxy::Message::MT_SERVER_HELLO,
53 recipes::checkhandshake::ALL_HANDSHAKES],
54 [TLSProxy::Message::MT_CERTIFICATE,
55 recipes::checkhandshake::ALL_HANDSHAKES
56 & ~recipes::checkhandshake::RESUME_HANDSHAKE],
57 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
58 recipes::checkhandshake::OCSP_HANDSHAKE],
59 #ServerKeyExchange handshakes not currently supported by TLSProxy
60 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
61 recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
62 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
63 recipes::checkhandshake::ALL_HANDSHAKES
64 & ~recipes::checkhandshake::RESUME_HANDSHAKE],
65 [TLSProxy::Message::MT_CERTIFICATE,
66 recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
67 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
68 recipes::checkhandshake::ALL_HANDSHAKES
69 & ~recipes::checkhandshake::RESUME_HANDSHAKE],
70 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
71 recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
72 [TLSProxy::Message::MT_NEXT_PROTO,
73 recipes::checkhandshake::NPN_HANDSHAKE],
74 [TLSProxy::Message::MT_FINISHED,
75 recipes::checkhandshake::ALL_HANDSHAKES],
76 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
77 recipes::checkhandshake::ALL_HANDSHAKES
78 & ~recipes::checkhandshake::RESUME_HANDSHAKE],
79 [TLSProxy::Message::MT_FINISHED,
80 recipes::checkhandshake::ALL_HANDSHAKES],
81 [TLSProxy::Message::MT_CLIENT_HELLO,
82 recipes::checkhandshake::RENEG_HANDSHAKE],
83 [TLSProxy::Message::MT_SERVER_HELLO,
84 recipes::checkhandshake::RENEG_HANDSHAKE],
85 [TLSProxy::Message::MT_CERTIFICATE,
86 recipes::checkhandshake::RENEG_HANDSHAKE],
87 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
88 recipes::checkhandshake::RENEG_HANDSHAKE],
89 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
90 recipes::checkhandshake::RENEG_HANDSHAKE],
91 [TLSProxy::Message::MT_FINISHED,
92 recipes::checkhandshake::RENEG_HANDSHAKE],
93 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
94 recipes::checkhandshake::RENEG_HANDSHAKE],
95 [TLSProxy::Message::MT_FINISHED,
96 recipes::checkhandshake::RENEG_HANDSHAKE],
101 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
102 recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION],
103 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
104 recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
105 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
106 recipes::checkhandshake::DEFAULT_EXTENSIONS],
107 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
108 recipes::checkhandshake::DEFAULT_EXTENSIONS],
109 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
110 recipes::checkhandshake::DEFAULT_EXTENSIONS],
111 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
112 recipes::checkhandshake::ALPN_CLI_EXTENSION],
113 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
114 recipes::checkhandshake::SCT_CLI_EXTENSION],
115 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
116 recipes::checkhandshake::DEFAULT_EXTENSIONS],
117 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
118 recipes::checkhandshake::DEFAULT_EXTENSIONS],
119 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
120 recipes::checkhandshake::DEFAULT_EXTENSIONS],
121 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
122 recipes::checkhandshake::RENEGOTIATE_CLI_EXTENSION],
123 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
124 recipes::checkhandshake::NPN_CLI_EXTENSION],
125 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
126 recipes::checkhandshake::SRP_CLI_EXTENSION],
128 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
129 recipes::checkhandshake::DEFAULT_EXTENSIONS],
130 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
131 recipes::checkhandshake::DEFAULT_EXTENSIONS],
132 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
133 recipes::checkhandshake::DEFAULT_EXTENSIONS],
134 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
135 recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION],
136 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
137 recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION],
138 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
139 recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
140 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
141 recipes::checkhandshake::ALPN_SRV_EXTENSION],
142 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
143 recipes::checkhandshake::SCT_SRV_EXTENSION],
144 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
145 recipes::checkhandshake::NPN_SRV_EXTENSION],
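#Test 1: Check we get all the right messages for a default handshake
#
# The client writes its session to a temp file (-sess_out) so that Test 2 can
# resume from it (-sess_in). A serialized session is sensitive material, so
# UNLINK => 1 asks File::Temp to remove the file at process exit instead of
# leaving it behind in the temp directory after the run.
# NOTE(review): the path is spliced into a whitespace-separated flag string,
# so a temp directory whose path contains spaces would break the client
# command line — confirm how TLSProxy tokenises clientflags.
(undef, my $session) = tempfile(UNLINK => 1);
# Presumably one server connection for this handshake and one for the
# resumption in Test 2, which re-uses the running server.
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");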
#Test 2: Resumption handshake
# Resume from the session Test 1 wrote. Only the client is restarted; the
# expected extension mask drops the server's session_ticket bit (presumably
# because no fresh ticket is issued on an abbreviated handshake).
$proxy->clearClient();
my $resume_flags = "-no_tls1_3 -sess_in ".$session;
$proxy->clientflags($resume_flags);
$proxy->clientstart();
my $resume_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                  & ~recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::RESUME_HANDSHAKE,
               $resume_exts, "Resumption handshake test");
#Test 3: A status_request handshake (client request only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Client asks for OCSP stapling; the server has no response loaded, so only
# the client-side status_request bit is expected and the handshake stays the
# default one (no CertificateStatus message).
$proxy->clientflags("-no_tls1_3 -status");
my $status_cli_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                      | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $status_cli_exts, "status_request handshake test (client)");
#Test 4: A status_request handshake (server support only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# The server can staple a response but the client never asks, so neither
# status_request bit is expected.
my $ocsp_response_4 = srctop_file("test", "recipes", "ocsp-response.der");
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-status_file $ocsp_response_4");
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "status_request handshake test (server)");
#Test 5: A status_request handshake (client and server)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Client asks (-status) and the server has a response to send, so both
# status_request bits and the CertificateStatus message (OCSP_HANDSHAKE) are
# expected.
my $ocsp_response_5 = srctop_file("test", "recipes", "ocsp-response.der");
$proxy->clientflags("-no_tls1_3 -status");
$proxy->serverflags("-status_file $ocsp_response_5");
my $status_both_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                       | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                       | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
               $status_both_exts, "status_request handshake test");
#Test 6: A client auth handshake
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# The client presents the test server certificate as its own and the server
# is told to demand one (-Verify), so CertificateRequest / client Certificate
# / CertificateVerify are expected on top of the default flow.
my $client_cert = srctop_file("apps", "server.pem");
$proxy->clientflags("-no_tls1_3 -cert $client_cert");
$proxy->serverflags("-Verify 5");
checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");
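#Test 7: A handshake with a renegotiation
# Expects a second ClientHello..Finished exchange (RENEG_HANDSHAKE) after the
# initial one.
# NOTE(review): the proxy reset/start and whatever triggers the renegotiation
# are not visible in this listing — confirm against the full file.
$proxy->clientflags("-no_tls1_3");
# Test description spelling fixed ("Rengotiation").
checkhandshake($proxy, recipes::checkhandshake::RENEG_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Renegotiation handshake test");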
#Test 8: Server name handshake (client request only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Only the client sends SNI; no server_name echo is expected from the server.
$proxy->clientflags("-no_tls1_3 -servername testhost");
my $sni_cli_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                   | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $sni_cli_exts, "Server name handshake test (client)");
#Test 9: Server name handshake (server support only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Server is configured for a name but the client sends no SNI, so neither
# server_name bit is expected.
my $sni_server_flags = "-servername testhost";
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags($sni_server_flags);
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Server name handshake test (server)");
#Test 10: Server name handshake (client and server)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Matching name on both sides: expect server_name in ClientHello and
# ServerHello.
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
my $sni_both_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                    | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION
                    | recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $sni_both_exts, "Server name handshake test");
#Test 11: ALPN handshake (client request only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Client offers a protocol; the server has none configured, so no ALPN
# selection is expected in ServerHello.
$proxy->clientflags("-no_tls1_3 -alpn test");
my $alpn_cli_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                    | recipes::checkhandshake::ALPN_CLI_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $alpn_cli_exts, "ALPN handshake test (client)");
#Test 12: ALPN handshake (server support only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Server supports ALPN but the client does not offer it, so neither ALPN bit
# is expected.
my $alpn_server_flags = "-alpn test";
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags($alpn_server_flags);
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");
#Test 13: ALPN handshake (client and server)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Both sides configured with the same protocol: expect ALPN in ClientHello
# and ServerHello.
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
my $alpn_both_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                     | recipes::checkhandshake::ALPN_CLI_EXTENSION
                     | recipes::checkhandshake::ALPN_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $alpn_both_exts, "ALPN handshake test");
#Test 14: SCT handshake (client request only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
#Note: -ct also sends status_request, which is why the OCSP response is
# loaded and the status_request bits plus OCSP_HANDSHAKE are expected here.
# No server-side SCT bit: the server has nothing configured to send one.
my $ocsp_response_14 = srctop_file("test", "recipes", "ocsp-response.der");
$proxy->clientflags("-no_tls1_3 -ct");
$proxy->serverflags("-status_file $ocsp_response_14");
my $sct_cli_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                   | recipes::checkhandshake::SCT_CLI_EXTENSION
                   | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
               $sct_cli_exts, "SCT handshake test (client)");
#Test 15: SCT handshake (server support only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
#Note: -ct also sends status_request — but this client sends neither -ct nor
# -status, so even with an OCSP response loaded only the default extensions
# and the default handshake are expected.
my $ocsp_response_15 = srctop_file("test", "recipes", "ocsp-response.der");
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-status_file $ocsp_response_15");
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "SCT handshake test (server)");
#Test 16: SCT handshake (client and server)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
#There is no built-in server side support for this so we are actually also
#testing custom extensions here: the server-side SCT extension comes from the
# -serverinfo file.
#Note: -ct also sends status_request, hence the status_request bits and
# OCSP_HANDSHAKE.
my $ocsp_response_16 = srctop_file("test", "recipes", "ocsp-response.der");
my $serverinfo       = srctop_file("test", "serverinfo.pem");
$proxy->clientflags("-no_tls1_3 -ct");
$proxy->serverflags("-status_file $ocsp_response_16 -serverinfo $serverinfo");
my $sct_both_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                    | recipes::checkhandshake::SCT_CLI_EXTENSION
                    | recipes::checkhandshake::SCT_SRV_EXTENSION
                    | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                    | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
               $sct_both_exts, "SCT handshake test");
#Test 17: NPN handshake (client request only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Client advertises NPN; the server has none configured, so no server NPN
# extension and no NextProto message are expected.
$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
my $npn_cli_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                   | recipes::checkhandshake::NPN_CLI_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $npn_cli_exts, "NPN handshake test (client)");
#Test 18: NPN handshake (server support only)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Server supports NPN but the client does not advertise it, so neither NPN
# bit is expected.
my $npn_server_flags = "-nextprotoneg test";
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags($npn_server_flags);
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "NPN handshake test (server)");
#Test 19: NPN handshake (client and server)
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
# Both sides configured: expect NPN in both hellos and the NextProto message
# (NPN_HANDSHAKE).
$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
$proxy->serverflags("-nextprotoneg test");
my $npn_both_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                    | recipes::checkhandshake::NPN_CLI_EXTENSION
                    | recipes::checkhandshake::NPN_SRV_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::NPN_HANDSHAKE,
               $npn_both_exts, "NPN handshake test");
#Test 20: SRP extension
# NOTE(review): the proxy reset/start between tests is not visible in this
# listing — confirm against the full file.
#Note: We are not actually going to perform an SRP handshake (TLSProxy does not
#support it). It is sufficient to check that the SRP extension is added on the
#client side; the expected mask carries no server-side SRP bit. The
# "user"/"pass" values are throwaway test fixtures.
$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
my $srp_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::SRP_CLI_EXTENSION;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               $srp_exts, "SRP extension test");