2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
16 my $test_name = "test_sslmessages";
19 plan skip_all => "TLSProxy isn't usable on $^O"
20 if $^O =~ /^(VMS|MSWin32)$/;
22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
23 if disabled("engine") || disabled("dynamic-engine");
25 plan skip_all => "$test_name needs the sock feature enabled"
28 plan skip_all => "$test_name needs TLS enabled"
29 if alldisabled(available_protocols("tls"));
31 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
32 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
34 my $proxy = TLSProxy::Proxy->new(
36 cmdstr(app(["openssl"]), display => 1),
37 srctop_file("apps", "server.pem"),
38 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
42 [TLSProxy::Message::MT_CLIENT_HELLO,
43 checkhandshake::ALL_HANDSHAKES],
44 [TLSProxy::Message::MT_SERVER_HELLO,
45 checkhandshake::ALL_HANDSHAKES],
46 [TLSProxy::Message::MT_CERTIFICATE,
47 checkhandshake::ALL_HANDSHAKES
48 & ~checkhandshake::RESUME_HANDSHAKE],
49 (disabled("ec") ? () :
50 [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
51 checkhandshake::EC_HANDSHAKE]),
52 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
53 checkhandshake::OCSP_HANDSHAKE],
54 #ServerKeyExchange handshakes not currently supported by TLSProxy
55 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
56 checkhandshake::CLIENT_AUTH_HANDSHAKE],
57 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
58 checkhandshake::ALL_HANDSHAKES
59 & ~checkhandshake::RESUME_HANDSHAKE],
60 [TLSProxy::Message::MT_CERTIFICATE,
61 checkhandshake::CLIENT_AUTH_HANDSHAKE],
62 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
63 checkhandshake::ALL_HANDSHAKES
64 & ~checkhandshake::RESUME_HANDSHAKE],
65 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
66 checkhandshake::CLIENT_AUTH_HANDSHAKE],
67 [TLSProxy::Message::MT_NEXT_PROTO,
68 checkhandshake::NPN_HANDSHAKE],
69 [TLSProxy::Message::MT_FINISHED,
70 checkhandshake::ALL_HANDSHAKES],
71 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
72 checkhandshake::ALL_HANDSHAKES
73 & ~checkhandshake::RESUME_HANDSHAKE],
74 [TLSProxy::Message::MT_FINISHED,
75 checkhandshake::ALL_HANDSHAKES],
76 [TLSProxy::Message::MT_CLIENT_HELLO,
77 checkhandshake::RENEG_HANDSHAKE],
78 [TLSProxy::Message::MT_SERVER_HELLO,
79 checkhandshake::RENEG_HANDSHAKE],
80 [TLSProxy::Message::MT_CERTIFICATE,
81 checkhandshake::RENEG_HANDSHAKE],
82 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
83 checkhandshake::RENEG_HANDSHAKE],
84 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
85 checkhandshake::RENEG_HANDSHAKE],
86 [TLSProxy::Message::MT_FINISHED,
87 checkhandshake::RENEG_HANDSHAKE],
88 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
89 checkhandshake::RENEG_HANDSHAKE],
90 [TLSProxy::Message::MT_FINISHED,
91 checkhandshake::RENEG_HANDSHAKE],
96 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
97 checkhandshake::SERVER_NAME_CLI_EXTENSION],
98 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
99 checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
100 (disabled("ec") ? () :
101 [TLSProxy::Message::MT_CLIENT_HELLO,
102 TLSProxy::Message::EXT_SUPPORTED_GROUPS,
103 checkhandshake::DEFAULT_EXTENSIONS]),
104 (disabled("ec") ? () :
105 [TLSProxy::Message::MT_CLIENT_HELLO,
106 TLSProxy::Message::EXT_EC_POINT_FORMATS,
107 checkhandshake::DEFAULT_EXTENSIONS]),
108 (disabled("tls1_2") ? () :
109 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
110 checkhandshake::DEFAULT_EXTENSIONS]),
111 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
112 checkhandshake::ALPN_CLI_EXTENSION],
113 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
114 checkhandshake::SCT_CLI_EXTENSION],
115 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
116 checkhandshake::DEFAULT_EXTENSIONS],
117 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
118 checkhandshake::DEFAULT_EXTENSIONS],
119 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
120 checkhandshake::DEFAULT_EXTENSIONS],
121 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
122 checkhandshake::RENEGOTIATE_CLI_EXTENSION],
123 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
124 checkhandshake::NPN_CLI_EXTENSION],
125 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
126 checkhandshake::SRP_CLI_EXTENSION],
128 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
129 checkhandshake::DEFAULT_EXTENSIONS],
130 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
131 checkhandshake::DEFAULT_EXTENSIONS],
132 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
133 checkhandshake::DEFAULT_EXTENSIONS],
134 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
135 checkhandshake::SESSION_TICKET_SRV_EXTENSION],
136 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
137 checkhandshake::SERVER_NAME_SRV_EXTENSION],
138 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
139 checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
140 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
141 checkhandshake::ALPN_SRV_EXTENSION],
142 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
143 checkhandshake::SCT_SRV_EXTENSION],
144 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
145 checkhandshake::NPN_SRV_EXTENSION],
146 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
147 checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
151 #Test 1: Check we get all the right messages for a default handshake
152 (undef, my $session) = tempfile();
153 $proxy->serverconnects(2);
154 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
155 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
157 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
158 checkhandshake::DEFAULT_EXTENSIONS,
159 "Default handshake test");
161 #Test 2: Resumption handshake
162 $proxy->clearClient();
163 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
164 $proxy->clientstart();
165 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
166 checkhandshake::DEFAULT_EXTENSIONS
167 & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
168 "Resumption handshake test");
172 skip "No OCSP support in this OpenSSL build", 3
175 #Test 3: A status_request handshake (client request only)
177 $proxy->clientflags("-no_tls1_3 -status");
179 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
180 checkhandshake::DEFAULT_EXTENSIONS
181 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
182 "status_request handshake test (client)");
184 #Test 4: A status_request handshake (server support only)
186 $proxy->clientflags("-no_tls1_3");
187 $proxy->serverflags("-status_file "
188 .srctop_file("test", "recipes", "ocsp-response.der"));
190 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
191 checkhandshake::DEFAULT_EXTENSIONS,
192 "status_request handshake test (server)");
194 #Test 5: A status_request handshake (client and server)
196 $proxy->clientflags("-no_tls1_3 -status");
197 $proxy->serverflags("-status_file "
198 .srctop_file("test", "recipes", "ocsp-response.der"));
200 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
201 checkhandshake::DEFAULT_EXTENSIONS
202 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
203 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
204 "status_request handshake test");
207 #Test 6: A client auth handshake
209 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
210 $proxy->serverflags("-Verify 5");
212 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
213 checkhandshake::DEFAULT_EXTENSIONS,
214 "Client auth handshake test");
216 #Test 7: A handshake with a renegotiation
218 $proxy->clientflags("-no_tls1_3");
221 checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
222 checkhandshake::DEFAULT_EXTENSIONS,
223 "Rengotiation handshake test");
225 #Test 8: Server name handshake (no client request)
227 $proxy->clientflags("-no_tls1_3 -noservername");
229 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
230 checkhandshake::DEFAULT_EXTENSIONS
231 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
232 "Server name handshake test (client)");
234 #Test 9: Server name handshake (server support only)
236 $proxy->clientflags("-no_tls1_3 -noservername");
237 $proxy->serverflags("-servername testhost");
239 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
240 checkhandshake::DEFAULT_EXTENSIONS
241 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
242 "Server name handshake test (server)");
244 #Test 10: Server name handshake (client and server)
246 $proxy->clientflags("-no_tls1_3 -servername testhost");
247 $proxy->serverflags("-servername testhost");
249 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
250 checkhandshake::DEFAULT_EXTENSIONS
251 | checkhandshake::SERVER_NAME_SRV_EXTENSION,
252 "Server name handshake test");
254 #Test 11: ALPN handshake (client request only)
256 $proxy->clientflags("-no_tls1_3 -alpn test");
258 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
259 checkhandshake::DEFAULT_EXTENSIONS
260 | checkhandshake::ALPN_CLI_EXTENSION,
261 "ALPN handshake test (client)");
263 #Test 12: ALPN handshake (server support only)
265 $proxy->clientflags("-no_tls1_3");
266 $proxy->serverflags("-alpn test");
268 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
269 checkhandshake::DEFAULT_EXTENSIONS,
270 "ALPN handshake test (server)");
272 #Test 13: ALPN handshake (client and server)
274 $proxy->clientflags("-no_tls1_3 -alpn test");
275 $proxy->serverflags("-alpn test");
277 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
278 checkhandshake::DEFAULT_EXTENSIONS
279 | checkhandshake::ALPN_CLI_EXTENSION
280 | checkhandshake::ALPN_SRV_EXTENSION,
281 "ALPN handshake test");
284 skip "No CT, EC or OCSP support in this OpenSSL build", 1
285 if disabled("ct") || disabled("ec") || disabled("ocsp");
287 #Test 14: SCT handshake (client request only)
289 #Note: -ct also sends status_request
290 $proxy->clientflags("-no_tls1_3 -ct");
291 $proxy->serverflags("-status_file "
292 .srctop_file("test", "recipes", "ocsp-response.der"));
294 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
295 checkhandshake::DEFAULT_EXTENSIONS
296 | checkhandshake::SCT_CLI_EXTENSION
297 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
298 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
299 "SCT handshake test (client)");
303 skip "No OCSP support in this OpenSSL build", 1
306 #Test 15: SCT handshake (server support only)
308 #Note: -ct also sends status_request
309 $proxy->clientflags("-no_tls1_3");
310 $proxy->serverflags("-status_file "
311 .srctop_file("test", "recipes", "ocsp-response.der"));
313 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
314 checkhandshake::DEFAULT_EXTENSIONS,
315 "SCT handshake test (server)");
319 skip "No CT, EC or OCSP support in this OpenSSL build", 1
320 if disabled("ct") || disabled("ec") || disabled("ocsp");
322 #Test 16: SCT handshake (client and server)
323 #There is no built-in server side support for this so we are actually also
324 #testing custom extensions here
326 #Note: -ct also sends status_request
327 $proxy->clientflags("-no_tls1_3 -ct");
328 $proxy->serverflags("-status_file "
329 .srctop_file("test", "recipes", "ocsp-response.der")
330 ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
332 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
333 checkhandshake::DEFAULT_EXTENSIONS
334 | checkhandshake::SCT_CLI_EXTENSION
335 | checkhandshake::SCT_SRV_EXTENSION
336 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
337 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
338 "SCT handshake test");
343 skip "No NPN support in this OpenSSL build", 3
344 if disabled("nextprotoneg");
346 #Test 17: NPN handshake (client request only)
348 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
350 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
351 checkhandshake::DEFAULT_EXTENSIONS
352 | checkhandshake::NPN_CLI_EXTENSION,
353 "NPN handshake test (client)");
355 #Test 18: NPN handshake (server support only)
357 $proxy->clientflags("-no_tls1_3");
358 $proxy->serverflags("-nextprotoneg test");
360 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
361 checkhandshake::DEFAULT_EXTENSIONS,
362 "NPN handshake test (server)");
364 #Test 19: NPN handshake (client and server)
366 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
367 $proxy->serverflags("-nextprotoneg test");
369 checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
370 checkhandshake::DEFAULT_EXTENSIONS
371 | checkhandshake::NPN_CLI_EXTENSION
372 | checkhandshake::NPN_SRV_EXTENSION,
373 "NPN handshake test");
377 skip "No SRP support in this OpenSSL build", 1
380 #Test 20: SRP extension
381 #Note: We are not actually going to perform an SRP handshake (TLSProxy
382 #does not support it). However it is sufficient for us to check that the
383 #SRP extension gets added on the client side. There is no SRP extension
384 #generated on the server side anyway.
386 $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
388 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
389 checkhandshake::DEFAULT_EXTENSIONS
390 | checkhandshake::SRP_CLI_EXTENSION,
391 "SRP extension test");
394 #Test 21: EC handshake
396 skip "No EC support in this OpenSSL build", 1 if disabled("ec");
398 $proxy->clientflags("-no_tls1_3");
399 $proxy->serverflags("-no_tls1_3");
400 $proxy->ciphers("ECDHE-RSA-AES128-SHA");
402 checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
403 checkhandshake::DEFAULT_EXTENSIONS
404 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
405 "EC handshake test");