2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
16 my $test_name = "test_sslmessages";
19 plan skip_all => "TLSProxy isn't usable on $^O"
20 if $^O =~ /^(VMS|MSWin32)$/;
22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
23 if disabled("engine") || disabled("dynamic-engine");
25 plan skip_all => "$test_name needs the sock feature enabled"
28 plan skip_all => "$test_name needs TLS enabled"
29 if alldisabled(available_protocols("tls"));
31 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
32 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
34 my $proxy = TLSProxy::Proxy->new(
36 cmdstr(app(["openssl"]), display => 1),
37 srctop_file("apps", "server.pem"),
38 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
42 [TLSProxy::Message::MT_CLIENT_HELLO,
43 checkhandshake::ALL_HANDSHAKES],
44 [TLSProxy::Message::MT_SERVER_HELLO,
45 checkhandshake::ALL_HANDSHAKES],
46 [TLSProxy::Message::MT_CERTIFICATE,
47 checkhandshake::ALL_HANDSHAKES
48 & ~checkhandshake::RESUME_HANDSHAKE],
49 (disabled("ec") ? () :
50 [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
51 checkhandshake::EC_HANDSHAKE]),
52 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
53 checkhandshake::OCSP_HANDSHAKE],
54 #ServerKeyExchange handshakes not currently supported by TLSProxy
55 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
56 checkhandshake::CLIENT_AUTH_HANDSHAKE],
57 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
58 checkhandshake::ALL_HANDSHAKES
59 & ~checkhandshake::RESUME_HANDSHAKE],
60 [TLSProxy::Message::MT_CERTIFICATE,
61 checkhandshake::CLIENT_AUTH_HANDSHAKE],
62 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
63 checkhandshake::ALL_HANDSHAKES
64 & ~checkhandshake::RESUME_HANDSHAKE],
65 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
66 checkhandshake::CLIENT_AUTH_HANDSHAKE],
67 [TLSProxy::Message::MT_NEXT_PROTO,
68 checkhandshake::NPN_HANDSHAKE],
69 [TLSProxy::Message::MT_FINISHED,
70 checkhandshake::ALL_HANDSHAKES],
71 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
72 checkhandshake::ALL_HANDSHAKES
73 & ~checkhandshake::RESUME_HANDSHAKE],
74 [TLSProxy::Message::MT_FINISHED,
75 checkhandshake::ALL_HANDSHAKES],
76 [TLSProxy::Message::MT_CLIENT_HELLO,
77 checkhandshake::RENEG_HANDSHAKE],
78 [TLSProxy::Message::MT_SERVER_HELLO,
79 checkhandshake::RENEG_HANDSHAKE],
80 [TLSProxy::Message::MT_CERTIFICATE,
81 checkhandshake::RENEG_HANDSHAKE],
82 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
83 checkhandshake::RENEG_HANDSHAKE],
84 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
85 checkhandshake::RENEG_HANDSHAKE],
86 [TLSProxy::Message::MT_FINISHED,
87 checkhandshake::RENEG_HANDSHAKE],
88 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
89 checkhandshake::RENEG_HANDSHAKE],
90 [TLSProxy::Message::MT_FINISHED,
91 checkhandshake::RENEG_HANDSHAKE],
96 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
97 checkhandshake::SERVER_NAME_CLI_EXTENSION],
98 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
99 checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
100 (disabled("ec") ? () :
101 [TLSProxy::Message::MT_CLIENT_HELLO,
102 TLSProxy::Message::EXT_SUPPORTED_GROUPS,
103 checkhandshake::DEFAULT_EXTENSIONS]),
104 (disabled("ec") ? () :
105 [TLSProxy::Message::MT_CLIENT_HELLO,
106 TLSProxy::Message::EXT_EC_POINT_FORMATS,
107 checkhandshake::DEFAULT_EXTENSIONS]),
108 (disabled("tls1_2") ? () :
109 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
110 checkhandshake::DEFAULT_EXTENSIONS]),
111 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
112 checkhandshake::ALPN_CLI_EXTENSION],
113 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
114 checkhandshake::SCT_CLI_EXTENSION],
115 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
116 checkhandshake::DEFAULT_EXTENSIONS],
117 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
118 checkhandshake::DEFAULT_EXTENSIONS],
119 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
120 checkhandshake::DEFAULT_EXTENSIONS],
121 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
122 checkhandshake::RENEGOTIATE_CLI_EXTENSION],
123 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
124 checkhandshake::NPN_CLI_EXTENSION],
125 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
126 checkhandshake::SRP_CLI_EXTENSION],
128 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
129 checkhandshake::DEFAULT_EXTENSIONS],
130 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
131 checkhandshake::DEFAULT_EXTENSIONS],
132 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
133 checkhandshake::DEFAULT_EXTENSIONS],
134 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
135 checkhandshake::SESSION_TICKET_SRV_EXTENSION],
136 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
137 checkhandshake::SERVER_NAME_SRV_EXTENSION],
138 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
139 checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
140 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
141 checkhandshake::ALPN_SRV_EXTENSION],
142 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
143 checkhandshake::SCT_SRV_EXTENSION],
144 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
145 checkhandshake::NPN_SRV_EXTENSION],
146 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
147 checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
151 #Test 1: Check we get all the right messages for a default handshake
152 (undef, my $session) = tempfile();
153 $proxy->serverconnects(2);
154 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
155 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
157 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
158 checkhandshake::DEFAULT_EXTENSIONS,
159 "Default handshake test");
161 #Test 2: Resumption handshake
162 $proxy->clearClient();
163 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
164 $proxy->clientstart();
165 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
166 checkhandshake::DEFAULT_EXTENSIONS
167 & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
168 "Resumption handshake test");
171 #Test 3: A status_request handshake (client request only)
173 $proxy->clientflags("-no_tls1_3 -status");
175 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
176 checkhandshake::DEFAULT_EXTENSIONS
177 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
178 "status_request handshake test (client)");
180 #Test 4: A status_request handshake (server support only)
182 $proxy->clientflags("-no_tls1_3");
183 $proxy->serverflags("-status_file "
184 .srctop_file("test", "recipes", "ocsp-response.der"));
186 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
187 checkhandshake::DEFAULT_EXTENSIONS,
188 "status_request handshake test (server)");
190 #Test 5: A status_request handshake (client and server)
192 $proxy->clientflags("-no_tls1_3 -status");
193 $proxy->serverflags("-status_file "
194 .srctop_file("test", "recipes", "ocsp-response.der"));
196 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
197 checkhandshake::DEFAULT_EXTENSIONS
198 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
199 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
200 "status_request handshake test");
202 #Test 6: A client auth handshake
204 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
205 $proxy->serverflags("-Verify 5");
207 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
208 checkhandshake::DEFAULT_EXTENSIONS,
209 "Client auth handshake test");
211 #Test 7: A handshake with a renegotiation
213 $proxy->clientflags("-no_tls1_3");
216 checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
217 checkhandshake::DEFAULT_EXTENSIONS,
218 "Rengotiation handshake test");
220 #Test 8: Server name handshake (client request only)
222 $proxy->clientflags("-no_tls1_3 -servername testhost");
224 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
225 checkhandshake::DEFAULT_EXTENSIONS
226 | checkhandshake::SERVER_NAME_CLI_EXTENSION,
227 "Server name handshake test (client)");
229 #Test 9: Server name handshake (server support only)
231 $proxy->clientflags("-no_tls1_3");
232 $proxy->serverflags("-servername testhost");
234 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
235 checkhandshake::DEFAULT_EXTENSIONS,
236 "Server name handshake test (server)");
238 #Test 10: Server name handshake (client and server)
240 $proxy->clientflags("-no_tls1_3 -servername testhost");
241 $proxy->serverflags("-servername testhost");
243 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
244 checkhandshake::DEFAULT_EXTENSIONS
245 | checkhandshake::SERVER_NAME_CLI_EXTENSION
246 | checkhandshake::SERVER_NAME_SRV_EXTENSION,
247 "Server name handshake test");
249 #Test 11: ALPN handshake (client request only)
251 $proxy->clientflags("-no_tls1_3 -alpn test");
253 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
254 checkhandshake::DEFAULT_EXTENSIONS
255 | checkhandshake::ALPN_CLI_EXTENSION,
256 "ALPN handshake test (client)");
258 #Test 12: ALPN handshake (server support only)
260 $proxy->clientflags("-no_tls1_3");
261 $proxy->serverflags("-alpn test");
263 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
264 checkhandshake::DEFAULT_EXTENSIONS,
265 "ALPN handshake test (server)");
267 #Test 13: ALPN handshake (client and server)
269 $proxy->clientflags("-no_tls1_3 -alpn test");
270 $proxy->serverflags("-alpn test");
272 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
273 checkhandshake::DEFAULT_EXTENSIONS
274 | checkhandshake::ALPN_CLI_EXTENSION
275 | checkhandshake::ALPN_SRV_EXTENSION,
276 "ALPN handshake test");
279 skip "No CT and/or EC support in this OpenSSL build", 1
280 if disabled("ct") || disabled("ec");
282 #Test 14: SCT handshake (client request only)
284 #Note: -ct also sends status_request
285 $proxy->clientflags("-no_tls1_3 -ct");
286 $proxy->serverflags("-status_file "
287 .srctop_file("test", "recipes", "ocsp-response.der"));
289 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
290 checkhandshake::DEFAULT_EXTENSIONS
291 | checkhandshake::SCT_CLI_EXTENSION
292 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
293 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
294 "SCT handshake test (client)");
297 #Test 15: SCT handshake (server support only)
299 #Note: -ct also sends status_request
300 $proxy->clientflags("-no_tls1_3");
301 $proxy->serverflags("-status_file "
302 .srctop_file("test", "recipes", "ocsp-response.der"));
304 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
305 checkhandshake::DEFAULT_EXTENSIONS,
306 "SCT handshake test (server)");
309 skip "No CT and/or EC support in this OpenSSL build", 1
310 if disabled("ct") || disabled("ec");
312 #Test 16: SCT handshake (client and server)
313 #There is no built-in server side support for this so we are actually also
314 #testing custom extensions here
316 #Note: -ct also sends status_request
317 $proxy->clientflags("-no_tls1_3 -ct");
318 $proxy->serverflags("-status_file "
319 .srctop_file("test", "recipes", "ocsp-response.der")
320 ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
322 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
323 checkhandshake::DEFAULT_EXTENSIONS
324 | checkhandshake::SCT_CLI_EXTENSION
325 | checkhandshake::SCT_SRV_EXTENSION
326 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
327 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
328 "SCT handshake test");
333 skip "No NPN support in this OpenSSL build", 3
334 if disabled("nextprotoneg");
336 #Test 17: NPN handshake (client request only)
338 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
340 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
341 checkhandshake::DEFAULT_EXTENSIONS
342 | checkhandshake::NPN_CLI_EXTENSION,
343 "NPN handshake test (client)");
345 #Test 18: NPN handshake (server support only)
347 $proxy->clientflags("-no_tls1_3");
348 $proxy->serverflags("-nextprotoneg test");
350 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
351 checkhandshake::DEFAULT_EXTENSIONS,
352 "NPN handshake test (server)");
354 #Test 19: NPN handshake (client and server)
356 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
357 $proxy->serverflags("-nextprotoneg test");
359 checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
360 checkhandshake::DEFAULT_EXTENSIONS
361 | checkhandshake::NPN_CLI_EXTENSION
362 | checkhandshake::NPN_SRV_EXTENSION,
363 "NPN handshake test");
367 skip "No SRP support in this OpenSSL build", 1
370 #Test 20: SRP extension
371 #Note: We are not actually going to perform an SRP handshake (TLSProxy
372 #does not support it). However it is sufficient for us to check that the
373 #SRP extension gets added on the client side. There is no SRP extension
374 #generated on the server side anyway.
376 $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
378 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
379 checkhandshake::DEFAULT_EXTENSIONS
380 | checkhandshake::SRP_CLI_EXTENSION,
381 "SRP extension test");
384 #Test 21: EC handshake
386 skip "No EC support in this OpenSSL build", 1 if disabled("ec");
388 $proxy->clientflags("-no_tls1_3");
389 $proxy->ciphers("ECDHE-RSA-AES128-SHA");
391 checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
392 checkhandshake::DEFAULT_EXTENSIONS
393 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
394 "EC handshake test");