2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
16 my $test_name = "test_sslmessages";
19 plan skip_all => "TLSProxy isn't usable on $^O"
22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
23 if disabled("engine") || disabled("dynamic-engine");
25 plan skip_all => "$test_name needs the sock feature enabled"
28 plan skip_all => "$test_name needs TLS enabled"
29 if alldisabled(available_protocols("tls"))
30 || (!disabled("tls1_3") && disabled("tls1_2"));
32 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
33 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
35 my $proxy = TLSProxy::Proxy->new(
37 cmdstr(app(["openssl"]), display => 1),
38 srctop_file("apps", "server.pem"),
39 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
43 [TLSProxy::Message::MT_CLIENT_HELLO,
44 checkhandshake::ALL_HANDSHAKES],
45 [TLSProxy::Message::MT_SERVER_HELLO,
46 checkhandshake::ALL_HANDSHAKES],
47 [TLSProxy::Message::MT_CERTIFICATE,
48 checkhandshake::ALL_HANDSHAKES
49 & ~checkhandshake::RESUME_HANDSHAKE],
50 (disabled("ec") ? () :
51 [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
52 checkhandshake::EC_HANDSHAKE]),
53 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
54 checkhandshake::OCSP_HANDSHAKE],
55 #ServerKeyExchange handshakes not currently supported by TLSProxy
56 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
57 checkhandshake::CLIENT_AUTH_HANDSHAKE],
58 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
59 checkhandshake::ALL_HANDSHAKES
60 & ~checkhandshake::RESUME_HANDSHAKE],
61 [TLSProxy::Message::MT_CERTIFICATE,
62 checkhandshake::CLIENT_AUTH_HANDSHAKE],
63 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
64 checkhandshake::ALL_HANDSHAKES
65 & ~checkhandshake::RESUME_HANDSHAKE],
66 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
67 checkhandshake::CLIENT_AUTH_HANDSHAKE],
68 [TLSProxy::Message::MT_NEXT_PROTO,
69 checkhandshake::NPN_HANDSHAKE],
70 [TLSProxy::Message::MT_FINISHED,
71 checkhandshake::ALL_HANDSHAKES],
72 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
73 checkhandshake::ALL_HANDSHAKES
74 & ~checkhandshake::RESUME_HANDSHAKE],
75 [TLSProxy::Message::MT_FINISHED,
76 checkhandshake::ALL_HANDSHAKES],
77 [TLSProxy::Message::MT_CLIENT_HELLO,
78 checkhandshake::RENEG_HANDSHAKE],
79 [TLSProxy::Message::MT_SERVER_HELLO,
80 checkhandshake::RENEG_HANDSHAKE],
81 [TLSProxy::Message::MT_CERTIFICATE,
82 checkhandshake::RENEG_HANDSHAKE],
83 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
84 checkhandshake::RENEG_HANDSHAKE],
85 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
86 checkhandshake::RENEG_HANDSHAKE],
87 [TLSProxy::Message::MT_FINISHED,
88 checkhandshake::RENEG_HANDSHAKE],
89 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
90 checkhandshake::RENEG_HANDSHAKE],
91 [TLSProxy::Message::MT_FINISHED,
92 checkhandshake::RENEG_HANDSHAKE],
97 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
98 checkhandshake::SERVER_NAME_CLI_EXTENSION],
99 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
100 checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
101 (disabled("ec") ? () :
102 [TLSProxy::Message::MT_CLIENT_HELLO,
103 TLSProxy::Message::EXT_SUPPORTED_GROUPS,
104 checkhandshake::DEFAULT_EXTENSIONS]),
105 (disabled("ec") ? () :
106 [TLSProxy::Message::MT_CLIENT_HELLO,
107 TLSProxy::Message::EXT_EC_POINT_FORMATS,
108 checkhandshake::DEFAULT_EXTENSIONS]),
109 (disabled("tls1_2") ? () :
110 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
111 checkhandshake::DEFAULT_EXTENSIONS]),
112 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
113 checkhandshake::ALPN_CLI_EXTENSION],
114 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
115 checkhandshake::SCT_CLI_EXTENSION],
116 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
117 checkhandshake::DEFAULT_EXTENSIONS],
118 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
119 checkhandshake::DEFAULT_EXTENSIONS],
120 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
121 checkhandshake::DEFAULT_EXTENSIONS],
122 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
123 checkhandshake::RENEGOTIATE_CLI_EXTENSION],
124 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
125 checkhandshake::NPN_CLI_EXTENSION],
126 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
127 checkhandshake::SRP_CLI_EXTENSION],
129 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
130 checkhandshake::DEFAULT_EXTENSIONS],
131 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
132 checkhandshake::DEFAULT_EXTENSIONS],
133 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
134 checkhandshake::DEFAULT_EXTENSIONS],
135 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
136 checkhandshake::SESSION_TICKET_SRV_EXTENSION],
137 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
138 checkhandshake::SERVER_NAME_SRV_EXTENSION],
139 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
140 checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
141 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
142 checkhandshake::ALPN_SRV_EXTENSION],
143 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
144 checkhandshake::SCT_SRV_EXTENSION],
145 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
146 checkhandshake::NPN_SRV_EXTENSION],
147 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
148 checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
152 #Test 1: Check we get all the right messages for a default handshake
153 (undef, my $session) = tempfile();
154 $proxy->serverconnects(2);
155 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
156 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
158 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
159 checkhandshake::DEFAULT_EXTENSIONS,
160 "Default handshake test");
162 #Test 2: Resumption handshake
163 $proxy->clearClient();
164 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
165 $proxy->clientstart();
166 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
167 checkhandshake::DEFAULT_EXTENSIONS
168 & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
169 "Resumption handshake test");
173 skip "No OCSP support in this OpenSSL build", 3
176 #Test 3: A status_request handshake (client request only)
178 $proxy->clientflags("-no_tls1_3 -status");
180 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
181 checkhandshake::DEFAULT_EXTENSIONS
182 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
183 "status_request handshake test (client)");
185 #Test 4: A status_request handshake (server support only)
187 $proxy->clientflags("-no_tls1_3");
188 $proxy->serverflags("-status_file "
189 .srctop_file("test", "recipes", "ocsp-response.der"));
191 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
192 checkhandshake::DEFAULT_EXTENSIONS,
193 "status_request handshake test (server)");
195 #Test 5: A status_request handshake (client and server)
197 $proxy->clientflags("-no_tls1_3 -status");
198 $proxy->serverflags("-status_file "
199 .srctop_file("test", "recipes", "ocsp-response.der"));
201 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
202 checkhandshake::DEFAULT_EXTENSIONS
203 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
204 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
205 "status_request handshake test");
208 #Test 6: A client auth handshake
210 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
211 $proxy->serverflags("-Verify 5");
213 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
214 checkhandshake::DEFAULT_EXTENSIONS,
215 "Client auth handshake test");
217 #Test 7: A handshake with a renegotiation
219 $proxy->clientflags("-no_tls1_3");
222 checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
223 checkhandshake::DEFAULT_EXTENSIONS,
224 "Renegotiation handshake test");
226 #Test 8: Server name handshake (no client request)
228 $proxy->clientflags("-no_tls1_3 -noservername");
230 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
231 checkhandshake::DEFAULT_EXTENSIONS
232 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
233 "Server name handshake test (client)");
235 #Test 9: Server name handshake (server support only)
237 $proxy->clientflags("-no_tls1_3 -noservername");
238 $proxy->serverflags("-servername testhost");
240 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
241 checkhandshake::DEFAULT_EXTENSIONS
242 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
243 "Server name handshake test (server)");
245 #Test 10: Server name handshake (client and server)
247 $proxy->clientflags("-no_tls1_3 -servername testhost");
248 $proxy->serverflags("-servername testhost");
250 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
251 checkhandshake::DEFAULT_EXTENSIONS
252 | checkhandshake::SERVER_NAME_SRV_EXTENSION,
253 "Server name handshake test");
255 #Test 11: ALPN handshake (client request only)
257 $proxy->clientflags("-no_tls1_3 -alpn test");
259 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
260 checkhandshake::DEFAULT_EXTENSIONS
261 | checkhandshake::ALPN_CLI_EXTENSION,
262 "ALPN handshake test (client)");
264 #Test 12: ALPN handshake (server support only)
266 $proxy->clientflags("-no_tls1_3");
267 $proxy->serverflags("-alpn test");
269 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
270 checkhandshake::DEFAULT_EXTENSIONS,
271 "ALPN handshake test (server)");
273 #Test 13: ALPN handshake (client and server)
275 $proxy->clientflags("-no_tls1_3 -alpn test");
276 $proxy->serverflags("-alpn test");
278 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
279 checkhandshake::DEFAULT_EXTENSIONS
280 | checkhandshake::ALPN_CLI_EXTENSION
281 | checkhandshake::ALPN_SRV_EXTENSION,
282 "ALPN handshake test");
285 skip "No CT, EC or OCSP support in this OpenSSL build", 1
286 if disabled("ct") || disabled("ec") || disabled("ocsp");
288 #Test 14: SCT handshake (client request only)
290 #Note: -ct also sends status_request
291 $proxy->clientflags("-no_tls1_3 -ct");
292 $proxy->serverflags("-status_file "
293 .srctop_file("test", "recipes", "ocsp-response.der"));
295 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
296 checkhandshake::DEFAULT_EXTENSIONS
297 | checkhandshake::SCT_CLI_EXTENSION
298 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
299 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
300 "SCT handshake test (client)");
304 skip "No OCSP support in this OpenSSL build", 1
307 #Test 15: SCT handshake (server support only)
309 #Note: -ct also sends status_request
310 $proxy->clientflags("-no_tls1_3");
311 $proxy->serverflags("-status_file "
312 .srctop_file("test", "recipes", "ocsp-response.der"));
314 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
315 checkhandshake::DEFAULT_EXTENSIONS,
316 "SCT handshake test (server)");
320 skip "No CT, EC or OCSP support in this OpenSSL build", 1
321 if disabled("ct") || disabled("ec") || disabled("ocsp");
323 #Test 16: SCT handshake (client and server)
324 #There is no built-in server side support for this so we are actually also
325 #testing custom extensions here
327 #Note: -ct also sends status_request
328 $proxy->clientflags("-no_tls1_3 -ct");
329 $proxy->serverflags("-status_file "
330 .srctop_file("test", "recipes", "ocsp-response.der")
331 ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
333 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
334 checkhandshake::DEFAULT_EXTENSIONS
335 | checkhandshake::SCT_CLI_EXTENSION
336 | checkhandshake::SCT_SRV_EXTENSION
337 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
338 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
339 "SCT handshake test");
344 skip "No NPN support in this OpenSSL build", 3
345 if disabled("nextprotoneg");
347 #Test 17: NPN handshake (client request only)
349 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
351 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
352 checkhandshake::DEFAULT_EXTENSIONS
353 | checkhandshake::NPN_CLI_EXTENSION,
354 "NPN handshake test (client)");
356 #Test 18: NPN handshake (server support only)
358 $proxy->clientflags("-no_tls1_3");
359 $proxy->serverflags("-nextprotoneg test");
361 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
362 checkhandshake::DEFAULT_EXTENSIONS,
363 "NPN handshake test (server)");
365 #Test 19: NPN handshake (client and server)
367 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
368 $proxy->serverflags("-nextprotoneg test");
370 checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
371 checkhandshake::DEFAULT_EXTENSIONS
372 | checkhandshake::NPN_CLI_EXTENSION
373 | checkhandshake::NPN_SRV_EXTENSION,
374 "NPN handshake test");
378 skip "No SRP support in this OpenSSL build", 1
381 #Test 20: SRP extension
382 #Note: We are not actually going to perform an SRP handshake (TLSProxy
383 #does not support it). However it is sufficient for us to check that the
384 #SRP extension gets added on the client side. There is no SRP extension
385 #generated on the server side anyway.
387 $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
389 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
390 checkhandshake::DEFAULT_EXTENSIONS
391 | checkhandshake::SRP_CLI_EXTENSION,
392 "SRP extension test");
395 #Test 21: EC handshake
397 skip "No EC support in this OpenSSL build", 1 if disabled("ec");
399 $proxy->clientflags("-no_tls1_3");
400 $proxy->serverflags("-no_tls1_3");
401 $proxy->ciphers("ECDHE-RSA-AES128-SHA");
403 checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
404 checkhandshake::DEFAULT_EXTENSIONS
405 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
406 "EC handshake test");