[thirdparty/openssl.git] / test / recipes / 70-test_sslmessages.t

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"))
       || (!disabled("tls1_3") && disabled("tls1_2"));

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
                          checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                       TLSProxy::Message::CLIENT,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
                       TLSProxy::Message::CLIENT,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        TLSProxy::Message::CLIENT,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::SERVER,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        TLSProxy::Message::SERVER,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::SERVER,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0,0]
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
unlink $session;

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ocsp");

    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}

#Test 6: A client auth handshake
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-client_renegotiation");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Renegotiation handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test (client)");
}

SKIP: {
    skip "No OCSP support in this OpenSSL build", 1
        if disabled("ocsp");

    #Test 15: SCT handshake (server support only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "SCT handshake test (server)");
}

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION,
                   "NPN handshake test (client)");

    #Test 18: NPN handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "NPN handshake test (server)");

    #Test 19: NPN handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION
                   | checkhandshake::NPN_SRV_EXTENSION,
                   "NPN handshake test");
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SRP_CLI_EXTENSION,
                   "SRP extension test");
}

#Test 21: EC handshake
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
                   "EC handshake test");
}
Commit	Line	Data
0bfe166b	1	#! /usr/bin/env perl
0789c7d8	2	# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
0bfe166b	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
0bfe166b MC	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
0bfe166b MC	11	use OpenSSL::Test::Utils;
	12	use File::Temp qw(tempfile);
	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_sslmessages";
1e566129 MC	17	setup($test_name);
f50306c2	18
0bfe166b	19	plan skip_all => "TLSProxy isn't usable on $^O"
c5856878	20	if $^O =~ /^(VMS)$/;
0bfe166b MC	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLS enabled"
c423ecaa MC	29	if alldisabled(available_protocols("tls"))
c423ecaa MC	30	\|\| (!disabled("tls1_3") && disabled("tls1_2"));
0bfe166b	31
0bfe166b MC	32	my $proxy = TLSProxy::Proxy->new(
	33	undef,
	34	cmdstr(app(["openssl"]), display => 1),
	35	srctop_file("apps", "server.pem"),
	36	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	37	);
	38
f50306c2 MC	39	@handmessages = (
f50306c2 MC	40	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	41	checkhandshake::ALL_HANDSHAKES],
f50306c2	42	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	43	checkhandshake::ALL_HANDSHAKES],
f50306c2	44	[TLSProxy::Message::MT_CERTIFICATE,
1e566129 MC	45	checkhandshake::ALL_HANDSHAKES
1e566129 MC	46	& ~checkhandshake::RESUME_HANDSHAKE],
397f4f78 MC	47	(disabled("ec") ? () :
	48	[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
	49	checkhandshake::EC_HANDSHAKE]),
f50306c2	50	[TLSProxy::Message::MT_CERTIFICATE_STATUS,
1e566129	51	checkhandshake::OCSP_HANDSHAKE],
f50306c2 MC	52	#ServerKeyExchange handshakes not currently supported by TLSProxy
f50306c2 MC	53	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	54	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	55	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 MC	56	checkhandshake::ALL_HANDSHAKES
1e566129 MC	57	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	58	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	59	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	60	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 MC	61	checkhandshake::ALL_HANDSHAKES
1e566129 MC	62	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	63	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	64	checkhandshake::CLIENT_AUTH_HANDSHAKE],
60ea0034	65	[TLSProxy::Message::MT_NEXT_PROTO,
1e566129	66	checkhandshake::NPN_HANDSHAKE],
f50306c2	67	[TLSProxy::Message::MT_FINISHED,
1e566129	68	checkhandshake::ALL_HANDSHAKES],
f50306c2	69	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 MC	70	checkhandshake::ALL_HANDSHAKES
1e566129 MC	71	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	72	[TLSProxy::Message::MT_FINISHED,
1e566129	73	checkhandshake::ALL_HANDSHAKES],
f50306c2	74	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	75	checkhandshake::RENEG_HANDSHAKE],
f50306c2	76	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	77	checkhandshake::RENEG_HANDSHAKE],
f50306c2	78	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	79	checkhandshake::RENEG_HANDSHAKE],
f50306c2	80	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129	81	checkhandshake::RENEG_HANDSHAKE],
f50306c2	82	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129	83	checkhandshake::RENEG_HANDSHAKE],
f50306c2	84	[TLSProxy::Message::MT_FINISHED,
1e566129	85	checkhandshake::RENEG_HANDSHAKE],
f50306c2	86	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129	87	checkhandshake::RENEG_HANDSHAKE],
f50306c2	88	[TLSProxy::Message::MT_FINISHED,
1e566129	89	checkhandshake::RENEG_HANDSHAKE],
f50306c2 MC	90	[0, 0]
	91	);
	92
	93	@extensions = (
	94	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	95	TLSProxy::Message::CLIENT,
1e566129	96	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	97	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	98	TLSProxy::Message::CLIENT,
1e566129	99	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
397f4f78 MC	100	(disabled("ec") ? () :
	101	[TLSProxy::Message::MT_CLIENT_HELLO,
	102	TLSProxy::Message::EXT_SUPPORTED_GROUPS,
dc5bcb88	103	TLSProxy::Message::CLIENT,
397f4f78 MC	104	checkhandshake::DEFAULT_EXTENSIONS]),
	105	(disabled("ec") ? () :
	106	[TLSProxy::Message::MT_CLIENT_HELLO,
	107	TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88	108	TLSProxy::Message::CLIENT,
397f4f78	109	checkhandshake::DEFAULT_EXTENSIONS]),
f6e752c0 RL	110	(disabled("tls1_2") ? () :
f6e752c0 RL	111	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
dc5bcb88	112	TLSProxy::Message::CLIENT,
f6e752c0	113	checkhandshake::DEFAULT_EXTENSIONS]),
f50306c2	114	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88	115	TLSProxy::Message::CLIENT,
1e566129	116	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	117	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88	118	TLSProxy::Message::CLIENT,
1e566129	119	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	120	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88	121	TLSProxy::Message::CLIENT,
1e566129	122	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	123	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88	124	TLSProxy::Message::CLIENT,
1e566129	125	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	126	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88	127	TLSProxy::Message::CLIENT,
1e566129	128	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	129	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
dc5bcb88	130	TLSProxy::Message::CLIENT,
972ee925	131	checkhandshake::DEFAULT_EXTENSIONS],
60ea0034	132	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
dc5bcb88	133	TLSProxy::Message::CLIENT,
1e566129	134	checkhandshake::NPN_CLI_EXTENSION],
60ea0034	135	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
dc5bcb88	136	TLSProxy::Message::CLIENT,
1e566129	137	checkhandshake::SRP_CLI_EXTENSION],
f50306c2 MC	138
f50306c2 MC	139	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
dc5bcb88	140	TLSProxy::Message::SERVER,
1e566129	141	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	142	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88	143	TLSProxy::Message::SERVER,
1e566129	144	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	145	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88	146	TLSProxy::Message::SERVER,
1e566129	147	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	148	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88	149	TLSProxy::Message::SERVER,
1e566129	150	checkhandshake::SESSION_TICKET_SRV_EXTENSION],
f50306c2	151	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	152	TLSProxy::Message::SERVER,
1e566129	153	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	154	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	155	TLSProxy::Message::SERVER,
1e566129	156	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
f50306c2	157	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88	158	TLSProxy::Message::SERVER,
1e566129	159	checkhandshake::ALPN_SRV_EXTENSION],
60ea0034	160	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88	161	TLSProxy::Message::SERVER,
1e566129	162	checkhandshake::SCT_SRV_EXTENSION],
60ea0034	163	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
dc5bcb88	164	TLSProxy::Message::SERVER,
1e566129	165	checkhandshake::NPN_SRV_EXTENSION],
397f4f78	166	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88	167	TLSProxy::Message::SERVER,
397f4f78	168	checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
dc5bcb88	169	[0,0,0,0]
f50306c2	170	);
0bfe166b MC	171
	172	#Test 1: Check we get all the right messages for a default handshake
	173	(undef, my $session) = tempfile();
	174	$proxy->serverconnects(2);
	175	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
	176	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
397f4f78	177	plan tests => 21;
1e566129 MC	178	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	179	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	180	"Default handshake test");
0bfe166b MC	181
	182	#Test 2: Resumption handshake
	183	$proxy->clearClient();
	184	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
	185	$proxy->clientstart();
1e566129 MC	186	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
1e566129 MC	187	checkhandshake::DEFAULT_EXTENSIONS
b510b740	188	& ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
f50306c2	189	"Resumption handshake test");
0bfe166b MC	190	unlink $session;
0bfe166b MC	191
aec23ece RL	192	SKIP: {
	193	skip "No OCSP support in this OpenSSL build", 3
	194	if disabled("ocsp");
60ea0034	195
aec23ece RL	196	#Test 3: A status_request handshake (client request only)
	197	$proxy->clear();
	198	$proxy->clientflags("-no_tls1_3 -status");
	199	$proxy->start();
	200	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	201	checkhandshake::DEFAULT_EXTENSIONS
	202	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	203	"status_request handshake test (client)");
60ea0034	204
aec23ece RL	205	#Test 4: A status_request handshake (server support only)
	206	$proxy->clear();
	207	$proxy->clientflags("-no_tls1_3");
	208	$proxy->serverflags("-status_file "
	209	.srctop_file("test", "recipes", "ocsp-response.der"));
	210	$proxy->start();
	211	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	212	checkhandshake::DEFAULT_EXTENSIONS,
	213	"status_request handshake test (server)");
	214
	215	#Test 5: A status_request handshake (client and server)
	216	$proxy->clear();
	217	$proxy->clientflags("-no_tls1_3 -status");
	218	$proxy->serverflags("-status_file "
	219	.srctop_file("test", "recipes", "ocsp-response.der"));
	220	$proxy->start();
	221	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	222	checkhandshake::DEFAULT_EXTENSIONS
	223	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	224	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	225	"status_request handshake test");
	226	}
0bfe166b	227
60ea0034	228	#Test 6: A client auth handshake
0bfe166b MC	229	$proxy->clear();
	230	$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
	231	$proxy->serverflags("-Verify 5");
	232	$proxy->start();
1e566129 MC	233	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
1e566129 MC	234	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	235	"Client auth handshake test");
0bfe166b	236
60ea0034	237	#Test 7: A handshake with a renegotiation
0bfe166b MC	238	$proxy->clear();
0bfe166b MC	239	$proxy->clientflags("-no_tls1_3");
55373bfd	240	$proxy->serverflags("-client_renegotiation");
0bfe166b MC	241	$proxy->reneg(1);
0bfe166b MC	242	$proxy->start();
1e566129 MC	243	checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
1e566129 MC	244	checkhandshake::DEFAULT_EXTENSIONS,
46f4e1be	245	"Renegotiation handshake test");
f50306c2	246
11ba87f2	247	#Test 8: Server name handshake (no client request)
60ea0034	248	$proxy->clear();
11ba87f2	249	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034	250	$proxy->start();
1e566129 MC	251	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	252	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2	253	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	254	"Server name handshake test (client)");
60ea0034 MC	255
	256	#Test 9: Server name handshake (server support only)
	257	$proxy->clear();
11ba87f2	258	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034 MC	259	$proxy->serverflags("-servername testhost");
60ea0034 MC	260	$proxy->start();
1e566129	261	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
11ba87f2 MC	262	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2 MC	263	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	264	"Server name handshake test (server)");
60ea0034 MC	265
	266	#Test 10: Server name handshake (client and server)
	267	$proxy->clear();
	268	$proxy->clientflags("-no_tls1_3 -servername testhost");
	269	$proxy->serverflags("-servername testhost");
	270	$proxy->start();
1e566129	271	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874	272	checkhandshake::DEFAULT_EXTENSIONS
96153874 MC	273	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
96153874 MC	274	"Server name handshake test");
60ea0034 MC	275
	276	#Test 11: ALPN handshake (client request only)
	277	$proxy->clear();
	278	$proxy->clientflags("-no_tls1_3 -alpn test");
	279	$proxy->start();
1e566129 MC	280	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	281	checkhandshake::DEFAULT_EXTENSIONS
	282	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	283	"ALPN handshake test (client)");
f50306c2	284
60ea0034 MC	285	#Test 12: ALPN handshake (server support only)
	286	$proxy->clear();
	287	$proxy->clientflags("-no_tls1_3");
	288	$proxy->serverflags("-alpn test");
	289	$proxy->start();
1e566129 MC	290	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	291	checkhandshake::DEFAULT_EXTENSIONS,
96153874	292	"ALPN handshake test (server)");
a1448c26	293
60ea0034 MC	294	#Test 13: ALPN handshake (client and server)
	295	$proxy->clear();
	296	$proxy->clientflags("-no_tls1_3 -alpn test");
	297	$proxy->serverflags("-alpn test");
	298	$proxy->start();
1e566129	299	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	300	checkhandshake::DEFAULT_EXTENSIONS
	301	\| checkhandshake::ALPN_CLI_EXTENSION
	302	\| checkhandshake::ALPN_SRV_EXTENSION,
	303	"ALPN handshake test");
60ea0034	304
a05bed19	305	SKIP: {
aec23ece RL	306	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	307	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	308
	309	#Test 14: SCT handshake (client request only)
	310	$proxy->clear();
	311	#Note: -ct also sends status_request
	312	$proxy->clientflags("-no_tls1_3 -ct");
	313	$proxy->serverflags("-status_file "
	314	.srctop_file("test", "recipes", "ocsp-response.der"));
	315	$proxy->start();
	316	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	317	checkhandshake::DEFAULT_EXTENSIONS
	318	\| checkhandshake::SCT_CLI_EXTENSION
	319	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	320	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	321	"SCT handshake test (client)");
	322	}
60ea0034	323
aec23ece RL	324	SKIP: {
	325	skip "No OCSP support in this OpenSSL build", 1
	326	if disabled("ocsp");
	327
	328	#Test 15: SCT handshake (server support only)
	329	$proxy->clear();
	330	#Note: -ct also sends status_request
	331	$proxy->clientflags("-no_tls1_3");
	332	$proxy->serverflags("-status_file "
	333	.srctop_file("test", "recipes", "ocsp-response.der"));
	334	$proxy->start();
	335	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	336	checkhandshake::DEFAULT_EXTENSIONS,
	337	"SCT handshake test (server)");
	338	}
60ea0034	339
a05bed19	340	SKIP: {
aec23ece RL	341	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	342	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	343
	344	#Test 16: SCT handshake (client and server)
	345	#There is no built-in server side support for this so we are actually also
	346	#testing custom extensions here
	347	$proxy->clear();
	348	#Note: -ct also sends status_request
	349	$proxy->clientflags("-no_tls1_3 -ct");
	350	$proxy->serverflags("-status_file "
	351	.srctop_file("test", "recipes", "ocsp-response.der")
	352	." -serverinfo ".srctop_file("test", "serverinfo.pem"));
	353	$proxy->start();
	354	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	355	checkhandshake::DEFAULT_EXTENSIONS
	356	\| checkhandshake::SCT_CLI_EXTENSION
	357	\| checkhandshake::SCT_SRV_EXTENSION
	358	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	359	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	360	"SCT handshake test");
	361	}
60ea0034 MC	362
60ea0034 MC	363
e0c47b2c RL	364	SKIP: {
	365	skip "No NPN support in this OpenSSL build", 3
	366	if disabled("nextprotoneg");
60ea0034	367
e0c47b2c RL	368	#Test 17: NPN handshake (client request only)
	369	$proxy->clear();
	370	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	371	$proxy->start();
	372	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	373	checkhandshake::DEFAULT_EXTENSIONS
	374	\| checkhandshake::NPN_CLI_EXTENSION,
	375	"NPN handshake test (client)");
a1448c26	376
e0c47b2c RL	377	#Test 18: NPN handshake (server support only)
	378	$proxy->clear();
	379	$proxy->clientflags("-no_tls1_3");
	380	$proxy->serverflags("-nextprotoneg test");
	381	$proxy->start();
	382	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	383	checkhandshake::DEFAULT_EXTENSIONS,
	384	"NPN handshake test (server)");
	385
	386	#Test 19: NPN handshake (client and server)
	387	$proxy->clear();
	388	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	389	$proxy->serverflags("-nextprotoneg test");
	390	$proxy->start();
	391	checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
	392	checkhandshake::DEFAULT_EXTENSIONS
	393	\| checkhandshake::NPN_CLI_EXTENSION
	394	\| checkhandshake::NPN_SRV_EXTENSION,
	395	"NPN handshake test");
	396	}
60ea0034	397
327d38d0 RL	398	SKIP: {
	399	skip "No SRP support in this OpenSSL build", 1
	400	if disabled("srp");
	401
	402	#Test 20: SRP extension
	403	#Note: We are not actually going to perform an SRP handshake (TLSProxy
	404	#does not support it). However it is sufficient for us to check that the
	405	#SRP extension gets added on the client side. There is no SRP extension
	406	#generated on the server side anyway.
	407	$proxy->clear();
	408	$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
	409	$proxy->start();
	410	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	411	checkhandshake::DEFAULT_EXTENSIONS
	412	\| checkhandshake::SRP_CLI_EXTENSION,
	413	"SRP extension test");
	414	}
397f4f78 MC	415
	416	#Test 21: EC handshake
	417	SKIP: {
	418	skip "No EC support in this OpenSSL build", 1 if disabled("ec");
	419	$proxy->clear();
	420	$proxy->clientflags("-no_tls1_3");
38a73150	421	$proxy->serverflags("-no_tls1_3");
397f4f78 MC	422	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
	423	$proxy->start();
	424	checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
	425	checkhandshake::DEFAULT_EXTENSIONS
	426	\| checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
	427	"EC handshake test");
	428	}