[thirdparty/openssl.git] / test / recipes / 70-test_sslmessages.t

#! /usr/bin/env perl
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"))
       || (!disabled("tls1_3") && disabled("tls1_2"));

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
                          checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                       TLSProxy::Message::CLIENT,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
                       TLSProxy::Message::CLIENT,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::RENEGOTIATE_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        TLSProxy::Message::CLIENT,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::SERVER,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        TLSProxy::Message::SERVER,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::SERVER,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0,0]
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
unlink $session;

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ocsp");

    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}

#Test 6: A client auth handshake
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Renegotiation handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test (client)");
}

SKIP: {
    skip "No OCSP support in this OpenSSL build", 1
        if disabled("ocsp");

    #Test 15: SCT handshake (server support only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "SCT handshake test (server)");
}

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION,
                   "NPN handshake test (client)");

    #Test 18: NPN handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "NPN handshake test (server)");

    #Test 19: NPN handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION
                   | checkhandshake::NPN_SRV_EXTENSION,
                   "NPN handshake test");
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SRP_CLI_EXTENSION,
                   "SRP extension test");
}

#Test 21: EC handshake
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
                   "EC handshake test");
}
Commit	Line	Data
0bfe166b	1	#! /usr/bin/env perl
33388b44	2	# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
0bfe166b	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
0bfe166b MC	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
0bfe166b MC	11	use OpenSSL::Test::Utils;
	12	use File::Temp qw(tempfile);
	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_sslmessages";
1e566129 MC	17	setup($test_name);
f50306c2	18
0bfe166b	19	plan skip_all => "TLSProxy isn't usable on $^O"
c5856878	20	if $^O =~ /^(VMS)$/;
0bfe166b MC	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLS enabled"
c423ecaa MC	29	if alldisabled(available_protocols("tls"))
c423ecaa MC	30	\|\| (!disabled("tls1_3") && disabled("tls1_2"));
0bfe166b MC	31
0bfe166b MC	32	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
433deaff	33	$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");
6ca94f10	34
0bfe166b MC	35	my $proxy = TLSProxy::Proxy->new(
	36	undef,
	37	cmdstr(app(["openssl"]), display => 1),
	38	srctop_file("apps", "server.pem"),
	39	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	40	);
	41
f50306c2 MC	42	@handmessages = (
f50306c2 MC	43	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	44	checkhandshake::ALL_HANDSHAKES],
f50306c2	45	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	46	checkhandshake::ALL_HANDSHAKES],
f50306c2	47	[TLSProxy::Message::MT_CERTIFICATE,
1e566129 MC	48	checkhandshake::ALL_HANDSHAKES
1e566129 MC	49	& ~checkhandshake::RESUME_HANDSHAKE],
397f4f78 MC	50	(disabled("ec") ? () :
	51	[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
	52	checkhandshake::EC_HANDSHAKE]),
f50306c2	53	[TLSProxy::Message::MT_CERTIFICATE_STATUS,
1e566129	54	checkhandshake::OCSP_HANDSHAKE],
f50306c2 MC	55	#ServerKeyExchange handshakes not currently supported by TLSProxy
f50306c2 MC	56	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	57	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	58	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 MC	59	checkhandshake::ALL_HANDSHAKES
1e566129 MC	60	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	61	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	62	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	63	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 MC	64	checkhandshake::ALL_HANDSHAKES
1e566129 MC	65	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	66	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	67	checkhandshake::CLIENT_AUTH_HANDSHAKE],
60ea0034	68	[TLSProxy::Message::MT_NEXT_PROTO,
1e566129	69	checkhandshake::NPN_HANDSHAKE],
f50306c2	70	[TLSProxy::Message::MT_FINISHED,
1e566129	71	checkhandshake::ALL_HANDSHAKES],
f50306c2	72	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 MC	73	checkhandshake::ALL_HANDSHAKES
1e566129 MC	74	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	75	[TLSProxy::Message::MT_FINISHED,
1e566129	76	checkhandshake::ALL_HANDSHAKES],
f50306c2	77	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	78	checkhandshake::RENEG_HANDSHAKE],
f50306c2	79	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	80	checkhandshake::RENEG_HANDSHAKE],
f50306c2	81	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	82	checkhandshake::RENEG_HANDSHAKE],
f50306c2	83	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129	84	checkhandshake::RENEG_HANDSHAKE],
f50306c2	85	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129	86	checkhandshake::RENEG_HANDSHAKE],
f50306c2	87	[TLSProxy::Message::MT_FINISHED,
1e566129	88	checkhandshake::RENEG_HANDSHAKE],
f50306c2	89	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129	90	checkhandshake::RENEG_HANDSHAKE],
f50306c2	91	[TLSProxy::Message::MT_FINISHED,
1e566129	92	checkhandshake::RENEG_HANDSHAKE],
f50306c2 MC	93	[0, 0]
	94	);
	95
	96	@extensions = (
	97	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	98	TLSProxy::Message::CLIENT,
1e566129	99	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	100	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	101	TLSProxy::Message::CLIENT,
1e566129	102	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
397f4f78 MC	103	(disabled("ec") ? () :
	104	[TLSProxy::Message::MT_CLIENT_HELLO,
	105	TLSProxy::Message::EXT_SUPPORTED_GROUPS,
dc5bcb88	106	TLSProxy::Message::CLIENT,
397f4f78 MC	107	checkhandshake::DEFAULT_EXTENSIONS]),
	108	(disabled("ec") ? () :
	109	[TLSProxy::Message::MT_CLIENT_HELLO,
	110	TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88	111	TLSProxy::Message::CLIENT,
397f4f78	112	checkhandshake::DEFAULT_EXTENSIONS]),
f6e752c0 RL	113	(disabled("tls1_2") ? () :
f6e752c0 RL	114	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
dc5bcb88	115	TLSProxy::Message::CLIENT,
f6e752c0	116	checkhandshake::DEFAULT_EXTENSIONS]),
f50306c2	117	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88	118	TLSProxy::Message::CLIENT,
1e566129	119	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	120	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88	121	TLSProxy::Message::CLIENT,
1e566129	122	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	123	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88	124	TLSProxy::Message::CLIENT,
1e566129	125	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	126	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88	127	TLSProxy::Message::CLIENT,
1e566129	128	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	129	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88	130	TLSProxy::Message::CLIENT,
1e566129	131	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	132	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
dc5bcb88	133	TLSProxy::Message::CLIENT,
1e566129	134	checkhandshake::RENEGOTIATE_CLI_EXTENSION],
60ea0034	135	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
dc5bcb88	136	TLSProxy::Message::CLIENT,
1e566129	137	checkhandshake::NPN_CLI_EXTENSION],
60ea0034	138	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
dc5bcb88	139	TLSProxy::Message::CLIENT,
1e566129	140	checkhandshake::SRP_CLI_EXTENSION],
f50306c2 MC	141
f50306c2 MC	142	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
dc5bcb88	143	TLSProxy::Message::SERVER,
1e566129	144	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	145	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88	146	TLSProxy::Message::SERVER,
1e566129	147	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	148	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88	149	TLSProxy::Message::SERVER,
1e566129	150	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	151	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88	152	TLSProxy::Message::SERVER,
1e566129	153	checkhandshake::SESSION_TICKET_SRV_EXTENSION],
f50306c2	154	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	155	TLSProxy::Message::SERVER,
1e566129	156	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	157	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	158	TLSProxy::Message::SERVER,
1e566129	159	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
f50306c2	160	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88	161	TLSProxy::Message::SERVER,
1e566129	162	checkhandshake::ALPN_SRV_EXTENSION],
60ea0034	163	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88	164	TLSProxy::Message::SERVER,
1e566129	165	checkhandshake::SCT_SRV_EXTENSION],
60ea0034	166	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
dc5bcb88	167	TLSProxy::Message::SERVER,
1e566129	168	checkhandshake::NPN_SRV_EXTENSION],
397f4f78	169	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88	170	TLSProxy::Message::SERVER,
397f4f78	171	checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
dc5bcb88	172	[0,0,0,0]
f50306c2	173	);
0bfe166b MC	174
	175	#Test 1: Check we get all the right messages for a default handshake
	176	(undef, my $session) = tempfile();
	177	$proxy->serverconnects(2);
	178	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
	179	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
397f4f78	180	plan tests => 21;
1e566129 MC	181	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	182	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	183	"Default handshake test");
0bfe166b MC	184
	185	#Test 2: Resumption handshake
	186	$proxy->clearClient();
	187	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
	188	$proxy->clientstart();
1e566129 MC	189	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
1e566129 MC	190	checkhandshake::DEFAULT_EXTENSIONS
b510b740	191	& ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
f50306c2	192	"Resumption handshake test");
0bfe166b MC	193	unlink $session;
0bfe166b MC	194
aec23ece RL	195	SKIP: {
	196	skip "No OCSP support in this OpenSSL build", 3
	197	if disabled("ocsp");
60ea0034	198
aec23ece RL	199	#Test 3: A status_request handshake (client request only)
	200	$proxy->clear();
	201	$proxy->clientflags("-no_tls1_3 -status");
	202	$proxy->start();
	203	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	204	checkhandshake::DEFAULT_EXTENSIONS
	205	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	206	"status_request handshake test (client)");
60ea0034	207
aec23ece RL	208	#Test 4: A status_request handshake (server support only)
	209	$proxy->clear();
	210	$proxy->clientflags("-no_tls1_3");
	211	$proxy->serverflags("-status_file "
	212	.srctop_file("test", "recipes", "ocsp-response.der"));
	213	$proxy->start();
	214	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	215	checkhandshake::DEFAULT_EXTENSIONS,
	216	"status_request handshake test (server)");
	217
	218	#Test 5: A status_request handshake (client and server)
	219	$proxy->clear();
	220	$proxy->clientflags("-no_tls1_3 -status");
	221	$proxy->serverflags("-status_file "
	222	.srctop_file("test", "recipes", "ocsp-response.der"));
	223	$proxy->start();
	224	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	225	checkhandshake::DEFAULT_EXTENSIONS
	226	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	227	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	228	"status_request handshake test");
	229	}
0bfe166b	230
60ea0034	231	#Test 6: A client auth handshake
0bfe166b MC	232	$proxy->clear();
	233	$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
	234	$proxy->serverflags("-Verify 5");
	235	$proxy->start();
1e566129 MC	236	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
1e566129 MC	237	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	238	"Client auth handshake test");
0bfe166b	239
60ea0034	240	#Test 7: A handshake with a renegotiation
0bfe166b MC	241	$proxy->clear();
	242	$proxy->clientflags("-no_tls1_3");
	243	$proxy->reneg(1);
	244	$proxy->start();
1e566129 MC	245	checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
1e566129 MC	246	checkhandshake::DEFAULT_EXTENSIONS,
46f4e1be	247	"Renegotiation handshake test");
f50306c2	248
11ba87f2	249	#Test 8: Server name handshake (no client request)
60ea0034	250	$proxy->clear();
11ba87f2	251	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034	252	$proxy->start();
1e566129 MC	253	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	254	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2	255	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	256	"Server name handshake test (client)");
60ea0034 MC	257
	258	#Test 9: Server name handshake (server support only)
	259	$proxy->clear();
11ba87f2	260	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034 MC	261	$proxy->serverflags("-servername testhost");
60ea0034 MC	262	$proxy->start();
1e566129	263	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
11ba87f2 MC	264	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2 MC	265	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	266	"Server name handshake test (server)");
60ea0034 MC	267
	268	#Test 10: Server name handshake (client and server)
	269	$proxy->clear();
	270	$proxy->clientflags("-no_tls1_3 -servername testhost");
	271	$proxy->serverflags("-servername testhost");
	272	$proxy->start();
1e566129	273	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874	274	checkhandshake::DEFAULT_EXTENSIONS
96153874 MC	275	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
96153874 MC	276	"Server name handshake test");
60ea0034 MC	277
	278	#Test 11: ALPN handshake (client request only)
	279	$proxy->clear();
	280	$proxy->clientflags("-no_tls1_3 -alpn test");
	281	$proxy->start();
1e566129 MC	282	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	283	checkhandshake::DEFAULT_EXTENSIONS
	284	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	285	"ALPN handshake test (client)");
f50306c2	286
60ea0034 MC	287	#Test 12: ALPN handshake (server support only)
	288	$proxy->clear();
	289	$proxy->clientflags("-no_tls1_3");
	290	$proxy->serverflags("-alpn test");
	291	$proxy->start();
1e566129 MC	292	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	293	checkhandshake::DEFAULT_EXTENSIONS,
96153874	294	"ALPN handshake test (server)");
a1448c26	295
60ea0034 MC	296	#Test 13: ALPN handshake (client and server)
	297	$proxy->clear();
	298	$proxy->clientflags("-no_tls1_3 -alpn test");
	299	$proxy->serverflags("-alpn test");
	300	$proxy->start();
1e566129	301	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	302	checkhandshake::DEFAULT_EXTENSIONS
	303	\| checkhandshake::ALPN_CLI_EXTENSION
	304	\| checkhandshake::ALPN_SRV_EXTENSION,
	305	"ALPN handshake test");
60ea0034	306
a05bed19	307	SKIP: {
aec23ece RL	308	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	309	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	310
	311	#Test 14: SCT handshake (client request only)
	312	$proxy->clear();
	313	#Note: -ct also sends status_request
	314	$proxy->clientflags("-no_tls1_3 -ct");
	315	$proxy->serverflags("-status_file "
	316	.srctop_file("test", "recipes", "ocsp-response.der"));
	317	$proxy->start();
	318	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	319	checkhandshake::DEFAULT_EXTENSIONS
	320	\| checkhandshake::SCT_CLI_EXTENSION
	321	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	322	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	323	"SCT handshake test (client)");
	324	}
60ea0034	325
aec23ece RL	326	SKIP: {
	327	skip "No OCSP support in this OpenSSL build", 1
	328	if disabled("ocsp");
	329
	330	#Test 15: SCT handshake (server support only)
	331	$proxy->clear();
	332	#Note: -ct also sends status_request
	333	$proxy->clientflags("-no_tls1_3");
	334	$proxy->serverflags("-status_file "
	335	.srctop_file("test", "recipes", "ocsp-response.der"));
	336	$proxy->start();
	337	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	338	checkhandshake::DEFAULT_EXTENSIONS,
	339	"SCT handshake test (server)");
	340	}
60ea0034	341
a05bed19	342	SKIP: {
aec23ece RL	343	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	344	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	345
	346	#Test 16: SCT handshake (client and server)
	347	#There is no built-in server side support for this so we are actually also
	348	#testing custom extensions here
	349	$proxy->clear();
	350	#Note: -ct also sends status_request
	351	$proxy->clientflags("-no_tls1_3 -ct");
	352	$proxy->serverflags("-status_file "
	353	.srctop_file("test", "recipes", "ocsp-response.der")
	354	." -serverinfo ".srctop_file("test", "serverinfo.pem"));
	355	$proxy->start();
	356	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	357	checkhandshake::DEFAULT_EXTENSIONS
	358	\| checkhandshake::SCT_CLI_EXTENSION
	359	\| checkhandshake::SCT_SRV_EXTENSION
	360	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	361	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	362	"SCT handshake test");
	363	}
60ea0034 MC	364
60ea0034 MC	365
e0c47b2c RL	366	SKIP: {
	367	skip "No NPN support in this OpenSSL build", 3
	368	if disabled("nextprotoneg");
60ea0034	369
e0c47b2c RL	370	#Test 17: NPN handshake (client request only)
	371	$proxy->clear();
	372	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	373	$proxy->start();
	374	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	375	checkhandshake::DEFAULT_EXTENSIONS
	376	\| checkhandshake::NPN_CLI_EXTENSION,
	377	"NPN handshake test (client)");
a1448c26	378
e0c47b2c RL	379	#Test 18: NPN handshake (server support only)
	380	$proxy->clear();
	381	$proxy->clientflags("-no_tls1_3");
	382	$proxy->serverflags("-nextprotoneg test");
	383	$proxy->start();
	384	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	385	checkhandshake::DEFAULT_EXTENSIONS,
	386	"NPN handshake test (server)");
	387
	388	#Test 19: NPN handshake (client and server)
	389	$proxy->clear();
	390	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	391	$proxy->serverflags("-nextprotoneg test");
	392	$proxy->start();
	393	checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
	394	checkhandshake::DEFAULT_EXTENSIONS
	395	\| checkhandshake::NPN_CLI_EXTENSION
	396	\| checkhandshake::NPN_SRV_EXTENSION,
	397	"NPN handshake test");
	398	}
60ea0034	399
327d38d0 RL	400	SKIP: {
	401	skip "No SRP support in this OpenSSL build", 1
	402	if disabled("srp");
	403
	404	#Test 20: SRP extension
	405	#Note: We are not actually going to perform an SRP handshake (TLSProxy
	406	#does not support it). However it is sufficient for us to check that the
	407	#SRP extension gets added on the client side. There is no SRP extension
	408	#generated on the server side anyway.
	409	$proxy->clear();
	410	$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
	411	$proxy->start();
	412	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	413	checkhandshake::DEFAULT_EXTENSIONS
	414	\| checkhandshake::SRP_CLI_EXTENSION,
	415	"SRP extension test");
	416	}
397f4f78 MC	417
	418	#Test 21: EC handshake
	419	SKIP: {
	420	skip "No EC support in this OpenSSL build", 1 if disabled("ec");
	421	$proxy->clear();
	422	$proxy->clientflags("-no_tls1_3");
38a73150	423	$proxy->serverflags("-no_tls1_3");
397f4f78 MC	424	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
	425	$proxy->start();
	426	checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
	427	checkhandshake::DEFAULT_EXTENSIONS
	428	\| checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
	429	"EC handshake test");
	430	}