[thirdparty/openssl.git] / test / recipes / 70-test_sslmessages.t

#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS|MSWin32)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"));

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
                          checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
         checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::RENEGOTIATE_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0]
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
unlink $session;

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ocsp");

    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}

#Test 6: A client auth handshake
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Renegotiation handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test (client)");
}

SKIP: {
    skip "No OCSP support in this OpenSSL build", 1
        if disabled("ocsp");

    #Test 15: SCT handshake (server support only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "SCT handshake test (server)");
}

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION,
                   "NPN handshake test (client)");

    #Test 18: NPN handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "NPN handshake test (server)");

    #Test 19: NPN handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION
                   | checkhandshake::NPN_SRV_EXTENSION,
                   "NPN handshake test");
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SRP_CLI_EXTENSION,
                   "SRP extension test");
}

#Test 21: EC handshake
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
                   "EC handshake test");
}
Commit	Line	Data
0bfe166b MC	1	#! /usr/bin/env perl
	2	# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the OpenSSL license (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
0bfe166b MC	11	use OpenSSL::Test::Utils;
	12	use File::Temp qw(tempfile);
	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_sslmessages";
1e566129 MC	17	setup($test_name);
f50306c2	18
0bfe166b MC	19	plan skip_all => "TLSProxy isn't usable on $^O"
	20	if $^O =~ /^(VMS\|MSWin32)$/;
	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLS enabled"
	29	if alldisabled(available_protocols("tls"));
	30
	31	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
60ea0034	32	$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
6ca94f10	33
0bfe166b MC	34	my $proxy = TLSProxy::Proxy->new(
	35	undef,
	36	cmdstr(app(["openssl"]), display => 1),
	37	srctop_file("apps", "server.pem"),
	38	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	39	);
	40
f50306c2 MC	41	@handmessages = (
f50306c2 MC	42	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	43	checkhandshake::ALL_HANDSHAKES],
f50306c2	44	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	45	checkhandshake::ALL_HANDSHAKES],
f50306c2	46	[TLSProxy::Message::MT_CERTIFICATE,
1e566129 MC	47	checkhandshake::ALL_HANDSHAKES
1e566129 MC	48	& ~checkhandshake::RESUME_HANDSHAKE],
397f4f78 MC	49	(disabled("ec") ? () :
	50	[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
	51	checkhandshake::EC_HANDSHAKE]),
f50306c2	52	[TLSProxy::Message::MT_CERTIFICATE_STATUS,
1e566129	53	checkhandshake::OCSP_HANDSHAKE],
f50306c2 MC	54	#ServerKeyExchange handshakes not currently supported by TLSProxy
f50306c2 MC	55	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	56	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	57	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 MC	58	checkhandshake::ALL_HANDSHAKES
1e566129 MC	59	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	60	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	61	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	62	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 MC	63	checkhandshake::ALL_HANDSHAKES
1e566129 MC	64	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	65	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	66	checkhandshake::CLIENT_AUTH_HANDSHAKE],
60ea0034	67	[TLSProxy::Message::MT_NEXT_PROTO,
1e566129	68	checkhandshake::NPN_HANDSHAKE],
f50306c2	69	[TLSProxy::Message::MT_FINISHED,
1e566129	70	checkhandshake::ALL_HANDSHAKES],
f50306c2	71	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 MC	72	checkhandshake::ALL_HANDSHAKES
1e566129 MC	73	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	74	[TLSProxy::Message::MT_FINISHED,
1e566129	75	checkhandshake::ALL_HANDSHAKES],
f50306c2	76	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	77	checkhandshake::RENEG_HANDSHAKE],
f50306c2	78	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	79	checkhandshake::RENEG_HANDSHAKE],
f50306c2	80	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	81	checkhandshake::RENEG_HANDSHAKE],
f50306c2	82	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129	83	checkhandshake::RENEG_HANDSHAKE],
f50306c2	84	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129	85	checkhandshake::RENEG_HANDSHAKE],
f50306c2	86	[TLSProxy::Message::MT_FINISHED,
1e566129	87	checkhandshake::RENEG_HANDSHAKE],
f50306c2	88	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129	89	checkhandshake::RENEG_HANDSHAKE],
f50306c2	90	[TLSProxy::Message::MT_FINISHED,
1e566129	91	checkhandshake::RENEG_HANDSHAKE],
f50306c2 MC	92	[0, 0]
	93	);
	94
	95	@extensions = (
	96	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	97	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	98	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	99	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
397f4f78 MC	100	(disabled("ec") ? () :
	101	[TLSProxy::Message::MT_CLIENT_HELLO,
	102	TLSProxy::Message::EXT_SUPPORTED_GROUPS,
	103	checkhandshake::DEFAULT_EXTENSIONS]),
	104	(disabled("ec") ? () :
	105	[TLSProxy::Message::MT_CLIENT_HELLO,
	106	TLSProxy::Message::EXT_EC_POINT_FORMATS,
	107	checkhandshake::DEFAULT_EXTENSIONS]),
f6e752c0 RL	108	(disabled("tls1_2") ? () :
	109	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
	110	checkhandshake::DEFAULT_EXTENSIONS]),
f50306c2	111	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	112	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	113	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	114	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	115	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	116	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	117	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	118	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	119	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	120	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	121	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
1e566129	122	checkhandshake::RENEGOTIATE_CLI_EXTENSION],
60ea0034	123	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
1e566129	124	checkhandshake::NPN_CLI_EXTENSION],
60ea0034	125	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
1e566129	126	checkhandshake::SRP_CLI_EXTENSION],
f50306c2 MC	127
f50306c2 MC	128	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
1e566129	129	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	130	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	131	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	132	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	133	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	134	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	135	checkhandshake::SESSION_TICKET_SRV_EXTENSION],
f50306c2	136	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	137	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	138	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	139	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
f50306c2	140	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	141	checkhandshake::ALPN_SRV_EXTENSION],
60ea0034	142	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	143	checkhandshake::SCT_SRV_EXTENSION],
60ea0034	144	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
1e566129	145	checkhandshake::NPN_SRV_EXTENSION],
397f4f78 MC	146	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
397f4f78 MC	147	checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
f50306c2 MC	148	[0,0,0]
f50306c2 MC	149	);
0bfe166b MC	150
	151	#Test 1: Check we get all the right messages for a default handshake
	152	(undef, my $session) = tempfile();
	153	$proxy->serverconnects(2);
	154	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
	155	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
397f4f78	156	plan tests => 21;
1e566129 MC	157	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	158	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	159	"Default handshake test");
0bfe166b MC	160
	161	#Test 2: Resumption handshake
	162	$proxy->clearClient();
	163	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
	164	$proxy->clientstart();
1e566129 MC	165	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
1e566129 MC	166	checkhandshake::DEFAULT_EXTENSIONS
b510b740	167	& ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
f50306c2	168	"Resumption handshake test");
0bfe166b MC	169	unlink $session;
0bfe166b MC	170
aec23ece RL	171	SKIP: {
	172	skip "No OCSP support in this OpenSSL build", 3
	173	if disabled("ocsp");
60ea0034	174
aec23ece RL	175	#Test 3: A status_request handshake (client request only)
	176	$proxy->clear();
	177	$proxy->clientflags("-no_tls1_3 -status");
	178	$proxy->start();
	179	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	180	checkhandshake::DEFAULT_EXTENSIONS
	181	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	182	"status_request handshake test (client)");
60ea0034	183
aec23ece RL	184	#Test 4: A status_request handshake (server support only)
	185	$proxy->clear();
	186	$proxy->clientflags("-no_tls1_3");
	187	$proxy->serverflags("-status_file "
	188	.srctop_file("test", "recipes", "ocsp-response.der"));
	189	$proxy->start();
	190	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	191	checkhandshake::DEFAULT_EXTENSIONS,
	192	"status_request handshake test (server)");
	193
	194	#Test 5: A status_request handshake (client and server)
	195	$proxy->clear();
	196	$proxy->clientflags("-no_tls1_3 -status");
	197	$proxy->serverflags("-status_file "
	198	.srctop_file("test", "recipes", "ocsp-response.der"));
	199	$proxy->start();
	200	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	201	checkhandshake::DEFAULT_EXTENSIONS
	202	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	203	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	204	"status_request handshake test");
	205	}
0bfe166b	206
60ea0034	207	#Test 6: A client auth handshake
0bfe166b MC	208	$proxy->clear();
	209	$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
	210	$proxy->serverflags("-Verify 5");
	211	$proxy->start();
1e566129 MC	212	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
1e566129 MC	213	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	214	"Client auth handshake test");
0bfe166b	215
60ea0034	216	#Test 7: A handshake with a renegotiation
0bfe166b MC	217	$proxy->clear();
	218	$proxy->clientflags("-no_tls1_3");
	219	$proxy->reneg(1);
	220	$proxy->start();
1e566129 MC	221	checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
1e566129 MC	222	checkhandshake::DEFAULT_EXTENSIONS,
46f4e1be	223	"Renegotiation handshake test");
f50306c2	224
11ba87f2	225	#Test 8: Server name handshake (no client request)
60ea0034	226	$proxy->clear();
11ba87f2	227	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034	228	$proxy->start();
1e566129 MC	229	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	230	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2	231	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	232	"Server name handshake test (client)");
60ea0034 MC	233
	234	#Test 9: Server name handshake (server support only)
	235	$proxy->clear();
11ba87f2	236	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034 MC	237	$proxy->serverflags("-servername testhost");
60ea0034 MC	238	$proxy->start();
1e566129	239	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
11ba87f2 MC	240	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2 MC	241	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	242	"Server name handshake test (server)");
60ea0034 MC	243
	244	#Test 10: Server name handshake (client and server)
	245	$proxy->clear();
	246	$proxy->clientflags("-no_tls1_3 -servername testhost");
	247	$proxy->serverflags("-servername testhost");
	248	$proxy->start();
1e566129	249	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874	250	checkhandshake::DEFAULT_EXTENSIONS
96153874 MC	251	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
96153874 MC	252	"Server name handshake test");
60ea0034 MC	253
	254	#Test 11: ALPN handshake (client request only)
	255	$proxy->clear();
	256	$proxy->clientflags("-no_tls1_3 -alpn test");
	257	$proxy->start();
1e566129 MC	258	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	259	checkhandshake::DEFAULT_EXTENSIONS
	260	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	261	"ALPN handshake test (client)");
f50306c2	262
60ea0034 MC	263	#Test 12: ALPN handshake (server support only)
	264	$proxy->clear();
	265	$proxy->clientflags("-no_tls1_3");
	266	$proxy->serverflags("-alpn test");
	267	$proxy->start();
1e566129 MC	268	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	269	checkhandshake::DEFAULT_EXTENSIONS,
96153874	270	"ALPN handshake test (server)");
a1448c26	271
60ea0034 MC	272	#Test 13: ALPN handshake (client and server)
	273	$proxy->clear();
	274	$proxy->clientflags("-no_tls1_3 -alpn test");
	275	$proxy->serverflags("-alpn test");
	276	$proxy->start();
1e566129	277	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	278	checkhandshake::DEFAULT_EXTENSIONS
	279	\| checkhandshake::ALPN_CLI_EXTENSION
	280	\| checkhandshake::ALPN_SRV_EXTENSION,
	281	"ALPN handshake test");
60ea0034	282
a05bed19	283	SKIP: {
aec23ece RL	284	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	285	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	286
	287	#Test 14: SCT handshake (client request only)
	288	$proxy->clear();
	289	#Note: -ct also sends status_request
	290	$proxy->clientflags("-no_tls1_3 -ct");
	291	$proxy->serverflags("-status_file "
	292	.srctop_file("test", "recipes", "ocsp-response.der"));
	293	$proxy->start();
	294	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	295	checkhandshake::DEFAULT_EXTENSIONS
	296	\| checkhandshake::SCT_CLI_EXTENSION
	297	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	298	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	299	"SCT handshake test (client)");
	300	}
60ea0034	301
aec23ece RL	302	SKIP: {
	303	skip "No OCSP support in this OpenSSL build", 1
	304	if disabled("ocsp");
	305
	306	#Test 15: SCT handshake (server support only)
	307	$proxy->clear();
	308	#Note: -ct also sends status_request
	309	$proxy->clientflags("-no_tls1_3");
	310	$proxy->serverflags("-status_file "
	311	.srctop_file("test", "recipes", "ocsp-response.der"));
	312	$proxy->start();
	313	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	314	checkhandshake::DEFAULT_EXTENSIONS,
	315	"SCT handshake test (server)");
	316	}
60ea0034	317
a05bed19	318	SKIP: {
aec23ece RL	319	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	320	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	321
	322	#Test 16: SCT handshake (client and server)
	323	#There is no built-in server side support for this so we are actually also
	324	#testing custom extensions here
	325	$proxy->clear();
	326	#Note: -ct also sends status_request
	327	$proxy->clientflags("-no_tls1_3 -ct");
	328	$proxy->serverflags("-status_file "
	329	.srctop_file("test", "recipes", "ocsp-response.der")
	330	." -serverinfo ".srctop_file("test", "serverinfo.pem"));
	331	$proxy->start();
	332	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	333	checkhandshake::DEFAULT_EXTENSIONS
	334	\| checkhandshake::SCT_CLI_EXTENSION
	335	\| checkhandshake::SCT_SRV_EXTENSION
	336	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	337	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	338	"SCT handshake test");
	339	}
60ea0034 MC	340
60ea0034 MC	341
e0c47b2c RL	342	SKIP: {
	343	skip "No NPN support in this OpenSSL build", 3
	344	if disabled("nextprotoneg");
60ea0034	345
e0c47b2c RL	346	#Test 17: NPN handshake (client request only)
	347	$proxy->clear();
	348	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	349	$proxy->start();
	350	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	351	checkhandshake::DEFAULT_EXTENSIONS
	352	\| checkhandshake::NPN_CLI_EXTENSION,
	353	"NPN handshake test (client)");
a1448c26	354
e0c47b2c RL	355	#Test 18: NPN handshake (server support only)
	356	$proxy->clear();
	357	$proxy->clientflags("-no_tls1_3");
	358	$proxy->serverflags("-nextprotoneg test");
	359	$proxy->start();
	360	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	361	checkhandshake::DEFAULT_EXTENSIONS,
	362	"NPN handshake test (server)");
	363
	364	#Test 19: NPN handshake (client and server)
	365	$proxy->clear();
	366	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	367	$proxy->serverflags("-nextprotoneg test");
	368	$proxy->start();
	369	checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
	370	checkhandshake::DEFAULT_EXTENSIONS
	371	\| checkhandshake::NPN_CLI_EXTENSION
	372	\| checkhandshake::NPN_SRV_EXTENSION,
	373	"NPN handshake test");
	374	}
60ea0034	375
327d38d0 RL	376	SKIP: {
	377	skip "No SRP support in this OpenSSL build", 1
	378	if disabled("srp");
	379
	380	#Test 20: SRP extension
	381	#Note: We are not actually going to perform an SRP handshake (TLSProxy
	382	#does not support it). However it is sufficient for us to check that the
	383	#SRP extension gets added on the client side. There is no SRP extension
	384	#generated on the server side anyway.
	385	$proxy->clear();
	386	$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
	387	$proxy->start();
	388	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	389	checkhandshake::DEFAULT_EXTENSIONS
	390	\| checkhandshake::SRP_CLI_EXTENSION,
	391	"SRP extension test");
	392	}
397f4f78 MC	393
	394	#Test 21: EC handshake
	395	SKIP: {
	396	skip "No EC support in this OpenSSL build", 1 if disabled("ec");
	397	$proxy->clear();
	398	$proxy->clientflags("-no_tls1_3");
38a73150	399	$proxy->serverflags("-no_tls1_3");
397f4f78 MC	400	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
	401	$proxy->start();
	402	checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
	403	checkhandshake::DEFAULT_EXTENSIONS
	404	\| checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
	405	"EC handshake test");
	406	}