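#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Drives a series of TLSv1.3 handshakes through TLSProxy and checks, via
# recipes::checkhandshake, that exactly the expected handshake messages and
# extensions are observed for each configuration: default, OCSP status_request,
# client authentication, server name (SNI), ALPN and SCT.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;

my $test_name;

# This block needs to run before 'use lib srctop_dir' directives.
BEGIN {
    $test_name = "test_tls13messages";
    OpenSSL::Test::setup($test_name);
}
use lib srctop_dir("test");

use recipes::checkhandshake qw(checkhandshake @handmessages @extensions);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS|MSWin32)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

# Mask CPU capability bits seen by libcrypto so the handshakes take a fixed
# implementation path; the bit layout is documented in OPENSSL_ia32cap(3).
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
# CT log list consulted by the client "-ct" option used in the SCT test below.
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");


# Expected handshake messages, in wire order. Each entry is
# [message type, bitmask of handshake kinds in which the message must appear].
# NOTE(review): the trailing [0, 0] looks like an end-of-list sentinel consumed
# by recipes::checkhandshake -- confirm there before changing it.
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        recipes::checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        recipes::checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        recipes::checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
    # Server Certificate: present in every full handshake, absent on resumption.
    [TLSProxy::Message::MT_CERTIFICATE,
        recipes::checkhandshake::ALL_HANDSHAKES & ~recipes::checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        recipes::checkhandshake::OCSP_HANDSHAKE],
    # Server Finished.
    [TLSProxy::Message::MT_FINISHED,
        recipes::checkhandshake::ALL_HANDSHAKES],
    # Client Certificate and CertificateVerify: only when the server asks for
    # client authentication.
    [TLSProxy::Message::MT_CERTIFICATE,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
    # Client Finished.
    [TLSProxy::Message::MT_FINISHED,
        recipes::checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

# Expected extensions. Each entry is
# [carrying message type, extension type, bitmask of configurations in which
# the extension must appear]. Ends with a [0,0,0] sentinel like @handmessages.
@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        recipes::checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        recipes::checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],

    # In TLSv1.3 the server's SNI/status_request/ALPN responses travel in
    # EncryptedExtensions rather than ServerHello.
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_STATUS_REQUEST,
        recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        recipes::checkhandshake::ALPN_SRV_EXTENSION],
    [0,0,0]
);

# The last constructor argument is a debug flag: presumably enables proxy
# output when run outside the harness or with HARNESS_VERBOSE set -- verify
# against TLSProxy::Proxy->new.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Test 1: Check we get all the right messages for a default handshake
# The session is written to a temp file so the (currently disabled) resumption
# test can read it back; only the name is kept, the handle is discarded.
(undef, my $session) = tempfile();
#$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
# 12 = Tests 1 and 3..13 below; Test 2 is disabled. Keep in step when
# enabling or adding tests.
plan tests => 12;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#TODO(TLS1.3): Test temporarily disabled until we implement TLS1.3 resumption
#Test 2: Resumption handshake
#$proxy->clearClient();
#$proxy->clientflags("-sess_in ".$session);
#$proxy->clientstart();
#checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
unlink $session;

#Test 3: A status_request handshake (client request only)
$proxy->clear();
$proxy->clientflags("-status");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
               "status_request handshake test (client)");

#Test 4: A status_request handshake (server support only)
# Without a client request the server must not send status_request, so only
# the default extensions are expected.
$proxy->clear();
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "status_request handshake test (server)");

#Test 5: A status_request handshake (client and server)
#TODO(TLS1.3): TLS1.3 doesn't actually have CertificateStatus messages. This is
#a temporary test until such time as we do proper TLS1.3 style certificate
#status
$proxy->clear();
$proxy->clientflags("-status");
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
               | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
               "status_request handshake test");

#Test 6: A client auth handshake
# "-Verify 5" makes the server require a client certificate (depth 5), which
# should produce CertificateRequest/Certificate/CertificateVerify.
$proxy->clear();
$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: Server name handshake (client request only)
$proxy->clear();
$proxy->clientflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 8: Server name handshake (server support only)
$proxy->clear();
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Server name handshake test (server)");

#Test 9: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION
               | recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 10: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 11: ALPN handshake (server support only)
$proxy->clear();
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 12: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::ALPN_CLI_EXTENSION
               | recipes::checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

#Test 13: SCT handshake (client request only)
#TODO(TLS1.3): This only checks that the client side extension appears. The
#SCT extension is unusual in that we have no built-in server side implementation
#The server side implementation can normally be added using the custom
#extensions framework (e.g. by using the "-serverinfo" s_server option). However
#currently we only support <= TLS1.2 for custom extensions because the existing
#framework and API has no knowledge of the TLS1.3 messages
$proxy->clear();
#Note: -ct also sends status_request
$proxy->clientflags("-ct");
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
$proxy->start();
checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::SCT_CLI_EXTENSION
               | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
               | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
               "SCT handshake test");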