1 #! /usr/bin/env perl
2 # Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);
15
my $test_name = "test_tls13messages";
setup($test_name);

# Prerequisite checks. Each unmet prerequisite aborts the whole recipe with a
# skip_all plan; they are evaluated in this order so the first missing one is
# the one reported.

# TLSProxy, which every test below runs through, is not usable on VMS.
if ($^O eq "VMS") {
    plan skip_all => "TLSProxy isn't usable on $^O";
}

# TLSProxy needs the dynamic engine feature (see the skip reason text).
if (disabled("engine") || disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}

# The proxy and the s_client/s_server it drives talk over real sockets.
if (disabled("sock")) {
    plan skip_all => "$test_name needs the sock feature enabled";
}

# The expected message and extension tables describe a TLSv1.3 handshake.
if (disabled("tls1_3")) {
    plan skip_all => "$test_name needs TLSv1.3 enabled";
}

# Several tests restrict the groups to P-384 (-curves), so EC must be built in.
if (disabled("ec")) {
    plan skip_all => "$test_name needs EC enabled";
}
33
# Expected handshake message sequence, one [message type, handshake mask]
# entry per message. The mask names the handshake variants the message is
# expected in (a message whose mask excludes the variant under test is
# expected to be absent); the all-zero entry terminates the list.
{
    my $all       = checkhandshake::ALL_HANDSHAKES;
    my $hrr       = checkhandshake::HRR_HANDSHAKE
                    | checkhandshake::HRR_RESUME_HANDSHAKE;
    my $cli_auth  = checkhandshake::CLIENT_AUTH_HANDSHAKE;
    # The server's Certificate/CertificateVerify are not sent on a resumption.
    my $full_only = $all & ~(checkhandshake::RESUME_HANDSHAKE
                             | checkhandshake::HRR_RESUME_HANDSHAKE);

    @handmessages = (
        [TLSProxy::Message::MT_CLIENT_HELLO,         $all],
        # HelloRetryRequest (a ServerHello) and the second ClientHello only
        # appear in the HRR variants.
        [TLSProxy::Message::MT_SERVER_HELLO,         $hrr],
        [TLSProxy::Message::MT_CLIENT_HELLO,         $hrr],
        [TLSProxy::Message::MT_SERVER_HELLO,         $all],
        [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, $all],
        [TLSProxy::Message::MT_CERTIFICATE_REQUEST,  $cli_auth],
        [TLSProxy::Message::MT_CERTIFICATE,          $full_only],
        [TLSProxy::Message::MT_CERTIFICATE_VERIFY,   $full_only],
        [TLSProxy::Message::MT_FINISHED,             $all],
        # Client's authentication flight, only when the server asked for it.
        [TLSProxy::Message::MT_CERTIFICATE,          $cli_auth],
        [TLSProxy::Message::MT_CERTIFICATE_VERIFY,   $cli_auth],
        [TLSProxy::Message::MT_FINISHED,             $all],
        [0, 0]
    );
}
61
# Expected extensions, one [message type, extension type, sender, mask] entry
# per extension. The mask names the test configurations in which the extension
# is expected; the all-zero entry terminates the list. The order follows the
# handshake: first ClientHello, HelloRetryRequest, second ClientHello,
# ServerHello, EncryptedExtensions, CertificateRequest, Certificate.
{
    my $client  = TLSProxy::Message::CLIENT;
    my $server  = TLSProxy::Message::SERVER;
    my $default = checkhandshake::DEFAULT_EXTENSIONS;

    # ClientHello extensions in the order they are expected to be seen. The
    # initial ClientHello and the one resent after a HelloRetryRequest are
    # expected to carry the same set, so the list is used twice.
    my @client_hello_exts = (
        [TLSProxy::Message::EXT_SERVER_NAME,            checkhandshake::SERVER_NAME_CLI_EXTENSION],
        [TLSProxy::Message::EXT_STATUS_REQUEST,         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
        [TLSProxy::Message::EXT_SUPPORTED_GROUPS,       $default],
        [TLSProxy::Message::EXT_EC_POINT_FORMATS,       $default],
        [TLSProxy::Message::EXT_SIG_ALGS,               $default],
        [TLSProxy::Message::EXT_ALPN,                   checkhandshake::ALPN_CLI_EXTENSION],
        [TLSProxy::Message::EXT_SCT,                    checkhandshake::SCT_CLI_EXTENSION],
        [TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,       $default],
        [TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, $default],
        [TLSProxy::Message::EXT_SESSION_TICKET,         $default],
        [TLSProxy::Message::EXT_KEY_SHARE,              $default],
        [TLSProxy::Message::EXT_SUPPORTED_VERSIONS,     $default],
        [TLSProxy::Message::EXT_PSK_KEX_MODES,          $default],
        [TLSProxy::Message::EXT_PSK,                    checkhandshake::PSK_CLI_EXTENSION],
        [TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,    checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
        [TLSProxy::Message::EXT_RENEGOTIATE,            $default],
    );
    # Builds fresh entries on each call so the two ClientHello sections of the
    # table do not share array references.
    my $client_hello = sub {
        return map { [TLSProxy::Message::MT_CLIENT_HELLO, $_->[0], $client, $_->[1]] }
                   @client_hello_exts;
    };

    @extensions = (
        # Initial ClientHello
        $client_hello->(),

        # HelloRetryRequest: key_share here only when an HRR is expected
        [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
         $server, $default],
        [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
         $server, checkhandshake::KEY_SHARE_HRR_EXTENSION],

        # Second ClientHello (after HelloRetryRequest)
        $client_hello->(),

        # ServerHello; pre_shared_key only when the server accepts a resumption
        [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
         $server, $default],
        [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
         $server, $default],
        [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
         $server, checkhandshake::PSK_SRV_EXTENSION],

        # EncryptedExtensions
        [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
         $server, checkhandshake::SERVER_NAME_SRV_EXTENSION],
        [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
         $server, checkhandshake::ALPN_SRV_EXTENSION],
        [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
         $server, checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

        # CertificateRequest
        [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
         $server, $default],

        # Certificate: stapled OCSP response and SCTs travel as extensions
        [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
         $server, checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
        [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
         $server, checkhandshake::SCT_SRV_EXTENSION],

        [0,0,0,0]
    );
}
201
# The proxy every test runs through. It spawns s_server/s_client from the
# openssl binary under test and serves apps/server.pem as the server
# certificate. The first argument is the (absent) message filter; the last is
# presumably a debug flag, on when run outside the harness or with a verbose
# harness.
my $openssl     = cmdstr(app(["openssl"]), display => 1);
my $server_cert = srctop_file("apps", "server.pem");
my $debug       = (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE});
my $proxy = TLSProxy::Proxy->new(undef, $openssl, $server_cert, $debug);
208
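#Test 1: Check we get all the right messages for a default handshake
# The session written by -sess_out is reused by the resumption tests (2 and
# 16). It holds the resumption ticket/secret, so ask File::Temp to remove it
# at exit as well as unlinking it at the end of the script: the explicit
# unlink is never reached if a test dies part way through.
(undef, my $session) = tempfile(UNLINK => 1);
# Two connections reach the same server instance: this full handshake and the
# resumption in test 2 (which restarts only the client).
$proxy->serverconnects(2);
# -no_rx_cert_comp is passed to every client and server below, presumably so
# that certificate compression does not add an extension that is not in the
# expected @extensions table.
$proxy->clientflags("-no_rx_cert_comp -sess_out ".$session);
$proxy->sessionfile($session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
# 2 (here) + 4 (status_request SKIP block) + 7 (client auth, server_name,
# ALPN) + 1 (SCT SKIP block) + 3 (key_share/HRR).
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client is restarted, so the server still holds the session from
# test 1. pre_shared_key is expected from both sides: offered by the client
# and selected by the server.
$proxy->clearClient();
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");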
229
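SKIP: {
    # The skip reason now states the actual condition, which is the same gate
    # as the SCT block further down; the previous text named only OCSP even
    # when the skip was caused by a build without ct. ec is already required
    # by the plan above, so that clause is redundant but harmless.
    skip "No CT, EC or OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");
    my $client_cert   = srctop_file("apps", "server.pem");

    #Test 3: A status_request handshake (client request only)
    # The client asks for a stapled OCSP response; the server has none to
    # staple, so only the client-side extension is expected.
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    # The server could staple but the client does not ask, so neither
    # status_request extension is expected.
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp");
    $proxy->serverflags("-no_rx_cert_comp -status_file ".$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    # Client asks and the server staples: the extension is expected in the
    # ClientHello and in the server's Certificate message.
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -status");
    $proxy->serverflags("-no_rx_cert_comp -status_file ".$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");

    #Test 6: A status_request handshake (client and server) with client auth
    # -Verify 5 has s_server request (and require) a client certificate; the
    # client reuses apps/server.pem as its certificate, and -enable_pha adds
    # the post_handshake_auth extension to its ClientHello.
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -status -enable_pha -cert "
                        .$client_cert);
    $proxy->serverflags("-no_rx_cert_comp -Verify 5 -status_file "
                        .$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "status_request handshake with client auth test");
}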
278
#Test 7: A client auth handshake
# -Verify 5 has s_server request (and require) a client certificate, so a
# CertificateRequest and the client's Certificate/CertificateVerify are
# expected; -enable_pha adds post_handshake_auth to the ClientHello. The
# client reuses apps/server.pem as its certificate.
{
    my $client_cert = srctop_file("apps", "server.pem");
    $proxy->clear();
    $proxy->clientflags(join " ", "-no_rx_cert_comp", "-enable_pha",
                                  "-cert", $client_cert);
    $proxy->serverflags("-no_rx_cert_comp -Verify 5");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "Client auth handshake test");
}

#Tests 8-13: server_name and ALPN negotiation
# Every case is a default handshake; only the expected extension set differs,
# depending on which side(s) enable the feature. With server-only support no
# server extension is expected, as the server only answers an extension the
# client offered.
{
    my $default_exts = checkhandshake::DEFAULT_EXTENSIONS;
    my @negotiation_cases = (
        #Test 8: Server name handshake (no client request)
        { name   => "Server name handshake test (client)",
          client => "-no_rx_cert_comp -noservername",
          exts   => $default_exts
                    & ~checkhandshake::SERVER_NAME_CLI_EXTENSION },
        #Test 9: Server name handshake (server support only)
        { name   => "Server name handshake test (server)",
          client => "-no_rx_cert_comp -noservername",
          server => "-no_rx_cert_comp -servername testhost",
          exts   => $default_exts
                    & ~checkhandshake::SERVER_NAME_CLI_EXTENSION },
        #Test 10: Server name handshake (client and server)
        { name   => "Server name handshake test",
          client => "-no_rx_cert_comp -servername testhost",
          server => "-no_rx_cert_comp -servername testhost",
          exts   => $default_exts
                    | checkhandshake::SERVER_NAME_SRV_EXTENSION },
        #Test 11: ALPN handshake (client request only)
        { name   => "ALPN handshake test (client)",
          client => "-no_rx_cert_comp -alpn test",
          exts   => $default_exts
                    | checkhandshake::ALPN_CLI_EXTENSION },
        #Test 12: ALPN handshake (server support only)
        { name   => "ALPN handshake test (server)",
          client => "-no_rx_cert_comp",
          server => "-no_rx_cert_comp -alpn test",
          exts   => $default_exts },
        #Test 13: ALPN handshake (client and server)
        { name   => "ALPN handshake test",
          client => "-no_rx_cert_comp -alpn test",
          server => "-no_rx_cert_comp -alpn test",
          exts   => $default_exts
                    | checkhandshake::ALPN_CLI_EXTENSION
                    | checkhandshake::ALPN_SRV_EXTENSION },
    );

    for my $case (@negotiation_cases) {
        $proxy->clear();
        $proxy->clientflags($case->{client});
        # Cases without server flags rely on clear() having reset them.
        $proxy->serverflags($case->{server}) if defined $case->{server};
        $proxy->start();
        checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                       $case->{exts}, $case->{name});
    }
}
346
SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    # -ct makes s_client request SCTs and also sends status_request. The
    # server staples an OCSP response and loads serverinfo2.pem (presumably
    # the source of its SCT extension data), so the Certificate message is
    # expected to carry both the status_request and the SCT extension.
    my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");
    my $serverinfo    = srctop_file("test", "serverinfo2.pem");
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -ct");
    $proxy->serverflags(join " ", "-no_rx_cert_comp",
                                  "-status_file", $ocsp_response,
                                  "-serverinfo", $serverinfo);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}
367
#Tests 15-17: key_share selection and HelloRetryRequest
# Restricting the server to P-384 makes the client's default key_share
# unacceptable, so the server answers with a HelloRetryRequest carrying the
# key_share it wants and the client sends a second ClientHello (tests 15 and
# 16, the latter on top of a resumption of the test 1 session). In test 17 the
# client offers P-384 itself: the server accepts it but signals its preferred
# groups via supported_groups in EncryptedExtensions.
{
    my $default_exts = checkhandshake::DEFAULT_EXTENSIONS;
    my @group_cases = (
        #Test 15: HRR Handshake
        { name      => "HRR handshake test",
          client    => "-no_rx_cert_comp",
          server    => "-no_rx_cert_comp -curves P-384",
          handshake => checkhandshake::HRR_HANDSHAKE,
          exts      => $default_exts
                       | checkhandshake::KEY_SHARE_HRR_EXTENSION },
        #Test 16: Resumption handshake with HRR
        { name      => "Resumption handshake with HRR test",
          client    => "-no_rx_cert_comp -sess_in ".$session,
          server    => "-no_rx_cert_comp -curves P-384",
          handshake => checkhandshake::HRR_RESUME_HANDSHAKE,
          exts      => $default_exts
                       | checkhandshake::KEY_SHARE_HRR_EXTENSION
                       | checkhandshake::PSK_CLI_EXTENSION
                       | checkhandshake::PSK_SRV_EXTENSION },
        #Test 17: Acceptable but non preferred key_share
        { name      => "Acceptable but non preferred key_share",
          client    => "-no_rx_cert_comp -curves P-384",
          handshake => checkhandshake::DEFAULT_HANDSHAKE,
          exts      => $default_exts
                       | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION },
    );

    for my $case (@group_cases) {
        $proxy->clear();
        $proxy->clientflags($case->{client});
        # Test 17 sets no server flags and relies on clear() having reset them.
        $proxy->serverflags($case->{server}) if defined $case->{server};
        $proxy->start();
        checkhandshake($proxy, $case->{handshake}, $case->{exts},
                       $case->{name});
    }
}

# Remove the session file (it holds the resumption secret from test 1).
unlink $session;