[thirdparty/openssl.git] / test / recipes / 70-test_sslmessages.t

#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS|MSWin32)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"));

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
                          checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
         checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::RENEGOTIATE_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0]
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Resumption handshake test");
unlink $session;

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ocsp");

    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}

#Test 6: A client auth handshake
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Renegotiation handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test (client)");
}

SKIP: {
    skip "No OCSP support in this OpenSSL build", 1
        if disabled("ocsp");

    #Test 15: SCT handshake (server support only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "SCT handshake test (server)");
}

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION,
                   "NPN handshake test (client)");

    #Test 18: NPN handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "NPN handshake test (server)");

    #Test 19: NPN handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION
                   | checkhandshake::NPN_SRV_EXTENSION,
                   "NPN handshake test");
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SRP_CLI_EXTENSION,
                   "SRP extension test");
}

#Test 21: EC handshake
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
                   "EC handshake test");
}
Commit	Line	Data
0bfe166b MC	1	#! /usr/bin/env perl
	2	# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the OpenSSL license (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
0bfe166b MC	11	use OpenSSL::Test::Utils;
	12	use File::Temp qw(tempfile);
	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_sslmessages";
1e566129 MC	17	setup($test_name);
f50306c2	18
0bfe166b MC	19	plan skip_all => "TLSProxy isn't usable on $^O"
	20	if $^O =~ /^(VMS\|MSWin32)$/;
	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLS enabled"
	29	if alldisabled(available_protocols("tls"));
	30
	31	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
60ea0034	32	$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
6ca94f10	33
0bfe166b MC	34	my $proxy = TLSProxy::Proxy->new(
	35	undef,
	36	cmdstr(app(["openssl"]), display => 1),
	37	srctop_file("apps", "server.pem"),
	38	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	39	);
	40
f50306c2 MC	41	@handmessages = (
f50306c2 MC	42	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	43	checkhandshake::ALL_HANDSHAKES],
f50306c2	44	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	45	checkhandshake::ALL_HANDSHAKES],
f50306c2	46	[TLSProxy::Message::MT_CERTIFICATE,
1e566129 MC	47	checkhandshake::ALL_HANDSHAKES
1e566129 MC	48	& ~checkhandshake::RESUME_HANDSHAKE],
397f4f78 MC	49	(disabled("ec") ? () :
	50	[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
	51	checkhandshake::EC_HANDSHAKE]),
f50306c2	52	[TLSProxy::Message::MT_CERTIFICATE_STATUS,
1e566129	53	checkhandshake::OCSP_HANDSHAKE],
f50306c2 MC	54	#ServerKeyExchange handshakes not currently supported by TLSProxy
f50306c2 MC	55	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	56	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	57	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 MC	58	checkhandshake::ALL_HANDSHAKES
1e566129 MC	59	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	60	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	61	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	62	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 MC	63	checkhandshake::ALL_HANDSHAKES
1e566129 MC	64	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	65	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	66	checkhandshake::CLIENT_AUTH_HANDSHAKE],
60ea0034	67	[TLSProxy::Message::MT_NEXT_PROTO,
1e566129	68	checkhandshake::NPN_HANDSHAKE],
f50306c2	69	[TLSProxy::Message::MT_FINISHED,
1e566129	70	checkhandshake::ALL_HANDSHAKES],
f50306c2	71	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 MC	72	checkhandshake::ALL_HANDSHAKES
1e566129 MC	73	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	74	[TLSProxy::Message::MT_FINISHED,
1e566129	75	checkhandshake::ALL_HANDSHAKES],
f50306c2	76	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	77	checkhandshake::RENEG_HANDSHAKE],
f50306c2	78	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	79	checkhandshake::RENEG_HANDSHAKE],
f50306c2	80	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	81	checkhandshake::RENEG_HANDSHAKE],
f50306c2	82	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129	83	checkhandshake::RENEG_HANDSHAKE],
f50306c2	84	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129	85	checkhandshake::RENEG_HANDSHAKE],
f50306c2	86	[TLSProxy::Message::MT_FINISHED,
1e566129	87	checkhandshake::RENEG_HANDSHAKE],
f50306c2	88	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129	89	checkhandshake::RENEG_HANDSHAKE],
f50306c2	90	[TLSProxy::Message::MT_FINISHED,
1e566129	91	checkhandshake::RENEG_HANDSHAKE],
f50306c2 MC	92	[0, 0]
	93	);
	94
	95	@extensions = (
	96	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	97	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	98	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	99	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
397f4f78 MC	100	(disabled("ec") ? () :
	101	[TLSProxy::Message::MT_CLIENT_HELLO,
	102	TLSProxy::Message::EXT_SUPPORTED_GROUPS,
	103	checkhandshake::DEFAULT_EXTENSIONS]),
	104	(disabled("ec") ? () :
	105	[TLSProxy::Message::MT_CLIENT_HELLO,
	106	TLSProxy::Message::EXT_EC_POINT_FORMATS,
	107	checkhandshake::DEFAULT_EXTENSIONS]),
f6e752c0 RL	108	(disabled("tls1_2") ? () :
	109	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
	110	checkhandshake::DEFAULT_EXTENSIONS]),
f50306c2	111	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	112	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	113	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	114	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	115	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	116	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	117	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	118	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	119	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	120	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	121	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
1e566129	122	checkhandshake::RENEGOTIATE_CLI_EXTENSION],
60ea0034	123	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
1e566129	124	checkhandshake::NPN_CLI_EXTENSION],
60ea0034	125	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
1e566129	126	checkhandshake::SRP_CLI_EXTENSION],
f50306c2 MC	127
f50306c2 MC	128	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
1e566129	129	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	130	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	131	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	132	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	133	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	134	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	135	checkhandshake::SESSION_TICKET_SRV_EXTENSION],
f50306c2	136	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	137	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	138	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	139	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
f50306c2	140	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	141	checkhandshake::ALPN_SRV_EXTENSION],
60ea0034	142	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	143	checkhandshake::SCT_SRV_EXTENSION],
60ea0034	144	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
1e566129	145	checkhandshake::NPN_SRV_EXTENSION],
397f4f78 MC	146	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
397f4f78 MC	147	checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
f50306c2 MC	148	[0,0,0]
f50306c2 MC	149	);
0bfe166b MC	150
	151	#Test 1: Check we get all the right messages for a default handshake
	152	(undef, my $session) = tempfile();
	153	$proxy->serverconnects(2);
	154	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
	155	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
397f4f78	156	plan tests => 21;
1e566129 MC	157	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	158	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	159	"Default handshake test");
0bfe166b MC	160
	161	#Test 2: Resumption handshake
	162	$proxy->clearClient();
	163	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
	164	$proxy->clientstart();
1e566129 MC	165	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
1e566129 MC	166	checkhandshake::DEFAULT_EXTENSIONS
db919b1e MC	167	& ~checkhandshake::SESSION_TICKET_SRV_EXTENSION
db919b1e MC	168	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
f50306c2	169	"Resumption handshake test");
0bfe166b MC	170	unlink $session;
0bfe166b MC	171
aec23ece RL	172	SKIP: {
	173	skip "No OCSP support in this OpenSSL build", 3
	174	if disabled("ocsp");
60ea0034	175
aec23ece RL	176	#Test 3: A status_request handshake (client request only)
	177	$proxy->clear();
	178	$proxy->clientflags("-no_tls1_3 -status");
	179	$proxy->start();
	180	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	181	checkhandshake::DEFAULT_EXTENSIONS
	182	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	183	"status_request handshake test (client)");
60ea0034	184
aec23ece RL	185	#Test 4: A status_request handshake (server support only)
	186	$proxy->clear();
	187	$proxy->clientflags("-no_tls1_3");
	188	$proxy->serverflags("-status_file "
	189	.srctop_file("test", "recipes", "ocsp-response.der"));
	190	$proxy->start();
	191	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	192	checkhandshake::DEFAULT_EXTENSIONS,
	193	"status_request handshake test (server)");
	194
	195	#Test 5: A status_request handshake (client and server)
	196	$proxy->clear();
	197	$proxy->clientflags("-no_tls1_3 -status");
	198	$proxy->serverflags("-status_file "
	199	.srctop_file("test", "recipes", "ocsp-response.der"));
	200	$proxy->start();
	201	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	202	checkhandshake::DEFAULT_EXTENSIONS
	203	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	204	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	205	"status_request handshake test");
	206	}
0bfe166b	207
60ea0034	208	#Test 6: A client auth handshake
0bfe166b MC	209	$proxy->clear();
	210	$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
	211	$proxy->serverflags("-Verify 5");
	212	$proxy->start();
1e566129 MC	213	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
1e566129 MC	214	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	215	"Client auth handshake test");
0bfe166b	216
60ea0034	217	#Test 7: A handshake with a renegotiation
0bfe166b MC	218	$proxy->clear();
	219	$proxy->clientflags("-no_tls1_3");
	220	$proxy->reneg(1);
	221	$proxy->start();
1e566129 MC	222	checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
1e566129 MC	223	checkhandshake::DEFAULT_EXTENSIONS,
46f4e1be	224	"Renegotiation handshake test");
f50306c2	225
11ba87f2	226	#Test 8: Server name handshake (no client request)
60ea0034	227	$proxy->clear();
11ba87f2	228	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034	229	$proxy->start();
1e566129 MC	230	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	231	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2	232	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	233	"Server name handshake test (client)");
60ea0034 MC	234
	235	#Test 9: Server name handshake (server support only)
	236	$proxy->clear();
11ba87f2	237	$proxy->clientflags("-no_tls1_3 -noservername");
60ea0034 MC	238	$proxy->serverflags("-servername testhost");
60ea0034 MC	239	$proxy->start();
1e566129	240	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
11ba87f2 MC	241	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2 MC	242	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	243	"Server name handshake test (server)");
60ea0034 MC	244
	245	#Test 10: Server name handshake (client and server)
	246	$proxy->clear();
	247	$proxy->clientflags("-no_tls1_3 -servername testhost");
	248	$proxy->serverflags("-servername testhost");
	249	$proxy->start();
1e566129	250	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874	251	checkhandshake::DEFAULT_EXTENSIONS
96153874 MC	252	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
96153874 MC	253	"Server name handshake test");
60ea0034 MC	254
	255	#Test 11: ALPN handshake (client request only)
	256	$proxy->clear();
	257	$proxy->clientflags("-no_tls1_3 -alpn test");
	258	$proxy->start();
1e566129 MC	259	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	260	checkhandshake::DEFAULT_EXTENSIONS
	261	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	262	"ALPN handshake test (client)");
f50306c2	263
60ea0034 MC	264	#Test 12: ALPN handshake (server support only)
	265	$proxy->clear();
	266	$proxy->clientflags("-no_tls1_3");
	267	$proxy->serverflags("-alpn test");
	268	$proxy->start();
1e566129 MC	269	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	270	checkhandshake::DEFAULT_EXTENSIONS,
96153874	271	"ALPN handshake test (server)");
a1448c26	272
60ea0034 MC	273	#Test 13: ALPN handshake (client and server)
	274	$proxy->clear();
	275	$proxy->clientflags("-no_tls1_3 -alpn test");
	276	$proxy->serverflags("-alpn test");
	277	$proxy->start();
1e566129	278	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	279	checkhandshake::DEFAULT_EXTENSIONS
	280	\| checkhandshake::ALPN_CLI_EXTENSION
	281	\| checkhandshake::ALPN_SRV_EXTENSION,
	282	"ALPN handshake test");
60ea0034	283
a05bed19	284	SKIP: {
aec23ece RL	285	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	286	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	287
	288	#Test 14: SCT handshake (client request only)
	289	$proxy->clear();
	290	#Note: -ct also sends status_request
	291	$proxy->clientflags("-no_tls1_3 -ct");
	292	$proxy->serverflags("-status_file "
	293	.srctop_file("test", "recipes", "ocsp-response.der"));
	294	$proxy->start();
	295	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	296	checkhandshake::DEFAULT_EXTENSIONS
	297	\| checkhandshake::SCT_CLI_EXTENSION
	298	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	299	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	300	"SCT handshake test (client)");
	301	}
60ea0034	302
aec23ece RL	303	SKIP: {
	304	skip "No OCSP support in this OpenSSL build", 1
	305	if disabled("ocsp");
	306
	307	#Test 15: SCT handshake (server support only)
	308	$proxy->clear();
	309	#Note: -ct also sends status_request
	310	$proxy->clientflags("-no_tls1_3");
	311	$proxy->serverflags("-status_file "
	312	.srctop_file("test", "recipes", "ocsp-response.der"));
	313	$proxy->start();
	314	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	315	checkhandshake::DEFAULT_EXTENSIONS,
	316	"SCT handshake test (server)");
	317	}
60ea0034	318
a05bed19	319	SKIP: {
aec23ece RL	320	skip "No CT, EC or OCSP support in this OpenSSL build", 1
aec23ece RL	321	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
a05bed19 RL	322
	323	#Test 16: SCT handshake (client and server)
	324	#There is no built-in server side support for this so we are actually also
	325	#testing custom extensions here
	326	$proxy->clear();
	327	#Note: -ct also sends status_request
	328	$proxy->clientflags("-no_tls1_3 -ct");
	329	$proxy->serverflags("-status_file "
	330	.srctop_file("test", "recipes", "ocsp-response.der")
	331	." -serverinfo ".srctop_file("test", "serverinfo.pem"));
	332	$proxy->start();
	333	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	334	checkhandshake::DEFAULT_EXTENSIONS
	335	\| checkhandshake::SCT_CLI_EXTENSION
	336	\| checkhandshake::SCT_SRV_EXTENSION
	337	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	338	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	339	"SCT handshake test");
	340	}
60ea0034 MC	341
60ea0034 MC	342
e0c47b2c RL	343	SKIP: {
	344	skip "No NPN support in this OpenSSL build", 3
	345	if disabled("nextprotoneg");
60ea0034	346
e0c47b2c RL	347	#Test 17: NPN handshake (client request only)
	348	$proxy->clear();
	349	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	350	$proxy->start();
	351	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	352	checkhandshake::DEFAULT_EXTENSIONS
	353	\| checkhandshake::NPN_CLI_EXTENSION,
	354	"NPN handshake test (client)");
a1448c26	355
e0c47b2c RL	356	#Test 18: NPN handshake (server support only)
	357	$proxy->clear();
	358	$proxy->clientflags("-no_tls1_3");
	359	$proxy->serverflags("-nextprotoneg test");
	360	$proxy->start();
	361	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	362	checkhandshake::DEFAULT_EXTENSIONS,
	363	"NPN handshake test (server)");
	364
	365	#Test 19: NPN handshake (client and server)
	366	$proxy->clear();
	367	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	368	$proxy->serverflags("-nextprotoneg test");
	369	$proxy->start();
	370	checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
	371	checkhandshake::DEFAULT_EXTENSIONS
	372	\| checkhandshake::NPN_CLI_EXTENSION
	373	\| checkhandshake::NPN_SRV_EXTENSION,
	374	"NPN handshake test");
	375	}
60ea0034	376
327d38d0 RL	377	SKIP: {
	378	skip "No SRP support in this OpenSSL build", 1
	379	if disabled("srp");
	380
	381	#Test 20: SRP extension
	382	#Note: We are not actually going to perform an SRP handshake (TLSProxy
	383	#does not support it). However it is sufficient for us to check that the
	384	#SRP extension gets added on the client side. There is no SRP extension
	385	#generated on the server side anyway.
	386	$proxy->clear();
	387	$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
	388	$proxy->start();
	389	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	390	checkhandshake::DEFAULT_EXTENSIONS
	391	\| checkhandshake::SRP_CLI_EXTENSION,
	392	"SRP extension test");
	393	}
397f4f78 MC	394
	395	#Test 21: EC handshake
	396	SKIP: {
	397	skip "No EC support in this OpenSSL build", 1 if disabled("ec");
	398	$proxy->clear();
	399	$proxy->clientflags("-no_tls1_3");
38a73150	400	$proxy->serverflags("-no_tls1_3");
397f4f78 MC	401	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
	402	$proxy->start();
	403	checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
	404	checkhandshake::DEFAULT_EXTENSIONS
	405	\| checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
	406	"EC handshake test");
	407	}