[thirdparty/openssl.git] / test / recipes / 70-test_sslmessages.t

#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS|MSWin32)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"));

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
                          checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
                      [TLSProxy::Message::MT_CLIENT_HELLO,
                       TLSProxy::Message::EXT_EC_POINT_FORMATS,
                       checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
         checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::RENEGOTIATE_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0]
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
unlink $session;

#Test 3: A status_request handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -status");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
               "status_request handshake test (client)");

#Test 4: A status_request handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "status_request handshake test (server)");

#Test 5: A status_request handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -status");
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
$proxy->start();
checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
               | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
               "status_request handshake test");

#Test 6: A client auth handshake
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Rengotiation handshake test");

#Test 8: Server name handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_CLI_EXTENSION
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT and/or EC support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test (client)");
}

#Test 15: SCT handshake (server support only)
$proxy->clear();
#Note: -ct also sends status_request
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "SCT handshake test (server)");

SKIP: {
    skip "No CT and/or EC support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION,
                   "NPN handshake test (client)");

    #Test 18: NPN handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "NPN handshake test (server)");

    #Test 19: NPN handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION
                   | checkhandshake::NPN_SRV_EXTENSION,
                   "NPN handshake test");
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SRP_CLI_EXTENSION,
                   "SRP extension test");
}

#Test 21: EC handshake
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
                   "EC handshake test");
}
Commit	Line	Data
0bfe166b MC	1	#! /usr/bin/env perl
	2	# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the OpenSSL license (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
0bfe166b MC	11	use OpenSSL::Test::Utils;
	12	use File::Temp qw(tempfile);
	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_sslmessages";
1e566129 MC	17	setup($test_name);
f50306c2	18
0bfe166b MC	19	plan skip_all => "TLSProxy isn't usable on $^O"
	20	if $^O =~ /^(VMS\|MSWin32)$/;
	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLS enabled"
	29	if alldisabled(available_protocols("tls"));
	30
	31	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
60ea0034	32	$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
6ca94f10	33
0bfe166b MC	34	my $proxy = TLSProxy::Proxy->new(
	35	undef,
	36	cmdstr(app(["openssl"]), display => 1),
	37	srctop_file("apps", "server.pem"),
	38	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	39	);
	40
f50306c2 MC	41	@handmessages = (
f50306c2 MC	42	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	43	checkhandshake::ALL_HANDSHAKES],
f50306c2	44	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	45	checkhandshake::ALL_HANDSHAKES],
f50306c2	46	[TLSProxy::Message::MT_CERTIFICATE,
1e566129 MC	47	checkhandshake::ALL_HANDSHAKES
1e566129 MC	48	& ~checkhandshake::RESUME_HANDSHAKE],
397f4f78 MC	49	(disabled("ec") ? () :
	50	[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
	51	checkhandshake::EC_HANDSHAKE]),
f50306c2	52	[TLSProxy::Message::MT_CERTIFICATE_STATUS,
1e566129	53	checkhandshake::OCSP_HANDSHAKE],
f50306c2 MC	54	#ServerKeyExchange handshakes not currently supported by TLSProxy
f50306c2 MC	55	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	56	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	57	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129 MC	58	checkhandshake::ALL_HANDSHAKES
1e566129 MC	59	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	60	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	61	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	62	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129 MC	63	checkhandshake::ALL_HANDSHAKES
1e566129 MC	64	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	65	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	66	checkhandshake::CLIENT_AUTH_HANDSHAKE],
60ea0034	67	[TLSProxy::Message::MT_NEXT_PROTO,
1e566129	68	checkhandshake::NPN_HANDSHAKE],
f50306c2	69	[TLSProxy::Message::MT_FINISHED,
1e566129	70	checkhandshake::ALL_HANDSHAKES],
f50306c2	71	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129 MC	72	checkhandshake::ALL_HANDSHAKES
1e566129 MC	73	& ~checkhandshake::RESUME_HANDSHAKE],
f50306c2	74	[TLSProxy::Message::MT_FINISHED,
1e566129	75	checkhandshake::ALL_HANDSHAKES],
f50306c2	76	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	77	checkhandshake::RENEG_HANDSHAKE],
f50306c2	78	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	79	checkhandshake::RENEG_HANDSHAKE],
f50306c2	80	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	81	checkhandshake::RENEG_HANDSHAKE],
f50306c2	82	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
1e566129	83	checkhandshake::RENEG_HANDSHAKE],
f50306c2	84	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
1e566129	85	checkhandshake::RENEG_HANDSHAKE],
f50306c2	86	[TLSProxy::Message::MT_FINISHED,
1e566129	87	checkhandshake::RENEG_HANDSHAKE],
f50306c2	88	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
1e566129	89	checkhandshake::RENEG_HANDSHAKE],
f50306c2	90	[TLSProxy::Message::MT_FINISHED,
1e566129	91	checkhandshake::RENEG_HANDSHAKE],
f50306c2 MC	92	[0, 0]
	93	);
	94
	95	@extensions = (
	96	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	97	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	98	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	99	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
397f4f78 MC	100	(disabled("ec") ? () :
	101	[TLSProxy::Message::MT_CLIENT_HELLO,
	102	TLSProxy::Message::EXT_SUPPORTED_GROUPS,
	103	checkhandshake::DEFAULT_EXTENSIONS]),
	104	(disabled("ec") ? () :
	105	[TLSProxy::Message::MT_CLIENT_HELLO,
	106	TLSProxy::Message::EXT_EC_POINT_FORMATS,
	107	checkhandshake::DEFAULT_EXTENSIONS]),
f6e752c0 RL	108	(disabled("tls1_2") ? () :
	109	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
	110	checkhandshake::DEFAULT_EXTENSIONS]),
f50306c2	111	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	112	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	113	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	114	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	115	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	116	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	117	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	118	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	119	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	120	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	121	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
1e566129	122	checkhandshake::RENEGOTIATE_CLI_EXTENSION],
60ea0034	123	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
1e566129	124	checkhandshake::NPN_CLI_EXTENSION],
60ea0034	125	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
1e566129	126	checkhandshake::SRP_CLI_EXTENSION],
f50306c2 MC	127
f50306c2 MC	128	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
1e566129	129	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	130	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	131	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	132	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	133	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	134	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	135	checkhandshake::SESSION_TICKET_SRV_EXTENSION],
f50306c2	136	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	137	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	138	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	139	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
f50306c2	140	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	141	checkhandshake::ALPN_SRV_EXTENSION],
60ea0034	142	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	143	checkhandshake::SCT_SRV_EXTENSION],
60ea0034	144	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
1e566129	145	checkhandshake::NPN_SRV_EXTENSION],
397f4f78 MC	146	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
397f4f78 MC	147	checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
f50306c2 MC	148	[0,0,0]
f50306c2 MC	149	);
0bfe166b MC	150
	151	#Test 1: Check we get all the right messages for a default handshake
	152	(undef, my $session) = tempfile();
	153	$proxy->serverconnects(2);
	154	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
	155	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
397f4f78	156	plan tests => 21;
1e566129 MC	157	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	158	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	159	"Default handshake test");
0bfe166b MC	160
	161	#Test 2: Resumption handshake
	162	$proxy->clearClient();
	163	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
	164	$proxy->clientstart();
1e566129 MC	165	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
	166	checkhandshake::DEFAULT_EXTENSIONS
	167	& ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
f50306c2	168	"Resumption handshake test");
0bfe166b MC	169	unlink $session;
0bfe166b MC	170
60ea0034 MC	171	#Test 3: A status_request handshake (client request only)
	172	$proxy->clear();
	173	$proxy->clientflags("-no_tls1_3 -status");
	174	$proxy->start();
1e566129	175	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	176	checkhandshake::DEFAULT_EXTENSIONS
	177	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	178	"status_request handshake test (client)");
60ea0034 MC	179
	180	#Test 4: A status_request handshake (server support only)
	181	$proxy->clear();
	182	$proxy->clientflags("-no_tls1_3");
	183	$proxy->serverflags("-status_file "
	184	.srctop_file("test", "recipes", "ocsp-response.der"));
	185	$proxy->start();
1e566129 MC	186	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	187	checkhandshake::DEFAULT_EXTENSIONS,
96153874	188	"status_request handshake test (server)");
60ea0034 MC	189
60ea0034 MC	190	#Test 5: A status_request handshake (client and server)
2de94a36 MC	191	$proxy->clear();
	192	$proxy->clientflags("-no_tls1_3 -status");
	193	$proxy->serverflags("-status_file "
	194	.srctop_file("test", "recipes", "ocsp-response.der"));
	195	$proxy->start();
1e566129	196	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
96153874 MC	197	checkhandshake::DEFAULT_EXTENSIONS
	198	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	199	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	200	"status_request handshake test");
0bfe166b	201
60ea0034	202	#Test 6: A client auth handshake
0bfe166b MC	203	$proxy->clear();
	204	$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
	205	$proxy->serverflags("-Verify 5");
	206	$proxy->start();
1e566129 MC	207	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
1e566129 MC	208	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	209	"Client auth handshake test");
0bfe166b	210
60ea0034	211	#Test 7: A handshake with a renegotiation
0bfe166b MC	212	$proxy->clear();
	213	$proxy->clientflags("-no_tls1_3");
	214	$proxy->reneg(1);
	215	$proxy->start();
1e566129 MC	216	checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
1e566129 MC	217	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2 MC	218	"Rengotiation handshake test");
f50306c2 MC	219
60ea0034 MC	220	#Test 8: Server name handshake (client request only)
	221	$proxy->clear();
	222	$proxy->clientflags("-no_tls1_3 -servername testhost");
	223	$proxy->start();
1e566129 MC	224	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	225	checkhandshake::DEFAULT_EXTENSIONS
	226	\| checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	227	"Server name handshake test (client)");
60ea0034 MC	228
	229	#Test 9: Server name handshake (server support only)
	230	$proxy->clear();
	231	$proxy->clientflags("-no_tls1_3");
	232	$proxy->serverflags("-servername testhost");
	233	$proxy->start();
1e566129 MC	234	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	235	checkhandshake::DEFAULT_EXTENSIONS,
96153874	236	"Server name handshake test (server)");
60ea0034 MC	237
	238	#Test 10: Server name handshake (client and server)
	239	$proxy->clear();
	240	$proxy->clientflags("-no_tls1_3 -servername testhost");
	241	$proxy->serverflags("-servername testhost");
	242	$proxy->start();
1e566129	243	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	244	checkhandshake::DEFAULT_EXTENSIONS
	245	\| checkhandshake::SERVER_NAME_CLI_EXTENSION
	246	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
	247	"Server name handshake test");
60ea0034 MC	248
	249	#Test 11: ALPN handshake (client request only)
	250	$proxy->clear();
	251	$proxy->clientflags("-no_tls1_3 -alpn test");
	252	$proxy->start();
1e566129 MC	253	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	254	checkhandshake::DEFAULT_EXTENSIONS
	255	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	256	"ALPN handshake test (client)");
f50306c2	257
60ea0034 MC	258	#Test 12: ALPN handshake (server support only)
	259	$proxy->clear();
	260	$proxy->clientflags("-no_tls1_3");
	261	$proxy->serverflags("-alpn test");
	262	$proxy->start();
1e566129 MC	263	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	264	checkhandshake::DEFAULT_EXTENSIONS,
96153874	265	"ALPN handshake test (server)");
a1448c26	266
60ea0034 MC	267	#Test 13: ALPN handshake (client and server)
	268	$proxy->clear();
	269	$proxy->clientflags("-no_tls1_3 -alpn test");
	270	$proxy->serverflags("-alpn test");
	271	$proxy->start();
1e566129	272	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	273	checkhandshake::DEFAULT_EXTENSIONS
	274	\| checkhandshake::ALPN_CLI_EXTENSION
	275	\| checkhandshake::ALPN_SRV_EXTENSION,
	276	"ALPN handshake test");
60ea0034	277
a05bed19	278	SKIP: {
0a6793c9 MC	279	skip "No CT and/or EC support in this OpenSSL build", 1
0a6793c9 MC	280	if disabled("ct") \|\| disabled("ec");
a05bed19 RL	281
	282	#Test 14: SCT handshake (client request only)
	283	$proxy->clear();
	284	#Note: -ct also sends status_request
	285	$proxy->clientflags("-no_tls1_3 -ct");
	286	$proxy->serverflags("-status_file "
	287	.srctop_file("test", "recipes", "ocsp-response.der"));
	288	$proxy->start();
	289	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	290	checkhandshake::DEFAULT_EXTENSIONS
	291	\| checkhandshake::SCT_CLI_EXTENSION
	292	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	293	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	294	"SCT handshake test (client)");
	295	}
60ea0034 MC	296
	297	#Test 15: SCT handshake (server support only)
	298	$proxy->clear();
	299	#Note: -ct also sends status_request
	300	$proxy->clientflags("-no_tls1_3");
	301	$proxy->serverflags("-status_file "
	302	.srctop_file("test", "recipes", "ocsp-response.der"));
	303	$proxy->start();
1e566129	304	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	305	checkhandshake::DEFAULT_EXTENSIONS,
96153874 MC	306	"SCT handshake test (server)");
60ea0034	307
a05bed19	308	SKIP: {
0a6793c9 MC	309	skip "No CT and/or EC support in this OpenSSL build", 1
0a6793c9 MC	310	if disabled("ct") \|\| disabled("ec");
a05bed19 RL	311
	312	#Test 16: SCT handshake (client and server)
	313	#There is no built-in server side support for this so we are actually also
	314	#testing custom extensions here
	315	$proxy->clear();
	316	#Note: -ct also sends status_request
	317	$proxy->clientflags("-no_tls1_3 -ct");
	318	$proxy->serverflags("-status_file "
	319	.srctop_file("test", "recipes", "ocsp-response.der")
	320	." -serverinfo ".srctop_file("test", "serverinfo.pem"));
	321	$proxy->start();
	322	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
	323	checkhandshake::DEFAULT_EXTENSIONS
	324	\| checkhandshake::SCT_CLI_EXTENSION
	325	\| checkhandshake::SCT_SRV_EXTENSION
	326	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	327	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	328	"SCT handshake test");
	329	}
60ea0034 MC	330
60ea0034 MC	331
e0c47b2c RL	332	SKIP: {
	333	skip "No NPN support in this OpenSSL build", 3
	334	if disabled("nextprotoneg");
60ea0034	335
e0c47b2c RL	336	#Test 17: NPN handshake (client request only)
	337	$proxy->clear();
	338	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	339	$proxy->start();
	340	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	341	checkhandshake::DEFAULT_EXTENSIONS
	342	\| checkhandshake::NPN_CLI_EXTENSION,
	343	"NPN handshake test (client)");
a1448c26	344
e0c47b2c RL	345	#Test 18: NPN handshake (server support only)
	346	$proxy->clear();
	347	$proxy->clientflags("-no_tls1_3");
	348	$proxy->serverflags("-nextprotoneg test");
	349	$proxy->start();
	350	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	351	checkhandshake::DEFAULT_EXTENSIONS,
	352	"NPN handshake test (server)");
	353
	354	#Test 19: NPN handshake (client and server)
	355	$proxy->clear();
	356	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
	357	$proxy->serverflags("-nextprotoneg test");
	358	$proxy->start();
	359	checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
	360	checkhandshake::DEFAULT_EXTENSIONS
	361	\| checkhandshake::NPN_CLI_EXTENSION
	362	\| checkhandshake::NPN_SRV_EXTENSION,
	363	"NPN handshake test");
	364	}
60ea0034	365
327d38d0 RL	366	SKIP: {
	367	skip "No SRP support in this OpenSSL build", 1
	368	if disabled("srp");
	369
	370	#Test 20: SRP extension
	371	#Note: We are not actually going to perform an SRP handshake (TLSProxy
	372	#does not support it). However it is sufficient for us to check that the
	373	#SRP extension gets added on the client side. There is no SRP extension
	374	#generated on the server side anyway.
	375	$proxy->clear();
	376	$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
	377	$proxy->start();
	378	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	379	checkhandshake::DEFAULT_EXTENSIONS
	380	\| checkhandshake::SRP_CLI_EXTENSION,
	381	"SRP extension test");
	382	}
397f4f78 MC	383
	384	#Test 21: EC handshake
	385	SKIP: {
	386	skip "No EC support in this OpenSSL build", 1 if disabled("ec");
	387	$proxy->clear();
	388	$proxy->clientflags("-no_tls1_3");
	389	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
	390	$proxy->start();
	391	checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
	392	checkhandshake::DEFAULT_EXTENSIONS
	393	\| checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
	394	"EC handshake test");
	395	}