[thirdparty/openssl.git] / test / recipes / 70-test_tls13messages.t

#! /usr/bin/env perl
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_tls13messages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

plan skip_all => "$test_name needs EC enabled"
    if disabled("ec");

@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::SERVER,
        checkhandshake::PSK_SRV_EXTENSION],

    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::SERVER,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],

    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0,0]
);

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_rx_cert_comp -sess_out ".$session);
$proxy->sessionfile($session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

SKIP: {
    skip "No OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");
    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp");
    $proxy->serverflags("-no_rx_cert_comp -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -status");
    $proxy->serverflags("-no_rx_cert_comp -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");

    #Test 6: A status_request handshake (client and server) with client auth
    $proxy->clear();
    $proxy->clientflags("-no_rx_cert_comp -status -enable_pha -cert "
                        .srctop_file("apps", "server.pem"));
    $proxy->serverflags("-no_rx_cert_comp -Verify 5 -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "status_request handshake with client auth test");
}

#Test 7: A client auth handshake
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -enable_pha -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-no_rx_cert_comp -Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS |
               checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
               "Client auth handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -noservername");
$proxy->serverflags("-no_rx_cert_comp -servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -servername testhost");
$proxy->serverflags("-no_rx_cert_comp -servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp");
$proxy->serverflags("-no_rx_cert_comp -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -alpn test");
$proxy->serverflags("-no_rx_cert_comp -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_rx_cert_comp -ct");
    $proxy->serverflags("-no_rx_cert_comp -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}

#Test 15: HRR Handshake
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp");
$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::KEY_SHARE_HRR_EXTENSION,
               "HRR handshake test");

#Test 16: Resumption handshake with HRR
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::KEY_SHARE_HRR_EXTENSION
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake with HRR test");

#Test 17: Acceptable but non preferred key_share
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
               "Acceptable but non preferred key_share");

unlink $session;
Commit	Line	Data
c11237c2	1	#! /usr/bin/env perl
33388b44	2	# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
c11237c2	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
c11237c2 MC	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
c11237c2	11	use OpenSSL::Test::Utils;
cc24a22b	12	use File::Temp qw(tempfile);
c11237c2	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_tls13messages";
1e566129 MC	17	setup($test_name);
f50306c2	18
c11237c2	19	plan skip_all => "TLSProxy isn't usable on $^O"
c5856878	20	if $^O =~ /^(VMS)$/;
c11237c2 MC	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLSv1.3 enabled"
	29	if disabled("tls1_3");
	30
dbc6268f MC	31	plan skip_all => "$test_name needs EC enabled"
	32	if disabled("ec");
	33
f50306c2 MC	34	@handmessages = (
f50306c2 MC	35	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	36	checkhandshake::ALL_HANDSHAKES],
597c51bc	37	[TLSProxy::Message::MT_SERVER_HELLO,
b0bfd140 MC	38	checkhandshake::HRR_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE],
	39	[TLSProxy::Message::MT_CLIENT_HELLO,
	40	checkhandshake::HRR_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE],
f50306c2	41	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	42	checkhandshake::ALL_HANDSHAKES],
f50306c2	43	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
1e566129	44	checkhandshake::ALL_HANDSHAKES],
f50306c2	45	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	46	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	47	[TLSProxy::Message::MT_CERTIFICATE,
b0bfd140	48	checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE)],
2c5dfdc3	49	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
b0bfd140	50	checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE)],
f50306c2	51	[TLSProxy::Message::MT_FINISHED,
1e566129	52	checkhandshake::ALL_HANDSHAKES],
f50306c2	53	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	54	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	55	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	56	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	57	[TLSProxy::Message::MT_FINISHED,
1e566129	58	checkhandshake::ALL_HANDSHAKES],
c11237c2 MC	59	[0, 0]
	60	);
	61
f50306c2 MC	62	@extensions = (
f50306c2 MC	63	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	64	TLSProxy::Message::CLIENT,
1e566129	65	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	66	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	67	TLSProxy::Message::CLIENT,
1e566129	68	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
f50306c2	69	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
dc5bcb88	70	TLSProxy::Message::CLIENT,
1e566129	71	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	72	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88	73	TLSProxy::Message::CLIENT,
1e566129	74	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	75	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
dc5bcb88	76	TLSProxy::Message::CLIENT,
1e566129	77	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	78	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88	79	TLSProxy::Message::CLIENT,
1e566129	80	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	81	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88	82	TLSProxy::Message::CLIENT,
1e566129	83	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	84	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88	85	TLSProxy::Message::CLIENT,
1e566129	86	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	87	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88	88	TLSProxy::Message::CLIENT,
1e566129	89	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	90	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88	91	TLSProxy::Message::CLIENT,
1e566129	92	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	93	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
dc5bcb88	94	TLSProxy::Message::CLIENT,
1e566129	95	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	96	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
dc5bcb88	97	TLSProxy::Message::CLIENT,
1e566129	98	checkhandshake::DEFAULT_EXTENSIONS],
b2f7e8c0	99	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
dc5bcb88	100	TLSProxy::Message::CLIENT,
b2f7e8c0	101	checkhandshake::DEFAULT_EXTENSIONS],
a23bb15a	102	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
dc5bcb88	103	TLSProxy::Message::CLIENT,
a23bb15a	104	checkhandshake::PSK_CLI_EXTENSION],
9d75dce3	105	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
dc5bcb88	106	TLSProxy::Message::CLIENT,
9d75dce3	107	checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
f50306c2	108
426dfc9f	109	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
dc5bcb88	110	TLSProxy::Message::SERVER,
426dfc9f	111	checkhandshake::DEFAULT_EXTENSIONS],
597c51bc	112	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
dc5bcb88	113	TLSProxy::Message::SERVER,
b0bfd140 MC	114	checkhandshake::KEY_SHARE_HRR_EXTENSION],
	115
	116	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	117	TLSProxy::Message::CLIENT,
b0bfd140 MC	118	checkhandshake::SERVER_NAME_CLI_EXTENSION],
b0bfd140 MC	119	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	120	TLSProxy::Message::CLIENT,
b0bfd140 MC	121	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
b0bfd140 MC	122	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
dc5bcb88	123	TLSProxy::Message::CLIENT,
b0bfd140	124	checkhandshake::DEFAULT_EXTENSIONS],
a2b97bdf	125	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
dc5bcb88	126	TLSProxy::Message::CLIENT,
a2b97bdf	127	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140	128	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
dc5bcb88	129	TLSProxy::Message::CLIENT,
b0bfd140 MC	130	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140 MC	131	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
dc5bcb88	132	TLSProxy::Message::CLIENT,
b0bfd140 MC	133	checkhandshake::ALPN_CLI_EXTENSION],
b0bfd140 MC	134	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
dc5bcb88	135	TLSProxy::Message::CLIENT,
b0bfd140	136	checkhandshake::SCT_CLI_EXTENSION],
a2b97bdf	137	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
dc5bcb88	138	TLSProxy::Message::CLIENT,
a2b97bdf MC	139	checkhandshake::DEFAULT_EXTENSIONS],
a2b97bdf MC	140	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
dc5bcb88	141	TLSProxy::Message::CLIENT,
a2b97bdf MC	142	checkhandshake::DEFAULT_EXTENSIONS],
a2b97bdf MC	143	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
dc5bcb88	144	TLSProxy::Message::CLIENT,
a2b97bdf	145	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140	146	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
dc5bcb88	147	TLSProxy::Message::CLIENT,
b0bfd140 MC	148	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140 MC	149	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
dc5bcb88	150	TLSProxy::Message::CLIENT,
b0bfd140 MC	151	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140 MC	152	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
dc5bcb88	153	TLSProxy::Message::CLIENT,
b0bfd140 MC	154	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140 MC	155	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
dc5bcb88	156	TLSProxy::Message::CLIENT,
b0bfd140	157	checkhandshake::PSK_CLI_EXTENSION],
9d75dce3	158	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
dc5bcb88	159	TLSProxy::Message::CLIENT,
9d75dce3	160	checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
b0bfd140	161
88050dd1	162	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
dc5bcb88	163	TLSProxy::Message::SERVER,
88050dd1	164	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	165	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
dc5bcb88	166	TLSProxy::Message::SERVER,
1e566129	167	checkhandshake::DEFAULT_EXTENSIONS],
a23bb15a	168	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
dc5bcb88	169	TLSProxy::Message::SERVER,
a23bb15a	170	checkhandshake::PSK_SRV_EXTENSION],
f50306c2 MC	171
f50306c2 MC	172	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
dc5bcb88	173	TLSProxy::Message::SERVER,
1e566129	174	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	175	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
dc5bcb88	176	TLSProxy::Message::SERVER,
1e566129	177	checkhandshake::ALPN_SRV_EXTENSION],
de65f7b9	178	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
dc5bcb88	179	TLSProxy::Message::SERVER,
de65f7b9	180	checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],
e96e0f8e	181
dc5bcb88 MC	182	[TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
	183	TLSProxy::Message::SERVER,
	184	checkhandshake::DEFAULT_EXTENSIONS],
	185
e96e0f8e	186	[TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
dc5bcb88	187	TLSProxy::Message::SERVER,
e96e0f8e	188	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
c3a48c7b	189	[TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
dc5bcb88	190	TLSProxy::Message::SERVER,
c3a48c7b	191	checkhandshake::SCT_SRV_EXTENSION],
e96e0f8e	192
dc5bcb88	193	[0,0,0,0]
9ce3ed2a MC	194	);
9ce3ed2a MC	195
c11237c2 MC	196	my $proxy = TLSProxy::Proxy->new(
	197	undef,
	198	cmdstr(app(["openssl"]), display => 1),
	199	srctop_file("apps", "server.pem"),
	200	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	201	);
	202
c11237c2	203	#Test 1: Check we get all the right messages for a default handshake
cc24a22b	204	(undef, my $session) = tempfile();
a23bb15a	205	$proxy->serverconnects(2);
b67cb09f	206	$proxy->clientflags("-no_rx_cert_comp -sess_out ".$session);
a23bb15a	207	$proxy->sessionfile($session);
c11237c2	208	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
dc5bcb88	209	plan tests => 17;
1e566129 MC	210	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	211	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	212	"Default handshake test");
c11237c2	213
cc24a22b	214	#Test 2: Resumption handshake
a23bb15a	215	$proxy->clearClient();
b67cb09f	216	$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
a23bb15a MC	217	$proxy->clientstart();
a23bb15a MC	218	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
db919b1e MC	219	(checkhandshake::DEFAULT_EXTENSIONS
db919b1e MC	220	\| checkhandshake::PSK_CLI_EXTENSION
b510b740	221	\| checkhandshake::PSK_SRV_EXTENSION),
a23bb15a	222	"Resumption handshake test");
cc24a22b	223
5f21b440	224	SKIP: {
dc5bcb88	225	skip "No OCSP support in this OpenSSL build", 4
5f21b440 BK	226	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
	227	#Test 3: A status_request handshake (client request only)
	228	$proxy->clear();
b67cb09f	229	$proxy->clientflags("-no_rx_cert_comp -status");
5f21b440 BK	230	$proxy->start();
	231	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	232	checkhandshake::DEFAULT_EXTENSIONS
	233	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	234	"status_request handshake test (client)");
	235
	236	#Test 4: A status_request handshake (server support only)
	237	$proxy->clear();
b67cb09f TS	238	$proxy->clientflags("-no_rx_cert_comp");
b67cb09f TS	239	$proxy->serverflags("-no_rx_cert_comp -status_file "
5f21b440 BK	240	.srctop_file("test", "recipes", "ocsp-response.der"));
	241	$proxy->start();
	242	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	243	checkhandshake::DEFAULT_EXTENSIONS,
	244	"status_request handshake test (server)");
	245
	246	#Test 5: A status_request handshake (client and server)
	247	$proxy->clear();
b67cb09f TS	248	$proxy->clientflags("-no_rx_cert_comp -status");
b67cb09f TS	249	$proxy->serverflags("-no_rx_cert_comp -status_file "
5f21b440 BK	250	.srctop_file("test", "recipes", "ocsp-response.der"));
	251	$proxy->start();
	252	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	253	checkhandshake::DEFAULT_EXTENSIONS
	254	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	255	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	256	"status_request handshake test");
dc5bcb88 MC	257
	258	#Test 6: A status_request handshake (client and server) with client auth
	259	$proxy->clear();
b67cb09f	260	$proxy->clientflags("-no_rx_cert_comp -status -enable_pha -cert "
dc5bcb88	261	.srctop_file("apps", "server.pem"));
b67cb09f	262	$proxy->serverflags("-no_rx_cert_comp -Verify 5 -status_file "
dc5bcb88 MC	263	.srctop_file("test", "recipes", "ocsp-response.der"));
	264	$proxy->start();
	265	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
	266	checkhandshake::DEFAULT_EXTENSIONS
	267	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	268	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION
	269	\| checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
	270	"status_request handshake with client auth test");
5f21b440	271	}
cc24a22b	272
dc5bcb88	273	#Test 7: A client auth handshake
cc24a22b	274	$proxy->clear();
b67cb09f TS	275	$proxy->clientflags("-no_rx_cert_comp -enable_pha -cert ".srctop_file("apps", "server.pem"));
b67cb09f TS	276	$proxy->serverflags("-no_rx_cert_comp -Verify 5");
cc24a22b	277	$proxy->start();
1e566129	278	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
9d75dce3 TS	279	checkhandshake::DEFAULT_EXTENSIONS \|
9d75dce3 TS	280	checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
96153874	281	"Client auth handshake test");
cc24a22b	282
dc5bcb88	283	#Test 8: Server name handshake (no client request)
9ce3ed2a	284	$proxy->clear();
b67cb09f	285	$proxy->clientflags("-no_rx_cert_comp -noservername");
9ce3ed2a	286	$proxy->start();
1e566129 MC	287	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	288	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2	289	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	290	"Server name handshake test (client)");
9ce3ed2a	291
dc5bcb88	292	#Test 9: Server name handshake (server support only)
9ce3ed2a	293	$proxy->clear();
b67cb09f TS	294	$proxy->clientflags("-no_rx_cert_comp -noservername");
b67cb09f TS	295	$proxy->serverflags("-no_rx_cert_comp -servername testhost");
9ce3ed2a	296	$proxy->start();
1e566129	297	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
11ba87f2 MC	298	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2 MC	299	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	300	"Server name handshake test (server)");
9ce3ed2a	301
dc5bcb88	302	#Test 10: Server name handshake (client and server)
9ce3ed2a	303	$proxy->clear();
b67cb09f TS	304	$proxy->clientflags("-no_rx_cert_comp -servername testhost");
b67cb09f TS	305	$proxy->serverflags("-no_rx_cert_comp -servername testhost");
9ce3ed2a	306	$proxy->start();
1e566129	307	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874	308	checkhandshake::DEFAULT_EXTENSIONS
96153874 MC	309	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
96153874 MC	310	"Server name handshake test");
9ce3ed2a	311
dc5bcb88	312	#Test 11: ALPN handshake (client request only)
9ce3ed2a	313	$proxy->clear();
b67cb09f	314	$proxy->clientflags("-no_rx_cert_comp -alpn test");
9ce3ed2a	315	$proxy->start();
1e566129 MC	316	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	317	checkhandshake::DEFAULT_EXTENSIONS
	318	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	319	"ALPN handshake test (client)");
9ce3ed2a	320
dc5bcb88	321	#Test 12: ALPN handshake (server support only)
9ce3ed2a	322	$proxy->clear();
b67cb09f TS	323	$proxy->clientflags("-no_rx_cert_comp");
b67cb09f TS	324	$proxy->serverflags("-no_rx_cert_comp -alpn test");
9ce3ed2a	325	$proxy->start();
1e566129 MC	326	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	327	checkhandshake::DEFAULT_EXTENSIONS,
96153874	328	"ALPN handshake test (server)");
a1448c26	329
dc5bcb88	330	#Test 13: ALPN handshake (client and server)
9ce3ed2a	331	$proxy->clear();
b67cb09f TS	332	$proxy->clientflags("-no_rx_cert_comp -alpn test");
b67cb09f TS	333	$proxy->serverflags("-no_rx_cert_comp -alpn test");
9ce3ed2a	334	$proxy->start();
1e566129	335	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	336	checkhandshake::DEFAULT_EXTENSIONS
	337	\| checkhandshake::ALPN_CLI_EXTENSION
	338	\| checkhandshake::ALPN_SRV_EXTENSION,
	339	"ALPN handshake test");
9ce3ed2a	340
c3a48c7b MC	341	SKIP: {
	342	skip "No CT, EC or OCSP support in this OpenSSL build", 1
	343	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
	344
dc5bcb88	345	#Test 14: SCT handshake (client request only)
c3a48c7b MC	346	$proxy->clear();
c3a48c7b MC	347	#Note: -ct also sends status_request
b67cb09f TS	348	$proxy->clientflags("-no_rx_cert_comp -ct");
b67cb09f TS	349	$proxy->serverflags("-no_rx_cert_comp -status_file "
c3a48c7b MC	350	.srctop_file("test", "recipes", "ocsp-response.der")
	351	." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
	352	$proxy->start();
	353	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	354	checkhandshake::DEFAULT_EXTENSIONS
	355	\| checkhandshake::SCT_CLI_EXTENSION
	356	\| checkhandshake::SCT_SRV_EXTENSION
	357	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	358	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	359	"SCT handshake test");
	360	}
	361
dc5bcb88	362	#Test 15: HRR Handshake
b0bfd140	363	$proxy->clear();
b67cb09f	364	$proxy->clientflags("-no_rx_cert_comp");
4032cd9a	365	$proxy->serverflags("-no_rx_cert_comp -curves P-384");
b0bfd140 MC	366	$proxy->start();
	367	checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
	368	checkhandshake::DEFAULT_EXTENSIONS
	369	\| checkhandshake::KEY_SHARE_HRR_EXTENSION,
	370	"HRR handshake test");
	371
dc5bcb88	372	#Test 16: Resumption handshake with HRR
b0bfd140	373	$proxy->clear();
b67cb09f	374	$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
4032cd9a	375	$proxy->serverflags("-no_rx_cert_comp -curves P-384");
b0bfd140 MC	376	$proxy->start();
b0bfd140 MC	377	checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
db919b1e MC	378	(checkhandshake::DEFAULT_EXTENSIONS
	379	\| checkhandshake::KEY_SHARE_HRR_EXTENSION
	380	\| checkhandshake::PSK_CLI_EXTENSION
b510b740	381	\| checkhandshake::PSK_SRV_EXTENSION),
b0bfd140	382	"Resumption handshake with HRR test");
de65f7b9	383
dc5bcb88	384	#Test 17: Acceptable but non preferred key_share
de65f7b9	385	$proxy->clear();
4032cd9a	386	$proxy->clientflags("-no_rx_cert_comp -curves P-384");
de65f7b9 MC	387	$proxy->start();
	388	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	389	checkhandshake::DEFAULT_EXTENSIONS
	390	\| checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
597c51bc	391	"Acceptable but non preferred key_share");
de65f7b9	392
b0bfd140	393	unlink $session;