]>
Commit | Line | Data |
---|---|---|
c11237c2 MC |
1 | #! /usr/bin/env perl |
2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the OpenSSL license (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
f50306c2 | 10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/; |
c11237c2 | 11 | use OpenSSL::Test::Utils; |
cc24a22b | 12 | use File::Temp qw(tempfile); |
c11237c2 | 13 | use TLSProxy::Proxy; |
1e566129 | 14 | use checkhandshake qw(checkhandshake @handmessages @extensions); |
f50306c2 | 15 | |
1e566129 MC |
16 | my $test_name = "test_tls13messages"; |
17 | setup($test_name); | |
f50306c2 | 18 | |
c11237c2 MC |
19 | plan skip_all => "TLSProxy isn't usable on $^O" |
20 | if $^O =~ /^(VMS|MSWin32)$/; | |
21 | ||
22 | plan skip_all => "$test_name needs the dynamic engine feature enabled" | |
23 | if disabled("engine") || disabled("dynamic-engine"); | |
24 | ||
25 | plan skip_all => "$test_name needs the sock feature enabled" | |
26 | if disabled("sock"); | |
27 | ||
28 | plan skip_all => "$test_name needs TLSv1.3 enabled" | |
29 | if disabled("tls1_3"); | |
30 | ||
31 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; | |
9ce3ed2a | 32 | $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); |
c11237c2 | 33 | |
c11237c2 | 34 | |
f50306c2 MC |
35 | @handmessages = ( |
36 | [TLSProxy::Message::MT_CLIENT_HELLO, | |
1e566129 | 37 | checkhandshake::ALL_HANDSHAKES], |
597c51bc | 38 | [TLSProxy::Message::MT_SERVER_HELLO, |
b0bfd140 MC |
39 | checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE], |
40 | [TLSProxy::Message::MT_CLIENT_HELLO, | |
41 | checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE], | |
f50306c2 | 42 | [TLSProxy::Message::MT_SERVER_HELLO, |
1e566129 | 43 | checkhandshake::ALL_HANDSHAKES], |
f50306c2 | 44 | [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, |
1e566129 | 45 | checkhandshake::ALL_HANDSHAKES], |
f50306c2 | 46 | [TLSProxy::Message::MT_CERTIFICATE_REQUEST, |
1e566129 | 47 | checkhandshake::CLIENT_AUTH_HANDSHAKE], |
f50306c2 | 48 | [TLSProxy::Message::MT_CERTIFICATE, |
b0bfd140 | 49 | checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)], |
2c5dfdc3 | 50 | [TLSProxy::Message::MT_CERTIFICATE_VERIFY, |
b0bfd140 | 51 | checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)], |
f50306c2 | 52 | [TLSProxy::Message::MT_FINISHED, |
1e566129 | 53 | checkhandshake::ALL_HANDSHAKES], |
f50306c2 | 54 | [TLSProxy::Message::MT_CERTIFICATE, |
1e566129 | 55 | checkhandshake::CLIENT_AUTH_HANDSHAKE], |
f50306c2 | 56 | [TLSProxy::Message::MT_CERTIFICATE_VERIFY, |
1e566129 | 57 | checkhandshake::CLIENT_AUTH_HANDSHAKE], |
f50306c2 | 58 | [TLSProxy::Message::MT_FINISHED, |
1e566129 | 59 | checkhandshake::ALL_HANDSHAKES], |
c11237c2 MC |
60 | [0, 0] |
61 | ); | |
62 | ||
f50306c2 MC |
63 | @extensions = ( |
64 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, | |
1e566129 | 65 | checkhandshake::SERVER_NAME_CLI_EXTENSION], |
f50306c2 | 66 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, |
1e566129 | 67 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION], |
f50306c2 | 68 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, |
1e566129 | 69 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 70 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, |
1e566129 | 71 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 72 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, |
1e566129 | 73 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 74 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, |
1e566129 | 75 | checkhandshake::ALPN_CLI_EXTENSION], |
f50306c2 | 76 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, |
1e566129 | 77 | checkhandshake::SCT_CLI_EXTENSION], |
f50306c2 | 78 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, |
1e566129 | 79 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 80 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, |
1e566129 | 81 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 82 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, |
1e566129 | 83 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 84 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, |
1e566129 | 85 | checkhandshake::DEFAULT_EXTENSIONS], |
f50306c2 | 86 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, |
1e566129 | 87 | checkhandshake::DEFAULT_EXTENSIONS], |
b2f7e8c0 MC |
88 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES, |
89 | checkhandshake::DEFAULT_EXTENSIONS], | |
a23bb15a MC |
90 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, |
91 | checkhandshake::PSK_CLI_EXTENSION], | |
f50306c2 | 92 | |
426dfc9f MC |
93 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, |
94 | checkhandshake::DEFAULT_EXTENSIONS], | |
597c51bc | 95 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, |
b0bfd140 MC |
96 | checkhandshake::KEY_SHARE_HRR_EXTENSION], |
97 | ||
98 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, | |
99 | checkhandshake::SERVER_NAME_CLI_EXTENSION], | |
100 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, | |
101 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION], | |
102 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, | |
103 | checkhandshake::DEFAULT_EXTENSIONS], | |
a2b97bdf MC |
104 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, |
105 | checkhandshake::DEFAULT_EXTENSIONS], | |
b0bfd140 MC |
106 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, |
107 | checkhandshake::DEFAULT_EXTENSIONS], | |
108 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, | |
109 | checkhandshake::ALPN_CLI_EXTENSION], | |
110 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, | |
111 | checkhandshake::SCT_CLI_EXTENSION], | |
a2b97bdf MC |
112 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, |
113 | checkhandshake::DEFAULT_EXTENSIONS], | |
114 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, | |
115 | checkhandshake::DEFAULT_EXTENSIONS], | |
116 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, | |
117 | checkhandshake::DEFAULT_EXTENSIONS], | |
b0bfd140 MC |
118 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, |
119 | checkhandshake::DEFAULT_EXTENSIONS], | |
120 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, | |
121 | checkhandshake::DEFAULT_EXTENSIONS], | |
122 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES, | |
123 | checkhandshake::DEFAULT_EXTENSIONS], | |
124 | [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, | |
125 | checkhandshake::PSK_CLI_EXTENSION], | |
126 | ||
88050dd1 MC |
127 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, |
128 | checkhandshake::DEFAULT_EXTENSIONS], | |
f50306c2 | 129 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, |
1e566129 | 130 | checkhandshake::DEFAULT_EXTENSIONS], |
a23bb15a MC |
131 | [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK, |
132 | checkhandshake::PSK_SRV_EXTENSION], | |
f50306c2 MC |
133 | |
134 | [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME, | |
1e566129 | 135 | checkhandshake::SERVER_NAME_SRV_EXTENSION], |
f50306c2 | 136 | [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN, |
1e566129 | 137 | checkhandshake::ALPN_SRV_EXTENSION], |
de65f7b9 MC |
138 | [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS, |
139 | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION], | |
e96e0f8e MC |
140 | |
141 | [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST, | |
142 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION], | |
c3a48c7b MC |
143 | [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT, |
144 | checkhandshake::SCT_SRV_EXTENSION], | |
e96e0f8e | 145 | |
9ce3ed2a MC |
146 | [0,0,0] |
147 | ); | |
148 | ||
c11237c2 MC |
149 | my $proxy = TLSProxy::Proxy->new( |
150 | undef, | |
151 | cmdstr(app(["openssl"]), display => 1), | |
152 | srctop_file("apps", "server.pem"), | |
153 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
154 | ); | |
155 | ||
c11237c2 | 156 | #Test 1: Check we get all the right messages for a default handshake |
cc24a22b | 157 | (undef, my $session) = tempfile(); |
a23bb15a | 158 | $proxy->serverconnects(2); |
cc24a22b | 159 | $proxy->clientflags("-sess_out ".$session); |
a23bb15a | 160 | $proxy->sessionfile($session); |
c11237c2 | 161 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; |
de65f7b9 | 162 | plan tests => 16; |
1e566129 MC |
163 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
164 | checkhandshake::DEFAULT_EXTENSIONS, | |
f50306c2 | 165 | "Default handshake test"); |
c11237c2 | 166 | |
cc24a22b | 167 | #Test 2: Resumption handshake |
a23bb15a MC |
168 | $proxy->clearClient(); |
169 | $proxy->clientflags("-sess_in ".$session); | |
170 | $proxy->clientstart(); | |
171 | checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, | |
db919b1e MC |
172 | (checkhandshake::DEFAULT_EXTENSIONS |
173 | | checkhandshake::PSK_CLI_EXTENSION | |
b510b740 | 174 | | checkhandshake::PSK_SRV_EXTENSION), |
a23bb15a | 175 | "Resumption handshake test"); |
cc24a22b | 176 | |
5f21b440 BK |
177 | SKIP: { |
178 | skip "No OCSP support in this OpenSSL build", 3 | |
179 | if disabled("ct") || disabled("ec") || disabled("ocsp"); | |
180 | #Test 3: A status_request handshake (client request only) | |
181 | $proxy->clear(); | |
182 | $proxy->clientflags("-status"); | |
183 | $proxy->start(); | |
184 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
185 | checkhandshake::DEFAULT_EXTENSIONS | |
186 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION, | |
187 | "status_request handshake test (client)"); | |
188 | ||
189 | #Test 4: A status_request handshake (server support only) | |
190 | $proxy->clear(); | |
191 | $proxy->serverflags("-status_file " | |
192 | .srctop_file("test", "recipes", "ocsp-response.der")); | |
193 | $proxy->start(); | |
194 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
195 | checkhandshake::DEFAULT_EXTENSIONS, | |
196 | "status_request handshake test (server)"); | |
197 | ||
198 | #Test 5: A status_request handshake (client and server) | |
199 | $proxy->clear(); | |
200 | $proxy->clientflags("-status"); | |
201 | $proxy->serverflags("-status_file " | |
202 | .srctop_file("test", "recipes", "ocsp-response.der")); | |
203 | $proxy->start(); | |
204 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
205 | checkhandshake::DEFAULT_EXTENSIONS | |
206 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION | |
207 | | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, | |
208 | "status_request handshake test"); | |
209 | } | |
cc24a22b | 210 | |
9ce3ed2a | 211 | #Test 6: A client auth handshake |
cc24a22b MC |
212 | $proxy->clear(); |
213 | $proxy->clientflags("-cert ".srctop_file("apps", "server.pem")); | |
214 | $proxy->serverflags("-Verify 5"); | |
215 | $proxy->start(); | |
1e566129 MC |
216 | checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE, |
217 | checkhandshake::DEFAULT_EXTENSIONS, | |
96153874 | 218 | "Client auth handshake test"); |
cc24a22b | 219 | |
11ba87f2 | 220 | #Test 7: Server name handshake (no client request) |
9ce3ed2a | 221 | $proxy->clear(); |
11ba87f2 | 222 | $proxy->clientflags("-noservername"); |
9ce3ed2a | 223 | $proxy->start(); |
1e566129 MC |
224 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
225 | checkhandshake::DEFAULT_EXTENSIONS | |
11ba87f2 | 226 | & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, |
96153874 | 227 | "Server name handshake test (client)"); |
9ce3ed2a MC |
228 | |
229 | #Test 8: Server name handshake (server support only) | |
230 | $proxy->clear(); | |
11ba87f2 | 231 | $proxy->clientflags("-noservername"); |
9ce3ed2a MC |
232 | $proxy->serverflags("-servername testhost"); |
233 | $proxy->start(); | |
1e566129 | 234 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
11ba87f2 MC |
235 | checkhandshake::DEFAULT_EXTENSIONS |
236 | & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, | |
96153874 | 237 | "Server name handshake test (server)"); |
9ce3ed2a MC |
238 | |
239 | #Test 9: Server name handshake (client and server) | |
240 | $proxy->clear(); | |
241 | $proxy->clientflags("-servername testhost"); | |
242 | $proxy->serverflags("-servername testhost"); | |
243 | $proxy->start(); | |
1e566129 | 244 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
96153874 | 245 | checkhandshake::DEFAULT_EXTENSIONS |
96153874 MC |
246 | | checkhandshake::SERVER_NAME_SRV_EXTENSION, |
247 | "Server name handshake test"); | |
9ce3ed2a MC |
248 | |
249 | #Test 10: ALPN handshake (client request only) | |
250 | $proxy->clear(); | |
251 | $proxy->clientflags("-alpn test"); | |
252 | $proxy->start(); | |
1e566129 MC |
253 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
254 | checkhandshake::DEFAULT_EXTENSIONS | |
255 | | checkhandshake::ALPN_CLI_EXTENSION, | |
96153874 | 256 | "ALPN handshake test (client)"); |
9ce3ed2a MC |
257 | |
258 | #Test 11: ALPN handshake (server support only) | |
259 | $proxy->clear(); | |
260 | $proxy->serverflags("-alpn test"); | |
261 | $proxy->start(); | |
1e566129 MC |
262 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
263 | checkhandshake::DEFAULT_EXTENSIONS, | |
96153874 | 264 | "ALPN handshake test (server)"); |
a1448c26 | 265 | |
9ce3ed2a MC |
266 | #Test 12: ALPN handshake (client and server) |
267 | $proxy->clear(); | |
268 | $proxy->clientflags("-alpn test"); | |
269 | $proxy->serverflags("-alpn test"); | |
270 | $proxy->start(); | |
1e566129 | 271 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, |
96153874 MC |
272 | checkhandshake::DEFAULT_EXTENSIONS |
273 | | checkhandshake::ALPN_CLI_EXTENSION | |
274 | | checkhandshake::ALPN_SRV_EXTENSION, | |
275 | "ALPN handshake test"); | |
9ce3ed2a | 276 | |
c3a48c7b MC |
277 | SKIP: { |
278 | skip "No CT, EC or OCSP support in this OpenSSL build", 1 | |
279 | if disabled("ct") || disabled("ec") || disabled("ocsp"); | |
280 | ||
281 | #Test 13: SCT handshake (client request only) | |
282 | $proxy->clear(); | |
283 | #Note: -ct also sends status_request | |
284 | $proxy->clientflags("-ct"); | |
285 | $proxy->serverflags("-status_file " | |
286 | .srctop_file("test", "recipes", "ocsp-response.der") | |
287 | ." -serverinfo ".srctop_file("test", "serverinfo2.pem")); | |
288 | $proxy->start(); | |
289 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
290 | checkhandshake::DEFAULT_EXTENSIONS | |
291 | | checkhandshake::SCT_CLI_EXTENSION | |
292 | | checkhandshake::SCT_SRV_EXTENSION | |
293 | | checkhandshake::STATUS_REQUEST_CLI_EXTENSION | |
294 | | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, | |
295 | "SCT handshake test"); | |
296 | } | |
297 | ||
298 | ||
299 | ||
b0bfd140 MC |
300 | |
301 | #Test 14: HRR Handshake | |
302 | $proxy->clear(); | |
303 | $proxy->serverflags("-curves P-256"); | |
304 | $proxy->start(); | |
305 | checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE, | |
306 | checkhandshake::DEFAULT_EXTENSIONS | |
307 | | checkhandshake::KEY_SHARE_HRR_EXTENSION, | |
308 | "HRR handshake test"); | |
309 | ||
310 | #Test 15: Resumption handshake with HRR | |
311 | $proxy->clear(); | |
312 | $proxy->clientflags("-sess_in ".$session); | |
313 | $proxy->serverflags("-curves P-256"); | |
314 | $proxy->start(); | |
315 | checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, | |
db919b1e MC |
316 | (checkhandshake::DEFAULT_EXTENSIONS |
317 | | checkhandshake::KEY_SHARE_HRR_EXTENSION | |
318 | | checkhandshake::PSK_CLI_EXTENSION | |
b510b740 | 319 | | checkhandshake::PSK_SRV_EXTENSION), |
b0bfd140 | 320 | "Resumption handshake with HRR test"); |
de65f7b9 MC |
321 | |
322 | #Test 16: Acceptable but non preferred key_share | |
323 | $proxy->clear(); | |
324 | $proxy->clientflags("-curves P-256"); | |
325 | $proxy->start(); | |
326 | checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | |
327 | checkhandshake::DEFAULT_EXTENSIONS | |
328 | | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION, | |
597c51bc | 329 | "Acceptable but non preferred key_share"); |
de65f7b9 | 330 | |
b0bfd140 | 331 | unlink $session; |