[thirdparty/openssl.git] / test / recipes / 70-test_tls13messages.t

#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_tls13messages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS|MSWin32)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");


@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        checkhandshake::PSK_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        checkhandshake::PSK_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        checkhandshake::PSK_SRV_EXTENSION],

    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0]
);

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->sessionfile($session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 16;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ct") || disabled("ec") || disabled("ocsp");
    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}

#Test 6: A client auth handshake
$proxy->clear();
$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 8: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 9: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 10: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 11: ALPN handshake (server support only)
$proxy->clear();
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 12: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 13: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


#Test 14: HRR Handshake
$proxy->clear();
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::KEY_SHARE_HRR_EXTENSION,
               "HRR handshake test");

#Test 15: Resumption handshake with HRR
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::KEY_SHARE_HRR_EXTENSION
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake with HRR test");

#Test 16: Acceptable but non preferred key_share
$proxy->clear();
$proxy->clientflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
               "Acceptable but non preferred key_share");

unlink $session;
Commit	Line	Data
c11237c2 MC	1	#! /usr/bin/env perl
	2	# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the OpenSSL license (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
f50306c2	10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
c11237c2	11	use OpenSSL::Test::Utils;
cc24a22b	12	use File::Temp qw(tempfile);
c11237c2	13	use TLSProxy::Proxy;
1e566129	14	use checkhandshake qw(checkhandshake @handmessages @extensions);
f50306c2	15
1e566129 MC	16	my $test_name = "test_tls13messages";
1e566129 MC	17	setup($test_name);
f50306c2	18
c11237c2 MC	19	plan skip_all => "TLSProxy isn't usable on $^O"
	20	if $^O =~ /^(VMS\|MSWin32)$/;
	21
	22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
	23	if disabled("engine") \|\| disabled("dynamic-engine");
	24
	25	plan skip_all => "$test_name needs the sock feature enabled"
	26	if disabled("sock");
	27
	28	plan skip_all => "$test_name needs TLSv1.3 enabled"
	29	if disabled("tls1_3");
	30
	31	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
9ce3ed2a	32	$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
c11237c2	33
c11237c2	34
f50306c2 MC	35	@handmessages = (
f50306c2 MC	36	[TLSProxy::Message::MT_CLIENT_HELLO,
1e566129	37	checkhandshake::ALL_HANDSHAKES],
597c51bc	38	[TLSProxy::Message::MT_SERVER_HELLO,
b0bfd140 MC	39	checkhandshake::HRR_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE],
	40	[TLSProxy::Message::MT_CLIENT_HELLO,
	41	checkhandshake::HRR_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE],
f50306c2	42	[TLSProxy::Message::MT_SERVER_HELLO,
1e566129	43	checkhandshake::ALL_HANDSHAKES],
f50306c2	44	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
1e566129	45	checkhandshake::ALL_HANDSHAKES],
f50306c2	46	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
1e566129	47	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	48	[TLSProxy::Message::MT_CERTIFICATE,
b0bfd140	49	checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE)],
2c5dfdc3	50	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
b0bfd140	51	checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE \| checkhandshake::HRR_RESUME_HANDSHAKE)],
f50306c2	52	[TLSProxy::Message::MT_FINISHED,
1e566129	53	checkhandshake::ALL_HANDSHAKES],
f50306c2	54	[TLSProxy::Message::MT_CERTIFICATE,
1e566129	55	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	56	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
1e566129	57	checkhandshake::CLIENT_AUTH_HANDSHAKE],
f50306c2	58	[TLSProxy::Message::MT_FINISHED,
1e566129	59	checkhandshake::ALL_HANDSHAKES],
c11237c2 MC	60	[0, 0]
	61	);
	62
f50306c2 MC	63	@extensions = (
f50306c2 MC	64	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	65	checkhandshake::SERVER_NAME_CLI_EXTENSION],
f50306c2	66	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
1e566129	67	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
f50306c2	68	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
1e566129	69	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	70	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
1e566129	71	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	72	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
1e566129	73	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	74	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
1e566129	75	checkhandshake::ALPN_CLI_EXTENSION],
f50306c2	76	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
1e566129	77	checkhandshake::SCT_CLI_EXTENSION],
f50306c2	78	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
1e566129	79	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	80	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
1e566129	81	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	82	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
1e566129	83	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	84	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
1e566129	85	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	86	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
1e566129	87	checkhandshake::DEFAULT_EXTENSIONS],
b2f7e8c0 MC	88	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
b2f7e8c0 MC	89	checkhandshake::DEFAULT_EXTENSIONS],
a23bb15a MC	90	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
a23bb15a MC	91	checkhandshake::PSK_CLI_EXTENSION],
f50306c2	92
426dfc9f MC	93	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
426dfc9f MC	94	checkhandshake::DEFAULT_EXTENSIONS],
597c51bc	95	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
b0bfd140 MC	96	checkhandshake::KEY_SHARE_HRR_EXTENSION],
	97
	98	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
	99	checkhandshake::SERVER_NAME_CLI_EXTENSION],
	100	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
	101	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
	102	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
	103	checkhandshake::DEFAULT_EXTENSIONS],
a2b97bdf MC	104	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
a2b97bdf MC	105	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140 MC	106	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
	107	checkhandshake::DEFAULT_EXTENSIONS],
	108	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
	109	checkhandshake::ALPN_CLI_EXTENSION],
	110	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
	111	checkhandshake::SCT_CLI_EXTENSION],
a2b97bdf MC	112	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
	113	checkhandshake::DEFAULT_EXTENSIONS],
	114	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
	115	checkhandshake::DEFAULT_EXTENSIONS],
	116	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
	117	checkhandshake::DEFAULT_EXTENSIONS],
b0bfd140 MC	118	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
	119	checkhandshake::DEFAULT_EXTENSIONS],
	120	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
	121	checkhandshake::DEFAULT_EXTENSIONS],
	122	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
	123	checkhandshake::DEFAULT_EXTENSIONS],
	124	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
	125	checkhandshake::PSK_CLI_EXTENSION],
	126
88050dd1 MC	127	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
88050dd1 MC	128	checkhandshake::DEFAULT_EXTENSIONS],
f50306c2	129	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
1e566129	130	checkhandshake::DEFAULT_EXTENSIONS],
a23bb15a MC	131	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
a23bb15a MC	132	checkhandshake::PSK_SRV_EXTENSION],
f50306c2 MC	133
f50306c2 MC	134	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
1e566129	135	checkhandshake::SERVER_NAME_SRV_EXTENSION],
f50306c2	136	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
1e566129	137	checkhandshake::ALPN_SRV_EXTENSION],
de65f7b9 MC	138	[TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
de65f7b9 MC	139	checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],
e96e0f8e MC	140
	141	[TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
	142	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
c3a48c7b MC	143	[TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
c3a48c7b MC	144	checkhandshake::SCT_SRV_EXTENSION],
e96e0f8e	145
9ce3ed2a MC	146	[0,0,0]
	147	);
	148
c11237c2 MC	149	my $proxy = TLSProxy::Proxy->new(
	150	undef,
	151	cmdstr(app(["openssl"]), display => 1),
	152	srctop_file("apps", "server.pem"),
	153	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
	154	);
	155
c11237c2	156	#Test 1: Check we get all the right messages for a default handshake
cc24a22b	157	(undef, my $session) = tempfile();
a23bb15a	158	$proxy->serverconnects(2);
cc24a22b	159	$proxy->clientflags("-sess_out ".$session);
a23bb15a	160	$proxy->sessionfile($session);
c11237c2	161	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
de65f7b9	162	plan tests => 16;
1e566129 MC	163	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	164	checkhandshake::DEFAULT_EXTENSIONS,
f50306c2	165	"Default handshake test");
c11237c2	166
cc24a22b	167	#Test 2: Resumption handshake
a23bb15a MC	168	$proxy->clearClient();
	169	$proxy->clientflags("-sess_in ".$session);
	170	$proxy->clientstart();
	171	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
db919b1e MC	172	(checkhandshake::DEFAULT_EXTENSIONS
db919b1e MC	173	\| checkhandshake::PSK_CLI_EXTENSION
b510b740	174	\| checkhandshake::PSK_SRV_EXTENSION),
a23bb15a	175	"Resumption handshake test");
cc24a22b	176
5f21b440 BK	177	SKIP: {
	178	skip "No OCSP support in this OpenSSL build", 3
	179	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
	180	#Test 3: A status_request handshake (client request only)
	181	$proxy->clear();
	182	$proxy->clientflags("-status");
	183	$proxy->start();
	184	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	185	checkhandshake::DEFAULT_EXTENSIONS
	186	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
	187	"status_request handshake test (client)");
	188
	189	#Test 4: A status_request handshake (server support only)
	190	$proxy->clear();
	191	$proxy->serverflags("-status_file "
	192	.srctop_file("test", "recipes", "ocsp-response.der"));
	193	$proxy->start();
	194	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	195	checkhandshake::DEFAULT_EXTENSIONS,
	196	"status_request handshake test (server)");
	197
	198	#Test 5: A status_request handshake (client and server)
	199	$proxy->clear();
	200	$proxy->clientflags("-status");
	201	$proxy->serverflags("-status_file "
	202	.srctop_file("test", "recipes", "ocsp-response.der"));
	203	$proxy->start();
	204	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	205	checkhandshake::DEFAULT_EXTENSIONS
	206	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	207	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	208	"status_request handshake test");
	209	}
cc24a22b	210
9ce3ed2a	211	#Test 6: A client auth handshake
cc24a22b MC	212	$proxy->clear();
	213	$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
	214	$proxy->serverflags("-Verify 5");
	215	$proxy->start();
1e566129 MC	216	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
1e566129 MC	217	checkhandshake::DEFAULT_EXTENSIONS,
96153874	218	"Client auth handshake test");
cc24a22b	219
11ba87f2	220	#Test 7: Server name handshake (no client request)
9ce3ed2a	221	$proxy->clear();
11ba87f2	222	$proxy->clientflags("-noservername");
9ce3ed2a	223	$proxy->start();
1e566129 MC	224	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	225	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2	226	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	227	"Server name handshake test (client)");
9ce3ed2a MC	228
	229	#Test 8: Server name handshake (server support only)
	230	$proxy->clear();
11ba87f2	231	$proxy->clientflags("-noservername");
9ce3ed2a MC	232	$proxy->serverflags("-servername testhost");
9ce3ed2a MC	233	$proxy->start();
1e566129	234	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
11ba87f2 MC	235	checkhandshake::DEFAULT_EXTENSIONS
11ba87f2 MC	236	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
96153874	237	"Server name handshake test (server)");
9ce3ed2a MC	238
	239	#Test 9: Server name handshake (client and server)
	240	$proxy->clear();
	241	$proxy->clientflags("-servername testhost");
	242	$proxy->serverflags("-servername testhost");
	243	$proxy->start();
1e566129	244	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874	245	checkhandshake::DEFAULT_EXTENSIONS
96153874 MC	246	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
96153874 MC	247	"Server name handshake test");
9ce3ed2a MC	248
	249	#Test 10: ALPN handshake (client request only)
	250	$proxy->clear();
	251	$proxy->clientflags("-alpn test");
	252	$proxy->start();
1e566129 MC	253	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	254	checkhandshake::DEFAULT_EXTENSIONS
	255	\| checkhandshake::ALPN_CLI_EXTENSION,
96153874	256	"ALPN handshake test (client)");
9ce3ed2a MC	257
	258	#Test 11: ALPN handshake (server support only)
	259	$proxy->clear();
	260	$proxy->serverflags("-alpn test");
	261	$proxy->start();
1e566129 MC	262	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
1e566129 MC	263	checkhandshake::DEFAULT_EXTENSIONS,
96153874	264	"ALPN handshake test (server)");
a1448c26	265
9ce3ed2a MC	266	#Test 12: ALPN handshake (client and server)
	267	$proxy->clear();
	268	$proxy->clientflags("-alpn test");
	269	$proxy->serverflags("-alpn test");
	270	$proxy->start();
1e566129	271	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
96153874 MC	272	checkhandshake::DEFAULT_EXTENSIONS
	273	\| checkhandshake::ALPN_CLI_EXTENSION
	274	\| checkhandshake::ALPN_SRV_EXTENSION,
	275	"ALPN handshake test");
9ce3ed2a	276
c3a48c7b MC	277	SKIP: {
	278	skip "No CT, EC or OCSP support in this OpenSSL build", 1
	279	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
	280
	281	#Test 13: SCT handshake (client request only)
	282	$proxy->clear();
	283	#Note: -ct also sends status_request
	284	$proxy->clientflags("-ct");
	285	$proxy->serverflags("-status_file "
	286	.srctop_file("test", "recipes", "ocsp-response.der")
	287	." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
	288	$proxy->start();
	289	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	290	checkhandshake::DEFAULT_EXTENSIONS
	291	\| checkhandshake::SCT_CLI_EXTENSION
	292	\| checkhandshake::SCT_SRV_EXTENSION
	293	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
	294	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
	295	"SCT handshake test");
	296	}
	297
	298
	299
b0bfd140 MC	300
	301	#Test 14: HRR Handshake
	302	$proxy->clear();
	303	$proxy->serverflags("-curves P-256");
	304	$proxy->start();
	305	checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
	306	checkhandshake::DEFAULT_EXTENSIONS
	307	\| checkhandshake::KEY_SHARE_HRR_EXTENSION,
	308	"HRR handshake test");
	309
	310	#Test 15: Resumption handshake with HRR
	311	$proxy->clear();
	312	$proxy->clientflags("-sess_in ".$session);
	313	$proxy->serverflags("-curves P-256");
	314	$proxy->start();
	315	checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
db919b1e MC	316	(checkhandshake::DEFAULT_EXTENSIONS
	317	\| checkhandshake::KEY_SHARE_HRR_EXTENSION
	318	\| checkhandshake::PSK_CLI_EXTENSION
b510b740	319	\| checkhandshake::PSK_SRV_EXTENSION),
b0bfd140	320	"Resumption handshake with HRR test");
de65f7b9 MC	321
	322	#Test 16: Acceptable but non preferred key_share
	323	$proxy->clear();
	324	$proxy->clientflags("-curves P-256");
	325	$proxy->start();
	326	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
	327	checkhandshake::DEFAULT_EXTENSIONS
	328	\| checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
597c51bc	329	"Acceptable but non preferred key_share");
de65f7b9	330
b0bfd140	331	unlink $session;