]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/70-test_sslmessages.t
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add a ciphersuite config sanity check for servers
[thirdparty/openssl.git] / test / recipes / 70-test_sslmessages.t
1 #! /usr/bin/env perl
2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 use strict;
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
13 use TLSProxy::Proxy;
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
15
16 my $test_name = "test_sslmessages";
17 setup($test_name);
18
19 plan skip_all => "TLSProxy isn't usable on $^O"
20 if $^O =~ /^(VMS|MSWin32)$/;
21
22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
23 if disabled("engine") || disabled("dynamic-engine");
24
25 plan skip_all => "$test_name needs the sock feature enabled"
26 if disabled("sock");
27
28 plan skip_all => "$test_name needs TLS enabled"
29 if alldisabled(available_protocols("tls"));
30
31 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
32 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
33
34 my $proxy = TLSProxy::Proxy->new(
35 undef,
36 cmdstr(app(["openssl"]), display => 1),
37 srctop_file("apps", "server.pem"),
38 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
39 );
40
41 @handmessages = (
42 [TLSProxy::Message::MT_CLIENT_HELLO,
43 checkhandshake::ALL_HANDSHAKES],
44 [TLSProxy::Message::MT_SERVER_HELLO,
45 checkhandshake::ALL_HANDSHAKES],
46 [TLSProxy::Message::MT_CERTIFICATE,
47 checkhandshake::ALL_HANDSHAKES
48 & ~checkhandshake::RESUME_HANDSHAKE],
49 (disabled("ec") ? () :
50 [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
51 checkhandshake::EC_HANDSHAKE]),
52 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
53 checkhandshake::OCSP_HANDSHAKE],
54 #ServerKeyExchange handshakes not currently supported by TLSProxy
55 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
56 checkhandshake::CLIENT_AUTH_HANDSHAKE],
57 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
58 checkhandshake::ALL_HANDSHAKES
59 & ~checkhandshake::RESUME_HANDSHAKE],
60 [TLSProxy::Message::MT_CERTIFICATE,
61 checkhandshake::CLIENT_AUTH_HANDSHAKE],
62 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
63 checkhandshake::ALL_HANDSHAKES
64 & ~checkhandshake::RESUME_HANDSHAKE],
65 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
66 checkhandshake::CLIENT_AUTH_HANDSHAKE],
67 [TLSProxy::Message::MT_NEXT_PROTO,
68 checkhandshake::NPN_HANDSHAKE],
69 [TLSProxy::Message::MT_FINISHED,
70 checkhandshake::ALL_HANDSHAKES],
71 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
72 checkhandshake::ALL_HANDSHAKES
73 & ~checkhandshake::RESUME_HANDSHAKE],
74 [TLSProxy::Message::MT_FINISHED,
75 checkhandshake::ALL_HANDSHAKES],
76 [TLSProxy::Message::MT_CLIENT_HELLO,
77 checkhandshake::RENEG_HANDSHAKE],
78 [TLSProxy::Message::MT_SERVER_HELLO,
79 checkhandshake::RENEG_HANDSHAKE],
80 [TLSProxy::Message::MT_CERTIFICATE,
81 checkhandshake::RENEG_HANDSHAKE],
82 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
83 checkhandshake::RENEG_HANDSHAKE],
84 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
85 checkhandshake::RENEG_HANDSHAKE],
86 [TLSProxy::Message::MT_FINISHED,
87 checkhandshake::RENEG_HANDSHAKE],
88 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
89 checkhandshake::RENEG_HANDSHAKE],
90 [TLSProxy::Message::MT_FINISHED,
91 checkhandshake::RENEG_HANDSHAKE],
92 [0, 0]
93 );
94
95 @extensions = (
96 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
97 checkhandshake::SERVER_NAME_CLI_EXTENSION],
98 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
99 checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
100 (disabled("ec") ? () :
101 [TLSProxy::Message::MT_CLIENT_HELLO,
102 TLSProxy::Message::EXT_SUPPORTED_GROUPS,
103 checkhandshake::DEFAULT_EXTENSIONS]),
104 (disabled("ec") ? () :
105 [TLSProxy::Message::MT_CLIENT_HELLO,
106 TLSProxy::Message::EXT_EC_POINT_FORMATS,
107 checkhandshake::DEFAULT_EXTENSIONS]),
108 (disabled("tls1_2") ? () :
109 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
110 checkhandshake::DEFAULT_EXTENSIONS]),
111 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
112 checkhandshake::ALPN_CLI_EXTENSION],
113 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
114 checkhandshake::SCT_CLI_EXTENSION],
115 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
116 checkhandshake::DEFAULT_EXTENSIONS],
117 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
118 checkhandshake::DEFAULT_EXTENSIONS],
119 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
120 checkhandshake::DEFAULT_EXTENSIONS],
121 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
122 checkhandshake::RENEGOTIATE_CLI_EXTENSION],
123 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
124 checkhandshake::NPN_CLI_EXTENSION],
125 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
126 checkhandshake::SRP_CLI_EXTENSION],
127
128 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
129 checkhandshake::DEFAULT_EXTENSIONS],
130 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
131 checkhandshake::DEFAULT_EXTENSIONS],
132 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
133 checkhandshake::DEFAULT_EXTENSIONS],
134 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
135 checkhandshake::SESSION_TICKET_SRV_EXTENSION],
136 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
137 checkhandshake::SERVER_NAME_SRV_EXTENSION],
138 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
139 checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
140 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
141 checkhandshake::ALPN_SRV_EXTENSION],
142 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
143 checkhandshake::SCT_SRV_EXTENSION],
144 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
145 checkhandshake::NPN_SRV_EXTENSION],
146 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
147 checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
148 [0,0,0]
149 );
150
151 #Test 1: Check we get all the right messages for a default handshake
152 (undef, my $session) = tempfile();
153 $proxy->serverconnects(2);
154 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
155 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
156 plan tests => 21;
157 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
158 checkhandshake::DEFAULT_EXTENSIONS,
159 "Default handshake test");
160
161 #Test 2: Resumption handshake
162 $proxy->clearClient();
163 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
164 $proxy->clientstart();
165 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
166 checkhandshake::DEFAULT_EXTENSIONS
167 & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
168 "Resumption handshake test");
169 unlink $session;
170
171 SKIP: {
172 skip "No OCSP support in this OpenSSL build", 3
173 if disabled("ocsp");
174
175 #Test 3: A status_request handshake (client request only)
176 $proxy->clear();
177 $proxy->clientflags("-no_tls1_3 -status");
178 $proxy->start();
179 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
180 checkhandshake::DEFAULT_EXTENSIONS
181 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
182 "status_request handshake test (client)");
183
184 #Test 4: A status_request handshake (server support only)
185 $proxy->clear();
186 $proxy->clientflags("-no_tls1_3");
187 $proxy->serverflags("-status_file "
188 .srctop_file("test", "recipes", "ocsp-response.der"));
189 $proxy->start();
190 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
191 checkhandshake::DEFAULT_EXTENSIONS,
192 "status_request handshake test (server)");
193
194 #Test 5: A status_request handshake (client and server)
195 $proxy->clear();
196 $proxy->clientflags("-no_tls1_3 -status");
197 $proxy->serverflags("-status_file "
198 .srctop_file("test", "recipes", "ocsp-response.der"));
199 $proxy->start();
200 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
201 checkhandshake::DEFAULT_EXTENSIONS
202 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
203 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
204 "status_request handshake test");
205 }
206
207 #Test 6: A client auth handshake
208 $proxy->clear();
209 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
210 $proxy->serverflags("-Verify 5");
211 $proxy->start();
212 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
213 checkhandshake::DEFAULT_EXTENSIONS,
214 "Client auth handshake test");
215
216 #Test 7: A handshake with a renegotiation
217 $proxy->clear();
218 $proxy->clientflags("-no_tls1_3");
219 $proxy->reneg(1);
220 $proxy->start();
221 checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
222 checkhandshake::DEFAULT_EXTENSIONS,
223 "Rengotiation handshake test");
224
225 #Test 8: Server name handshake (client request only)
226 $proxy->clear();
227 $proxy->clientflags("-no_tls1_3 -servername testhost");
228 $proxy->start();
229 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
230 checkhandshake::DEFAULT_EXTENSIONS
231 | checkhandshake::SERVER_NAME_CLI_EXTENSION,
232 "Server name handshake test (client)");
233
234 #Test 9: Server name handshake (server support only)
235 $proxy->clear();
236 $proxy->clientflags("-no_tls1_3");
237 $proxy->serverflags("-servername testhost");
238 $proxy->start();
239 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
240 checkhandshake::DEFAULT_EXTENSIONS,
241 "Server name handshake test (server)");
242
243 #Test 10: Server name handshake (client and server)
244 $proxy->clear();
245 $proxy->clientflags("-no_tls1_3 -servername testhost");
246 $proxy->serverflags("-servername testhost");
247 $proxy->start();
248 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
249 checkhandshake::DEFAULT_EXTENSIONS
250 | checkhandshake::SERVER_NAME_CLI_EXTENSION
251 | checkhandshake::SERVER_NAME_SRV_EXTENSION,
252 "Server name handshake test");
253
254 #Test 11: ALPN handshake (client request only)
255 $proxy->clear();
256 $proxy->clientflags("-no_tls1_3 -alpn test");
257 $proxy->start();
258 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
259 checkhandshake::DEFAULT_EXTENSIONS
260 | checkhandshake::ALPN_CLI_EXTENSION,
261 "ALPN handshake test (client)");
262
263 #Test 12: ALPN handshake (server support only)
264 $proxy->clear();
265 $proxy->clientflags("-no_tls1_3");
266 $proxy->serverflags("-alpn test");
267 $proxy->start();
268 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
269 checkhandshake::DEFAULT_EXTENSIONS,
270 "ALPN handshake test (server)");
271
272 #Test 13: ALPN handshake (client and server)
273 $proxy->clear();
274 $proxy->clientflags("-no_tls1_3 -alpn test");
275 $proxy->serverflags("-alpn test");
276 $proxy->start();
277 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
278 checkhandshake::DEFAULT_EXTENSIONS
279 | checkhandshake::ALPN_CLI_EXTENSION
280 | checkhandshake::ALPN_SRV_EXTENSION,
281 "ALPN handshake test");
282
283 SKIP: {
284 skip "No CT, EC or OCSP support in this OpenSSL build", 1
285 if disabled("ct") || disabled("ec") || disabled("ocsp");
286
287 #Test 14: SCT handshake (client request only)
288 $proxy->clear();
289 #Note: -ct also sends status_request
290 $proxy->clientflags("-no_tls1_3 -ct");
291 $proxy->serverflags("-status_file "
292 .srctop_file("test", "recipes", "ocsp-response.der"));
293 $proxy->start();
294 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
295 checkhandshake::DEFAULT_EXTENSIONS
296 | checkhandshake::SCT_CLI_EXTENSION
297 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
298 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
299 "SCT handshake test (client)");
300 }
301
302 SKIP: {
303 skip "No OCSP support in this OpenSSL build", 1
304 if disabled("ocsp");
305
306 #Test 15: SCT handshake (server support only)
307 $proxy->clear();
308 #Note: -ct also sends status_request
309 $proxy->clientflags("-no_tls1_3");
310 $proxy->serverflags("-status_file "
311 .srctop_file("test", "recipes", "ocsp-response.der"));
312 $proxy->start();
313 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
314 checkhandshake::DEFAULT_EXTENSIONS,
315 "SCT handshake test (server)");
316 }
317
318 SKIP: {
319 skip "No CT, EC or OCSP support in this OpenSSL build", 1
320 if disabled("ct") || disabled("ec") || disabled("ocsp");
321
322 #Test 16: SCT handshake (client and server)
323 #There is no built-in server side support for this so we are actually also
324 #testing custom extensions here
325 $proxy->clear();
326 #Note: -ct also sends status_request
327 $proxy->clientflags("-no_tls1_3 -ct");
328 $proxy->serverflags("-status_file "
329 .srctop_file("test", "recipes", "ocsp-response.der")
330 ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
331 $proxy->start();
332 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
333 checkhandshake::DEFAULT_EXTENSIONS
334 | checkhandshake::SCT_CLI_EXTENSION
335 | checkhandshake::SCT_SRV_EXTENSION
336 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
337 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
338 "SCT handshake test");
339 }
340
341
342 SKIP: {
343 skip "No NPN support in this OpenSSL build", 3
344 if disabled("nextprotoneg");
345
346 #Test 17: NPN handshake (client request only)
347 $proxy->clear();
348 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
349 $proxy->start();
350 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
351 checkhandshake::DEFAULT_EXTENSIONS
352 | checkhandshake::NPN_CLI_EXTENSION,
353 "NPN handshake test (client)");
354
355 #Test 18: NPN handshake (server support only)
356 $proxy->clear();
357 $proxy->clientflags("-no_tls1_3");
358 $proxy->serverflags("-nextprotoneg test");
359 $proxy->start();
360 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
361 checkhandshake::DEFAULT_EXTENSIONS,
362 "NPN handshake test (server)");
363
364 #Test 19: NPN handshake (client and server)
365 $proxy->clear();
366 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
367 $proxy->serverflags("-nextprotoneg test");
368 $proxy->start();
369 checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
370 checkhandshake::DEFAULT_EXTENSIONS
371 | checkhandshake::NPN_CLI_EXTENSION
372 | checkhandshake::NPN_SRV_EXTENSION,
373 "NPN handshake test");
374 }
375
376 SKIP: {
377 skip "No SRP support in this OpenSSL build", 1
378 if disabled("srp");
379
380 #Test 20: SRP extension
381 #Note: We are not actually going to perform an SRP handshake (TLSProxy
382 #does not support it). However it is sufficient for us to check that the
383 #SRP extension gets added on the client side. There is no SRP extension
384 #generated on the server side anyway.
385 $proxy->clear();
386 $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
387 $proxy->start();
388 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
389 checkhandshake::DEFAULT_EXTENSIONS
390 | checkhandshake::SRP_CLI_EXTENSION,
391 "SRP extension test");
392 }
393
394 #Test 21: EC handshake
395 SKIP: {
396 skip "No EC support in this OpenSSL build", 1 if disabled("ec");
397 $proxy->clear();
398 $proxy->clientflags("-no_tls1_3");
399 $proxy->serverflags("-no_tls1_3");
400 $proxy->ciphers("ECDHE-RSA-AES128-SHA");
401 $proxy->start();
402 checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
403 checkhandshake::DEFAULT_EXTENSIONS
404 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
405 "EC handshake test");
406 }
A mirror of the official openssl repository