test/recipes/70-test_tls13messages.t

   1 #! /usr/bin/env perl
   2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the OpenSSL license (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9 use strict;
  10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
  11 use OpenSSL::Test::Utils;
  12 use File::Temp qw(tempfile);
  13 use TLSProxy::Proxy;
  14 use checkhandshake qw(checkhandshake @handmessages @extensions);
  15
  16 my $test_name = "test_tls13messages";
  17 setup($test_name);
  18
  19 plan skip_all => "TLSProxy isn't usable on $^O"
  20     if $^O =~ /^(VMS|MSWin32)$/;
  21
  22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
  23     if disabled("engine") || disabled("dynamic-engine");
  24
  25 plan skip_all => "$test_name needs the sock feature enabled"
  26     if disabled("sock");
  27
  28 plan skip_all => "$test_name needs TLSv1.3 enabled"
  29     if disabled("tls1_3");
  30
  31 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
  32 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
  33
  34
  35 @handmessages = (
  36     [TLSProxy::Message::MT_CLIENT_HELLO,
  37         checkhandshake::ALL_HANDSHAKES],
  38     [TLSProxy::Message::MT_HELLO_RETRY_REQUEST,
  39         checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
  40     [TLSProxy::Message::MT_CLIENT_HELLO,
  41         checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
  42     [TLSProxy::Message::MT_SERVER_HELLO,
  43         checkhandshake::ALL_HANDSHAKES],
  44     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
  45         checkhandshake::ALL_HANDSHAKES],
  46     [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
  47         checkhandshake::CLIENT_AUTH_HANDSHAKE],
  48     [TLSProxy::Message::MT_CERTIFICATE,
  49         checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
  50     [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
  51         checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
  52     [TLSProxy::Message::MT_FINISHED,
  53         checkhandshake::ALL_HANDSHAKES],
  54     [TLSProxy::Message::MT_CERTIFICATE,
  55         checkhandshake::CLIENT_AUTH_HANDSHAKE],
  56     [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
  57         checkhandshake::CLIENT_AUTH_HANDSHAKE],
  58     [TLSProxy::Message::MT_FINISHED,
  59         checkhandshake::ALL_HANDSHAKES],
  60     [0, 0]
  61 );
  62
  63 @extensions = (
  64     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
  65         checkhandshake::SERVER_NAME_CLI_EXTENSION],
  66     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
  67         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
  68     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
  69         checkhandshake::DEFAULT_EXTENSIONS],
  70     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
  71         checkhandshake::DEFAULT_EXTENSIONS],
  72     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
  73         checkhandshake::DEFAULT_EXTENSIONS],
  74     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
  75         checkhandshake::ALPN_CLI_EXTENSION],
  76     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
  77         checkhandshake::SCT_CLI_EXTENSION],
  78     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
  79         checkhandshake::DEFAULT_EXTENSIONS],
  80     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
  81         checkhandshake::DEFAULT_EXTENSIONS],
  82     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
  83         checkhandshake::DEFAULT_EXTENSIONS],
  84     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
  85         checkhandshake::DEFAULT_EXTENSIONS],
  86     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
  87         checkhandshake::DEFAULT_EXTENSIONS],
  88     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
  89         checkhandshake::DEFAULT_EXTENSIONS],
  90     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
  91         checkhandshake::PSK_CLI_EXTENSION],
  92
  93     [TLSProxy::Message::MT_HELLO_RETRY_REQUEST, TLSProxy::Message::EXT_KEY_SHARE,
  94         checkhandshake::KEY_SHARE_HRR_EXTENSION],
  95
  96     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
  97         checkhandshake::SERVER_NAME_CLI_EXTENSION],
  98     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
  99         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
 100     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
 101         checkhandshake::DEFAULT_EXTENSIONS],
 102     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
 103         checkhandshake::DEFAULT_EXTENSIONS],
 104     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
 105         checkhandshake::ALPN_CLI_EXTENSION],
 106     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
 107         checkhandshake::SCT_CLI_EXTENSION],
 108     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
 109         checkhandshake::DEFAULT_EXTENSIONS],
 110     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
 111         checkhandshake::DEFAULT_EXTENSIONS],
 112     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
 113         checkhandshake::DEFAULT_EXTENSIONS],
 114     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
 115         checkhandshake::PSK_CLI_EXTENSION],
 116
 117     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
 118         checkhandshake::DEFAULT_EXTENSIONS],
 119     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
 120         checkhandshake::PSK_SRV_EXTENSION],
 121
 122     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
 123         checkhandshake::SERVER_NAME_SRV_EXTENSION],
 124     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
 125         checkhandshake::ALPN_SRV_EXTENSION],
 126
 127     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
 128         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
 129
 130     [0,0,0]
 131 );
 132
 133 my $proxy = TLSProxy::Proxy->new(
 134     undef,
 135     cmdstr(app(["openssl"]), display => 1),
 136     srctop_file("apps", "server.pem"),
 137     (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
 138 );
 139
 140 #Test 1: Check we get all the right messages for a default handshake
 141 (undef, my $session) = tempfile();
 142 $proxy->serverconnects(2);
 143 $proxy->clientflags("-sess_out ".$session);
 144 $proxy->sessionfile($session);
 145 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
 146 plan tests => 15;
 147 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 148                checkhandshake::DEFAULT_EXTENSIONS,
 149                "Default handshake test");
 150
 151 #Test 2: Resumption handshake
 152 $proxy->clearClient();
 153 $proxy->clientflags("-sess_in ".$session);
 154 $proxy->clientstart();
 155 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
 156                checkhandshake::DEFAULT_EXTENSIONS
 157                | checkhandshake::PSK_CLI_EXTENSION
 158                | checkhandshake::PSK_SRV_EXTENSION,
 159                "Resumption handshake test");
 160
 161 #Test 3: A status_request handshake (client request only)
 162 $proxy->clear();
 163 $proxy->clientflags("-status");
 164 $proxy->start();
 165 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 166                checkhandshake::DEFAULT_EXTENSIONS
 167                | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
 168                "status_request handshake test (client)");
 169
 170 #Test 4: A status_request handshake (server support only)
 171 $proxy->clear();
 172 $proxy->serverflags("-status_file "
 173                     .srctop_file("test", "recipes", "ocsp-response.der"));
 174 $proxy->start();
 175 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 176                checkhandshake::DEFAULT_EXTENSIONS,
 177                "status_request handshake test (server)");
 178
 179 #Test 5: A status_request handshake (client and server)
 180 #TODO(TLS1.3): TLS1.3 doesn't actually have CertificateStatus messages. This is
 181 #a temporary test until such time as we do proper TLS1.3 style certificate
 182 #status
 183 $proxy->clear();
 184 $proxy->clientflags("-status");
 185 $proxy->serverflags("-status_file "
 186                     .srctop_file("test", "recipes", "ocsp-response.der"));
 187 $proxy->start();
 188 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 189                checkhandshake::DEFAULT_EXTENSIONS
 190                | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
 191                | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
 192                "status_request handshake test");
 193
 194 #Test 6: A client auth handshake
 195 $proxy->clear();
 196 $proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
 197 $proxy->serverflags("-Verify 5");
 198 $proxy->start();
 199 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
 200                checkhandshake::DEFAULT_EXTENSIONS,
 201                "Client auth handshake test");
 202
 203 #Test 7: Server name handshake (no client request)
 204 $proxy->clear();
 205 $proxy->clientflags("-noservername");
 206 $proxy->start();
 207 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 208                checkhandshake::DEFAULT_EXTENSIONS
 209                & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
 210                "Server name handshake test (client)");
 211
 212 #Test 8: Server name handshake (server support only)
 213 $proxy->clear();
 214 $proxy->clientflags("-noservername");
 215 $proxy->serverflags("-servername testhost");
 216 $proxy->start();
 217 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 218                checkhandshake::DEFAULT_EXTENSIONS
 219                & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
 220                "Server name handshake test (server)");
 221
 222 #Test 9: Server name handshake (client and server)
 223 $proxy->clear();
 224 $proxy->clientflags("-servername testhost");
 225 $proxy->serverflags("-servername testhost");
 226 $proxy->start();
 227 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 228                checkhandshake::DEFAULT_EXTENSIONS
 229                | checkhandshake::SERVER_NAME_SRV_EXTENSION,
 230                "Server name handshake test");
 231
 232 #Test 10: ALPN handshake (client request only)
 233 $proxy->clear();
 234 $proxy->clientflags("-alpn test");
 235 $proxy->start();
 236 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 237                checkhandshake::DEFAULT_EXTENSIONS
 238                | checkhandshake::ALPN_CLI_EXTENSION,
 239                "ALPN handshake test (client)");
 240
 241 #Test 11: ALPN handshake (server support only)
 242 $proxy->clear();
 243 $proxy->serverflags("-alpn test");
 244 $proxy->start();
 245 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 246                checkhandshake::DEFAULT_EXTENSIONS,
 247                "ALPN handshake test (server)");
 248
 249 #Test 12: ALPN handshake (client and server)
 250 $proxy->clear();
 251 $proxy->clientflags("-alpn test");
 252 $proxy->serverflags("-alpn test");
 253 $proxy->start();
 254 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 255                checkhandshake::DEFAULT_EXTENSIONS
 256                | checkhandshake::ALPN_CLI_EXTENSION
 257                | checkhandshake::ALPN_SRV_EXTENSION,
 258                "ALPN handshake test");
 259
 260 #Test 13: SCT handshake (client request only)
 261 #TODO(TLS1.3): This only checks that the client side extension appears. The
 262 #SCT extension is unusual in that we have no built-in server side implementation
 263 #The server side implementation can nomrally be added using the custom
 264 #extensions framework (e.g. by using the "-serverinfo" s_server option). However
 265 #currently we only support <= TLS1.2 for custom extensions because the existing
 266 #framework and API has no knowledge of the TLS1.3 messages
 267 $proxy->clear();
 268 #Note: -ct also sends status_request
 269 $proxy->clientflags("-ct");
 270 $proxy->serverflags("-status_file "
 271                     .srctop_file("test", "recipes", "ocsp-response.der"));
 272 $proxy->start();
 273 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
 274                checkhandshake::DEFAULT_EXTENSIONS
 275                | checkhandshake::SCT_CLI_EXTENSION
 276                | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
 277                | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
 278                "SCT handshake test");
 279
 280 #Test 14: HRR Handshake
 281 $proxy->clear();
 282 $proxy->serverflags("-curves P-256");
 283 $proxy->start();
 284 checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
 285                checkhandshake::DEFAULT_EXTENSIONS
 286                | checkhandshake::KEY_SHARE_HRR_EXTENSION,
 287                "HRR handshake test");
 288
 289 #Test 15: Resumption handshake with HRR
 290 $proxy->clear();
 291 $proxy->clientflags("-sess_in ".$session);
 292 $proxy->serverflags("-curves P-256");
 293 $proxy->start();
 294 checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
 295                checkhandshake::DEFAULT_EXTENSIONS
 296                | checkhandshake::KEY_SHARE_HRR_EXTENSION
 297                | checkhandshake::PSK_CLI_EXTENSION
 298                | checkhandshake::PSK_SRV_EXTENSION,
 299                "Resumption handshake with HRR test");
 300 unlink $session;