2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
17 # This block needs to run before 'use lib srctop_dir' directives.
19 $test_name = "test_tls13messages";
20 OpenSSL::Test::setup($test_name);
23 use lib srctop_dir("test", "recipes");
25 use recipes::checkhandshake qw(checkhandshake @handmessages @extensions);
27 plan skip_all => "TLSProxy isn't usable on $^O"
28 if $^O =~ /^(VMS|MSWin32)$/;
30 plan skip_all => "$test_name needs the dynamic engine feature enabled"
31 if disabled("engine") || disabled("dynamic-engine");
33 plan skip_all => "$test_name needs the sock feature enabled"
36 plan skip_all => "$test_name needs TLSv1.3 enabled"
37 if disabled("tls1_3");
39 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
40 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
44 [TLSProxy::Message::MT_CLIENT_HELLO,
45 recipes::checkhandshake::ALL_HANDSHAKES],
46 [TLSProxy::Message::MT_SERVER_HELLO,
47 recipes::checkhandshake::ALL_HANDSHAKES],
48 [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
49 recipes::checkhandshake::ALL_HANDSHAKES],
50 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
51 recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
52 [TLSProxy::Message::MT_CERTIFICATE,
53 recipes::checkhandshake::ALL_HANDSHAKES & ~recipes::checkhandshake::RESUME_HANDSHAKE],
54 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
55 recipes::checkhandshake::OCSP_HANDSHAKE],
56 [TLSProxy::Message::MT_FINISHED,
57 recipes::checkhandshake::ALL_HANDSHAKES],
58 [TLSProxy::Message::MT_CERTIFICATE,
59 recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
60 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
61 recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
62 [TLSProxy::Message::MT_FINISHED,
63 recipes::checkhandshake::ALL_HANDSHAKES],
68 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
69 recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION],
70 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
71 recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
72 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
73 recipes::checkhandshake::DEFAULT_EXTENSIONS],
74 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
75 recipes::checkhandshake::DEFAULT_EXTENSIONS],
76 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
77 recipes::checkhandshake::DEFAULT_EXTENSIONS],
78 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
79 recipes::checkhandshake::ALPN_CLI_EXTENSION],
80 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
81 recipes::checkhandshake::SCT_CLI_EXTENSION],
82 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
83 recipes::checkhandshake::DEFAULT_EXTENSIONS],
84 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
85 recipes::checkhandshake::DEFAULT_EXTENSIONS],
86 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
87 recipes::checkhandshake::DEFAULT_EXTENSIONS],
88 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
89 recipes::checkhandshake::DEFAULT_EXTENSIONS],
90 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
91 recipes::checkhandshake::DEFAULT_EXTENSIONS],
93 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
94 recipes::checkhandshake::DEFAULT_EXTENSIONS],
96 [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
97 recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION],
98 [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_STATUS_REQUEST,
99 recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
100 [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
101 recipes::checkhandshake::ALPN_SRV_EXTENSION],
105 my $proxy = TLSProxy::Proxy->new(
107 cmdstr(app(["openssl"]), display => 1),
108 srctop_file("apps", "server.pem"),
109 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
112 #Test 1: Check we get all the right messages for a default handshake
113 (undef, my $session) = tempfile();
114 #$proxy->serverconnects(2);
115 $proxy->clientflags("-sess_out ".$session);
116 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
118 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
119 recipes::checkhandshake::DEFAULT_EXTENSIONS,
120 "Default handshake test");
122 #TODO(TLS1.3): Test temporarily disabled until we implement TLS1.3 resumption
123 #Test 2: Resumption handshake
124 #$proxy->clearClient();
125 #$proxy->clientflags("-sess_in ".$session);
126 #$proxy->clientstart();
127 #checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
130 #Test 3: A status_request handshake (client request only)
132 $proxy->clientflags("-status");
134 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
135 recipes::checkhandshake::DEFAULT_EXTENSIONS
136 | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
137 "status_request handshake test (client)");
139 #Test 4: A status_request handshake (server support only)
141 $proxy->serverflags("-status_file "
142 .srctop_file("test", "recipes", "ocsp-response.der"));
144 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
145 recipes::checkhandshake::DEFAULT_EXTENSIONS,
146 "status_request handshake test (server)");
148 #Test 5: A status_request handshake (client and server)
149 #TODO(TLS1.3): TLS1.3 doesn't actually have CertificateStatus messages. This is
150 #a temporary test until such time as we do proper TLS1.3 style certificate
153 $proxy->clientflags("-status");
154 $proxy->serverflags("-status_file "
155 .srctop_file("test", "recipes", "ocsp-response.der"));
157 checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
158 recipes::checkhandshake::DEFAULT_EXTENSIONS
159 | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
160 | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
161 "status_request handshake test");
163 #Test 6: A client auth handshake
165 $proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
166 $proxy->serverflags("-Verify 5");
168 checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE,
169 recipes::checkhandshake::DEFAULT_EXTENSIONS,
170 "Client auth handshake test");
172 #Test 7: Server name handshake (client request only)
174 $proxy->clientflags("-servername testhost");
176 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
177 recipes::checkhandshake::DEFAULT_EXTENSIONS
178 | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION,
179 "Server name handshake test (client)");
181 #Test 8: Server name handshake (server support only)
183 $proxy->serverflags("-servername testhost");
185 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
186 recipes::checkhandshake::DEFAULT_EXTENSIONS,
187 "Server name handshake test (server)");
189 #Test 9: Server name handshake (client and server)
191 $proxy->clientflags("-servername testhost");
192 $proxy->serverflags("-servername testhost");
194 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
195 recipes::checkhandshake::DEFAULT_EXTENSIONS
196 | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION
197 | recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION,
198 "Server name handshake test");
200 #Test 10: ALPN handshake (client request only)
202 $proxy->clientflags("-alpn test");
204 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
205 recipes::checkhandshake::DEFAULT_EXTENSIONS
206 | recipes::checkhandshake::ALPN_CLI_EXTENSION,
207 "ALPN handshake test (client)");
209 #Test 11: ALPN handshake (server support only)
211 $proxy->serverflags("-alpn test");
213 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
214 recipes::checkhandshake::DEFAULT_EXTENSIONS,
215 "ALPN handshake test (server)");
217 #Test 12: ALPN handshake (client and server)
219 $proxy->clientflags("-alpn test");
220 $proxy->serverflags("-alpn test");
222 checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
223 recipes::checkhandshake::DEFAULT_EXTENSIONS
224 | recipes::checkhandshake::ALPN_CLI_EXTENSION
225 | recipes::checkhandshake::ALPN_SRV_EXTENSION,
226 "ALPN handshake test");
228 #Test 13: SCT handshake (client request only)
229 #TODO(TLS1.3): This only checks that the client side extension appears. The
230 #SCT extension is unusual in that we have no built-in server side implementation
231 #The server side implementation can nomrally be added using the custom
232 #extensions framework (e.g. by using the "-serverinfo" s_server option). However
233 #currently we only support <= TLS1.2 for custom extensions because the existing
234 #framework and API has no knowledge of the TLS1.3 messages
236 #Note: -ct also sends status_request
237 $proxy->clientflags("-ct");
238 $proxy->serverflags("-status_file "
239 .srctop_file("test", "recipes", "ocsp-response.der"));
241 checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
242 recipes::checkhandshake::DEFAULT_EXTENSIONS
243 | recipes::checkhandshake::SCT_CLI_EXTENSION
244 | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
245 | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
246 "SCT handshake test");