Correct imports for checkhandshake module
[openssl.git] / test / recipes / 70-test_tls13messages.t
1 #! /usr/bin/env perl
2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the OpenSSL license (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 use strict;
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
13 use TLSProxy::Proxy;
14
# Name under which this recipe registers with the OpenSSL test framework.
my $test_name;

# 'use' statements are executed at compile time, so the framework has to be
# set up at compile time as well: this block needs to run before the
# 'use lib srctop_dir' directives that follow it.
BEGIN {
    OpenSSL::Test::setup($test_name = "test_tls13messages");
}
22 use lib srctop_dir("test");
23
24 use recipes::checkhandshake qw(checkhandshake @handmessages @extensions);
25
# Bail out early, with a stated reason, on platforms and build configurations
# that cannot run this recipe. The checks run in order and the first one that
# applies skips the whole file.
if ($^O =~ /^(VMS|MSWin32)$/) {
    plan skip_all => "TLSProxy isn't usable on $^O";
}

if (disabled("engine") || disabled("dynamic-engine")) {
    plan skip_all => "$test_name needs the dynamic engine feature enabled";
}

if (disabled("sock")) {
    plan skip_all => "$test_name needs the sock feature enabled";
}

if (disabled("tls1_3")) {
    plan skip_all => "$test_name needs TLSv1.3 enabled";
}

# OPENSSL_ia32cap overrides the CPU capability vector used by libcrypto; the
# leading '~' clears the listed bits. The mask has bits 57 and 33 set, which
# the OPENSSL_ia32cap documentation lists as AES-NI and PCLMULQDQ.
# NOTE(review): the reason for disabling them is not stated in this file.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Point the Certificate Transparency code at the log list shipped with the
# test suite (used by the "-ct" client run at the end of this file).
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
40
41
# Handshake message table consumed by checkhandshake(). Each row is
# [message type, bitmask of handshake variants]; presumably a message is
# expected whenever the variant under test is in the row's mask. Rows are
# listed in wire order, and the [0, 0] row terminates the table.
@handmessages = do {
    my $every_handshake = recipes::checkhandshake::ALL_HANDSHAKES;
    my $client_auth     = recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE;
    my $ocsp            = recipes::checkhandshake::OCSP_HANDSHAKE;
    # Every variant except a resumed session.
    my $not_resumed     = $every_handshake
                          & ~recipes::checkhandshake::RESUME_HANDSHAKE;

    (
        [TLSProxy::Message::MT_CLIENT_HELLO,         $every_handshake],
        [TLSProxy::Message::MT_SERVER_HELLO,         $every_handshake],
        [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, $every_handshake],
        [TLSProxy::Message::MT_CERTIFICATE_REQUEST,  $client_auth],
        [TLSProxy::Message::MT_CERTIFICATE,          $not_resumed],
        [TLSProxy::Message::MT_CERTIFICATE_STATUS,   $ocsp],
        [TLSProxy::Message::MT_FINISHED,             $every_handshake],
        # Second Certificate/Finished pair: the client's flight.
        [TLSProxy::Message::MT_CERTIFICATE,          $client_auth],
        [TLSProxy::Message::MT_CERTIFICATE_VERIFY,   $client_auth],
        [TLSProxy::Message::MT_FINISHED,             $every_handshake],
        [0, 0],
    );
};
65
# Extension table consumed by checkhandshake(). Each row is
# [message type, extension type, extension flag]; presumably the extension is
# expected in that message whenever the flag is part of the mask passed to
# checkhandshake(). The [0, 0, 0] row terminates the table.
@extensions = do {
    my $client_hello   = TLSProxy::Message::MT_CLIENT_HELLO;
    my $server_hello   = TLSProxy::Message::MT_SERVER_HELLO;
    my $encrypted_exts = TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS;
    my $by_default     = recipes::checkhandshake::DEFAULT_EXTENSIONS;

    (
        # ClientHello
        [$client_hello, TLSProxy::Message::EXT_SERVER_NAME,
            recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION],
        [$client_hello, TLSProxy::Message::EXT_STATUS_REQUEST,
            recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
        [$client_hello, TLSProxy::Message::EXT_SUPPORTED_GROUPS, $by_default],
        [$client_hello, TLSProxy::Message::EXT_EC_POINT_FORMATS, $by_default],
        [$client_hello, TLSProxy::Message::EXT_SIG_ALGS, $by_default],
        [$client_hello, TLSProxy::Message::EXT_ALPN,
            recipes::checkhandshake::ALPN_CLI_EXTENSION],
        [$client_hello, TLSProxy::Message::EXT_SCT,
            recipes::checkhandshake::SCT_CLI_EXTENSION],
        [$client_hello, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, $by_default],
        [$client_hello, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
            $by_default],
        [$client_hello, TLSProxy::Message::EXT_SESSION_TICKET, $by_default],
        [$client_hello, TLSProxy::Message::EXT_KEY_SHARE, $by_default],
        [$client_hello, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $by_default],

        # ServerHello
        [$server_hello, TLSProxy::Message::EXT_KEY_SHARE, $by_default],

        # EncryptedExtensions
        [$encrypted_exts, TLSProxy::Message::EXT_SERVER_NAME,
            recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION],
        [$encrypted_exts, TLSProxy::Message::EXT_STATUS_REQUEST,
            recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
        [$encrypted_exts, TLSProxy::Message::EXT_ALPN,
            recipes::checkhandshake::ALPN_SRV_EXTENSION],
        [0, 0, 0],
    );
};
103
# Show proxy debug output unless we run under a quiet test harness.
my $proxy_debug = !$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE};

# The proxy sits between the openssl client and server it launches, so the
# recipe can inspect the handshake messages that go over the wire.
# Arguments: message filter (none here), the openssl command line, the server
# certificate, and the debug switch.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    $proxy_debug
);
110
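#Test 1: Check we get all the right messages for a default handshake
# "-sess_out" makes the client write its negotiated session to this file, so
# the file holds session secrets. File::Temp creates it with owner-only
# permissions; UNLINK => 1 additionally removes it at exit on paths that never
# reach the explicit unlink below (for example the skip_all taken when the
# proxy cannot be started).
(undef, my $session) = tempfile(UNLINK => 1);
#$proxy->serverconnects(2);
# NOTE(review): the path is spliced into the flag string unquoted. Presumably
# TLSProxy turns these flags into a command line, in which case a temporary
# directory whose name contains whitespace would break this - confirm.
$proxy->clientflags("-sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
# One planned test per checkhandshake() call in this file; keep in sync.
plan tests => 12;
checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#TODO(TLS1.3): Test temporarily disabled until we implement TLS1.3 resumption
#Test 2: Resumption handshake
# NOTE(review): the disabled code still calls checkmessages(); the enabled
# tests in this file use checkhandshake($proxy, ...), so it needs porting
# before it is switched back on.
#$proxy->clearClient();
#$proxy->clientflags("-sess_in ".$session);
#$proxy->clientstart();
#checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
# Nothing below uses the saved session, so drop it right away.
unlink $session;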
128
{
    # Server option that supplies the canned OCSP response from the test tree.
    my $status_file_flags = "-status_file "
                            .srctop_file("test", "recipes", "ocsp-response.der");
    my $default_handshake = recipes::checkhandshake::DEFAULT_HANDSHAKE;
    my $default_exts      = recipes::checkhandshake::DEFAULT_EXTENSIONS;
    my $client_request    = recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION;

    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->start();
    checkhandshake($proxy, $default_handshake,
                   $default_exts | $client_request,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    # The expected set stays at the defaults: the server is not expected to
    # send status_request when the client never asked for it.
    $proxy->clear();
    $proxy->serverflags($status_file_flags);
    $proxy->start();
    checkhandshake($proxy, $default_handshake,
                   $default_exts,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    #TODO(TLS1.3): TLS1.3 doesn't actually have CertificateStatus messages.
    #This is a temporary test until such time as we do proper TLS1.3 style
    #certificate status
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->serverflags($status_file_flags);
    $proxy->start();
    checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
                   $default_exts
                   | $client_request
                   | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}
161
#Test 6: A client auth handshake
# "-Verify" makes the server require a client certificate (the argument is the
# verification depth); the client presents the test certificate from apps/.
{
    $proxy->clear();
    my $client_cert = srctop_file("apps", "server.pem");
    $proxy->clientflags("-cert ".$client_cert);
    $proxy->serverflags("-Verify 5");
    $proxy->start();
    checkhandshake(
        $proxy,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE,
        recipes::checkhandshake::DEFAULT_EXTENSIONS,
        "Client auth handshake test"
    );
}
170
#Tests 7-9: Server name handshakes
#  Test 7: client request only
#  Test 8: server support only
#  Test 9: client and server
# Each case is [client flags, server flags, extensions expected on top of the
# defaults, test name]; undef means the flags are left untouched after clear().
# In the server-only case nothing is added to the expected set: the server is
# not expected to send server_name when the client never offered it.
for my $case (
    ["-servername testhost", undef,
        recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION,
        "Server name handshake test (client)"],
    [undef, "-servername testhost",
        0,
        "Server name handshake test (server)"],
    ["-servername testhost", "-servername testhost",
        recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION
        | recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION,
        "Server name handshake test"],
) {
    my ($client_flags, $server_flags, $extra_exts, $description) = @$case;

    $proxy->clear();
    $proxy->clientflags($client_flags) if defined $client_flags;
    $proxy->serverflags($server_flags) if defined $server_flags;
    $proxy->start();
    checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
                   recipes::checkhandshake::DEFAULT_EXTENSIONS | $extra_exts,
                   $description);
}
198
#Tests 10-12: ALPN handshakes
#  Test 10: client request only
#  Test 11: server support only
#  Test 12: client and server
# Each case is [client flags, server flags, extensions expected on top of the
# defaults, test name]; undef means the flags are left untouched after clear().
# In the server-only case nothing is added to the expected set: the server is
# not expected to send ALPN when the client never offered it.
for my $case (
    ["-alpn test", undef,
        recipes::checkhandshake::ALPN_CLI_EXTENSION,
        "ALPN handshake test (client)"],
    [undef, "-alpn test",
        0,
        "ALPN handshake test (server)"],
    ["-alpn test", "-alpn test",
        recipes::checkhandshake::ALPN_CLI_EXTENSION
        | recipes::checkhandshake::ALPN_SRV_EXTENSION,
        "ALPN handshake test"],
) {
    my ($client_flags, $server_flags, $extra_exts, $description) = @$case;

    $proxy->clear();
    $proxy->clientflags($client_flags) if defined $client_flags;
    $proxy->serverflags($server_flags) if defined $server_flags;
    $proxy->start();
    checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
                   recipes::checkhandshake::DEFAULT_EXTENSIONS | $extra_exts,
                   $description);
}
226
#Test 13: SCT handshake (client request only)
#TODO(TLS1.3): This only checks that the client side extension appears. The
#SCT extension is unusual in that we have no built-in server side
#implementation. The server side implementation can normally be added using
#the custom extensions framework (e.g. by using the "-serverinfo" s_server
#option). However currently we only support <= TLS1.2 for custom extensions
#because the existing framework and API has no knowledge of the TLS1.3 messages
{
    # Everything expected beyond the defaults: the client's SCT request plus
    # both sides of status_request, which "-ct" triggers as well.
    my $expected_exts = recipes::checkhandshake::DEFAULT_EXTENSIONS
                        | recipes::checkhandshake::SCT_CLI_EXTENSION
                        | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                        | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION;

    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-ct");
    my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");
    $proxy->serverflags("-status_file ".$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
                   $expected_exts,
                   "SCT handshake test");
}