X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Frecipes%2F70-test_sslmessages.t;h=9221529827399a0fe59c292491c983fc909e6e92;hp=7e1bf1755249b11e58314212c0bb3d60af28a246;hb=f6e752c0ac2e1ba8bcecc27bc54e30b895e0a1d3;hpb=f50306c298390c701046126bd1f48f6fef3ec3ca;ds=sidebyside
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index 7e1bf17552..9221529827 100755
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -11,15 +11,7 @@ use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
 use OpenSSL::Test::Utils;
 use File::Temp qw(tempfile);
 use TLSProxy::Proxy;
-
-# This block needs to run before 'use lib srctop_dir' directives.
-BEGIN {
- OpenSSL::Test::setup("no_test_here");
-}
-
-use lib srctop_dir("test", "recipes");
-
-use recipes::checkhandshake qw(checkhandshake @handmessages @extensions);
+use checkhandshake qw(checkhandshake @handmessages @extensions);
 my $test_name = "test_sslmessages";
 setup($test_name);
@@ -37,7 +29,7 @@ plan skip_all => "$test_name needs TLS enabled"
 if alldisabled(available_protocols("tls"));
 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
+$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 my $proxy = TLSProxy::Proxy->new(
 undef,
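Review bot: `use checkhandshake qw(checkhandshake @handmessages @extensions)` now depends on checkhandshake.pm being reachable through `@INC` as arranged outside this file, because the `use lib srctop_dir("test", "recipes")` line and the early `OpenSSL::Test::setup("no_test_here")` block that made the old `recipes::` form work are removed and nothing in the hunk says what replaces them. A one-line comment above the `use` would save the next reader the search, e.g. `# checkhandshake.pm is located via the harness-provided @INC, not a local 'use lib'`; that the harness (rather than the build) supplies it is my inference, so confirm before quoting it. The exported `@handmessages` and `@extensions` are package variables of the module that this script overwrites wholesale, which is worth a word in the same comment.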
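Review bot: `$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");` is set unconditionally and without a comment, and the only consumer visible in this diff is the `-ct` client flag used by the SCT tests in the last hunk; a comment tying the two together would help, e.g. `# CT log list for the -ct (SCT) tests below`. Whether the spawned client actually reads it from the environment is inferred from the variable's name rather than shown here, so say only what is certain. Setting it even when CT is disabled is harmless for the SKIP'd tests, but a reader may wonder why it is not guarded like the SCT tests themselves.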
@@ -46,95 +38,113 @@ my $proxy = TLSProxy::Proxy->new(
 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
 );
-sub checkhandshake($$$$$);
-
 @handmessages = (
 [TLSProxy::Message::MT_CLIENT_HELLO,
- recipes::checkhandshake::ALL_HANDSHAKES],
+ checkhandshake::ALL_HANDSHAKES],
 [TLSProxy::Message::MT_SERVER_HELLO,
- recipes::checkhandshake::ALL_HANDSHAKES],
+ checkhandshake::ALL_HANDSHAKES],
 [TLSProxy::Message::MT_CERTIFICATE,
- recipes::checkhandshake::ALL_HANDSHAKES
- & ~recipes::checkhandshake::RESUME_HANDSHAKE],
+ checkhandshake::ALL_HANDSHAKES
+ & ~checkhandshake::RESUME_HANDSHAKE],
+ (disabled("ec") ? () :
+ [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
+ checkhandshake::EC_HANDSHAKE]),
 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
- recipes::checkhandshake::OCSP_HANDSHAKE],
+ checkhandshake::OCSP_HANDSHAKE],
 #ServerKeyExchange handshakes not currently supported by TLSProxy
 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
- recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
+ checkhandshake::CLIENT_AUTH_HANDSHAKE],
 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
- recipes::checkhandshake::ALL_HANDSHAKES
- & ~recipes::checkhandshake::RESUME_HANDSHAKE],
+ checkhandshake::ALL_HANDSHAKES
+ & ~checkhandshake::RESUME_HANDSHAKE],
 [TLSProxy::Message::MT_CERTIFICATE,
- recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
+ checkhandshake::CLIENT_AUTH_HANDSHAKE],
 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
- recipes::checkhandshake::ALL_HANDSHAKES
- & ~recipes::checkhandshake::RESUME_HANDSHAKE],
+ checkhandshake::ALL_HANDSHAKES
+ & ~checkhandshake::RESUME_HANDSHAKE],
 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
- recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
+ checkhandshake::CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_NEXT_PROTO,
+ checkhandshake::NPN_HANDSHAKE],
 [TLSProxy::Message::MT_FINISHED,
- recipes::checkhandshake::ALL_HANDSHAKES],
+ checkhandshake::ALL_HANDSHAKES],
 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
- recipes::checkhandshake::ALL_HANDSHAKES
- &
~recipes::checkhandshake::RESUME_HANDSHAKE],
+ checkhandshake::ALL_HANDSHAKES
+ & ~checkhandshake::RESUME_HANDSHAKE],
 [TLSProxy::Message::MT_FINISHED,
- recipes::checkhandshake::ALL_HANDSHAKES],
+ checkhandshake::ALL_HANDSHAKES],
 [TLSProxy::Message::MT_CLIENT_HELLO,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_SERVER_HELLO,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_CERTIFICATE,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_FINISHED,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [TLSProxy::Message::MT_FINISHED,
- recipes::checkhandshake::RENEG_HANDSHAKE],
+ checkhandshake::RENEG_HANDSHAKE],
 [0, 0]
 );
 @extensions = (
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
- recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION],
+ checkhandshake::SERVER_NAME_CLI_EXTENSION],
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
- recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
+ (disabled("ec") ?
() :
+ [TLSProxy::Message::MT_CLIENT_HELLO,
+ TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+ checkhandshake::DEFAULT_EXTENSIONS]),
+ (disabled("ec") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO,
+ TLSProxy::Message::EXT_EC_POINT_FORMATS,
+ checkhandshake::DEFAULT_EXTENSIONS]),
+ (disabled("tls1_2") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+ checkhandshake::DEFAULT_EXTENSIONS]),
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
- recipes::checkhandshake::ALPN_CLI_EXTENSION],
+ checkhandshake::ALPN_CLI_EXTENSION],
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
- recipes::checkhandshake::SCT_CLI_EXTENSION],
+ checkhandshake::SCT_CLI_EXTENSION],
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::DEFAULT_EXTENSIONS],
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::DEFAULT_EXTENSIONS],
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::DEFAULT_EXTENSIONS],
 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
- recipes::checkhandshake::RENEGOTIATE_CLI_EXTENSION],
+ checkhandshake::RENEGOTIATE_CLI_EXTENSION],
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
+ checkhandshake::NPN_CLI_EXTENSION],
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
+ checkhandshake::SRP_CLI_EXTENSION],
 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::DEFAULT_EXTENSIONS],
 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::DEFAULT_EXTENSIONS],
 [TLSProxy::Message::MT_SERVER_HELLO,
TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
- recipes::checkhandshake::DEFAULT_EXTENSIONS],
+ checkhandshake::DEFAULT_EXTENSIONS],
 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
- recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION],
+ checkhandshake::SESSION_TICKET_SRV_EXTENSION],
 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
- recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION],
+ checkhandshake::SERVER_NAME_SRV_EXTENSION],
 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
- recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
+ checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
- recipes::checkhandshake::ALPN_SRV_EXTENSION],
+ checkhandshake::ALPN_SRV_EXTENSION],
+ [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
+ checkhandshake::SCT_SRV_EXTENSION],
+ [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
+ checkhandshake::NPN_SRV_EXTENSION],
+ [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+ checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
 [0,0,0]
 );
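Review bot: The kept context line `#ServerKeyExchange handshakes not currently supported by TLSProxy` is now stale: the hunk adds a `[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE, checkhandshake::EC_HANDSHAKE]` entry a few lines above it, and the EC handshake test in the last hunk exercises exactly that message. Either drop the comment or narrow it to whichever ServerKeyExchange variants TLSProxy still does not parse. On style, `disabled("ec")` is evaluated three times inside the array constructors and `disabled("tls1_2")` once; hoisting `my $ec_disabled = disabled("ec");` before `@handmessages` and writing `($ec_disabled ? () : [...])` would make the gating easier to scan. checkhandshake.pm is not in this diff, so whether `ALL_HANDSHAKES` already includes `EC_HANDSHAKE` for the `MT_CERTIFICATE`/`MT_SERVER_HELLO_DONE` entries is unverified from here.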
@@ -143,49 +153,233 @@ sub checkhandshake($$$$$);
 $proxy->serverconnects(2);
 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 5;
-checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
- recipes::checkhandshake::DEFAULT_EXTENSIONS,
+plan tests => 21;
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
 "Default handshake test");
 #Test 2: Resumption handshake
 $proxy->clearClient();
 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
 $proxy->clientstart();
-checkhandshake($proxy, recipes::checkhandshake::RESUME_HANDSHAKE,
- recipes::checkhandshake::DEFAULT_EXTENSIONS
- & ~recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION,
+checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
 "Resumption handshake test");
 unlink $session;
-#Test 3: A default handshake, but with a CertificateStatus message
+#Test 3: A status_request handshake (client request only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -status");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
+ "status_request handshake test (client)");
+
+#Test 4: A status_request handshake (server support only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "status_request handshake test (server)");
+
+#Test 5: A status_request handshake (client and server)
 $proxy->clear();
 $proxy->clientflags("-no_tls1_3 -status");
 $proxy->serverflags("-status_file "
 .srctop_file("test", "recipes", "ocsp-response.der"));
 $proxy->start();
-checkhandshake($proxy,
recipes::checkhandshake::OCSP_HANDSHAKE,
- recipes::checkhandshake::DEFAULT_EXTENSIONS
- | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
- | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
- "OCSP handshake test");
+checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+ "status_request handshake test");
-#Test 4: A client auth handshake
+#Test 6: A client auth handshake
 $proxy->clear();
 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
 $proxy->serverflags("-Verify 5");
 $proxy->start();
-checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE,
- recipes::checkhandshake::DEFAULT_EXTENSIONS,
+checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
 "Client auth handshake test");
-#Test 5: A handshake with a renegotiation
+#Test 7: A handshake with a renegotiation
 $proxy->clear();
 $proxy->clientflags("-no_tls1_3");
 $proxy->reneg(1);
 $proxy->start();
-checkhandshake($proxy, recipes::checkhandshake::RENEG_HANDSHAKE,
- recipes::checkhandshake::DEFAULT_EXTENSIONS,
+checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
 "Rengotiation handshake test");
+#Test 8: Server name handshake (client request only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -servername testhost");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SERVER_NAME_CLI_EXTENSION,
+ "Server name handshake test (client)");
+
+#Test 9: Server name handshake (server support only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-servername testhost");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "Server name handshake test (server)");
+
+#Test 10: Server
name handshake (client and server)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -servername testhost");
+$proxy->serverflags("-servername testhost");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SERVER_NAME_CLI_EXTENSION
+ | checkhandshake::SERVER_NAME_SRV_EXTENSION,
+ "Server name handshake test");
+
+#Test 11: ALPN handshake (client request only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -alpn test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::ALPN_CLI_EXTENSION,
+ "ALPN handshake test (client)");
+
+#Test 12: ALPN handshake (server support only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-alpn test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "ALPN handshake test (server)");
+
+#Test 13: ALPN handshake (client and server)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -alpn test");
+$proxy->serverflags("-alpn test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::ALPN_CLI_EXTENSION
+ | checkhandshake::ALPN_SRV_EXTENSION,
+ "ALPN handshake test");
+
+SKIP: {
+ skip "No CT and/or EC support in this OpenSSL build", 1
+ if disabled("ct") || disabled("ec");
+
+ #Test 14: SCT handshake (client request only)
+ $proxy->clear();
+ #Note: -ct also sends status_request
+ $proxy->clientflags("-no_tls1_3 -ct");
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SCT_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+ "SCT handshake test (client)");
+}
+
+#Test 15: SCT handshake (server support only)
+$proxy->clear();
+#Note: -ct also sends status_request
+$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "SCT handshake test (server)");
+
+SKIP: {
+ skip "No CT and/or EC support in this OpenSSL build", 1
+ if disabled("ct") || disabled("ec");
+
+ #Test 16: SCT handshake (client and server)
+ #There is no built-in server side support for this so we are actually also
+ #testing custom extensions here
+ $proxy->clear();
+ #Note: -ct also sends status_request
+ $proxy->clientflags("-no_tls1_3 -ct");
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der")
+ ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SCT_CLI_EXTENSION
+ | checkhandshake::SCT_SRV_EXTENSION
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+ "SCT handshake test");
+}
+
+#Test 17: NPN handshake (client request only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::NPN_CLI_EXTENSION,
+ "NPN handshake test (client)");
+
+#Test 18: NPN handshake (server support only)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3");
+$proxy->serverflags("-nextprotoneg test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "NPN handshake test (server)");
+
+#Test 19: NPN handshake (client and server)
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
+$proxy->serverflags("-nextprotoneg test");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::NPN_CLI_EXTENSION
+ | checkhandshake::NPN_SRV_EXTENSION,
+ "NPN handshake test");
+
+#Test 20: SRP extension
+#Note: We are not actually going to perform an SRP handshake (TLSProxy does not
+#support it). However it is sufficient for us to check that the SRP extension
+#gets added on the client side. There is no SRP extension generated on the
+#server side anyway.
+$proxy->clear();
+$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
+$proxy->start();
+checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::SRP_CLI_EXTENSION,
+ "SRP extension test");
+
+#Test 21: EC handshake
+SKIP: {
+ skip "No EC support in this OpenSSL build", 1 if disabled("ec");
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
+ "EC handshake test");
+}
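Review bot: Test 15 (`#Test 15: SCT handshake (server support only)`) carries the copied line `#Note: -ct also sends status_request` although its `clientflags` are just `-no_tls1_3`, so the note does not apply there; drop it, or replace it with `#No -ct on the client here: only the server-side status_file is configured`. As written, Test 15's proxy setup and its expected `DEFAULT_HANDSHAKE`/`DEFAULT_EXTENSIONS` are identical to Test 4, so it re-runs the status_request server case under an SCT name; if the intent is only to pin that the server adds no SCT extension without a client request, a comment saying so would make that deliberate. On style, the `"-status_file ".srctop_file("test", "recipes", "ocsp-response.der")` expression is repeated in Tests 4, 5, 14, 15 and 16; a single `my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");` near the top would remove the duplication. The later `$proxy->start();` calls discard the return value, unlike the first one, which matches the pre-existing context lines but means a failed restart only surfaces through the following `checkhandshake` assertion.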