2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
# This block needs to run before 'use lib srctop_dir' directives.
# NOTE(review): the lines enclosing this call are not in the listing. The
# wording "this block" plus the ordering requirement suggest a BEGIN block:
# a plain run-time call would execute only after the compile-time 'use lib'
# below has already evaluated srctop_dir() -- confirm against the full file.
OpenSSL::Test::setup("no_test_here");

# Make the shared recipe helpers under test/recipes loadable.
use lib srctop_dir("test", "recipes");

# checkhandshake() performs the assertions; @handmessages and @extensions
# are the expectation tables it reads (presumably the ones filled in by the
# entry lists further down in this file).
use recipes::checkhandshake qw(checkhandshake @handmessages @extensions);
my $test_name = "test_sslmessages";

# Skip the whole recipe where the proxy or a feature it depends on is not
# available; each plan below is a separate, independent precondition.
plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS|MSWin32)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

# NOTE(review): the condition belonging to this plan (the original's line
# 34) is missing from this listing, which is why the statement is left
# unterminated here; presumably it tests disabled("sock") -- confirm.
plan skip_all => "$test_name needs the sock feature enabled"

plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"));

# Clear bits in the CPUID capability vector seen by libcrypto ('~' means
# "mask these bits out"); %ENV is inherited, so this also reaches any
# openssl processes started later. NOTE(review): which CPU features the
# mask removes, and why the proxy needs them off, is not stated here.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
# The proxy that sits between the test client and server so the handshake
# messages can be inspected. NOTE(review): the listing omits the
# constructor's first argument (original line 43) and the closing ');'
# (line 47), so the argument list shown here is partial.
my $proxy = TLSProxy::Proxy->new(
    # How to run the openssl app; display => 1 presumably echoes the command.
    cmdstr(app(["openssl"]), display => 1),
    # apps/server.pem, presumably the server's certificate and key.
    srctop_file("apps", "server.pem"),
    # True outside a test harness or when the harness is verbose;
    # presumably the proxy's debug/verbosity switch -- confirm.
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})

# Forward declaration with a five-scalar prototype for the sub imported
# above. A prototype only changes how call sites are parsed (each '$' puts
# its argument in scalar context); it does not validate the arguments.
sub checkhandshake($$$$$);
# Expected handshake messages, in wire order. Each entry is
# [message type, bitmask of the handshake kinds in which the message occurs].
# NOTE(review): the '@handmessages = (' line and the closing ');' are not
# in this listing; these pairs presumably populate @handmessages (imported
# above) -- confirm. '& ~RESUME_HANDSHAKE' removes a message from the
# abbreviated resumption flow, which in this table carries no Certificate,
# ServerHelloDone, ClientKeyExchange or NewSessionTicket.
    # Initial handshake, server flight.
    [TLSProxy::Message::MT_CLIENT_HELLO,
        recipes::checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        recipes::checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        recipes::checkhandshake::ALL_HANDSHAKES
        & ~recipes::checkhandshake::RESUME_HANDSHAKE],
    # Only present when OCSP stapling is in use (Test 3).
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        recipes::checkhandshake::OCSP_HANDSHAKE],
    #ServerKeyExchange handshakes not currently supported by TLSProxy
    # Only present when the server asks for a client certificate (Test 4).
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        recipes::checkhandshake::ALL_HANDSHAKES
        & ~recipes::checkhandshake::RESUME_HANDSHAKE],
    # Client flight; this second Certificate entry is presumably the
    # client's own certificate, since it is gated on client auth only.
    [TLSProxy::Message::MT_CERTIFICATE,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        recipes::checkhandshake::ALL_HANDSHAKES
        & ~recipes::checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        recipes::checkhandshake::ALL_HANDSHAKES],
    # No fresh ticket is expected on resumption.
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        recipes::checkhandshake::ALL_HANDSHAKES
        & ~recipes::checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        recipes::checkhandshake::ALL_HANDSHAKES],
    # A second, full handshake follows only when renegotiating (Test 5).
    [TLSProxy::Message::MT_CLIENT_HELLO,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        recipes::checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        recipes::checkhandshake::RENEG_HANDSHAKE],
# Expected extensions. Each entry is
# [message type carrying it, extension type, bitmask of the configurations
# in which it must appear]. NOTE(review): the '@extensions = (' line, the
# closing ');' and the original's lines 98-99 are missing from this
# listing; these triples presumably populate @extensions (imported above)
# -- confirm.
    # ClientHello extensions. DEFAULT_EXTENSIONS ones are always expected;
    # the *_CLI_EXTENSION ones only when the matching client flag is set.
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        recipes::checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        recipes::checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    # The client's renegotiation_info is expected only in the renegotiation
    # configuration, while the server's (below) is a default; presumably the
    # initial ClientHello signals secure renegotiation via the SCSV instead.
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        recipes::checkhandshake::RENEGOTIATE_CLI_EXTENSION],
    # ServerHello extensions.
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        recipes::checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        recipes::checkhandshake::ALPN_SRV_EXTENSION],
#Test 1: Check we get all the right messages for a default handshake
# Every test here passes -no_tls1_3, so the expectation tables describe the
# TLS 1.2-and-earlier flow (ServerHelloDone, ClientKeyExchange, a ticket
# before Finished), none of which exist in TLS 1.3.
# tempfile() returns (handle, path); only the path is kept, so the session
# written out here can be resumed in Test 2.
(undef, my $session) = tempfile();
# Two server-side connections: this handshake and, presumably, the
# resumption in Test 2, which restarts only the client.
$proxy->serverconnects(2);
# Flags are handed over as one whitespace-separated string. NOTE(review):
# the temp path is concatenated in unquoted; if the proxy splits this
# string on spaces, a temp directory containing whitespace would break the
# argument -- confirm how clientflags() tokenises it.
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
# A proxy that cannot start skips the recipe instead of failing it.
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";

checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");
#Test 2: Resumption handshake
# Reset only the client side; the server started in Test 1 is presumably
# still serving its second connection (serverconnects(2)).
$proxy->clearClient();
# Resume from the session saved by Test 1.
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
# On resumption the server is not expected to issue a new ticket, so its
# session_ticket extension is masked out of the default set.
checkhandshake($proxy, recipes::checkhandshake::RESUME_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               & ~recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
#Test 3: A default handshake, but with a CertificateStatus message
# NOTE(review): the original's line 162 (before clientflags) and line 166
# (before checkhandshake) are missing from this listing; presumably they
# reset the proxy and start it again -- confirm against the full file.
# -status makes the client request OCSP stapling; -status_file points the
# server at the canned response in test/recipes/ocsp-response.der.
$proxy->clientflags("-no_tls1_3 -status");
$proxy->serverflags("-status_file "
                    .srctop_file("test", "recipes", "ocsp-response.der"));
# Expect the CertificateStatus message and status_request on both sides.
checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS
               | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION
               | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
               "OCSP handshake test");
#Test 4: A client auth handshake
# NOTE(review): the original's lines 174 and 177 are missing from this
# listing; presumably a proxy reset and start() -- confirm.
# The client reuses apps/server.pem as its own certificate; -Verify 5 makes
# the server request and verify a client certificate (chain depth 5).
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
# Expect CertificateRequest, the client Certificate and CertificateVerify.
checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");
#Test 5: A handshake with a renegotiation
# NOTE(review): the original's lines 183 and 185-186 are missing from this
# listing. Nothing shown here triggers a renegotiation, so it must be
# requested in those lines (along with the proxy reset/start) -- confirm.
$proxy->clientflags("-no_tls1_3");
# Expect the full message sequence twice (the RENEG_HANDSHAKE entries).
# NOTE(review): "Rengotiation" in the description is a typo; it is only a
# test label, so it is left untouched here.
checkhandshake($proxy, recipes::checkhandshake::RENEG_HANDSHAKE,
               recipes::checkhandshake::DEFAULT_EXTENSIONS,
               "Rengotiation handshake test");