2 # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
16 my $test_name = "test_sslmessages";
19 plan skip_all => "TLSProxy isn't usable on $^O"
22 plan skip_all => "$test_name needs the dynamic engine feature enabled"
23 if disabled("engine") || disabled("dynamic-engine");
25 plan skip_all => "$test_name needs the sock feature enabled"
28 plan skip_all => "$test_name needs TLS enabled"
29 if alldisabled(available_protocols("tls"))
30 || (!disabled("tls1_3") && disabled("tls1_2"));
32 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
33 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");
35 my $proxy = TLSProxy::Proxy->new(
37 cmdstr(app(["openssl"]), display => 1),
38 srctop_file("apps", "server.pem"),
39 (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
43 [TLSProxy::Message::MT_CLIENT_HELLO,
44 checkhandshake::ALL_HANDSHAKES],
45 [TLSProxy::Message::MT_SERVER_HELLO,
46 checkhandshake::ALL_HANDSHAKES],
47 [TLSProxy::Message::MT_CERTIFICATE,
48 checkhandshake::ALL_HANDSHAKES
49 & ~checkhandshake::RESUME_HANDSHAKE],
50 (disabled("ec") ? () :
51 [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
52 checkhandshake::EC_HANDSHAKE]),
53 [TLSProxy::Message::MT_CERTIFICATE_STATUS,
54 checkhandshake::OCSP_HANDSHAKE],
55 #ServerKeyExchange handshakes not currently supported by TLSProxy
56 [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
57 checkhandshake::CLIENT_AUTH_HANDSHAKE],
58 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
59 checkhandshake::ALL_HANDSHAKES
60 & ~checkhandshake::RESUME_HANDSHAKE],
61 [TLSProxy::Message::MT_CERTIFICATE,
62 checkhandshake::CLIENT_AUTH_HANDSHAKE],
63 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
64 checkhandshake::ALL_HANDSHAKES
65 & ~checkhandshake::RESUME_HANDSHAKE],
66 [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
67 checkhandshake::CLIENT_AUTH_HANDSHAKE],
68 [TLSProxy::Message::MT_NEXT_PROTO,
69 checkhandshake::NPN_HANDSHAKE],
70 [TLSProxy::Message::MT_FINISHED,
71 checkhandshake::ALL_HANDSHAKES],
72 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
73 checkhandshake::ALL_HANDSHAKES
74 & ~checkhandshake::RESUME_HANDSHAKE],
75 [TLSProxy::Message::MT_FINISHED,
76 checkhandshake::ALL_HANDSHAKES],
77 [TLSProxy::Message::MT_CLIENT_HELLO,
78 checkhandshake::RENEG_HANDSHAKE],
79 [TLSProxy::Message::MT_SERVER_HELLO,
80 checkhandshake::RENEG_HANDSHAKE],
81 [TLSProxy::Message::MT_CERTIFICATE,
82 checkhandshake::RENEG_HANDSHAKE],
83 [TLSProxy::Message::MT_SERVER_HELLO_DONE,
84 checkhandshake::RENEG_HANDSHAKE],
85 [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
86 checkhandshake::RENEG_HANDSHAKE],
87 [TLSProxy::Message::MT_FINISHED,
88 checkhandshake::RENEG_HANDSHAKE],
89 [TLSProxy::Message::MT_NEW_SESSION_TICKET,
90 checkhandshake::RENEG_HANDSHAKE],
91 [TLSProxy::Message::MT_FINISHED,
92 checkhandshake::RENEG_HANDSHAKE],
97 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
98 TLSProxy::Message::CLIENT,
99 checkhandshake::SERVER_NAME_CLI_EXTENSION],
100 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
101 TLSProxy::Message::CLIENT,
102 checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
103 (disabled("ec") ? () :
104 [TLSProxy::Message::MT_CLIENT_HELLO,
105 TLSProxy::Message::EXT_SUPPORTED_GROUPS,
106 TLSProxy::Message::CLIENT,
107 checkhandshake::DEFAULT_EXTENSIONS]),
108 (disabled("ec") ? () :
109 [TLSProxy::Message::MT_CLIENT_HELLO,
110 TLSProxy::Message::EXT_EC_POINT_FORMATS,
111 TLSProxy::Message::CLIENT,
112 checkhandshake::DEFAULT_EXTENSIONS]),
113 (disabled("tls1_2") ? () :
114 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
115 TLSProxy::Message::CLIENT,
116 checkhandshake::DEFAULT_EXTENSIONS]),
117 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
118 TLSProxy::Message::CLIENT,
119 checkhandshake::ALPN_CLI_EXTENSION],
120 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
121 TLSProxy::Message::CLIENT,
122 checkhandshake::SCT_CLI_EXTENSION],
123 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
124 TLSProxy::Message::CLIENT,
125 checkhandshake::DEFAULT_EXTENSIONS],
126 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
127 TLSProxy::Message::CLIENT,
128 checkhandshake::DEFAULT_EXTENSIONS],
129 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
130 TLSProxy::Message::CLIENT,
131 checkhandshake::DEFAULT_EXTENSIONS],
132 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
133 TLSProxy::Message::CLIENT,
134 checkhandshake::RENEGOTIATE_CLI_EXTENSION],
135 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
136 TLSProxy::Message::CLIENT,
137 checkhandshake::NPN_CLI_EXTENSION],
138 [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
139 TLSProxy::Message::CLIENT,
140 checkhandshake::SRP_CLI_EXTENSION],
142 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
143 TLSProxy::Message::SERVER,
144 checkhandshake::DEFAULT_EXTENSIONS],
145 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
146 TLSProxy::Message::SERVER,
147 checkhandshake::DEFAULT_EXTENSIONS],
148 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
149 TLSProxy::Message::SERVER,
150 checkhandshake::DEFAULT_EXTENSIONS],
151 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
152 TLSProxy::Message::SERVER,
153 checkhandshake::SESSION_TICKET_SRV_EXTENSION],
154 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
155 TLSProxy::Message::SERVER,
156 checkhandshake::SERVER_NAME_SRV_EXTENSION],
157 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
158 TLSProxy::Message::SERVER,
159 checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
160 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
161 TLSProxy::Message::SERVER,
162 checkhandshake::ALPN_SRV_EXTENSION],
163 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
164 TLSProxy::Message::SERVER,
165 checkhandshake::SCT_SRV_EXTENSION],
166 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
167 TLSProxy::Message::SERVER,
168 checkhandshake::NPN_SRV_EXTENSION],
169 [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
170 TLSProxy::Message::SERVER,
171 checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
175 #Test 1: Check we get all the right messages for a default handshake
176 (undef, my $session) = tempfile();
177 $proxy->serverconnects(2);
178 $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
179 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
181 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
182 checkhandshake::DEFAULT_EXTENSIONS,
183 "Default handshake test");
185 #Test 2: Resumption handshake
186 $proxy->clearClient();
187 $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
188 $proxy->clientstart();
189 checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
190 checkhandshake::DEFAULT_EXTENSIONS
191 & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
192 "Resumption handshake test");
196 skip "No OCSP support in this OpenSSL build", 3
199 #Test 3: A status_request handshake (client request only)
201 $proxy->clientflags("-no_tls1_3 -status");
203 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
204 checkhandshake::DEFAULT_EXTENSIONS
205 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
206 "status_request handshake test (client)");
208 #Test 4: A status_request handshake (server support only)
210 $proxy->clientflags("-no_tls1_3");
211 $proxy->serverflags("-status_file "
212 .srctop_file("test", "recipes", "ocsp-response.der"));
214 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
215 checkhandshake::DEFAULT_EXTENSIONS,
216 "status_request handshake test (server)");
218 #Test 5: A status_request handshake (client and server)
220 $proxy->clientflags("-no_tls1_3 -status");
221 $proxy->serverflags("-status_file "
222 .srctop_file("test", "recipes", "ocsp-response.der"));
224 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
225 checkhandshake::DEFAULT_EXTENSIONS
226 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
227 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
228 "status_request handshake test");
231 #Test 6: A client auth handshake
233 $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
234 $proxy->serverflags("-Verify 5");
236 checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
237 checkhandshake::DEFAULT_EXTENSIONS,
238 "Client auth handshake test");
240 #Test 7: A handshake with a renegotiation
242 $proxy->clientflags("-no_tls1_3");
245 checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
246 checkhandshake::DEFAULT_EXTENSIONS,
247 "Renegotiation handshake test");
249 #Test 8: Server name handshake (no client request)
251 $proxy->clientflags("-no_tls1_3 -noservername");
253 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
254 checkhandshake::DEFAULT_EXTENSIONS
255 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
256 "Server name handshake test (client)");
258 #Test 9: Server name handshake (server support only)
260 $proxy->clientflags("-no_tls1_3 -noservername");
261 $proxy->serverflags("-servername testhost");
263 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
264 checkhandshake::DEFAULT_EXTENSIONS
265 & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
266 "Server name handshake test (server)");
268 #Test 10: Server name handshake (client and server)
270 $proxy->clientflags("-no_tls1_3 -servername testhost");
271 $proxy->serverflags("-servername testhost");
273 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
274 checkhandshake::DEFAULT_EXTENSIONS
275 | checkhandshake::SERVER_NAME_SRV_EXTENSION,
276 "Server name handshake test");
278 #Test 11: ALPN handshake (client request only)
280 $proxy->clientflags("-no_tls1_3 -alpn test");
282 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
283 checkhandshake::DEFAULT_EXTENSIONS
284 | checkhandshake::ALPN_CLI_EXTENSION,
285 "ALPN handshake test (client)");
287 #Test 12: ALPN handshake (server support only)
289 $proxy->clientflags("-no_tls1_3");
290 $proxy->serverflags("-alpn test");
292 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
293 checkhandshake::DEFAULT_EXTENSIONS,
294 "ALPN handshake test (server)");
296 #Test 13: ALPN handshake (client and server)
298 $proxy->clientflags("-no_tls1_3 -alpn test");
299 $proxy->serverflags("-alpn test");
301 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
302 checkhandshake::DEFAULT_EXTENSIONS
303 | checkhandshake::ALPN_CLI_EXTENSION
304 | checkhandshake::ALPN_SRV_EXTENSION,
305 "ALPN handshake test");
308 skip "No CT, EC or OCSP support in this OpenSSL build", 1
309 if disabled("ct") || disabled("ec") || disabled("ocsp");
311 #Test 14: SCT handshake (client request only)
313 #Note: -ct also sends status_request
314 $proxy->clientflags("-no_tls1_3 -ct");
315 $proxy->serverflags("-status_file "
316 .srctop_file("test", "recipes", "ocsp-response.der"));
318 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
319 checkhandshake::DEFAULT_EXTENSIONS
320 | checkhandshake::SCT_CLI_EXTENSION
321 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
322 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
323 "SCT handshake test (client)");
327 skip "No OCSP support in this OpenSSL build", 1
330 #Test 15: SCT handshake (server support only)
332 #Note: -ct also sends status_request
333 $proxy->clientflags("-no_tls1_3");
334 $proxy->serverflags("-status_file "
335 .srctop_file("test", "recipes", "ocsp-response.der"));
337 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
338 checkhandshake::DEFAULT_EXTENSIONS,
339 "SCT handshake test (server)");
343 skip "No CT, EC or OCSP support in this OpenSSL build", 1
344 if disabled("ct") || disabled("ec") || disabled("ocsp");
346 #Test 16: SCT handshake (client and server)
347 #There is no built-in server side support for this so we are actually also
348 #testing custom extensions here
350 #Note: -ct also sends status_request
351 $proxy->clientflags("-no_tls1_3 -ct");
352 $proxy->serverflags("-status_file "
353 .srctop_file("test", "recipes", "ocsp-response.der")
354 ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
356 checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
357 checkhandshake::DEFAULT_EXTENSIONS
358 | checkhandshake::SCT_CLI_EXTENSION
359 | checkhandshake::SCT_SRV_EXTENSION
360 | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
361 | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
362 "SCT handshake test");
367 skip "No NPN support in this OpenSSL build", 3
368 if disabled("nextprotoneg");
370 #Test 17: NPN handshake (client request only)
372 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
374 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
375 checkhandshake::DEFAULT_EXTENSIONS
376 | checkhandshake::NPN_CLI_EXTENSION,
377 "NPN handshake test (client)");
379 #Test 18: NPN handshake (server support only)
381 $proxy->clientflags("-no_tls1_3");
382 $proxy->serverflags("-nextprotoneg test");
384 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
385 checkhandshake::DEFAULT_EXTENSIONS,
386 "NPN handshake test (server)");
388 #Test 19: NPN handshake (client and server)
390 $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
391 $proxy->serverflags("-nextprotoneg test");
393 checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
394 checkhandshake::DEFAULT_EXTENSIONS
395 | checkhandshake::NPN_CLI_EXTENSION
396 | checkhandshake::NPN_SRV_EXTENSION,
397 "NPN handshake test");
401 skip "No SRP support in this OpenSSL build", 1
404 #Test 20: SRP extension
405 #Note: We are not actually going to perform an SRP handshake (TLSProxy
406 #does not support it). However it is sufficient for us to check that the
407 #SRP extension gets added on the client side. There is no SRP extension
408 #generated on the server side anyway.
410 $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
412 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
413 checkhandshake::DEFAULT_EXTENSIONS
414 | checkhandshake::SRP_CLI_EXTENSION,
415 "SRP extension test");
418 #Test 21: EC handshake
420 skip "No EC support in this OpenSSL build", 1 if disabled("ec");
422 $proxy->clientflags("-no_tls1_3");
423 $proxy->serverflags("-no_tls1_3");
424 $proxy->ciphers("ECDHE-RSA-AES128-SHA");
426 checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
427 checkhandshake::DEFAULT_EXTENSIONS
428 | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
429 "EC handshake test");