1 #! /usr/bin/env perl
2 # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 use strict;
10 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
11 use OpenSSL::Test::Utils;
12 use File::Temp qw(tempfile);
13 use TLSProxy::Proxy;
14 use checkhandshake qw(checkhandshake @handmessages @extensions);
15
# Register this recipe with the test harness.  The name is also used as
# the prefix of every skip reason below, so a skipped run says which
# recipe was skipped and why.
my $test_name = "test_tls13messages";
setup($test_name);

# TLSProxy drives real sockets and child processes; it is not usable on
# every platform OpenSSL builds on.
plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

# Build-time features the handshakes below depend on.  Each entry is a
# human-readable description followed by the feature names that must all
# be enabled; the first unmet requirement skips the whole recipe.
my @build_requirements = (
    ["the dynamic engine feature enabled", "engine", "dynamic-engine"],
    ["the sock feature enabled",           "sock"],
    ["TLSv1.3 enabled",                    "tls1_3"],
    ["EC enabled",                         "ec"],
);
for my $requirement (@build_requirements) {
    my ($description, @features) = @$requirement;
    plan skip_all => "$test_name needs $description"
        if grep { disabled($_) } @features;
}

# Mask two bits of the CPU capability vector for the child processes so
# that client and server take the same code paths on every host.  The
# bits appear to correspond to AES-NI and PCLMULQDQ -- confirm before
# relying on that reading.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
35
# Expected handshake message sequence as [message type, handshake mask]
# pairs, in wire order.  checkhandshake() walks this list; the mask names
# the handshake variants in which that message must be seen, and [0, 0]
# terminates the list.  The second and third entries are only expected in
# the HRR variants: presumably the ServerHello carrying the
# HelloRetryRequest and the second ClientHello it provokes.
@handmessages = do {
    my $every    = checkhandshake::ALL_HANDSHAKES;
    my $hrr_only = checkhandshake::HRR_HANDSHAKE
                   | checkhandshake::HRR_RESUME_HANDSHAKE;
    my $cli_auth = checkhandshake::CLIENT_AUTH_HANDSHAKE;
    # Server Certificate/CertificateVerify are not expected in either
    # resumption variant.
    my $not_resumed = checkhandshake::ALL_HANDSHAKES
                      & ~(checkhandshake::RESUME_HANDSHAKE
                          | checkhandshake::HRR_RESUME_HANDSHAKE);
    (
        [TLSProxy::Message::MT_CLIENT_HELLO,         $every],
        [TLSProxy::Message::MT_SERVER_HELLO,         $hrr_only],
        [TLSProxy::Message::MT_CLIENT_HELLO,         $hrr_only],
        [TLSProxy::Message::MT_SERVER_HELLO,         $every],
        [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, $every],
        [TLSProxy::Message::MT_CERTIFICATE_REQUEST,  $cli_auth],
        [TLSProxy::Message::MT_CERTIFICATE,          $not_resumed],
        [TLSProxy::Message::MT_CERTIFICATE_VERIFY,   $not_resumed],
        [TLSProxy::Message::MT_FINISHED,             $every],
        # Client authentication messages, expected only when the server
        # asked for a client certificate.
        [TLSProxy::Message::MT_CERTIFICATE,          $cli_auth],
        [TLSProxy::Message::MT_CERTIFICATE_VERIFY,   $cli_auth],
        [TLSProxy::Message::MT_FINISHED,             $every],
        [0, 0]
    );
};
63
# Expected extensions as [message type, extension type, sender, flag]
# rows, grouped by the message that carries them and listed in wire order.
# The flag names the test condition under which the extension must be
# present (DEFAULT_EXTENSIONS means "always"); [0,0,0,0] terminates the
# list.  checkhandshake() consumes this table.
@extensions = do {
    my $in_client_hello = sub {
        my ($extension, $flag) = @_;
        return [TLSProxy::Message::MT_CLIENT_HELLO, $extension,
                TLSProxy::Message::CLIENT, $flag];
    };
    my $from_server = sub {
        my ($message, $extension, $flag) = @_;
        return [$message, $extension, TLSProxy::Message::SERVER, $flag];
    };

    # The same ClientHello extension set is expected twice: in the initial
    # ClientHello and again in the one sent after a HelloRetryRequest.  A
    # closure builds it so each occurrence gets its own array refs.
    my $client_hello_rows = sub {
        return (
            $in_client_hello->(TLSProxy::Message::EXT_SERVER_NAME,
                               checkhandshake::SERVER_NAME_CLI_EXTENSION),
            $in_client_hello->(TLSProxy::Message::EXT_STATUS_REQUEST,
                               checkhandshake::STATUS_REQUEST_CLI_EXTENSION),
            $in_client_hello->(TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_EC_POINT_FORMATS,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_SIG_ALGS,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_ALPN,
                               checkhandshake::ALPN_CLI_EXTENSION),
            $in_client_hello->(TLSProxy::Message::EXT_SCT,
                               checkhandshake::SCT_CLI_EXTENSION),
            $in_client_hello->(TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_SESSION_TICKET,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_KEY_SHARE,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_PSK_KEX_MODES,
                               checkhandshake::DEFAULT_EXTENSIONS),
            $in_client_hello->(TLSProxy::Message::EXT_PSK,
                               checkhandshake::PSK_CLI_EXTENSION),
            $in_client_hello->(TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
                               checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION),
        );
    };

    (
        # Initial ClientHello.
        $client_hello_rows->(),

        # ServerHello carrying a HelloRetryRequest; the key_share row is
        # only expected in the HRR variants.
        $from_server->(TLSProxy::Message::MT_SERVER_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
                       checkhandshake::DEFAULT_EXTENSIONS),
        $from_server->(TLSProxy::Message::MT_SERVER_HELLO,
                       TLSProxy::Message::EXT_KEY_SHARE,
                       checkhandshake::KEY_SHARE_HRR_EXTENSION),

        # Second ClientHello, sent in reply to the HelloRetryRequest.
        $client_hello_rows->(),

        # ServerHello proper.  pre_shared_key only appears when the server
        # accepted a resumption PSK.
        $from_server->(TLSProxy::Message::MT_SERVER_HELLO,
                       TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
                       checkhandshake::DEFAULT_EXTENSIONS),
        $from_server->(TLSProxy::Message::MT_SERVER_HELLO,
                       TLSProxy::Message::EXT_KEY_SHARE,
                       checkhandshake::DEFAULT_EXTENSIONS),
        $from_server->(TLSProxy::Message::MT_SERVER_HELLO,
                       TLSProxy::Message::EXT_PSK,
                       checkhandshake::PSK_SRV_EXTENSION),

        # EncryptedExtensions.
        $from_server->(TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
                       TLSProxy::Message::EXT_SERVER_NAME,
                       checkhandshake::SERVER_NAME_SRV_EXTENSION),
        $from_server->(TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
                       TLSProxy::Message::EXT_ALPN,
                       checkhandshake::ALPN_SRV_EXTENSION),
        $from_server->(TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
                       TLSProxy::Message::EXT_SUPPORTED_GROUPS,
                       checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION),

        # CertificateRequest (client-auth handshakes only).
        $from_server->(TLSProxy::Message::MT_CERTIFICATE_REQUEST,
                       TLSProxy::Message::EXT_SIG_ALGS,
                       checkhandshake::DEFAULT_EXTENSIONS),

        # Server Certificate: stapled OCSP response and SCTs ride on the
        # certificate entry in TLSv1.3.
        $from_server->(TLSProxy::Message::MT_CERTIFICATE,
                       TLSProxy::Message::EXT_STATUS_REQUEST,
                       checkhandshake::STATUS_REQUEST_SRV_EXTENSION),
        $from_server->(TLSProxy::Message::MT_CERTIFICATE,
                       TLSProxy::Message::EXT_SCT,
                       checkhandshake::SCT_SRV_EXTENSION),

        [0,0,0,0]
    );
};
197
# The proxy sits between the s_client and s_server it spawns and records
# every handshake message for checkhandshake() to inspect.  Positional
# arguments: a message filter callback (none -- messages are only
# observed, never rewritten), the openssl command to run, the server
# certificate, and whether to emit debug output (suppressed only under a
# non-verbose harness).
my $proxy = do {
    my $openssl_cmd = cmdstr(app(["openssl"]), display => 1);
    my $server_pem  = srctop_file("apps", "server.pem");
    my $want_debug  = !$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE};
    TLSProxy::Proxy->new(undef, $openssl_cmd, $server_pem, $want_debug);
};
204
# Test 1: default handshake.  The client is told to serialise its session
# to a temp file so the resumption tests can read it back; only the file
# name is kept, the handle is discarded and s_client writes the file.
(undef, my $session) = tempfile();
# Two server connections are needed: this handshake and test 2's resume.
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->sessionfile($session);
# plan skip_all ends the script here, so on that path the unlink at the
# bottom of the file is never reached and the session file is left behind.
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

# Test 2: resumption.  Only the client is restarted; the server from
# test 1 is still waiting for its second connection.  Both sides must
# show the pre_shared_key extension.
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

# Every remaining test is one fresh proxy run: reset the proxy, set the
# s_client/s_server flags that provoke the behaviour under test, start,
# and compare what was observed with the expected handshake type and
# extension set.  Omitted flags are simply not set.
my $run_handshake = sub {
    my (%arg) = @_;
    $proxy->clear();
    $proxy->clientflags($arg{client}) if defined $arg{client};
    $proxy->serverflags($arg{server}) if defined $arg{server};
    $proxy->start();
    checkhandshake($proxy, $arg{handshake}, $arg{extensions}, $arg{name});
};

my $default_hs    = checkhandshake::DEFAULT_HANDSHAKE;
my $default_ext   = checkhandshake::DEFAULT_EXTENSIONS;
# The server's own certificate doubles as the client certificate.
my $client_cert   = srctop_file("apps", "server.pem");
my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");

SKIP: {
    skip "No OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    # Test 3: client asks for a stapled OCSP response, server has none.
    $run_handshake->(
        client     => "-status",
        handshake  => $default_hs,
        extensions => $default_ext
                      | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
        name       => "status_request handshake test (client)",
    );

    # Test 4: server could staple, but the client never asks, so neither
    # side sends status_request.
    $run_handshake->(
        server     => "-status_file ".$ocsp_response,
        handshake  => $default_hs,
        extensions => $default_ext,
        name       => "status_request handshake test (server)",
    );

    # Test 5: client asks and the server staples its response.
    $run_handshake->(
        client     => "-status",
        server     => "-status_file ".$ocsp_response,
        handshake  => $default_hs,
        extensions => $default_ext
                      | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                      | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
        name       => "status_request handshake test",
    );

    # Test 6: as test 5, plus mutual authentication (-Verify makes the
    # server demand a client certificate) and post-handshake auth.
    $run_handshake->(
        client     => "-status -enable_pha -cert ".$client_cert,
        server     => "-Verify 5 -status_file ".$ocsp_response,
        handshake  => checkhandshake::CLIENT_AUTH_HANDSHAKE,
        extensions => $default_ext
                      | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                      | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                      | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
        name       => "status_request handshake with client auth test",
    );
}

# Test 7: client authentication on its own.
$run_handshake->(
    client     => "-enable_pha -cert ".$client_cert,
    server     => "-Verify 5",
    handshake  => checkhandshake::CLIENT_AUTH_HANDSHAKE,
    extensions => $default_ext
                  | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
    name       => "Client auth handshake test",
);

# Test 8: client suppresses SNI, so server_name is absent from the
# ClientHello.
$run_handshake->(
    client     => "-noservername",
    handshake  => $default_hs,
    extensions => $default_ext
                  & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
    name       => "Server name handshake test (client)",
);

# Test 9: server is configured for a name but the client sends no SNI;
# the expected extension set is the same as test 8.
$run_handshake->(
    client     => "-noservername",
    server     => "-servername testhost",
    handshake  => $default_hs,
    extensions => $default_ext
                  & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
    name       => "Server name handshake test (server)",
);

# Test 10: SNI sent and matched; the server acknowledges it in
# EncryptedExtensions.
$run_handshake->(
    client     => "-servername testhost",
    server     => "-servername testhost",
    handshake  => $default_hs,
    extensions => $default_ext
                  | checkhandshake::SERVER_NAME_SRV_EXTENSION,
    name       => "Server name handshake test",
);

# Test 11: ALPN offered by the client only.
$run_handshake->(
    client     => "-alpn test",
    handshake  => $default_hs,
    extensions => $default_ext
                  | checkhandshake::ALPN_CLI_EXTENSION,
    name       => "ALPN handshake test (client)",
);

# Test 12: ALPN configured on the server only; nothing is negotiated.
$run_handshake->(
    server     => "-alpn test",
    handshake  => $default_hs,
    extensions => $default_ext,
    name       => "ALPN handshake test (server)",
);

# Test 13: ALPN offered and selected.
$run_handshake->(
    client     => "-alpn test",
    server     => "-alpn test",
    handshake  => $default_hs,
    extensions => $default_ext
                  | checkhandshake::ALPN_CLI_EXTENSION
                  | checkhandshake::ALPN_SRV_EXTENSION,
    name       => "ALPN handshake test",
);

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    # Test 14: SCTs requested by the client.  -ct also sends
    # status_request, hence the OCSP expectations alongside the SCT ones.
    $run_handshake->(
        client     => "-ct",
        server     => "-status_file ".$ocsp_response
                      ." -serverinfo ".srctop_file("test", "serverinfo2.pem"),
        handshake  => $default_hs,
        extensions => $default_ext
                      | checkhandshake::SCT_CLI_EXTENSION
                      | checkhandshake::SCT_SRV_EXTENSION
                      | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                      | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
        name       => "SCT handshake test",
    );
}

# Test 15: HelloRetryRequest.  Restricting the server to P-256 rejects
# the client's initial key_share (presumably a different default group),
# so the server answers with an HRR naming the group it wants.
$run_handshake->(
    server     => "-curves P-256",
    handshake  => checkhandshake::HRR_HANDSHAKE,
    extensions => $default_ext
                  | checkhandshake::KEY_SHARE_HRR_EXTENSION,
    name       => "HRR handshake test",
);

# Test 16: resumption that also goes through an HRR, reusing the session
# written in test 1.
$run_handshake->(
    client     => "-sess_in ".$session,
    server     => "-curves P-256",
    handshake  => checkhandshake::HRR_RESUME_HANDSHAKE,
    extensions => ($default_ext
                   | checkhandshake::KEY_SHARE_HRR_EXTENSION
                   | checkhandshake::PSK_CLI_EXTENSION
                   | checkhandshake::PSK_SRV_EXTENSION),
    name       => "Resumption handshake with HRR test",
);

# Test 17: the client offers only P-256, which the server accepts without
# an HRR but, as it is not the server's preference, it advertises its
# supported_groups in EncryptedExtensions.
$run_handshake->(
    client     => "-curves P-256",
    handshake  => $default_hs,
    extensions => $default_ext
                  | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
    name       => "Acceptable but non preferred key_share",
);

# Remove the serialised session (it carries the resumption secret) now
# that nothing else resumes it.
unlink $session;