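#! /usr/bin/env perl
# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Test recipe "test_tls13messages": drives 17 TLSv1.3 handshakes between the
# openssl client and server apps through TLSProxy and, after each one, calls
# checkhandshake() with the handshake type and the bitmask of extensions that
# are expected for that configuration. The two tables below (@handmessages and
# @extensions) are exported by the checkhandshake module and filled in here.
# NOTE(review): how checkhandshake() consumes the tables is defined in
# checkhandshake.pm, which is not part of this file - confirm there.

use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_tls13messages";
setup($test_name);

# Build-configuration guards: each one skips the whole recipe.
plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

plan skip_all => "$test_name needs EC enabled"
    if disabled("ec");

# Handshake message table. Each row is [message type, handshake-type bitmask];
# the row [0, 0] terminates the list. Presumably a message is expected, in
# this order, whenever the handshake type under test is in the row's mask.
@handmessages = (
    # First ClientHello; the ServerHello/ClientHello pair that follows is only
    # flagged for the HelloRetryRequest handshake types.
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    # Server Certificate/CertificateVerify are masked out for both resumption
    # handshake types.
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    # Second Certificate/CertificateVerify pair: client authentication only.
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

# Extension table. Each row is
#   [message type, extension type, sender (CLIENT or SERVER), extension bitmask]
# and the row [0,0,0,0] terminates the list. The bitmask is compared against
# the extension mask passed to checkhandshake() for each test below.
@extensions = (
    # ClientHello (first occurrence in @handmessages).
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],

    # ServerHello whose key_share is flagged KEY_SHARE_HRR_EXTENSION, i.e. the
    # HelloRetryRequest case.
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    # ClientHello (second occurrence in @handmessages); same rows as the first.
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],

    # ServerHello (the one flagged ALL_HANDSHAKES in @handmessages).
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::SERVER,
        checkhandshake::PSK_SRV_EXTENSION],

    # EncryptedExtensions.
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::SERVER,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    # CertificateRequest.
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],

    # Certificate (server side: stapled OCSP response and SCT).
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0,0]
);

# The proxy is created with no first argument (undef), the command string for
# the openssl app, the test server certificate, and a flag that is true when
# the script runs outside a harness or the harness is verbose.
# NOTE(review): the meaning of the first and last constructor arguments is
# defined in TLSProxy::Proxy - presumably a message filter and a debug switch.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

# Every test pins the client cipher string to "DEFAULT:@SECLEVEL=2" and passes
# -no_rx_cert_comp (do not accept compressed certificates) to the apps, so the
# expected message and extension set does not depend on build defaults.

#Test 1: Check we get all the right messages for a default handshake
# Only the file name is kept; the handle returned by tempfile() is dropped and
# the client writes the session to the path via -sess_out.
# NOTE(review): the path is concatenated unquoted into the flag string; if
# TLSProxy builds a shell command from it, a temp directory containing
# whitespace would split the argument - confirm.
(undef, my $session) = tempfile();
# The file holds the TLS session saved for the resumption tests. Remove it on
# every exit path (including "plan skip_all" and die), not only when the
# script runs to completion. The pid check keeps a child process that shares
# this END block from deleting the file while the parent still needs it.
my $session_owner = $$;
END {
    unlink $session
        if defined $session
            && defined $session_owner
            && $$ == $session_owner;
}
$proxy->serverconnects(2);
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -sess_out ".$session);
$proxy->sessionfile($session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client is reset here; the server started for test 1 is reused
# (see serverconnects(2) above).
$proxy->clearClient();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

SKIP: {
    # NOTE(review): the skip reason names only OCSP although the condition
    # also tests "ct" and "ec"; "ec" is already required by the plan above.
    skip "No OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");
    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->cipherc("DEFAULT:\@SECLEVEL=2");
    $proxy->clientflags("-no_rx_cert_comp -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    $proxy->clear();
    $proxy->cipherc("DEFAULT:\@SECLEVEL=2");
    $proxy->clientflags("-no_rx_cert_comp");
    $proxy->serverflags("-no_rx_cert_comp -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->cipherc("DEFAULT:\@SECLEVEL=2");
    $proxy->clientflags("-no_rx_cert_comp -status");
    $proxy->serverflags("-no_rx_cert_comp -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");

    #Test 6: A status_request handshake (client and server) with client auth
    $proxy->clear();
    $proxy->cipherc("DEFAULT:\@SECLEVEL=2");
    $proxy->clientflags("-no_rx_cert_comp -status -enable_pha -cert "
                        .srctop_file("apps", "server.pem"));
    $proxy->serverflags("-no_rx_cert_comp -Verify 5 -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "status_request handshake with client auth test");
}

#Test 7: A client auth handshake
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -enable_pha -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-no_rx_cert_comp -Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS |
               checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
               "Client auth handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -noservername");
$proxy->serverflags("-no_rx_cert_comp -servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -servername testhost");
$proxy->serverflags("-no_rx_cert_comp -servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp");
$proxy->serverflags("-no_rx_cert_comp -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -alpn test");
$proxy->serverflags("-no_rx_cert_comp -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    $proxy->cipherc("DEFAULT:\@SECLEVEL=2");
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_rx_cert_comp -ct");
    $proxy->serverflags("-no_rx_cert_comp -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}

#Test 15: HRR Handshake
# The server is restricted to P-384 while the client keeps its defaults; the
# test expects the HelloRetryRequest message flow as a result.
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp");
$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::KEY_SHARE_HRR_EXTENSION,
               "HRR handshake test");

#Test 16: Resumption handshake with HRR
# Reuses the session file written by test 1.
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::KEY_SHARE_HRR_EXTENSION
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake with HRR test");

#Test 17: Acceptable but non preferred key_share
$proxy->clear();
$proxy->cipherc("DEFAULT:\@SECLEVEL=2");
$proxy->clientflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
               "Acceptable but non preferred key_share");

# The session file is removed by the END block declared next to tempfile().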