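#! /usr/bin/env perl
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Drive a TLSv1.3 s_client/s_server pair through TLSProxy and check that
# exactly the expected handshake messages and extensions appear on the
# wire for each handshake shape: full handshake, PSK resumption, client
# authentication, HelloRetryRequest (HRR), HRR + resumption, and the
# optional status_request / server_name / ALPN / SCT extensions.
#
# The tables @handmessages and @extensions below are consumed by
# checkhandshake(); each test only varies the s_client/s_server flags and
# the bitmask of handshake variant / extensions that must be present.
# Because every entry carries a bitmask of the variants it belongs to, a
# message or extension that turns up in a variant where it is NOT
# expected (e.g. a Certificate on a PSK resumption) is a test failure,
# not just a missing one.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_tls13messages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

plan skip_all => "$test_name needs EC enabled"
    if disabled("ec");

# Mask CPU capability bits for the spawned openssl processes (see
# OPENSSL_ia32cap(3)), presumably so the record-layer crypto takes the
# same code path regardless of what the host CPU accelerates.
# NOTE(review): which exact features the mask disables is not documented
# here -- confirm against the other TLSProxy recipes before changing it.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Certificate/CertificateVerify are only sent on certificate-authenticated
# handshakes; a PSK resumption (with or without an HRR) must not carry them.
my $cert_auth_handshakes = checkhandshake::ALL_HANDSHAKES
    & ~(checkhandshake::RESUME_HANDSHAKE
        | checkhandshake::HRR_RESUME_HANDSHAKE);

# Expected handshake messages in wire order.  Each entry is
# [message type, bitmask of handshake variants in which it must appear];
# [0, 0] terminates the list.  The first ServerHello/ClientHello pair is
# the HRR exchange and only appears in the HRR variants.
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    # HelloRetryRequest (sent as a ServerHello) followed by the retried CH
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    # Server asks for a client certificate only in the client-auth tests
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        $cert_auth_handshakes],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        $cert_auth_handshakes],
    # Server Finished
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    # Client certificate and proof of possession, client-auth only
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    # Client Finished
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

# Expected extensions, listed in the same order as @handmessages above.
# Each entry is [message type, extension type, sender, bitmask of
# extension flags under which it must appear]; [0,0,0,0] terminates the
# list.  DEFAULT_EXTENSIONS entries are required on every handshake; the
# others are only required when the test passes the matching flag.  The
# first ClientHello group is the initial CH, the first ServerHello group
# is the HRR, and the second CH / SH groups are the retried CH and the
# real SH.
@extensions = (
    # Initial ClientHello
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    # HelloRetryRequest: key_share here carries only the group to retry with
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    # Retried ClientHello after an HRR: same extension set as the first CH
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    # Real ServerHello; pre_shared_key only when the server accepted a PSK
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::SERVER,
        checkhandshake::PSK_SRV_EXTENSION],

    # EncryptedExtensions
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::SERVER,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    # CertificateRequest (client-auth tests only)
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],

    # Server Certificate: OCSP staple and SCTs ride on the certificate entry
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0,0]
);

# Fixtures shared by several tests.  server.pem is the server's
# certificate and is reused as the client certificate in the client-auth
# tests; ocsp-response.der is the canned OCSP response the server staples.
my $server_pem = srctop_file("apps", "server.pem");
my $ocsp_response = srctop_file("test", "recipes", "ocsp-response.der");

my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    $server_pem,
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Test 1: Check we get all the right messages for a default handshake
# The session written via -sess_out is reused by the resumption tests.
# It contains the resumption secret, so ask File::Temp to remove it at
# exit as well: the explicit unlink at the bottom is skipped if the
# script bails out early (skip_all, die).
(undef, my $session) = tempfile(UNLINK => 1);
# The server stays up for two connections so Test 2 can resume against
# the same server instance without a restart.
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->sessionfile($session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client is restarted; it offers the PSK from Test 1's session
# and the server must accept it (PSK on both CH and SH, no Certificate).
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

SKIP: {
    # The skip condition covers CT and EC as well as OCSP; say so, as the
    # second SKIP block below does.
    skip "No CT, EC or OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");
    #Test 3: A status_request handshake (client request only)
    # Client asks for a staple; server has none, so nothing must come back.
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    # Server has a staple but the client did not ask; it must not be sent.
    $proxy->clear();
    $proxy->serverflags("-status_file ".$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->serverflags("-status_file ".$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");

    #Test 6: A status_request handshake (client and server) with client auth
    # -Verify makes the server demand a client certificate; -enable_pha
    # additionally advertises post_handshake_auth in the ClientHello.
    $proxy->clear();
    $proxy->clientflags("-status -enable_pha -cert ".$server_pem);
    $proxy->serverflags("-Verify 5 -status_file ".$ocsp_response);
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "status_request handshake with client auth test");
}

#Test 7: A client auth handshake
$proxy->clear();
$proxy->clientflags("-enable_pha -cert ".$server_pem);
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS |
               checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
               "Client auth handshake test");

#Test 8: Server name handshake (no client request)
# SNI is on by default, hence the explicit removal from DEFAULT_EXTENSIONS.
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
# Server is configured for a name but the client sends no SNI, so the
# server must not echo server_name in EncryptedExtensions.
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
# No ALPN offered by the client, so the server must not select one.
$proxy->clear();
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    # serverinfo2.pem supplies the SCT extension data the server returns
    # alongside its certificate.
    $proxy->clientflags("-ct");
    $proxy->serverflags("-status_file ".$ocsp_response
                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}

#Test 15: HRR Handshake
# The server only accepts P-256, which the client does not offer a
# key_share for by default, so the server must answer with an HRR
# naming P-256 and the client must retry.
$proxy->clear();
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::KEY_SHARE_HRR_EXTENSION,
               "HRR handshake test");

#Test 16: Resumption handshake with HRR
# Same as Test 15 but resuming Test 1's session: the PSK must survive
# the retry, and still no Certificate/CertificateVerify.
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::KEY_SHARE_HRR_EXTENSION
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake with HRR test");

#Test 17: Acceptable but non preferred key_share
# The client's P-256 share is usable, so no HRR, but the server signals
# its preferred groups via supported_groups in EncryptedExtensions.
$proxy->clear();
$proxy->clientflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
               "Acceptable but non preferred key_share");

# Remove the session file (and the resumption secret in it) as soon as
# the tests are done rather than waiting for process exit.
unlink $session;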