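#! /usr/bin/env perl
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# test_tls13messages: drives TLSv1.3 handshakes through TLSProxy and checks,
# via checkhandshake(), that exactly the expected handshake messages and
# extensions appear for each scenario (default, resumption, status_request,
# client auth, SNI, ALPN, SCT, HelloRetryRequest, non-preferred key_share).
#
# The @handmessages / @extensions tables below are the expectation model that
# checkhandshake() consumes; the flag constants in the third/fourth column say
# in which handshake types (or with which feature flags enabled) a message or
# extension is expected to be present.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_tls13messages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

# Mask CPUID capability bits for the openssl processes spawned below. Per
# OPENSSL_ia32cap(3) bits 33 and 57 correspond to PCLMULQDQ and AES-NI, so this
# presumably forces the non-accelerated code paths the proxy expects -- TODO
# confirm against the TLSProxy documentation.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
# CT log list used by the SCT test (Test 14) to validate received SCTs.
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");


# Expected handshake message sequence. Each entry is [message type, handshake
# types in which the message is expected]; the list is terminated by [0, 0].
# The first ServerHello/ClientHello pair only appears in HelloRetryRequest
# flows; Certificate/CertificateVerify from the server are absent on
# resumption (PSK) handshakes; the client-side CertificateRequest/Certificate/
# CertificateVerify only appear when client auth is in use.
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

# Expected extensions. Each entry is [message type, extension type, sender,
# feature flags under which the extension is expected]; terminated by
# [0,0,0,0]. The ClientHello extension list appears twice because a
# HelloRetryRequest flow carries two ClientHellos; the first ServerHello
# block is the HRR (key_share only with KEY_SHARE_HRR_EXTENSION), the
# second is the real ServerHello.
@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    # HelloRetryRequest (first ServerHello in an HRR flow)
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    # Second ClientHello (sent in reply to an HRR); same expectations as above
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    # Real ServerHello
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::SERVER,
        checkhandshake::PSK_SRV_EXTENSION],

    # EncryptedExtensions
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::SERVER,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    # CertificateRequest (client auth only)
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],

    # Server Certificate: OCSP staple and SCTs ride as extensions in TLSv1.3
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0,0]
);

# Proxy between s_client and s_server: apps/server.pem is the server
# certificate; the last argument enables debug output when not running under
# the harness, or when the harness is verbose.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Test 1: Check we get all the right messages for a default handshake
# The session written by -sess_out holds the resumption secret for Tests 2 and
# 16. UNLINK => 1 makes File::Temp remove it at exit even if we bail out early
# (skip_all / die) before the explicit unlink at the bottom; File::Temp
# creates it with restrictive (owner-only) permissions. The handle is closed
# straight away, as the original discarded handle was, so that any lock
# File::Temp may hold on some platforms is released before s_client writes
# to the path.
(my $sessfh, my $session) = tempfile(UNLINK => 1);
close $sessfh;
# Let the server accept two connections: the initial handshake and the
# resumption in Test 2, which presumably must hit the same server instance
# for its ticket to be accepted.
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->sessionfile($session);
# The plan is declared only once the proxy is known to be usable, so a
# start-up failure becomes a skip rather than 17 failures.
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client is restarted (clearClient/clientstart); the server from
# Test 1 is still running for its second accepted connection.
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

# The skip count (4) must match the number of checkhandshake() calls inside.
SKIP: {
    skip "No OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");
    #Test 3: A status_request handshake (client request only)
    # Client asks for a staple, server has none to give: client ext only.
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    # Server has a staple but the client did not ask: neither ext expected.
    $proxy->clear();
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");

    #Test 6: A status_request handshake (client and server) with client auth
    # -Verify 5 makes the server demand a client certificate; -enable_pha
    # adds the post_handshake_auth extension to the ClientHello.
    $proxy->clear();
    $proxy->clientflags("-status -enable_pha -cert "
                        .srctop_file("apps", "server.pem"));
    $proxy->serverflags("-Verify 5 -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "status_request handshake with client auth test");
}

#Test 7: A client auth handshake
$proxy->clear();
$proxy->clientflags("-enable_pha -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS |
               checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
               "Client auth handshake test");

#Test 8: Server name handshake (no client request)
# -noservername suppresses SNI, so the default client extension set minus
# server_name is expected.
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
# Matching names on both sides: the server acknowledges in
# EncryptedExtensions.
$proxy->clear();
$proxy->clientflags("-servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

# The skip count (1) must match the number of checkhandshake() calls inside.
SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    # The server supplies SCTs via -serverinfo and a staple via -status_file,
    # so both the SCT and status_request extensions are expected on both
    # sides; SCTs are checked against $ENV{CTLOG_FILE} set above.
    $proxy->clientflags("-ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}

#Test 15: HRR Handshake
# Restricting the server to P-256 (not in the client's default key_share)
# forces a HelloRetryRequest carrying a key_share selection.
$proxy->clear();
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::KEY_SHARE_HRR_EXTENSION,
               "HRR handshake test");

#Test 16: Resumption handshake with HRR
# Reuses the session saved in Test 1 together with the HRR trigger above.
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::KEY_SHARE_HRR_EXTENSION
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake with HRR test");

#Test 17: Acceptable but non preferred key_share
# The client offers only P-256; the server accepts it without an HRR but
# signals its own preference in the supported_groups extension of
# EncryptedExtensions.
$proxy->clear();
$proxy->clientflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
               "Acceptable but non preferred key_share");

# Explicit cleanup on the normal path; File::Temp's UNLINK => 1 above covers
# early exits and is a no-op once the file is gone.
unlink $session;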