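#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Runs a pre-TLS1.3 client and server through a series of handshakes via
# TLSProxy and checks, for each one, that exactly the expected handshake
# messages and extensions appear on the wire.  The expectations are bit
# masks from checkhandshake: @handmessages maps each message type to the
# handshake types it must occur in, @extensions maps each (message,
# extension) pair to the extension flag that enables it.  Every test passes
# -no_tls1_3, so this recipe covers the TLS1.2-and-below message flow only.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_sslmessages";
setup($test_name);

plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

# A build with TLS1.3 as the only TLS version has nothing for the
# -no_tls1_3 handshakes below to negotiate.
plan skip_all => "$test_name needs TLS enabled"
    if alldisabled(available_protocols("tls"))
       || (!disabled("tls1_3") && disabled("tls1_2"));

# CPU capability mask shared with the other TLSProxy recipes; presumably it
# pins the cipher implementation the peers select so the proxy sees the
# same traffic on every host -- confirm before changing the value.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
# CT log list used by the client's -ct option (tests 14 and 16).
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

# No message filter (undef): this recipe only observes the traffic.  The
# server is run from apps/server.pem.  The last argument is truthy when not
# running under a harness, or when the harness is verbose; it looks like
# the proxy's debug-output switch -- confirm against TLSProxy::Proxy.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

# Expected handshake messages, in wire order, each paired with the mask of
# handshake types in which it must be present.  [0, 0] terminates the list.
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    (disabled("ec") ? () :
        [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
            checkhandshake::EC_HANDSHAKE]),
    [TLSProxy::Message::MT_CERTIFICATE_STATUS,
        checkhandshake::OCSP_HANDSHAKE],
    # ServerKeyExchange is only expected for the ECDHE handshake above;
    # other ServerKeyExchange handshakes are not currently supported by
    # TLSProxy.
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_NEXT_PROTO,
        checkhandshake::NPN_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::ALL_HANDSHAKES
        & ~checkhandshake::RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    # Second full handshake, only seen when the client renegotiates.
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO_DONE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_NEW_SESSION_TICKET,
        checkhandshake::RENEG_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::RENEG_HANDSHAKE],
    [0, 0]
);

# Expected extensions: (message type, extension type, extension flag).
# DEFAULT_EXTENSIONS entries are always expected; the others only when the
# test's extension mask includes their flag.  [0,0,0] terminates the list.
@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    (disabled("ec") ? () :
        [TLSProxy::Message::MT_CLIENT_HELLO,
            TLSProxy::Message::EXT_SUPPORTED_GROUPS,
            checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("ec") ? () :
        [TLSProxy::Message::MT_CLIENT_HELLO,
            TLSProxy::Message::EXT_EC_POINT_FORMATS,
            checkhandshake::DEFAULT_EXTENSIONS]),
    (disabled("tls1_2") ? () :
        [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
            checkhandshake::DEFAULT_EXTENSIONS]),
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::RENEGOTIATE_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
        checkhandshake::SRP_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        checkhandshake::SESSION_TICKET_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
        checkhandshake::SCT_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
        checkhandshake::NPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
    [0,0,0]
);

#Test 1: Check we get all the right messages for a default handshake
# The session is written out here so that Test 2 can resume it; the server
# is told to accept two connections so both tests run against one instance.
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
# One checkhandshake() per test; the skip counts in the SKIP blocks below
# must add up to the same total.
plan tests => 21;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client is restarted; no new ticket is expected because the
# session is being resumed, so the server-side ticket flag is cleared.
$proxy->clearClient();
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
               "Resumption handshake test");
unlink $session;

SKIP: {
    skip "No OCSP support in this OpenSSL build", 3
        if disabled("ocsp");

    #Test 3: A status_request handshake (client request only)
    # The server has no response to staple, so only the client extension
    # and the default handshake are expected.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    # Without a client request nothing is stapled: default handshake and
    # default extensions only.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    # Both sides participate, so the CertificateStatus message and both
    # status_request extensions must appear.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");
}

#Test 6: A client auth handshake
# The client reuses the server's test certificate; -Verify makes the server
# require it, which adds CertificateRequest/Certificate/CertificateVerify.
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Client auth handshake test");

#Test 7: A handshake with a renegotiation
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->reneg(1);
$proxy->start();
checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Renegotiation handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
# The server is configured for a name but the client sends none, so no
# server_name extension is expected in either direction.
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request, which is why the OCSP handshake
    #and both status_request extensions are expected alongside the SCT one.
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test (client)");
}

SKIP: {
    skip "No OCSP support in this OpenSSL build", 1
        if disabled("ocsp");

    #Test 15: SCT handshake (server support only)
    #The client sends neither -ct nor -status here, so despite the server's
    #OCSP response only the default handshake and extensions are expected.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "SCT handshake test (server)");
}

SKIP: {
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 16: SCT handshake (client and server)
    #There is no built-in server side support for this so we are actually also
    #testing custom extensions here: the SCT reply comes from serverinfo.pem.
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-no_tls1_3 -ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}


SKIP: {
    skip "No NPN support in this OpenSSL build", 3
        if disabled("nextprotoneg");

    #Test 17: NPN handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION,
                   "NPN handshake test (client)");

    #Test 18: NPN handshake (server support only)
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "NPN handshake test (server)");

    #Test 19: NPN handshake (client and server)
    # A negotiated NPN adds the NextProto message to the client's flight.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
    $proxy->serverflags("-nextprotoneg test");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::NPN_CLI_EXTENSION
                   | checkhandshake::NPN_SRV_EXTENSION,
                   "NPN handshake test");
}

SKIP: {
    skip "No SRP support in this OpenSSL build", 1
        if disabled("srp");

    #Test 20: SRP extension
    #Note: We are not actually going to perform an SRP handshake (TLSProxy
    #does not support it). However it is sufficient for us to check that the
    #SRP extension gets added on the client side. There is no SRP extension
    #generated on the server side anyway.  The credentials are test-only.
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SRP_CLI_EXTENSION,
                   "SRP extension test");
}

#Test 21: EC handshake
# Pinning an ECDHE suite forces the ServerKeyExchange message and the
# server's ec_point_formats extension that the EC_HANDSHAKE entries expect.
SKIP: {
    skip "No EC support in this OpenSSL build", 1 if disabled("ec");
    $proxy->clear();
    $proxy->clientflags("-no_tls1_3");
    $proxy->serverflags("-no_tls1_3");
    $proxy->ciphers("ECDHE-RSA-AES128-SHA");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
                   "EC handshake test");
}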