70-test_sslmessages.t 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
  10. use OpenSSL::Test::Utils;
  11. use File::Temp qw(tempfile);
  12. use TLSProxy::Proxy;
  13. use checkhandshake qw(checkhandshake @handmessages @extensions);
  14. my $test_name = "test_sslmessages";
  15. setup($test_name);
  16. plan skip_all => "TLSProxy isn't usable on $^O"
  17. if $^O =~ /^(VMS)$/;
  18. plan skip_all => "$test_name needs the dynamic engine feature enabled"
  19. if disabled("engine") || disabled("dynamic-engine");
  20. plan skip_all => "$test_name needs the sock feature enabled"
  21. if disabled("sock");
  22. plan skip_all => "$test_name needs TLS enabled"
  23. if alldisabled(available_protocols("tls"))
  24. || (!disabled("tls1_3") && disabled("tls1_2"));
  25. $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
  26. $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
  27. my $proxy = TLSProxy::Proxy->new(
  28. undef,
  29. cmdstr(app(["openssl"]), display => 1),
  30. srctop_file("apps", "server.pem"),
  31. (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
  32. );
  33. @handmessages = (
  34. [TLSProxy::Message::MT_CLIENT_HELLO,
  35. checkhandshake::ALL_HANDSHAKES],
  36. [TLSProxy::Message::MT_SERVER_HELLO,
  37. checkhandshake::ALL_HANDSHAKES],
  38. [TLSProxy::Message::MT_CERTIFICATE,
  39. checkhandshake::ALL_HANDSHAKES
  40. & ~checkhandshake::RESUME_HANDSHAKE],
  41. (disabled("ec") ? () :
  42. [TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
  43. checkhandshake::EC_HANDSHAKE]),
  44. [TLSProxy::Message::MT_CERTIFICATE_STATUS,
  45. checkhandshake::OCSP_HANDSHAKE],
  46. #ServerKeyExchange handshakes not currently supported by TLSProxy
  47. [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
  48. checkhandshake::CLIENT_AUTH_HANDSHAKE],
  49. [TLSProxy::Message::MT_SERVER_HELLO_DONE,
  50. checkhandshake::ALL_HANDSHAKES
  51. & ~checkhandshake::RESUME_HANDSHAKE],
  52. [TLSProxy::Message::MT_CERTIFICATE,
  53. checkhandshake::CLIENT_AUTH_HANDSHAKE],
  54. [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
  55. checkhandshake::ALL_HANDSHAKES
  56. & ~checkhandshake::RESUME_HANDSHAKE],
  57. [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
  58. checkhandshake::CLIENT_AUTH_HANDSHAKE],
  59. [TLSProxy::Message::MT_NEXT_PROTO,
  60. checkhandshake::NPN_HANDSHAKE],
  61. [TLSProxy::Message::MT_FINISHED,
  62. checkhandshake::ALL_HANDSHAKES],
  63. [TLSProxy::Message::MT_NEW_SESSION_TICKET,
  64. checkhandshake::ALL_HANDSHAKES
  65. & ~checkhandshake::RESUME_HANDSHAKE],
  66. [TLSProxy::Message::MT_FINISHED,
  67. checkhandshake::ALL_HANDSHAKES],
  68. [TLSProxy::Message::MT_CLIENT_HELLO,
  69. checkhandshake::RENEG_HANDSHAKE],
  70. [TLSProxy::Message::MT_SERVER_HELLO,
  71. checkhandshake::RENEG_HANDSHAKE],
  72. [TLSProxy::Message::MT_CERTIFICATE,
  73. checkhandshake::RENEG_HANDSHAKE],
  74. [TLSProxy::Message::MT_SERVER_HELLO_DONE,
  75. checkhandshake::RENEG_HANDSHAKE],
  76. [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
  77. checkhandshake::RENEG_HANDSHAKE],
  78. [TLSProxy::Message::MT_FINISHED,
  79. checkhandshake::RENEG_HANDSHAKE],
  80. [TLSProxy::Message::MT_NEW_SESSION_TICKET,
  81. checkhandshake::RENEG_HANDSHAKE],
  82. [TLSProxy::Message::MT_FINISHED,
  83. checkhandshake::RENEG_HANDSHAKE],
  84. [0, 0]
  85. );
  86. @extensions = (
  87. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
  88. checkhandshake::SERVER_NAME_CLI_EXTENSION],
  89. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
  90. checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
  91. (disabled("ec") ? () :
  92. [TLSProxy::Message::MT_CLIENT_HELLO,
  93. TLSProxy::Message::EXT_SUPPORTED_GROUPS,
  94. checkhandshake::DEFAULT_EXTENSIONS]),
  95. (disabled("ec") ? () :
  96. [TLSProxy::Message::MT_CLIENT_HELLO,
  97. TLSProxy::Message::EXT_EC_POINT_FORMATS,
  98. checkhandshake::DEFAULT_EXTENSIONS]),
  99. (disabled("tls1_2") ? () :
  100. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
  101. checkhandshake::DEFAULT_EXTENSIONS]),
  102. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
  103. checkhandshake::ALPN_CLI_EXTENSION],
  104. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
  105. checkhandshake::SCT_CLI_EXTENSION],
  106. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
  107. checkhandshake::DEFAULT_EXTENSIONS],
  108. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
  109. checkhandshake::DEFAULT_EXTENSIONS],
  110. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
  111. checkhandshake::DEFAULT_EXTENSIONS],
  112. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
  113. checkhandshake::RENEGOTIATE_CLI_EXTENSION],
  114. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
  115. checkhandshake::NPN_CLI_EXTENSION],
  116. [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
  117. checkhandshake::SRP_CLI_EXTENSION],
  118. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
  119. checkhandshake::DEFAULT_EXTENSIONS],
  120. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
  121. checkhandshake::DEFAULT_EXTENSIONS],
  122. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
  123. checkhandshake::DEFAULT_EXTENSIONS],
  124. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
  125. checkhandshake::SESSION_TICKET_SRV_EXTENSION],
  126. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
  127. checkhandshake::SERVER_NAME_SRV_EXTENSION],
  128. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
  129. checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
  130. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
  131. checkhandshake::ALPN_SRV_EXTENSION],
  132. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
  133. checkhandshake::SCT_SRV_EXTENSION],
  134. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
  135. checkhandshake::NPN_SRV_EXTENSION],
  136. [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
  137. checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
  138. [0,0,0]
  139. );
  140. #Test 1: Check we get all the right messages for a default handshake
  141. (undef, my $session) = tempfile();
  142. $proxy->serverconnects(2);
  143. $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
  144. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
  145. plan tests => 21;
  146. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  147. checkhandshake::DEFAULT_EXTENSIONS,
  148. "Default handshake test");
  149. #Test 2: Resumption handshake
  150. $proxy->clearClient();
  151. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  152. $proxy->clientstart();
  153. checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
  154. checkhandshake::DEFAULT_EXTENSIONS
  155. & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
  156. "Resumption handshake test");
  157. unlink $session;
  158. SKIP: {
  159. skip "No OCSP support in this OpenSSL build", 3
  160. if disabled("ocsp");
  161. #Test 3: A status_request handshake (client request only)
  162. $proxy->clear();
  163. $proxy->clientflags("-no_tls1_3 -status");
  164. $proxy->start();
  165. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  166. checkhandshake::DEFAULT_EXTENSIONS
  167. | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
  168. "status_request handshake test (client)");
  169. #Test 4: A status_request handshake (server support only)
  170. $proxy->clear();
  171. $proxy->clientflags("-no_tls1_3");
  172. $proxy->serverflags("-status_file "
  173. .srctop_file("test", "recipes", "ocsp-response.der"));
  174. $proxy->start();
  175. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  176. checkhandshake::DEFAULT_EXTENSIONS,
  177. "status_request handshake test (server)");
  178. #Test 5: A status_request handshake (client and server)
  179. $proxy->clear();
  180. $proxy->clientflags("-no_tls1_3 -status");
  181. $proxy->serverflags("-status_file "
  182. .srctop_file("test", "recipes", "ocsp-response.der"));
  183. $proxy->start();
  184. checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
  185. checkhandshake::DEFAULT_EXTENSIONS
  186. | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
  187. | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
  188. "status_request handshake test");
  189. }
  190. #Test 6: A client auth handshake
  191. $proxy->clear();
  192. $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
  193. $proxy->serverflags("-Verify 5");
  194. $proxy->start();
  195. checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
  196. checkhandshake::DEFAULT_EXTENSIONS,
  197. "Client auth handshake test");
  198. #Test 7: A handshake with a renegotiation
  199. $proxy->clear();
  200. $proxy->clientflags("-no_tls1_3");
  201. $proxy->reneg(1);
  202. $proxy->start();
  203. checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
  204. checkhandshake::DEFAULT_EXTENSIONS,
  205. "Renegotiation handshake test");
  206. #Test 8: Server name handshake (no client request)
  207. $proxy->clear();
  208. $proxy->clientflags("-no_tls1_3 -noservername");
  209. $proxy->start();
  210. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  211. checkhandshake::DEFAULT_EXTENSIONS
  212. & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
  213. "Server name handshake test (client)");
  214. #Test 9: Server name handshake (server support only)
  215. $proxy->clear();
  216. $proxy->clientflags("-no_tls1_3 -noservername");
  217. $proxy->serverflags("-servername testhost");
  218. $proxy->start();
  219. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  220. checkhandshake::DEFAULT_EXTENSIONS
  221. & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
  222. "Server name handshake test (server)");
  223. #Test 10: Server name handshake (client and server)
  224. $proxy->clear();
  225. $proxy->clientflags("-no_tls1_3 -servername testhost");
  226. $proxy->serverflags("-servername testhost");
  227. $proxy->start();
  228. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  229. checkhandshake::DEFAULT_EXTENSIONS
  230. | checkhandshake::SERVER_NAME_SRV_EXTENSION,
  231. "Server name handshake test");
  232. #Test 11: ALPN handshake (client request only)
  233. $proxy->clear();
  234. $proxy->clientflags("-no_tls1_3 -alpn test");
  235. $proxy->start();
  236. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  237. checkhandshake::DEFAULT_EXTENSIONS
  238. | checkhandshake::ALPN_CLI_EXTENSION,
  239. "ALPN handshake test (client)");
  240. #Test 12: ALPN handshake (server support only)
  241. $proxy->clear();
  242. $proxy->clientflags("-no_tls1_3");
  243. $proxy->serverflags("-alpn test");
  244. $proxy->start();
  245. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  246. checkhandshake::DEFAULT_EXTENSIONS,
  247. "ALPN handshake test (server)");
  248. #Test 13: ALPN handshake (client and server)
  249. $proxy->clear();
  250. $proxy->clientflags("-no_tls1_3 -alpn test");
  251. $proxy->serverflags("-alpn test");
  252. $proxy->start();
  253. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  254. checkhandshake::DEFAULT_EXTENSIONS
  255. | checkhandshake::ALPN_CLI_EXTENSION
  256. | checkhandshake::ALPN_SRV_EXTENSION,
  257. "ALPN handshake test");
  258. SKIP: {
  259. skip "No CT, EC or OCSP support in this OpenSSL build", 1
  260. if disabled("ct") || disabled("ec") || disabled("ocsp");
  261. #Test 14: SCT handshake (client request only)
  262. $proxy->clear();
  263. #Note: -ct also sends status_request
  264. $proxy->clientflags("-no_tls1_3 -ct");
  265. $proxy->serverflags("-status_file "
  266. .srctop_file("test", "recipes", "ocsp-response.der"));
  267. $proxy->start();
  268. checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
  269. checkhandshake::DEFAULT_EXTENSIONS
  270. | checkhandshake::SCT_CLI_EXTENSION
  271. | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
  272. | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
  273. "SCT handshake test (client)");
  274. }
  275. SKIP: {
  276. skip "No OCSP support in this OpenSSL build", 1
  277. if disabled("ocsp");
  278. #Test 15: SCT handshake (server support only)
  279. $proxy->clear();
  280. #Note: -ct also sends status_request
  281. $proxy->clientflags("-no_tls1_3");
  282. $proxy->serverflags("-status_file "
  283. .srctop_file("test", "recipes", "ocsp-response.der"));
  284. $proxy->start();
  285. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  286. checkhandshake::DEFAULT_EXTENSIONS,
  287. "SCT handshake test (server)");
  288. }
  289. SKIP: {
  290. skip "No CT, EC or OCSP support in this OpenSSL build", 1
  291. if disabled("ct") || disabled("ec") || disabled("ocsp");
  292. #Test 16: SCT handshake (client and server)
  293. #There is no built-in server side support for this so we are actually also
  294. #testing custom extensions here
  295. $proxy->clear();
  296. #Note: -ct also sends status_request
  297. $proxy->clientflags("-no_tls1_3 -ct");
  298. $proxy->serverflags("-status_file "
  299. .srctop_file("test", "recipes", "ocsp-response.der")
  300. ." -serverinfo ".srctop_file("test", "serverinfo.pem"));
  301. $proxy->start();
  302. checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
  303. checkhandshake::DEFAULT_EXTENSIONS
  304. | checkhandshake::SCT_CLI_EXTENSION
  305. | checkhandshake::SCT_SRV_EXTENSION
  306. | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
  307. | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
  308. "SCT handshake test");
  309. }
  310. SKIP: {
  311. skip "No NPN support in this OpenSSL build", 3
  312. if disabled("nextprotoneg");
  313. #Test 17: NPN handshake (client request only)
  314. $proxy->clear();
  315. $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
  316. $proxy->start();
  317. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  318. checkhandshake::DEFAULT_EXTENSIONS
  319. | checkhandshake::NPN_CLI_EXTENSION,
  320. "NPN handshake test (client)");
  321. #Test 18: NPN handshake (server support only)
  322. $proxy->clear();
  323. $proxy->clientflags("-no_tls1_3");
  324. $proxy->serverflags("-nextprotoneg test");
  325. $proxy->start();
  326. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  327. checkhandshake::DEFAULT_EXTENSIONS,
  328. "NPN handshake test (server)");
  329. #Test 19: NPN handshake (client and server)
  330. $proxy->clear();
  331. $proxy->clientflags("-no_tls1_3 -nextprotoneg test");
  332. $proxy->serverflags("-nextprotoneg test");
  333. $proxy->start();
  334. checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
  335. checkhandshake::DEFAULT_EXTENSIONS
  336. | checkhandshake::NPN_CLI_EXTENSION
  337. | checkhandshake::NPN_SRV_EXTENSION,
  338. "NPN handshake test");
  339. }
  340. SKIP: {
  341. skip "No SRP support in this OpenSSL build", 1
  342. if disabled("srp");
  343. #Test 20: SRP extension
  344. #Note: We are not actually going to perform an SRP handshake (TLSProxy
  345. #does not support it). However it is sufficient for us to check that the
  346. #SRP extension gets added on the client side. There is no SRP extension
  347. #generated on the server side anyway.
  348. $proxy->clear();
  349. $proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
  350. $proxy->start();
  351. checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
  352. checkhandshake::DEFAULT_EXTENSIONS
  353. | checkhandshake::SRP_CLI_EXTENSION,
  354. "SRP extension test");
  355. }
  356. #Test 21: EC handshake
  357. SKIP: {
  358. skip "No EC support in this OpenSSL build", 1 if disabled("ec");
  359. $proxy->clear();
  360. $proxy->clientflags("-no_tls1_3");
  361. $proxy->serverflags("-no_tls1_3");
  362. $proxy->ciphers("ECDHE-RSA-AES128-SHA");
  363. $proxy->start();
  364. checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
  365. checkhandshake::DEFAULT_EXTENSIONS
  366. | checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
  367. "EC handshake test");
  368. }