Blame - ap/lib/libssl/openssl-1.1.1o/test/recipes/70-test_sslmessages.t - R306

blob: 212791fc05e1a2132b3e7bbb9f638664e8c4e553 [file] [log] [blame]

yuezonghe	824eb0c	2024-06-27 02:32:26 -0700	[diff] [blame]	1	#! /usr/bin/env perl
				2	# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
				3	#
				4	# Licensed under the OpenSSL license (the "License"). You may not use
				5	# this file except in compliance with the License. You can obtain a copy
				6	# in the file LICENSE in the source distribution or at
				7	# https://www.openssl.org/source/license.html
				8
				9	use strict;
				10	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
				11	use OpenSSL::Test::Utils;
				12	use File::Temp qw(tempfile);
				13	use TLSProxy::Proxy;
				14	use checkhandshake qw(checkhandshake @handmessages @extensions);
				15
				16	my $test_name = "test_sslmessages";
				17	setup($test_name);
				18
				19	plan skip_all => "TLSProxy isn't usable on $^O"
				20	if $^O =~ /^(VMS)$/;
				21
				22	plan skip_all => "$test_name needs the dynamic engine feature enabled"
				23	if disabled("engine") \|\| disabled("dynamic-engine");
				24
				25	plan skip_all => "$test_name needs the sock feature enabled"
				26	if disabled("sock");
				27
				28	plan skip_all => "$test_name needs TLS enabled"
				29	if alldisabled(available_protocols("tls"))
				30	\|\| (!disabled("tls1_3") && disabled("tls1_2"));
				31
				32	$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
				33	$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
				34
				35	my $proxy = TLSProxy::Proxy->new(
				36	undef,
				37	cmdstr(app(["openssl"]), display => 1),
				38	srctop_file("apps", "server.pem"),
				39	(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
				40	);
				41
				42	@handmessages = (
				43	[TLSProxy::Message::MT_CLIENT_HELLO,
				44	checkhandshake::ALL_HANDSHAKES],
				45	[TLSProxy::Message::MT_SERVER_HELLO,
				46	checkhandshake::ALL_HANDSHAKES],
				47	[TLSProxy::Message::MT_CERTIFICATE,
				48	checkhandshake::ALL_HANDSHAKES
				49	& ~checkhandshake::RESUME_HANDSHAKE],
				50	(disabled("ec") ? () :
				51	[TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
				52	checkhandshake::EC_HANDSHAKE]),
				53	[TLSProxy::Message::MT_CERTIFICATE_STATUS,
				54	checkhandshake::OCSP_HANDSHAKE],
				55	#ServerKeyExchange handshakes not currently supported by TLSProxy
				56	[TLSProxy::Message::MT_CERTIFICATE_REQUEST,
				57	checkhandshake::CLIENT_AUTH_HANDSHAKE],
				58	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
				59	checkhandshake::ALL_HANDSHAKES
				60	& ~checkhandshake::RESUME_HANDSHAKE],
				61	[TLSProxy::Message::MT_CERTIFICATE,
				62	checkhandshake::CLIENT_AUTH_HANDSHAKE],
				63	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
				64	checkhandshake::ALL_HANDSHAKES
				65	& ~checkhandshake::RESUME_HANDSHAKE],
				66	[TLSProxy::Message::MT_CERTIFICATE_VERIFY,
				67	checkhandshake::CLIENT_AUTH_HANDSHAKE],
				68	[TLSProxy::Message::MT_NEXT_PROTO,
				69	checkhandshake::NPN_HANDSHAKE],
				70	[TLSProxy::Message::MT_FINISHED,
				71	checkhandshake::ALL_HANDSHAKES],
				72	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
				73	checkhandshake::ALL_HANDSHAKES
				74	& ~checkhandshake::RESUME_HANDSHAKE],
				75	[TLSProxy::Message::MT_FINISHED,
				76	checkhandshake::ALL_HANDSHAKES],
				77	[TLSProxy::Message::MT_CLIENT_HELLO,
				78	checkhandshake::RENEG_HANDSHAKE],
				79	[TLSProxy::Message::MT_SERVER_HELLO,
				80	checkhandshake::RENEG_HANDSHAKE],
				81	[TLSProxy::Message::MT_CERTIFICATE,
				82	checkhandshake::RENEG_HANDSHAKE],
				83	[TLSProxy::Message::MT_SERVER_HELLO_DONE,
				84	checkhandshake::RENEG_HANDSHAKE],
				85	[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE,
				86	checkhandshake::RENEG_HANDSHAKE],
				87	[TLSProxy::Message::MT_FINISHED,
				88	checkhandshake::RENEG_HANDSHAKE],
				89	[TLSProxy::Message::MT_NEW_SESSION_TICKET,
				90	checkhandshake::RENEG_HANDSHAKE],
				91	[TLSProxy::Message::MT_FINISHED,
				92	checkhandshake::RENEG_HANDSHAKE],
				93	[0, 0]
				94	);
				95
				96	@extensions = (
				97	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
				98	TLSProxy::Message::CLIENT,
				99	checkhandshake::SERVER_NAME_CLI_EXTENSION],
				100	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
				101	TLSProxy::Message::CLIENT,
				102	checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
				103	(disabled("ec") ? () :
				104	[TLSProxy::Message::MT_CLIENT_HELLO,
				105	TLSProxy::Message::EXT_SUPPORTED_GROUPS,
				106	TLSProxy::Message::CLIENT,
				107	checkhandshake::DEFAULT_EXTENSIONS]),
				108	(disabled("ec") ? () :
				109	[TLSProxy::Message::MT_CLIENT_HELLO,
				110	TLSProxy::Message::EXT_EC_POINT_FORMATS,
				111	TLSProxy::Message::CLIENT,
				112	checkhandshake::DEFAULT_EXTENSIONS]),
				113	(disabled("tls1_2") ? () :
				114	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
				115	TLSProxy::Message::CLIENT,
				116	checkhandshake::DEFAULT_EXTENSIONS]),
				117	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
				118	TLSProxy::Message::CLIENT,
				119	checkhandshake::ALPN_CLI_EXTENSION],
				120	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
				121	TLSProxy::Message::CLIENT,
				122	checkhandshake::SCT_CLI_EXTENSION],
				123	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
				124	TLSProxy::Message::CLIENT,
				125	checkhandshake::DEFAULT_EXTENSIONS],
				126	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
				127	TLSProxy::Message::CLIENT,
				128	checkhandshake::DEFAULT_EXTENSIONS],
				129	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
				130	TLSProxy::Message::CLIENT,
				131	checkhandshake::DEFAULT_EXTENSIONS],
				132	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
				133	TLSProxy::Message::CLIENT,
				134	checkhandshake::RENEGOTIATE_CLI_EXTENSION],
				135	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
				136	TLSProxy::Message::CLIENT,
				137	checkhandshake::NPN_CLI_EXTENSION],
				138	[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
				139	TLSProxy::Message::CLIENT,
				140	checkhandshake::SRP_CLI_EXTENSION],
				141
				142	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
				143	TLSProxy::Message::SERVER,
				144	checkhandshake::DEFAULT_EXTENSIONS],
				145	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
				146	TLSProxy::Message::SERVER,
				147	checkhandshake::DEFAULT_EXTENSIONS],
				148	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
				149	TLSProxy::Message::SERVER,
				150	checkhandshake::DEFAULT_EXTENSIONS],
				151	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
				152	TLSProxy::Message::SERVER,
				153	checkhandshake::SESSION_TICKET_SRV_EXTENSION],
				154	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
				155	TLSProxy::Message::SERVER,
				156	checkhandshake::SERVER_NAME_SRV_EXTENSION],
				157	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
				158	TLSProxy::Message::SERVER,
				159	checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
				160	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
				161	TLSProxy::Message::SERVER,
				162	checkhandshake::ALPN_SRV_EXTENSION],
				163	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
				164	TLSProxy::Message::SERVER,
				165	checkhandshake::SCT_SRV_EXTENSION],
				166	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
				167	TLSProxy::Message::SERVER,
				168	checkhandshake::NPN_SRV_EXTENSION],
				169	[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
				170	TLSProxy::Message::SERVER,
				171	checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
				172	[0,0,0,0]
				173	);
				174
				175	#Test 1: Check we get all the right messages for a default handshake
				176	(undef, my $session) = tempfile();
				177	$proxy->serverconnects(2);
				178	$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
				179	$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
				180	plan tests => 21;
				181	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				182	checkhandshake::DEFAULT_EXTENSIONS,
				183	"Default handshake test");
				184
				185	#Test 2: Resumption handshake
				186	$proxy->clearClient();
				187	$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
				188	$proxy->clientstart();
				189	checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
				190	checkhandshake::DEFAULT_EXTENSIONS
				191	& ~checkhandshake::SESSION_TICKET_SRV_EXTENSION,
				192	"Resumption handshake test");
				193	unlink $session;
				194
				195	SKIP: {
				196	skip "No OCSP support in this OpenSSL build", 3
				197	if disabled("ocsp");
				198
				199	#Test 3: A status_request handshake (client request only)
				200	$proxy->clear();
				201	$proxy->clientflags("-no_tls1_3 -status");
				202	$proxy->start();
				203	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				204	checkhandshake::DEFAULT_EXTENSIONS
				205	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
				206	"status_request handshake test (client)");
				207
				208	#Test 4: A status_request handshake (server support only)
				209	$proxy->clear();
				210	$proxy->clientflags("-no_tls1_3");
				211	$proxy->serverflags("-status_file "
				212	.srctop_file("test", "recipes", "ocsp-response.der"));
				213	$proxy->start();
				214	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				215	checkhandshake::DEFAULT_EXTENSIONS,
				216	"status_request handshake test (server)");
				217
				218	#Test 5: A status_request handshake (client and server)
				219	$proxy->clear();
				220	$proxy->clientflags("-no_tls1_3 -status");
				221	$proxy->serverflags("-status_file "
				222	.srctop_file("test", "recipes", "ocsp-response.der"));
				223	$proxy->start();
				224	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
				225	checkhandshake::DEFAULT_EXTENSIONS
				226	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
				227	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
				228	"status_request handshake test");
				229	}
				230
				231	#Test 6: A client auth handshake
				232	$proxy->clear();
				233	$proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem"));
				234	$proxy->serverflags("-Verify 5");
				235	$proxy->start();
				236	checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
				237	checkhandshake::DEFAULT_EXTENSIONS,
				238	"Client auth handshake test");
				239
				240	#Test 7: A handshake with a renegotiation
				241	$proxy->clear();
				242	$proxy->clientflags("-no_tls1_3");
				243	$proxy->reneg(1);
				244	$proxy->start();
				245	checkhandshake($proxy, checkhandshake::RENEG_HANDSHAKE,
				246	checkhandshake::DEFAULT_EXTENSIONS,
				247	"Renegotiation handshake test");
				248
				249	#Test 8: Server name handshake (no client request)
				250	$proxy->clear();
				251	$proxy->clientflags("-no_tls1_3 -noservername");
				252	$proxy->start();
				253	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				254	checkhandshake::DEFAULT_EXTENSIONS
				255	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
				256	"Server name handshake test (client)");
				257
				258	#Test 9: Server name handshake (server support only)
				259	$proxy->clear();
				260	$proxy->clientflags("-no_tls1_3 -noservername");
				261	$proxy->serverflags("-servername testhost");
				262	$proxy->start();
				263	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				264	checkhandshake::DEFAULT_EXTENSIONS
				265	& ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
				266	"Server name handshake test (server)");
				267
				268	#Test 10: Server name handshake (client and server)
				269	$proxy->clear();
				270	$proxy->clientflags("-no_tls1_3 -servername testhost");
				271	$proxy->serverflags("-servername testhost");
				272	$proxy->start();
				273	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				274	checkhandshake::DEFAULT_EXTENSIONS
				275	\| checkhandshake::SERVER_NAME_SRV_EXTENSION,
				276	"Server name handshake test");
				277
				278	#Test 11: ALPN handshake (client request only)
				279	$proxy->clear();
				280	$proxy->clientflags("-no_tls1_3 -alpn test");
				281	$proxy->start();
				282	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				283	checkhandshake::DEFAULT_EXTENSIONS
				284	\| checkhandshake::ALPN_CLI_EXTENSION,
				285	"ALPN handshake test (client)");
				286
				287	#Test 12: ALPN handshake (server support only)
				288	$proxy->clear();
				289	$proxy->clientflags("-no_tls1_3");
				290	$proxy->serverflags("-alpn test");
				291	$proxy->start();
				292	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				293	checkhandshake::DEFAULT_EXTENSIONS,
				294	"ALPN handshake test (server)");
				295
				296	#Test 13: ALPN handshake (client and server)
				297	$proxy->clear();
				298	$proxy->clientflags("-no_tls1_3 -alpn test");
				299	$proxy->serverflags("-alpn test");
				300	$proxy->start();
				301	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				302	checkhandshake::DEFAULT_EXTENSIONS
				303	\| checkhandshake::ALPN_CLI_EXTENSION
				304	\| checkhandshake::ALPN_SRV_EXTENSION,
				305	"ALPN handshake test");
				306
				307	SKIP: {
				308	skip "No CT, EC or OCSP support in this OpenSSL build", 1
				309	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
				310
				311	#Test 14: SCT handshake (client request only)
				312	$proxy->clear();
				313	#Note: -ct also sends status_request
				314	$proxy->clientflags("-no_tls1_3 -ct");
				315	$proxy->serverflags("-status_file "
				316	.srctop_file("test", "recipes", "ocsp-response.der"));
				317	$proxy->start();
				318	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
				319	checkhandshake::DEFAULT_EXTENSIONS
				320	\| checkhandshake::SCT_CLI_EXTENSION
				321	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
				322	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
				323	"SCT handshake test (client)");
				324	}
				325
				326	SKIP: {
				327	skip "No OCSP support in this OpenSSL build", 1
				328	if disabled("ocsp");
				329
				330	#Test 15: SCT handshake (server support only)
				331	$proxy->clear();
				332	#Note: -ct also sends status_request
				333	$proxy->clientflags("-no_tls1_3");
				334	$proxy->serverflags("-status_file "
				335	.srctop_file("test", "recipes", "ocsp-response.der"));
				336	$proxy->start();
				337	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				338	checkhandshake::DEFAULT_EXTENSIONS,
				339	"SCT handshake test (server)");
				340	}
				341
				342	SKIP: {
				343	skip "No CT, EC or OCSP support in this OpenSSL build", 1
				344	if disabled("ct") \|\| disabled("ec") \|\| disabled("ocsp");
				345
				346	#Test 16: SCT handshake (client and server)
				347	#There is no built-in server side support for this so we are actually also
				348	#testing custom extensions here
				349	$proxy->clear();
				350	#Note: -ct also sends status_request
				351	$proxy->clientflags("-no_tls1_3 -ct");
				352	$proxy->serverflags("-status_file "
				353	.srctop_file("test", "recipes", "ocsp-response.der")
				354	." -serverinfo ".srctop_file("test", "serverinfo.pem"));
				355	$proxy->start();
				356	checkhandshake($proxy, checkhandshake::OCSP_HANDSHAKE,
				357	checkhandshake::DEFAULT_EXTENSIONS
				358	\| checkhandshake::SCT_CLI_EXTENSION
				359	\| checkhandshake::SCT_SRV_EXTENSION
				360	\| checkhandshake::STATUS_REQUEST_CLI_EXTENSION
				361	\| checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
				362	"SCT handshake test");
				363	}
				364
				365
				366	SKIP: {
				367	skip "No NPN support in this OpenSSL build", 3
				368	if disabled("nextprotoneg");
				369
				370	#Test 17: NPN handshake (client request only)
				371	$proxy->clear();
				372	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
				373	$proxy->start();
				374	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				375	checkhandshake::DEFAULT_EXTENSIONS
				376	\| checkhandshake::NPN_CLI_EXTENSION,
				377	"NPN handshake test (client)");
				378
				379	#Test 18: NPN handshake (server support only)
				380	$proxy->clear();
				381	$proxy->clientflags("-no_tls1_3");
				382	$proxy->serverflags("-nextprotoneg test");
				383	$proxy->start();
				384	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				385	checkhandshake::DEFAULT_EXTENSIONS,
				386	"NPN handshake test (server)");
				387
				388	#Test 19: NPN handshake (client and server)
				389	$proxy->clear();
				390	$proxy->clientflags("-no_tls1_3 -nextprotoneg test");
				391	$proxy->serverflags("-nextprotoneg test");
				392	$proxy->start();
				393	checkhandshake($proxy, checkhandshake::NPN_HANDSHAKE,
				394	checkhandshake::DEFAULT_EXTENSIONS
				395	\| checkhandshake::NPN_CLI_EXTENSION
				396	\| checkhandshake::NPN_SRV_EXTENSION,
				397	"NPN handshake test");
				398	}
				399
				400	SKIP: {
				401	skip "No SRP support in this OpenSSL build", 1
				402	if disabled("srp");
				403
				404	#Test 20: SRP extension
				405	#Note: We are not actually going to perform an SRP handshake (TLSProxy
				406	#does not support it). However it is sufficient for us to check that the
				407	#SRP extension gets added on the client side. There is no SRP extension
				408	#generated on the server side anyway.
				409	$proxy->clear();
				410	$proxy->clientflags("-no_tls1_3 -srpuser user -srppass pass:pass");
				411	$proxy->start();
				412	checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
				413	checkhandshake::DEFAULT_EXTENSIONS
				414	\| checkhandshake::SRP_CLI_EXTENSION,
				415	"SRP extension test");
				416	}
				417
				418	#Test 21: EC handshake
				419	SKIP: {
				420	skip "No EC support in this OpenSSL build", 1 if disabled("ec");
				421	$proxy->clear();
				422	$proxy->clientflags("-no_tls1_3");
				423	$proxy->serverflags("-no_tls1_3");
				424	$proxy->ciphers("ECDHE-RSA-AES128-SHA");
				425	$proxy->start();
				426	checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
				427	checkhandshake::DEFAULT_EXTENSIONS
				428	\| checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION,
				429	"EC handshake test");
				430	}