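#! /usr/bin/env perl
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Test recipe: drives openssl s_client / s_server through TLSProxy and checks
# that each TLSv1.3 handshake variant carries the expected handshake messages
# and extensions. The expectations live in the two tables below
# (@handmessages, @extensions), which are imported from and consumed by the
# checkhandshake module.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
use checkhandshake qw(checkhandshake @handmessages @extensions);

my $test_name = "test_tls13messages";
setup($test_name);

# Bail out before any proxy work when the platform or build configuration
# cannot run this recipe.
plan skip_all => "TLSProxy isn't usable on $^O"
    if $^O =~ /^(VMS)$/;

plan skip_all => "$test_name needs the dynamic engine feature enabled"
    if disabled("engine") || disabled("dynamic-engine");

plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

plan skip_all => "$test_name needs TLSv1.3 enabled"
    if disabled("tls1_3");

plan skip_all => "$test_name needs EC enabled"
    if disabled("ec");

# Capability mask inherited by the openssl processes started below: bits 57
# and 33 are cleared, which OPENSSL_ia32cap(3) documents as AES-NI and
# PCLMULQDQ.
# NOTE(review): the reason is not stated here; presumably the proxy needs the
# generic cipher code paths -- confirm against TLSProxy.
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';

# Expected handshake message sequence. Each row is
#   [ message type, bitmask of checkhandshake::*_HANDSHAKE kinds ]
# and the list is terminated by [0, 0]. The second ClientHello/ServerHello
# pair is tagged with the HRR kinds only; Certificate/CertificateVerify are
# masked out for the two resumption kinds.
@handmessages = (
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_CLIENT_HELLO,
        checkhandshake::HRR_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE],
    [TLSProxy::Message::MT_SERVER_HELLO,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE_REQUEST,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::ALL_HANDSHAKES & ~(checkhandshake::RESUME_HANDSHAKE | checkhandshake::HRR_RESUME_HANDSHAKE)],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [TLSProxy::Message::MT_CERTIFICATE,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_CERTIFICATE_VERIFY,
        checkhandshake::CLIENT_AUTH_HANDSHAKE],
    [TLSProxy::Message::MT_FINISHED,
        checkhandshake::ALL_HANDSHAKES],
    [0, 0]
);

# Expected extensions. Each row is
#   [ message type, extension type, sender (CLIENT or SERVER),
#     checkhandshake::*_EXTENSION(S) flag that selects the row ]
# and the list is terminated by [0,0,0,0]. The ClientHello rows are listed
# twice, mirroring the two ClientHello entries in @handmessages; the first
# ServerHello group carries KEY_SHARE_HRR_EXTENSION, the second the regular
# key_share and the server PSK.
@extensions = (
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::KEY_SHARE_HRR_EXTENSION],

    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::CLIENT,
        checkhandshake::SERVER_NAME_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::CLIENT,
        checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::CLIENT,
        checkhandshake::ALPN_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::CLIENT,
        checkhandshake::SCT_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
        TLSProxy::Message::CLIENT,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::CLIENT,
        checkhandshake::PSK_CLI_EXTENSION],
    [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
        TLSProxy::Message::CLIENT,
        checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],

    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],
    [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
        TLSProxy::Message::SERVER,
        checkhandshake::PSK_SRV_EXTENSION],

    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
        TLSProxy::Message::SERVER,
        checkhandshake::SERVER_NAME_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
        TLSProxy::Message::SERVER,
        checkhandshake::ALPN_SRV_EXTENSION],
    [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
        TLSProxy::Message::SERVER,
        checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],

    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
        TLSProxy::Message::SERVER,
        checkhandshake::DEFAULT_EXTENSIONS],

    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
        TLSProxy::Message::SERVER,
        checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
        TLSProxy::Message::SERVER,
        checkhandshake::SCT_SRV_EXTENSION],

    [0,0,0,0]
);

# Proxy between s_client and s_server. No message filter is installed
# (first argument undef), so traffic is only observed. apps/server.pem is the
# test credential from the source tree. The last argument is true when the
# recipe is run outside the harness or with HARNESS_VERBOSE set.
my $proxy = TLSProxy::Proxy->new(
    undef,
    cmdstr(app(["openssl"]), display => 1),
    srctop_file("apps", "server.pem"),
    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);

#Test 1: Check we get all the right messages for a default handshake
# The file receives the TLS session saved by s_client (-sess_out) and is read
# back with -sess_in in Tests 2 and 16. UNLINK => 1 asks File::Temp to delete
# it when the program exits, so an early exit (the skip_all just below, or a
# die in a later test) no longer leaves saved session state behind in the
# temp directory. The explicit unlink on the last line is kept.
(undef, my $session) = tempfile(UNLINK => 1);
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->sessionfile($session);
# The plan is declared only after the first start so that a proxy that cannot
# come up turns into a skip rather than 17 failures.
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 17;
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "Default handshake test");

#Test 2: Resumption handshake
# Only the client side is reset and restarted here; the server from Test 1
# was told to accept two connections.
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake test");

SKIP: {
    # The count of 4 covers Tests 3-6.
    # NOTE(review): the message names only OCSP although the guard also
    # tests ct and ec.
    skip "No OCSP support in this OpenSSL build", 4
        if disabled("ct") || disabled("ec") || disabled("ocsp");
    #Test 3: A status_request handshake (client request only)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
                   "status_request handshake test (client)");

    #Test 4: A status_request handshake (server support only)
    # No status_request is expected in either direction: the client did not
    # ask, so the expected mask is just the defaults.
    $proxy->clear();
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS,
                   "status_request handshake test (server)");

    #Test 5: A status_request handshake (client and server)
    $proxy->clear();
    $proxy->clientflags("-status");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "status_request handshake test");

    #Test 6: A status_request handshake (client and server) with client auth
    # The client presents the same source-tree test credential as the server.
    $proxy->clear();
    $proxy->clientflags("-status -enable_pha -cert "
                        .srctop_file("apps", "server.pem"));
    $proxy->serverflags("-Verify 5 -status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                   "status_request handshake with client auth test");
}

#Test 7: A client auth handshake
$proxy->clear();
$proxy->clientflags("-enable_pha -cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS |
               checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
               "Client auth handshake test");

#Test 8: Server name handshake (no client request)
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (client)");

#Test 9: Server name handshake (server support only)
# Same expected mask as Test 8: with no client server_name, no server-side
# server_name flag is expected either.
$proxy->clear();
$proxy->clientflags("-noservername");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
               "Server name handshake test (server)");

#Test 10: Server name handshake (client and server)
$proxy->clear();
$proxy->clientflags("-servername testhost");
$proxy->serverflags("-servername testhost");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SERVER_NAME_SRV_EXTENSION,
               "Server name handshake test");

#Test 11: ALPN handshake (client request only)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION,
               "ALPN handshake test (client)");

#Test 12: ALPN handshake (server support only)
$proxy->clear();
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS,
               "ALPN handshake test (server)");

#Test 13: ALPN handshake (client and server)
$proxy->clear();
$proxy->clientflags("-alpn test");
$proxy->serverflags("-alpn test");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::ALPN_CLI_EXTENSION
               | checkhandshake::ALPN_SRV_EXTENSION,
               "ALPN handshake test");

SKIP: {
    # The count of 1 covers Test 14 only.
    skip "No CT, EC or OCSP support in this OpenSSL build", 1
        if disabled("ct") || disabled("ec") || disabled("ocsp");

    #Test 14: SCT handshake (client request only)
    $proxy->clear();
    #Note: -ct also sends status_request
    $proxy->clientflags("-ct");
    $proxy->serverflags("-status_file "
                        .srctop_file("test", "recipes", "ocsp-response.der")
                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
    $proxy->start();
    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                   checkhandshake::DEFAULT_EXTENSIONS
                   | checkhandshake::SCT_CLI_EXTENSION
                   | checkhandshake::SCT_SRV_EXTENSION
                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                   "SCT handshake test");
}

#Test 15: HRR Handshake
# The server is restricted to P-256 and the HelloRetryRequest message
# sequence is expected.
$proxy->clear();
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::KEY_SHARE_HRR_EXTENSION,
               "HRR handshake test");

#Test 16: Resumption handshake with HRR
# Reuses the session file written in Test 1.
$proxy->clear();
$proxy->clientflags("-sess_in ".$session);
$proxy->serverflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
               (checkhandshake::DEFAULT_EXTENSIONS
                | checkhandshake::KEY_SHARE_HRR_EXTENSION
                | checkhandshake::PSK_CLI_EXTENSION
                | checkhandshake::PSK_SRV_EXTENSION),
               "Resumption handshake with HRR test");

#Test 17: Acceptable but non preferred key_share
# The client is restricted to P-256; the server is expected to add
# supported_groups to EncryptedExtensions.
$proxy->clear();
$proxy->clientflags("-curves P-256");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
               checkhandshake::DEFAULT_EXTENSIONS
               | checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION,
               "Acceptable but non preferred key_share");

# Normal-path cleanup of the saved session.
unlink $session;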