From f50306c298390c701046126bd1f48f6fef3ec3ca Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 29 Nov 2016 17:34:10 +0000 Subject: [PATCH] Merge common code between test_tls13messages and test_sslmessages Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: Rich Salz Reviewed-by: Richard Levitte --- test/recipes/70-test_sslmessages.t | 279 ++++++++++++--------------- test/recipes/70-test_tls13messages.t | 228 ++++++++++------------ test/recipes/checkhandshake.pm | 123 ++++++++++++ 3 files changed, 346 insertions(+), 284 deletions(-) create mode 100644 test/recipes/checkhandshake.pm diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index 8f7cfb0712..7e1bf17552 100755 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t @@ -7,11 +7,21 @@ # https://www.openssl.org/source/license.html use strict; -use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/; use OpenSSL::Test::Utils; use File::Temp qw(tempfile); use TLSProxy::Proxy; -my $test_name = "test_tls13messages"; + +# This block needs to run before 'use lib srctop_dir' directives. +BEGIN { + OpenSSL::Test::setup("no_test_here"); +} + +use lib srctop_dir("test", "recipes"); + +use recipes::checkhandshake qw(checkhandshake @handmessages @extensions); + +my $test_name = "test_sslmessages"; setup($test_name); plan skip_all => "TLSProxy isn't usable on $^O" @@ -28,77 +38,6 @@ plan skip_all => "$test_name needs TLS enabled" $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; -use constant { - DEFAULT_HANDSHAKE => 1, - OCSP_HANDSHAKE => 2, - RESUME_HANDSHAKE => 4, - CLIENT_AUTH_HANDSHAKE => 8, - RENEG_HANDSHAKE => 16, - - ALL_HANDSHAKES => 31 -}; - -use constant { - #DEFAULT ALSO INCLUDES SESSION_TICKET_SRV_EXTENSION - DEFAULT_EXTENSIONS => 0x00000003, - SESSION_TICKET_SRV_EXTENSION => 0x00000002, - SERVER_NAME_CLI_EXTENSION => 0x00000004, - SERVER_NAME_SRV_EXTENSION => 0x00000008, - STATUS_REQUEST_CLI_EXTENSION => 0x00000010, - STATUS_REQUEST_SRV_EXTENSION => 0x00000020, - ALPN_CLI_EXTENSION => 0x00000040, - ALPN_SRV_EXTENSION => 0x00000080, - SCT_CLI_EXTENSION => 0x00000100, - RENEGOTIATE_CLI_EXTENSION => 0x00000200 -}; - -my @handmessages = ( - [TLSProxy::Message::MT_CLIENT_HELLO, ALL_HANDSHAKES], - [TLSProxy::Message::MT_SERVER_HELLO, ALL_HANDSHAKES], - [TLSProxy::Message::MT_CERTIFICATE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE_STATUS, OCSP_HANDSHAKE], - #ServerKeyExchange handshakes not currently supported by TLSProxy - [TLSProxy::Message::MT_CERTIFICATE_REQUEST, CLIENT_AUTH_HANDSHAKE], - [TLSProxy::Message::MT_SERVER_HELLO_DONE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE, CLIENT_AUTH_HANDSHAKE], - [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE_VERIFY, CLIENT_AUTH_HANDSHAKE], - [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES], - [TLSProxy::Message::MT_NEW_SESSION_TICKET, ALL_HANDSHAKES & ~RESUME_HANDSHAKE], - [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES], - [TLSProxy::Message::MT_CLIENT_HELLO, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_SERVER_HELLO, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_SERVER_HELLO_DONE, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_NEW_SESSION_TICKET, RENEG_HANDSHAKE], - [TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE], - [0, 0] -); - -my @extensions = ( - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, SERVER_NAME_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, STATUS_REQUEST_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ALPN_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, SCT_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, RENEGOTIATE_CLI_EXTENSION], - - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, SESSION_TICKET_SRV_EXTENSION], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME, SERVER_NAME_SRV_EXTENSION], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, STATUS_REQUEST_SRV_EXTENSION], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN, ALPN_SRV_EXTENSION], - [0,0,0] -); my $proxy = TLSProxy::Proxy->new( undef, @@ -107,7 +46,97 @@ my $proxy = TLSProxy::Proxy->new( (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); -sub checkmessages($$$); +sub checkhandshake($$$$$); + +@handmessages = ( + [TLSProxy::Message::MT_CLIENT_HELLO, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_SERVER_HELLO, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_CERTIFICATE, + recipes::checkhandshake::ALL_HANDSHAKES + & ~recipes::checkhandshake::RESUME_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE_STATUS, + recipes::checkhandshake::OCSP_HANDSHAKE], + #ServerKeyExchange handshakes not currently supported by TLSProxy + [TLSProxy::Message::MT_CERTIFICATE_REQUEST, + recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE], + [TLSProxy::Message::MT_SERVER_HELLO_DONE, + recipes::checkhandshake::ALL_HANDSHAKES + & ~recipes::checkhandshake::RESUME_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE, + recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE], + [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, + recipes::checkhandshake::ALL_HANDSHAKES + & ~recipes::checkhandshake::RESUME_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE_VERIFY, + recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE], + [TLSProxy::Message::MT_FINISHED, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_NEW_SESSION_TICKET, + recipes::checkhandshake::ALL_HANDSHAKES + & ~recipes::checkhandshake::RESUME_HANDSHAKE], + [TLSProxy::Message::MT_FINISHED, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_CLIENT_HELLO, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_SERVER_HELLO, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_SERVER_HELLO_DONE, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_FINISHED, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_NEW_SESSION_TICKET, + recipes::checkhandshake::RENEG_HANDSHAKE], + [TLSProxy::Message::MT_FINISHED, + recipes::checkhandshake::RENEG_HANDSHAKE], + [0, 0] +); + +@extensions = ( + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, + recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, + recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, + recipes::checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, + recipes::checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, + recipes::checkhandshake::RENEGOTIATE_CLI_EXTENSION], + + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, + recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME, + recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, + recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN, + recipes::checkhandshake::ALPN_SRV_EXTENSION], + [0,0,0] +); #Test 1: Check we get all the right messages for a default handshake (undef, my $session) = tempfile(); @@ -115,15 +144,18 @@ $proxy->serverconnects(2); $proxy->clientflags("-no_tls1_3 -sess_out ".$session); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 5; -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS, "Default handshake test"); +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, + "Default handshake test"); #Test 2: Resumption handshake $proxy->clearClient(); $proxy->clientflags("-no_tls1_3 -sess_in ".$session); $proxy->clientstart(); -checkmessages(RESUME_HANDSHAKE, - DEFAULT_EXTENSIONS & ~SESSION_TICKET_SRV_EXTENSION, - "Resumption handshake test"); +checkhandshake($proxy, recipes::checkhandshake::RESUME_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + & ~recipes::checkhandshake::SESSION_TICKET_SRV_EXTENSION, + "Resumption handshake test"); unlink $session; #Test 3: A default handshake, but with a CertificateStatus message @@ -132,97 +164,28 @@ $proxy->clientflags("-no_tls1_3 -status"); $proxy->serverflags("-status_file " .srctop_file("test", "recipes", "ocsp-response.der")); $proxy->start(); -checkmessages(OCSP_HANDSHAKE, - DEFAULT_EXTENSIONS | STATUS_REQUEST_CLI_EXTENSION - | STATUS_REQUEST_SRV_EXTENSION, - "OCSP handshake test"); +checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION + | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION, + "OCSP handshake test"); #Test 4: A client auth handshake $proxy->clear(); $proxy->clientflags("-no_tls1_3 -cert ".srctop_file("apps", "server.pem")); $proxy->serverflags("-Verify 5"); $proxy->start(); -checkmessages(CLIENT_AUTH_HANDSHAKE, DEFAULT_EXTENSIONS, - "Client auth handshake test"); +checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, + "Client auth handshake test"); #Test 5: A handshake with a renegotiation $proxy->clear(); $proxy->clientflags("-no_tls1_3"); $proxy->reneg(1); $proxy->start(); -checkmessages(RENEG_HANDSHAKE, DEFAULT_EXTENSIONS, - "Rengotiation handshake test"); +checkhandshake($proxy, recipes::checkhandshake::RENEG_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, + "Rengotiation handshake test"); -sub checkmessages($$$) -{ - my ($handtype, $exttype, $testname) = @_; - subtest $testname => sub { - my $loop = 0; - my $numtests; - my $extcount; - my $clienthelloseen = 0; - - #First count the number of tests - for ($numtests = 0; $handmessages[$loop][1] != 0; $loop++) { - $numtests++ if (($handmessages[$loop][1] & $handtype) != 0); - } - - #Add number of extensions we check plus 2 for the number of messages - #that contain extensions - $numtests += $#extensions + 2; - #In a renegotiation we will have double the number of extension tests - if (($handtype & RENEG_HANDSHAKE) != 0) { - $numtests += $#extensions + 2; - } - - plan tests => $numtests; - - my $nextmess = 0; - my $message = undef; - for ($loop = 0; $handmessages[$loop][1] != 0; $loop++) { - next if (($handmessages[$loop][1] & $handtype) == 0); - if (scalar @{$proxy->message_list} > $nextmess) { - $message = ${$proxy->message_list}[$nextmess]; - $nextmess++; - } else { - $message = undef; - } - if (!defined $message) { - fail("Message type check. Got nothing, expected " - .$handmessages[$loop][0]); - next; - } else { - ok($message->mt == $handmessages[$loop][0], - "Message type check. Got ".$message->mt - .", expected ".$handmessages[$loop][0]); - } - - next if ($message->mt() != TLSProxy::Message::MT_CLIENT_HELLO - && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO - && $message->mt() != - TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS); - - if ($message->mt() == TLSProxy::Message::MT_CLIENT_HELLO) { - #Add renegotiate extension we will expect if renegotiating - $exttype |= RENEGOTIATE_CLI_EXTENSION if ($clienthelloseen); - $clienthelloseen = 1; - } - #Now check that we saw the extensions we expected - my $msgexts = $message->extension_data(); - for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0; - $extloop++) { - next if ($message->mt() != $extensions[$extloop][0]); - ok (($extensions[$extloop][2] & $exttype) == 0 - || defined ($msgexts->{$extensions[$extloop][1]}), - "Extension presence check (Message: ".$message->mt() - ." Extension: ".($extensions[$extloop][2] & $exttype).", " - .$extloop.")"); - $extcount++ if (($extensions[$extloop][2] & $exttype) != 0); - } - ok($extcount == keys %$msgexts, "Extensions count mismatch (" - .$extcount.", ".(keys %$msgexts) - .")"); - } - } -} diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index b59bb5279b..6a5783b8b4 100755 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -7,10 +7,20 @@ # https://www.openssl.org/source/license.html use strict; -use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/; use OpenSSL::Test::Utils; use File::Temp qw(tempfile); use TLSProxy::Proxy; + +# This block needs to run before 'use lib srctop_dir' directives. +BEGIN { + OpenSSL::Test::setup("no_test_here"); +} + +use lib srctop_dir("test", "recipes"); + +use recipes::checkhandshake qw(checkhandshake @handmessages @extensions); + my $test_name = "test_tls13messages"; setup($test_name); @@ -29,58 +39,66 @@ plan skip_all => "$test_name needs TLSv1.3 enabled" $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); -use constant { - DEFAULT_HANDSHAKE => 1, - OCSP_HANDSHAKE => 2, - RESUME_HANDSHAKE => 4, - CLIENT_AUTH_HANDSHAKE => 8, - ALL_HANDSHAKES => 15 -}; -use constant { - DEFAULT_EXTENSIONS => 0x00000001, - SERVER_NAME_CLI_EXTENSION => 0x00000002, - SERVER_NAME_SRV_EXTENSION => 0x00000004, - STATUS_REQUEST_CLI_EXTENSION => 0x00000008, - STATUS_REQUEST_SRV_EXTENSION => 0x00000010, - ALPN_CLI_EXTENSION => 0x00000020, - ALPN_SRV_EXTENSION => 0x00000040, - SCT_CLI_EXTENSION => 0x00000080 -}; - -my @handmessages = ( - [TLSProxy::Message::MT_CLIENT_HELLO, ALL_HANDSHAKES], - [TLSProxy::Message::MT_SERVER_HELLO, ALL_HANDSHAKES], - [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, ALL_HANDSHAKES], - [TLSProxy::Message::MT_CERTIFICATE_REQUEST, CLIENT_AUTH_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE_STATUS, OCSP_HANDSHAKE], - [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES], - [TLSProxy::Message::MT_CERTIFICATE, CLIENT_AUTH_HANDSHAKE], - [TLSProxy::Message::MT_CERTIFICATE_VERIFY, CLIENT_AUTH_HANDSHAKE], - [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES], +@handmessages = ( + [TLSProxy::Message::MT_CLIENT_HELLO, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_SERVER_HELLO, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_CERTIFICATE_REQUEST, + recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE, + recipes::checkhandshake::ALL_HANDSHAKES & ~recipes::checkhandshake::RESUME_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE_STATUS, + recipes::checkhandshake::OCSP_HANDSHAKE], + [TLSProxy::Message::MT_FINISHED, + recipes::checkhandshake::ALL_HANDSHAKES], + [TLSProxy::Message::MT_CERTIFICATE, + recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE], + [TLSProxy::Message::MT_CERTIFICATE_VERIFY, + recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE], + [TLSProxy::Message::MT_FINISHED, + recipes::checkhandshake::ALL_HANDSHAKES], [0, 0] ); -my @extensions = ( - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, SERVER_NAME_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, STATUS_REQUEST_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, ALPN_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, SCT_CLI_EXTENSION], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, DEFAULT_EXTENSIONS], +@extensions = ( + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME, + recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST, + recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN, + recipes::checkhandshake::ALPN_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT, + recipes::checkhandshake::SCT_CLI_EXTENSION], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE, + recipes::checkhandshake::DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS, + recipes::checkhandshake::DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, DEFAULT_EXTENSIONS], + [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, + recipes::checkhandshake::DEFAULT_EXTENSIONS], - [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME, SERVER_NAME_SRV_EXTENSION], - [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_STATUS_REQUEST, STATUS_REQUEST_SRV_EXTENSION], - [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN, ALPN_SRV_EXTENSION], + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME, + recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION], + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_STATUS_REQUEST, + recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION], + [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN, + recipes::checkhandshake::ALPN_SRV_EXTENSION], [0,0,0] ); @@ -91,15 +109,15 @@ my $proxy = TLSProxy::Proxy->new( (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); -sub checkmessages($$$); - #Test 1: Check we get all the right messages for a default handshake (undef, my $session) = tempfile(); #$proxy->serverconnects(2); $proxy->clientflags("-sess_out ".$session); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 12; -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS, "Default handshake test"); +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, + "Default handshake test"); #TODO(TLS1.3): Test temporarily disabled until we implement TLS1.3 resumption #Test 2: Resumption handshake @@ -113,8 +131,9 @@ unlink $session; $proxy->clear(); $proxy->clientflags("-status"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, - DEFAULT_EXTENSIONS | STATUS_REQUEST_CLI_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION, "status_request handshake test (client)"); #Test 4: A status_request handshake (server support only) @@ -122,7 +141,8 @@ $proxy->clear(); $proxy->serverflags("-status_file " .srctop_file("test", "recipes", "ocsp-response.der")); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, "status_request handshake test (server)"); #Test 5: A status_request handshake (client and server) @@ -134,9 +154,10 @@ $proxy->clientflags("-status"); $proxy->serverflags("-status_file " .srctop_file("test", "recipes", "ocsp-response.der")); $proxy->start(); -checkmessages(OCSP_HANDSHAKE, - DEFAULT_EXTENSIONS | STATUS_REQUEST_CLI_EXTENSION - | STATUS_REQUEST_SRV_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION + | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION, "status_request handshake test"); #Test 6: A client auth handshake @@ -144,21 +165,25 @@ $proxy->clear(); $proxy->clientflags("-cert ".srctop_file("apps", "server.pem")); $proxy->serverflags("-Verify 5"); $proxy->start(); -checkmessages(CLIENT_AUTH_HANDSHAKE, DEFAULT_EXTENSIONS, +checkhandshake($proxy, recipes::checkhandshake::CLIENT_AUTH_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, "Client auth handshake test"); #Test 7: Server name handshake (client request only) $proxy->clear(); $proxy->clientflags("-servername testhost"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS | SERVER_NAME_CLI_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION, "Server name handshake test (client)"); #Test 8: Server name handshake (server support only) $proxy->clear(); $proxy->serverflags("-servername testhost"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, "Server name handshake test (server)"); #Test 9: Server name handshake (client and server) @@ -166,23 +191,27 @@ $proxy->clear(); $proxy->clientflags("-servername testhost"); $proxy->serverflags("-servername testhost"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, - DEFAULT_EXTENSIONS | SERVER_NAME_CLI_EXTENSION - | SERVER_NAME_SRV_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::SERVER_NAME_CLI_EXTENSION + | recipes::checkhandshake::SERVER_NAME_SRV_EXTENSION, "Server name handshake test"); #Test 10: ALPN handshake (client request only) $proxy->clear(); $proxy->clientflags("-alpn test"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS | ALPN_CLI_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::ALPN_CLI_EXTENSION, "ALPN handshake test (client)"); #Test 11: ALPN handshake (server support only) $proxy->clear(); $proxy->serverflags("-alpn test"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, DEFAULT_EXTENSIONS, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS, "ALPN handshake test (server)"); #Test 12: ALPN handshake (client and server) @@ -190,8 +219,10 @@ $proxy->clear(); $proxy->clientflags("-alpn test"); $proxy->serverflags("-alpn test"); $proxy->start(); -checkmessages(DEFAULT_HANDSHAKE, - DEFAULT_EXTENSIONS | ALPN_CLI_EXTENSION | ALPN_SRV_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::DEFAULT_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::ALPN_CLI_EXTENSION + | recipes::checkhandshake::ALPN_SRV_EXTENSION, "ALPN handshake test"); #Test 13: SCT handshake (client request only) @@ -207,64 +238,9 @@ $proxy->clientflags("-ct"); $proxy->serverflags("-status_file " .srctop_file("test", "recipes", "ocsp-response.der")); $proxy->start(); -checkmessages(OCSP_HANDSHAKE, - DEFAULT_EXTENSIONS | SCT_CLI_EXTENSION - | STATUS_REQUEST_CLI_EXTENSION | STATUS_REQUEST_SRV_EXTENSION, +checkhandshake($proxy, recipes::checkhandshake::OCSP_HANDSHAKE, + recipes::checkhandshake::DEFAULT_EXTENSIONS + | recipes::checkhandshake::SCT_CLI_EXTENSION + | recipes::checkhandshake::STATUS_REQUEST_CLI_EXTENSION + | recipes::checkhandshake::STATUS_REQUEST_SRV_EXTENSION, "SCT handshake test"); - -sub checkmessages($$$) -{ - my ($handtype, $exttype, $testname) = @_; - - subtest $testname => sub { - my $loop = 0; - my $numtests; - my $extcount; - - #First count the number of tests - for ($numtests = 1; $handmessages[$loop][1] != 0; $loop++) { - $numtests++ if (($handmessages[$loop][1] & $handtype) != 0); - } - - #Add number of extensions we check plus 3 for the number of messages - #that contain extensions - $numtests += $#extensions + 3; - - plan tests => $numtests; - - $loop = 0; - foreach my $message (@{$proxy->message_list}) { - for (; $handmessages[$loop][1] != 0 - && ($handmessages[$loop][1] & $handtype) == 0; $loop++) { - next; - } - ok($handmessages[$loop][1] != 0 - && $message->mt == $handmessages[$loop][0], - "Message type check. Got ".$message->mt - .", expected ".$handmessages[$loop][0]); - $loop++; - - - next if ($message->mt() != TLSProxy::Message::MT_CLIENT_HELLO - && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO - && $message->mt() != - TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS); - #Now check that we saw the extensions we expected - my $msgexts = $message->extension_data(); - for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0; - $extloop++) { - next if ($message->mt() != $extensions[$extloop][0]); - ok (($extensions[$extloop][2] & $exttype) == 0 - || defined ($msgexts->{$extensions[$extloop][1]}), - "Extension presence check (Message: ".$message->mt() - ." Extension: ".($extensions[$extloop][2] & $exttype).", " - .$extloop.")"); - $extcount++ if (($extensions[$extloop][2] & $exttype) != 0); - } - ok($extcount == keys %$msgexts, "Extensions count mismatch (" - .$extcount.", ".(keys %$msgexts) - .")"); - } - ok($handmessages[$loop][1] == 0, "All expected messages processed"); - } -} diff --git a/test/recipes/checkhandshake.pm b/test/recipes/checkhandshake.pm new file mode 100644 index 0000000000..04ca9296c7 --- /dev/null +++ b/test/recipes/checkhandshake.pm @@ -0,0 +1,123 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +package recipes::checkhandshake; + +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; + +use Exporter; +our @ISA = 'Exporter'; +our @EXPORT = qw(@handmessages @extensions checkhandshake); + +use constant { + DEFAULT_HANDSHAKE => 1, + OCSP_HANDSHAKE => 2, + RESUME_HANDSHAKE => 4, + CLIENT_AUTH_HANDSHAKE => 8, + RENEG_HANDSHAKE => 16, + + ALL_HANDSHAKES => 31 +}; + +use constant { + #DEFAULT ALSO INCLUDES SESSION_TICKET_SRV_EXTENSION + DEFAULT_EXTENSIONS => 0x00000003, + SESSION_TICKET_SRV_EXTENSION => 0x00000002, + SERVER_NAME_CLI_EXTENSION => 0x00000004, + SERVER_NAME_SRV_EXTENSION => 0x00000008, + STATUS_REQUEST_CLI_EXTENSION => 0x00000010, + STATUS_REQUEST_SRV_EXTENSION => 0x00000020, + ALPN_CLI_EXTENSION => 0x00000040, + ALPN_SRV_EXTENSION => 0x00000080, + SCT_CLI_EXTENSION => 0x00000100, + RENEGOTIATE_CLI_EXTENSION => 0x00000200 +}; + +our @handmessages = (); +our @extensions = (); + +sub checkhandshake($$$$) +{ + my ($proxy, $handtype, $exttype, $testname) = @_; + + subtest $testname => sub { + my $loop = 0; + my $numtests; + my $extcount; + my $clienthelloseen = 0; + + #First count the number of tests + for ($numtests = 0; $handmessages[$loop][1] != 0; $loop++) { + $numtests++ if (($handmessages[$loop][1] & $handtype) != 0); + } + + #Add number of extensions we check plus 2 for the number of messages + #that contain extensions + $numtests += $#extensions + 2; + #In a renegotiation we will have double the number of extension tests + if (($handtype & RENEG_HANDSHAKE) != 0) { + $numtests += $#extensions + 2; + } + #In TLS1.3 there are 3 messages with extensions (and no renegotiations) + $numtests += 1 if ($proxy->is_tls13()); + + plan tests => $numtests; + + my $nextmess = 0; + my $message = undef; + for ($loop = 0; $handmessages[$loop][1] != 0; $loop++) { + next if (($handmessages[$loop][1] & $handtype) == 0); + if (scalar @{$proxy->message_list} > $nextmess) { + $message = ${$proxy->message_list}[$nextmess]; + $nextmess++; + } else { + $message = undef; + } + if (!defined $message) { + fail("Message type check. Got nothing, expected " + .$handmessages[$loop][0]); + next; + } else { + ok($message->mt == $handmessages[$loop][0], + "Message type check. Got ".$message->mt + .", expected ".$handmessages[$loop][0]); + } + + next if ($message->mt() != TLSProxy::Message::MT_CLIENT_HELLO + && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO + && $message->mt() != + TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS); + + if ($message->mt() == TLSProxy::Message::MT_CLIENT_HELLO) { + #Add renegotiate extension we will expect if renegotiating + $exttype |= RENEGOTIATE_CLI_EXTENSION if ($clienthelloseen); + $clienthelloseen = 1; + } + #Now check that we saw the extensions we expected + my $msgexts = $message->extension_data(); + + for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0; + $extloop++) { + next if ($message->mt() != $extensions[$extloop][0]); + ok (($extensions[$extloop][2] & $exttype) == 0 + || defined ($msgexts->{$extensions[$extloop][1]}), + "Extension presence check (Message: ".$message->mt() + ." Extension: ".($extensions[$extloop][2] & $exttype).", " + .$extloop.")"); + $extcount++ if (($extensions[$extloop][2] & $exttype) != 0); + } + ok($extcount == keys %$msgexts, "Extensions count mismatch (" + .$extcount.", ".(keys %$msgexts) + .")"); + } + } +} + +1;