Teach TLSProxy how to parse CertificateRequest messages

We also use this in test_tls13messages to check that the extensions we
expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)

test/recipes/70-test_sslmessages.t

@@ -95,58 +95,81 @@ my $proxy = TLSProxy::Proxy->new(
 
 @extensions = (
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     (disabled("ec") ? () :
                       [TLSProxy::Message::MT_CLIENT_HELLO,
                        TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+                       TLSProxy::Message::CLIENT,
                        checkhandshake::DEFAULT_EXTENSIONS]),
     (disabled("ec") ? () :
                       [TLSProxy::Message::MT_CLIENT_HELLO,
                        TLSProxy::Message::EXT_EC_POINT_FORMATS,
+                       TLSProxy::Message::CLIENT,
                        checkhandshake::DEFAULT_EXTENSIONS]),
     (disabled("tls1_2") ? () :
      [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
          checkhandshake::DEFAULT_EXTENSIONS]),
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::RENEGOTIATE_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_NPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::NPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SRP,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SRP_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_RENEGOTIATE,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::SERVER,
         checkhandshake::SESSION_TICKET_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::SERVER,
         checkhandshake::SERVER_NAME_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::SERVER,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::SERVER,
         checkhandshake::ALPN_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::SERVER,
         checkhandshake::SCT_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_NPN,
+        TLSProxy::Message::SERVER,
         checkhandshake::NPN_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::SERVER,
         checkhandshake::EC_POINT_FORMAT_SRV_EXTENSION],
-    [0,0,0]
+    [0,0,0,0]
 );
 
 #Test 1: Check we get all the right messages for a default handshake

test/recipes/70-test_tls13kexmodes.t

@@ -65,78 +65,112 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 
 @extensions = (
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_KEX_MODES_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::KEY_SHARE_HRR_EXTENSION],
 
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_KEX_MODES_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::KEY_SHARE_SRV_EXTENSION],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::SERVER,
         checkhandshake::PSK_SRV_EXTENSION],
 
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::SERVER,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
-    [0,0,0]
+    [0,0,0,0]
 );
 
 use constant {

test/recipes/70-test_tls13messages.t

@@ -65,92 +65,136 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 
 @extensions = (
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
+        TLSProxy::Message::CLIENT,
         checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::KEY_SHARE_HRR_EXTENSION],
 
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SERVER_NAME_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::CLIENT,
         checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::CLIENT,
         checkhandshake::ALPN_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::CLIENT,
         checkhandshake::SCT_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ENCRYPT_THEN_MAC,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SESSION_TICKET,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK_KEX_MODES,
+        TLSProxy::Message::CLIENT,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::CLIENT,
         checkhandshake::PSK_CLI_EXTENSION],
     [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_POST_HANDSHAKE_AUTH,
+        TLSProxy::Message::CLIENT,
         checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION],
 
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
+        TLSProxy::Message::SERVER,
         checkhandshake::DEFAULT_EXTENSIONS],
     [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_PSK,
+        TLSProxy::Message::SERVER,
         checkhandshake::PSK_SRV_EXTENSION],
 
     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SERVER_NAME,
+        TLSProxy::Message::SERVER,
         checkhandshake::SERVER_NAME_SRV_EXTENSION],
     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_ALPN,
+        TLSProxy::Message::SERVER,
         checkhandshake::ALPN_SRV_EXTENSION],
     [TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
+        TLSProxy::Message::SERVER,
         checkhandshake::SUPPORTED_GROUPS_SRV_EXTENSION],
 
+    [TLSProxy::Message::MT_CERTIFICATE_REQUEST, TLSProxy::Message::EXT_SIG_ALGS,
+        TLSProxy::Message::SERVER,
+        checkhandshake::DEFAULT_EXTENSIONS],
+
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
+        TLSProxy::Message::SERVER,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
+        TLSProxy::Message::SERVER,
         checkhandshake::SCT_SRV_EXTENSION],
 
-    [0,0,0]
+    [0,0,0,0]
 );
 
 my $proxy = TLSProxy::Proxy->new(
@@ -166,7 +210,7 @@ $proxy->serverconnects(2);
 $proxy->clientflags("-sess_out ".$session);
 $proxy->sessionfile($session);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 16;
+plan tests => 17;
 checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                checkhandshake::DEFAULT_EXTENSIONS,
                "Default handshake test");
@@ -182,7 +226,7 @@ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
                "Resumption handshake test");
 
 SKIP: {
-    skip "No OCSP support in this OpenSSL build", 3
+    skip "No OCSP support in this OpenSSL build", 4
         if disabled("ct") || disabled("ec") || disabled("ocsp");
     #Test 3: A status_request handshake (client request only)
     $proxy->clear();
@@ -213,9 +257,23 @@ SKIP: {
                    | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
                    | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
                    "status_request handshake test");
+
+    #Test 6: A status_request handshake (client and server) with client auth
+    $proxy->clear();
+    $proxy->clientflags("-status -enable_pha -cert "
+                        .srctop_file("apps", "server.pem"));
+    $proxy->serverflags("-Verify 5 -status_file "
+                        .srctop_file("test", "recipes", "ocsp-response.der"));
+    $proxy->start();
+    checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
+                   checkhandshake::DEFAULT_EXTENSIONS
+                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION
+                   | checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
+                   "status_request handshake with client auth test");
 }
 
-#Test 6: A client auth handshake
+#Test 7: A client auth handshake
 $proxy->clear();
 $proxy->clientflags("-enable_pha -cert ".srctop_file("apps", "server.pem"));
 $proxy->serverflags("-Verify 5");
@@ -225,7 +283,7 @@ checkhandshake($proxy, checkhandshake::CLIENT_AUTH_HANDSHAKE,
                checkhandshake::POST_HANDSHAKE_AUTH_CLI_EXTENSION,
                "Client auth handshake test");
 
-#Test 7: Server name handshake (no client request)
+#Test 8: Server name handshake (no client request)
 $proxy->clear();
 $proxy->clientflags("-noservername");
 $proxy->start();
@@ -234,7 +292,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
                "Server name handshake test (client)");
 
-#Test 8: Server name handshake (server support only)
+#Test 9: Server name handshake (server support only)
 $proxy->clear();
 $proxy->clientflags("-noservername");
 $proxy->serverflags("-servername testhost");
@@ -244,7 +302,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                & ~checkhandshake::SERVER_NAME_CLI_EXTENSION,
                "Server name handshake test (server)");
 
-#Test 9: Server name handshake (client and server)
+#Test 10: Server name handshake (client and server)
 $proxy->clear();
 $proxy->clientflags("-servername testhost");
 $proxy->serverflags("-servername testhost");
@@ -254,7 +312,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                | checkhandshake::SERVER_NAME_SRV_EXTENSION,
                "Server name handshake test");
 
-#Test 10: ALPN handshake (client request only)
+#Test 11: ALPN handshake (client request only)
 $proxy->clear();
 $proxy->clientflags("-alpn test");
 $proxy->start();
@@ -263,7 +321,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                | checkhandshake::ALPN_CLI_EXTENSION,
                "ALPN handshake test (client)");
 
-#Test 11: ALPN handshake (server support only)
+#Test 12: ALPN handshake (server support only)
 $proxy->clear();
 $proxy->serverflags("-alpn test");
 $proxy->start();
@@ -271,7 +329,7 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                checkhandshake::DEFAULT_EXTENSIONS,
                "ALPN handshake test (server)");
 
-#Test 12: ALPN handshake (client and server)
+#Test 13: ALPN handshake (client and server)
 $proxy->clear();
 $proxy->clientflags("-alpn test");
 $proxy->serverflags("-alpn test");
@@ -286,7 +344,7 @@ SKIP: {
     skip "No CT, EC or OCSP support in this OpenSSL build", 1
         if disabled("ct") || disabled("ec") || disabled("ocsp");
 
-    #Test 13: SCT handshake (client request only)
+    #Test 14: SCT handshake (client request only)
     $proxy->clear();
     #Note: -ct also sends status_request
     $proxy->clientflags("-ct");
@@ -303,10 +361,7 @@ SKIP: {
                    "SCT handshake test");
 }
 
-
+#Test 15: HRR Handshake
-
-
-#Test 14: HRR Handshake
 $proxy->clear();
 $proxy->serverflags("-curves P-256");
 $proxy->start();
@@ -315,7 +370,7 @@ checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
                | checkhandshake::KEY_SHARE_HRR_EXTENSION,
                "HRR handshake test");
 
-#Test 15: Resumption handshake with HRR
+#Test 16: Resumption handshake with HRR
 $proxy->clear();
 $proxy->clientflags("-sess_in ".$session);
 $proxy->serverflags("-curves P-256");
@@ -327,7 +382,7 @@ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
                 | checkhandshake::PSK_SRV_EXTENSION),
                "Resumption handshake with HRR test");
 
-#Test 16: Acceptable but non preferred key_share
+#Test 17: Acceptable but non preferred key_share
 $proxy->clear();
 $proxy->clientflags("-curves P-256");
 $proxy->start();

util/perl/TLSProxy/CertificateRequest.pm

@@ -0,0 +1,105 @@
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::CertificateRequest;
+
+use vars '@ISA';
+push @ISA, 'TLSProxy::Message';
+
+sub new
+{
+    my $class = shift;
+    my ($server,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens) = @_;
+
+    my $self = $class->SUPER::new(
+        $server,
+        TLSProxy::Message::MT_CERTIFICATE_REQUEST,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens);
+
+    $self->{extension_data} = "";
+
+    return $self;
+}
+
+sub parse
+{
+    my $self = shift;
+    my $ptr = 1;
+
+    if (TLSProxy::Proxy->is_tls13()) {
+        my $request_ctx_len = unpack('C', $self->data);
+        my $request_ctx = substr($self->data, $ptr, $request_ctx_len);
+        $ptr += $request_ctx_len;
+
+        my $extensions_len = unpack('n', substr($self->data, $ptr));
+        $ptr += 2;
+        my $extension_data = substr($self->data, $ptr);
+        if (length($extension_data) != $extensions_len) {
+            die "Invalid extension length\n";
+        }
+        my %extensions = ();
+        while (length($extension_data) >= 4) {
+            my ($type, $size) = unpack("nn", $extension_data);
+            my $extdata = substr($extension_data, 4, $size);
+            $extension_data = substr($extension_data, 4 + $size);
+            $extensions{$type} = $extdata;
+        }
+        $self->extension_data(\%extensions);
+
+        print "    Extensions Len:".$extensions_len."\n";
+    }
+    # else parse TLSv1.2 version - we don't support that at the moment
+}
+
+#Reconstruct the on-the-wire message data following changes
+sub set_message_contents
+{
+    my $self = shift;
+    my $data;
+    my $extensions = "";
+
+    foreach my $key (keys %{$self->extension_data}) {
+        my $extdata = ${$self->extension_data}{$key};
+        $extensions .= pack("n", $key);
+        $extensions .= pack("n", length($extdata));
+        $extensions .= $extdata;
+    }
+
+    $data = pack('n', length($extensions));
+    $data .= $extensions;
+    $self->data($data);
+}
+
+#Read/write accessors
+sub extension_data
+{
+    my $self = shift;
+    if (@_) {
+        $self->{extension_data} = shift;
+    }
+    return $self->{extension_data};
+}
+sub set_extension
+{
+    my ($self, $ext_type, $ext_data) = @_;
+    $self->{extension_data}{$ext_type} = $ext_data;
+}
+sub delete_extension
+{
+    my ($self, $ext_type) = @_;
+    delete $self->{extension_data}{$ext_type};
+}
+1;

util/perl/TLSProxy/Message.pm

@@ -129,6 +129,11 @@ use constant {
     CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302
 };
 
+use constant {
+    CLIENT => 0,
+    SERVER => 1
+};
+
 my $payload = "";
 my $messlen = -1;
 my $mt;
@@ -338,6 +343,15 @@ sub create_message
             [@message_frag_lens]
         );
         $message->parse();
+    } elsif ($mt == MT_CERTIFICATE_REQUEST) {
+        $message = TLSProxy::CertificateRequest->new(
+            $server,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+        $message->parse();
     } elsif ($mt == MT_CERTIFICATE_VERIFY) {
         $message = TLSProxy::CertificateVerify->new(
             $server,

util/perl/TLSProxy/Proxy.pm

@@ -19,6 +19,7 @@ use TLSProxy::ClientHello;
 use TLSProxy::ServerHello;
 use TLSProxy::EncryptedExtensions;
 use TLSProxy::Certificate;
+use TLSProxy::CertificateRequest;
 use TLSProxy::CertificateVerify;
 use TLSProxy::ServerKeyExchange;
 use TLSProxy::NewSessionTicket;

util/perl/checkhandshake.pm

@@ -116,7 +116,8 @@ sub checkhandshake($$$$)
                     && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO
                     && $message->mt() !=
                        TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS
-                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE);
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST);
 
             next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE
                     && !TLSProxy::Proxy::is_tls13();
@@ -124,7 +125,7 @@ sub checkhandshake($$$$)
             my $extchnum = 1;
             my $extshnum = 1;
             for (my $extloop = 0;
-                    $extensions[$extloop][2] != 0;
+                    $extensions[$extloop][3] != 0;
                     $extloop++) {
                 $extchnum = 2 if $extensions[$extloop][0] != TLSProxy::Message::MT_CLIENT_HELLO
                                  && TLSProxy::Proxy::is_tls13();
@@ -135,6 +136,7 @@ sub checkhandshake($$$$)
                 next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO
                                  && $extshnum != $shnum;
                 next if ($message->mt() != $extensions[$extloop][0]);
+                next if ($message->server() != $extensions[$extloop][2]);
                 $numtests++;
             }
             $numtests++;
@@ -182,7 +184,8 @@ sub checkhandshake($$$$)
                     && $message->mt() != TLSProxy::Message::MT_SERVER_HELLO
                     && $message->mt() !=
                        TLSProxy::Message::MT_ENCRYPTED_EXTENSIONS
-                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE);
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE
+                    && $message->mt() != TLSProxy::Message::MT_CERTIFICATE_REQUEST);
 
             next if $message->mt() == TLSProxy::Message::MT_CERTIFICATE
                     && !TLSProxy::Proxy::is_tls13();
@@ -197,7 +200,7 @@ sub checkhandshake($$$$)
             my $msgexts = $message->extension_data();
             my $extchnum = 1;
             my $extshnum = 1;
-            for (my $extloop = 0, $extcount = 0; $extensions[$extloop][2] != 0;
+            for (my $extloop = 0, $extcount = 0; $extensions[$extloop][3] != 0;
                                 $extloop++) {
                 #In TLSv1.3 we can have two ClientHellos if there has been a
                 #HelloRetryRequest, and they may have different extensions. Skip
@@ -211,12 +214,13 @@ sub checkhandshake($$$$)
                 next if $extensions[$extloop][0] == TLSProxy::Message::MT_SERVER_HELLO
                                  && $extshnum != $shnum;
                 next if ($message->mt() != $extensions[$extloop][0]);
-                ok (($extensions[$extloop][2] & $exttype) == 0
+                next if ($message->server() != $extensions[$extloop][2]);
+                ok (($extensions[$extloop][3] & $exttype) == 0
                       || defined ($msgexts->{$extensions[$extloop][1]}),
                     "Extension presence check (Message: ".$message->mt()
-                    ." Extension: ".($extensions[$extloop][2] & $exttype).", "
+                    ." Extension: ".($extensions[$extloop][3] & $exttype).", "
                     .$extloop.")");
-                $extcount++ if (($extensions[$extloop][2] & $exttype) != 0);
+                $extcount++ if (($extensions[$extloop][3] & $exttype) != 0);
             }
             ok($extcount == keys %$msgexts, "Extensions count mismatch ("
                                             .$extcount.", ".(keys %$msgexts)