authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>2024-05-30 11:58:23 +0200
committerMatt Caswell <matt@openssl.org>2024-06-27 15:01:01 +0100
commit06e06d44fd6fb8651939bc0d97c523fb473d5c78 (patch)
tree2789e7aab692f856d644462dc573f5922282218b /test/recipes
parent8ce0641f7d314b6fe97430d98f202d7e186dab4f (diff)
Run 70-test_tls13kexmodes.t with dtls
It is currently unsupported because of missing support in TLSProxy. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24525)
Diffstat (limited to 'test/recipes')
-rw-r--r--test/recipes/70-test_tls13kexmodes.t384
1 files changed, 211 insertions, 173 deletions
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index 738f2dcf7c..585d73d78b 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -183,181 +183,219 @@ use constant {
UNKNOWN_KEX_MODES => 4,
BOTH_KEX_MODES => 5
};
+my $testcount = 13;
-my $proxy = TLSProxy::Proxy->new(
- undef,
- cmdstr(app(["openssl"]), display => 1),
- srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-);
+plan tests => 2 * $testcount;
+
+SKIP: {
+ skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3");
+ # Run tests with TLS
+ run_tests(0);
+}
+
+SKIP: {
+ skip "TODO(DTLSv1.3): When enabling sessionfile and dtls TLSProxy hangs after"
+ ." the handshake.", $testcount;
+ skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3");
+ skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/;
+ run_tests(1);
+}
+
+my $testtype = -1;
-#Test 1: First get a session
-(undef, my $session) = tempfile();
-$proxy->clientflags("-no_rx_cert_comp -sess_out ".$session);
-$proxy->serverflags("-no_rx_cert_comp -servername localhost");
-$proxy->sessionfile($session);
-$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 13;
-ok(TLSProxy::Message->success(), "Initial connection");
-
-#Test 2: Attempt a resume with no kex modes extension. Should fail (server
-# MUST abort handshake with pre_shared key and no psk_kex_modes)
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-my $testtype = DELETE_EXTENSION;
-$proxy->filter(\&modify_kex_modes_filter);
-$proxy->start();
-ok(TLSProxy::Message->fail(), "Resume with no kex modes");
-
-#Test 3: Attempt a resume with empty kex modes extension. Should fail (empty
-# extension is invalid)
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$testtype = EMPTY_EXTENSION;
-$proxy->start();
-ok(TLSProxy::Message->fail(), "Resume with empty kex modes");
-
-#Test 4: Attempt a resume with non-dhe kex mode only. Should resume without a
-# key_share
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -allow_no_dhe_kex");
-$testtype = NON_DHE_KEX_MODE_ONLY;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with non-dhe kex mode");
-
-#Test 5: Attempt a resume with dhe kex mode only. Should resume with a key_share
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$testtype = DHE_KEX_MODE_ONLY;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::KEY_SHARE_SRV_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with non-dhe kex mode");
-
-#Test 6: Attempt a resume with only unrecognised kex modes. Should not resume
-# but rather fall back to full handshake
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$testtype = UNKNOWN_KEX_MODES;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::KEY_SHARE_SRV_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION,
- "Resume with unrecognized kex mode");
-
-#Test 7: Attempt a resume with both, non-dhe and dhe kex mode. Should resume with
-# a key_share, even though non-dhe is allowed, but not explicitly preferred.
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in ".$session);
-$proxy->serverflags("-allow_no_dhe_kex");
-$testtype = BOTH_KEX_MODES;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::KEY_SHARE_SRV_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with both kex modes");
-
-#Test 8: Attempt a resume with both, non-dhe and dhe kex mode, but with server-side
-# preference for non-dhe. Should resume without a key_share.
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in ".$session);
-$proxy->serverflags("-allow_no_dhe_kex -prefer_no_dhe_kex");
-$testtype = BOTH_KEX_MODES;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with both kex modes, preference for non-dhe");
-
-#Test 9: Attempt a resume with both, non-dhe and dhe kex mode, with server-side
-# preference for non-dhe, but non-dhe not allowed. Should resume with a key_share.
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in ".$session);
-$proxy->serverflags("-prefer_no_dhe_kex");
-$testtype = BOTH_KEX_MODES;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::KEY_SHARE_SRV_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with both kex modes, preference for but disabled non-dhe");
-
-#Test 10: Attempt a resume with both non-dhe and dhe kex mode, but unacceptable
-# initial key_share. Should resume with a key_share following an HRR
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -curves P-384");
-$testtype = BOTH_KEX_MODES;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::KEY_SHARE_SRV_EXTENSION
- | checkhandshake::KEY_SHARE_HRR_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with both kex modes and HRR");
-
-#Test 11: Attempt a resume with dhe kex mode only and an unacceptable initial
-# key_share. Should resume with a key_share following an HRR
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -curves P-384");
-$testtype = DHE_KEX_MODE_ONLY;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::KEY_SHARE_SRV_EXTENSION
- | checkhandshake::KEY_SHARE_HRR_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with dhe kex mode and HRR");
-
-#Test 12: Attempt a resume with both non-dhe and dhe kex mode, unacceptable
-# initial key_share and no overlapping groups. Should resume without a
-# key_share
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -curves P-384 -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -allow_no_dhe_kex -curves P-256");
-$testtype = BOTH_KEX_MODES;
-$proxy->start();
-checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::PSK_KEX_MODES_EXTENSION
- | checkhandshake::PSK_CLI_EXTENSION
- | checkhandshake::PSK_SRV_EXTENSION,
- "Resume with both kex modes, no overlapping groups");
-
-#Test 13: Attempt a resume with dhe kex mode only, unacceptable
-# initial key_share and no overlapping groups. Should fail
-$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -curves P-384 -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -curves P-256");
-$testtype = DHE_KEX_MODE_ONLY;
-$proxy->start();
-ok(TLSProxy::Message->fail(), "Resume with dhe kex mode, no overlapping groups");
-
-unlink $session;
+sub run_tests
+{
+ my $run_test_as_dtls = shift;
+ my $proxy_start_success = 0;
+
+ (undef, my $session) = tempfile();
+ my $proxy;
+ if ($run_test_as_dtls == 1) {
+ $proxy = TLSProxy::Proxy->new_dtls(
+ undef,
+ cmdstr(app([ "openssl" ]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ );
+ }
+ else {
+ $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app([ "openssl" ]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ );
+ }
+
+ $proxy->clear();
+
+ #Test 1: First get a session
+ $proxy->clientflags("-no_rx_cert_comp -sess_out " . $session);
+ $proxy->serverflags("-no_rx_cert_comp -servername localhost");
+ $proxy->sessionfile($session);
+ $proxy_start_success = $proxy->start();
+ skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0;
+ ok(TLSProxy::Message->success(), "Initial connection");
+
+ #Test 2: Attempt a resume with no kex modes extension. Should fail (server
+ # MUST abort handshake with pre_shared key and no psk_kex_modes)
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -sess_in " . $session);
+ $testtype = DELETE_EXTENSION;
+ $proxy->filter(\&modify_kex_modes_filter);
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "Resume with no kex modes");
+
+ #Test 3: Attempt a resume with empty kex modes extension. Should fail (empty
+ # extension is invalid)
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -sess_in " . $session);
+ $testtype = EMPTY_EXTENSION;
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "Resume with empty kex modes");
+
+ #Test 4: Attempt a resume with non-dhe kex mode only. Should resume without a
+ # key_share
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in " . $session);
+ $proxy->serverflags("-no_rx_cert_comp -allow_no_dhe_kex");
+ $testtype = NON_DHE_KEX_MODE_ONLY;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with non-dhe kex mode");
+
+ #Test 5: Attempt a resume with dhe kex mode only. Should resume with a key_share
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -sess_in " . $session);
+ $testtype = DHE_KEX_MODE_ONLY;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::KEY_SHARE_SRV_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with non-dhe kex mode");
+
+ #Test 6: Attempt a resume with only unrecognised kex modes. Should not resume
+ # but rather fall back to full handshake
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -sess_in " . $session);
+ $testtype = UNKNOWN_KEX_MODES;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::KEY_SHARE_SRV_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION,
+ "Resume with unrecognized kex mode");
+
+ #Test 7: Attempt a resume with both, non-dhe and dhe kex mode. Should resume with
+ # a key_share, even though non-dhe is allowed, but not explicitly preferred.
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in " . $session);
+ $proxy->serverflags("-allow_no_dhe_kex");
+ $testtype = BOTH_KEX_MODES;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::KEY_SHARE_SRV_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with both kex modes");
+
+ #Test 8: Attempt a resume with both, non-dhe and dhe kex mode, but with server-side
+ # preference for non-dhe. Should resume without a key_share.
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in " . $session);
+ $proxy->serverflags("-allow_no_dhe_kex -prefer_no_dhe_kex");
+ $testtype = BOTH_KEX_MODES;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with both kex modes, preference for non-dhe");
+
+ #Test 9: Attempt a resume with both, non-dhe and dhe kex mode, with server-side
+ # preference for non-dhe, but non-dhe not allowed. Should resume with a key_share.
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -sess_in " . $session);
+ $proxy->serverflags("-prefer_no_dhe_kex");
+ $testtype = BOTH_KEX_MODES;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::KEY_SHARE_SRV_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with both kex modes, preference for but disabled non-dhe");
+
+ #Test 10: Attempt a resume with both non-dhe and dhe kex mode, but unacceptable
+ # initial key_share. Should resume with a key_share following an HRR
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -sess_in " . $session);
+ $proxy->serverflags("-no_rx_cert_comp -curves P-384");
+ $testtype = BOTH_KEX_MODES;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::KEY_SHARE_SRV_EXTENSION
+ | checkhandshake::KEY_SHARE_HRR_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with both kex modes and HRR");
+
+ #Test 11: Attempt a resume with dhe kex mode only and an unacceptable initial
+ # key_share. Should resume with a key_share following an HRR
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -sess_in " . $session);
+ $proxy->serverflags("-no_rx_cert_comp -curves P-384");
+ $testtype = DHE_KEX_MODE_ONLY;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::KEY_SHARE_SRV_EXTENSION
+ | checkhandshake::KEY_SHARE_HRR_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with dhe kex mode and HRR");
+
+ #Test 12: Attempt a resume with both non-dhe and dhe kex mode, unacceptable
+ # initial key_share and no overlapping groups. Should resume without a
+ # key_share
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -allow_no_dhe_kex -curves P-384 -sess_in " . $session);
+ $proxy->serverflags("-no_rx_cert_comp -allow_no_dhe_kex -curves P-256");
+ $testtype = BOTH_KEX_MODES;
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::PSK_KEX_MODES_EXTENSION
+ | checkhandshake::PSK_CLI_EXTENSION
+ | checkhandshake::PSK_SRV_EXTENSION,
+ "Resume with both kex modes, no overlapping groups");
+
+ #Test 13: Attempt a resume with dhe kex mode only, unacceptable
+ # initial key_share and no overlapping groups. Should fail
+ $proxy->clear();
+ $proxy->clientflags("-no_rx_cert_comp -curves P-384 -sess_in " . $session);
+ $proxy->serverflags("-no_rx_cert_comp -curves P-256");
+ $testtype = DHE_KEX_MODE_ONLY;
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "Resume with dhe kex mode, no overlapping groups");
+
+ unlink $session;
+}
sub modify_kex_modes_filter
{
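Review bot: The session file created by `tempfile()` at the top of `run_tests` is removed only by the final `unlink $session`, so the early `skip "TLSProxy did not start correctly"` exit, or a die in any later step, leaves it on disk. That file holds the resumable session state written by `-sess_out`, so it is better cleaned up unconditionally, for example with `(undef, my $session) = tempfile(UNLINK => 1);`, assuming this is File::Temp's `tempfile` (the import is outside the hunk). Separately, `my $testtype = -1;` sits below both `run_tests()` calls, so the `-1` is assigned only after the runs have finished and `$testtype` is undefined during Test 1; moving the declaration above the first `SKIP:` block would make the initial value take effect. Test 5 also still reports as `"Resume with non-dhe kex mode"`, the same name as Test 4, which makes a failure ambiguous in harness output; `"Resume with dhe kex mode"` would match its comment.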