authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>2024-05-30 09:04:48 +0200
committerMatt Caswell <matt@openssl.org>2024-06-27 15:01:01 +0100
commit4a53781162480d1085717fdef9ca0b9d355136b1 (patch)
tree8e3e6ded3ba6f53cb1cb25ed1acca8ad9ec0ebb2 /test/recipes
parent218ca61ebf9ae5a75586ed00f13f5c600f8d0dd0 (diff)
Run 70-test_tls13hrr.t with dtls
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24525)
Diffstat (limited to 'test/recipes')
-rw-r--r--test/recipes/70-test_tls13hrr.t208
1 files changed, 139 insertions, 69 deletions
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index d9f6c00d4b..0c3bf39660 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -24,15 +24,12 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled"
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
-plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
+plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled"
+ if disabled("ec") && disabled("dh");
-my $proxy = TLSProxy::Proxy->new(
- undef,
- cmdstr(app(["openssl"]), display => 1),
- srctop_file("apps", "server.pem"),
- (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-);
+my $testcount = 4;
+
+plan tests => 2 * $testcount;
use constant {
CHANGE_HRR_CIPHERSUITE => 0,
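Review bot: The new `skip_all` message says the test needs elliptic curves and diffie-hellman, but the condition `disabled("ec") && disabled("dh")` skips only when both are missing, so either one is enough to run. The text should read `"$test_name needs elliptic curves or diffie-hellman enabled"` so that a skipped run is not misread as requiring both features.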
@@ -41,61 +38,117 @@ use constant {
INVALID_GROUP => 3
};
-#Test 1: A client should fail if the server changes the ciphersuite between the
-# HRR and the SH
-$proxy->filter(\&hrr_filter);
-if (disabled("ec")) {
- $proxy->serverflags("-curves ffdhe3072");
-} else {
- $proxy->serverflags("-curves P-256");
-}
-my $testtype = CHANGE_HRR_CIPHERSUITE;
-$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 4;
-ok(TLSProxy::Message->fail(), "Server ciphersuite changes");
-
-#Test 2: It is an error if the client changes the offered ciphersuites so that
-# we end up selecting a different ciphersuite between HRR and the SH
-$proxy->clear();
-if (disabled("ec")) {
- $proxy->serverflags("-curves ffdhe3072");
-} else {
- $proxy->serverflags("-curves P-384");
-}
-$proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
-$testtype = CHANGE_CH1_CIPHERSUITE;
-$proxy->start();
-ok(TLSProxy::Message->fail(), "Client ciphersuite changes");
-
-#Test 3: A client should fail with unexpected_message alert if the server
-# sends more than 1 HRR
my $fatal_alert = 0;
-$proxy->clear();
-if (disabled("ec")) {
- $proxy->serverflags("-curves ffdhe3072");
-} else {
- $proxy->serverflags("-curves P-384");
+my $testtype = -1;
+
+SKIP: {
+ skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3");
+ # Run tests with TLS
+ run_tests(0);
}
-$testtype = DUPLICATE_HRR;
-$proxy->start();
-ok($fatal_alert, "Server duplicated HRR");
-
-#Test 4: If the client sends a group that is in the supported_groups list but
-# otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it
-# and not consider it when sending the HRR. We send brainpoolP512r1 in
-# the ClientHello, which is acceptable to the server but is not valid in
-# TLSv1.3. We expect the server to select P-521 in the HRR and the
-# handshake to complete successfully
+
SKIP: {
- skip "EC/TLSv1.2 is disabled in this build", 1
- if disabled("ec") || disabled("tls1_2");
-
- $proxy->clear();
- $proxy->clientflags("-groups P-256:brainpoolP512r1:P-521");
- $proxy->serverflags("-groups brainpoolP512r1:P-521");
- $testtype = INVALID_GROUP;
- $proxy->start();
- ok(TLSProxy::Message->success(), "Invalid group with HRR");
+ skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3");
+ skip "DTLSProxy does not support partial messages that are sent when EC is disabled",
+ $testcount if disabled("ec");
+ skip "This test fails in several configurations because DTLSProxy does not support"
+ ." partial messages that are sent", $testcount;
+ skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/;
+ run_tests(1);
+}
+
+sub run_tests
+{
+ my $run_test_as_dtls = shift;
+ my $proxy_start_success = 0;
+
+ my $proxy;
+ if ($run_test_as_dtls == 1) {
+ $proxy = TLSProxy::Proxy->new_dtls(
+ undef,
+ cmdstr(app([ "openssl" ]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ );
+ }
+ else {
+ $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app([ "openssl" ]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+ );
+ }
+
+ SKIP: {
+ skip "TODO(DTLSv1.3): When ECX is disabled running this test with DTLS will hang"
+ ." waiting for s_server to close", 2 if $run_test_as_dtls == 1 && disabled("ecx");
+ #Test 1: A client should fail if the server changes the ciphersuite between the
+ # HRR and the SH
+ $proxy->clear();
+ $proxy->filter(\&hrr_filter);
+ if (disabled("ec")) {
+ $proxy->serverflags("-curves ffdhe3072");
+ }
+ else {
+ $proxy->serverflags("-curves P-256");
+ }
+ $testtype = CHANGE_HRR_CIPHERSUITE;
+ $proxy_start_success = $proxy->start();
+ skip "TLSProxy did not start correctly", 2 if $proxy_start_success == 0;
+ ok(TLSProxy::Message->fail(), "Server ciphersuite changes");
+
+ #Test 2: It is an error if the client changes the offered ciphersuites so that
+ # we end up selecting a different ciphersuite between HRR and the SH
+ $proxy->clear();
+ if (disabled("ec")) {
+ $proxy->serverflags("-curves ffdhe3072");
+ }
+ else {
+ $proxy->serverflags("-curves P-384");
+ }
+ $proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
+ $testtype = CHANGE_CH1_CIPHERSUITE;
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "Client ciphersuite changes");
+ }
+
+ SKIP: {
+ skip "DTLSProxy does not support partial messages that are sent when ECX is disabled",
+ 1 if $run_test_as_dtls == 1 && disabled("ecx");
+ #Test 3: A client should fail with unexpected_message alert if the server
+ # sends more than 1 HRR
+ $fatal_alert = 0;
+ $proxy->clear();
+ if (disabled("ec")) {
+ $proxy->serverflags("-curves ffdhe3072");
+ }
+ else {
+ $proxy->serverflags("-curves P-384");
+ }
+ $testtype = DUPLICATE_HRR;
+ $proxy->start();
+ ok($fatal_alert, "Server duplicated HRR");
+ }
+
+ #Test 4: If the client sends a group that is in the supported_groups list but
+ # otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it
+ # and not consider it when sending the HRR. We send brainpoolP512r1 in
+ # the ClientHello, which is acceptable to the server but is not valid in
+ # TLSv1.3. We expect the server to select P-521 in the HRR and the
+ # handshake to complete successfully
+ SKIP: {
+ skip "EC/(D)TLSv1.2 is disabled in this build", 1
+ if disabled("ec") || ($run_test_as_dtls == 0 && disabled("tls1_2"))
+ || ($run_test_as_dtls == 1 && disabled("dtls1_2"));
+
+ $proxy->clear();
+ $proxy->clientflags("-groups P-256:brainpoolP512r1:P-521");
+ $proxy->serverflags("-groups brainpoolP512r1:P-521");
+ $testtype = INVALID_GROUP;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Invalid group with HRR");
+ }
}
sub hrr_filter
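Review bot: The `skip "This test fails in several configurations ..."` call in the DTLS SKIP block has no condition, so it always leaves the block: the Windows skip after it and `run_tests(1)` are unreachable, and the four DTLS checks (including the ciphersuite-change and duplicated-HRR rejections) are reported as skipped on every build. If that is intended for now, mark it so it can be found again, e.g. `skip "TODO(DTLSv1.3): DTLSProxy does not support partial messages", $testcount;`, and drop or comment out the lines it makes dead. Separately, only the first `$proxy->start()` in `run_tests` is checked, and its `skip ..., 2` leaves only the inner SKIP block, so tests 3 and 4 still run against a proxy that did not start. Skipping the remaining tests on that path, or checking each `start()`, would keep later failures attributable to the right cause.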
@@ -136,15 +189,32 @@ sub hrr_filter
next;
}
my $hrr_record = ${$proxy->record_list}[$i];
- my $dup_hrr = TLSProxy::Record->new(3,
- $hrr_record->content_type(),
- $hrr_record->version(),
- $hrr_record->len(),
- $hrr_record->sslv2(),
- $hrr_record->len_real(),
- $hrr_record->decrypt_len(),
- $hrr_record->data(),
- $hrr_record->decrypt_data());
+
+ my $dup_hrr;
+
+ if ($proxy->isdtls()) {
+ $dup_hrr = TLSProxy::Record->new_dtls(3,
+ $hrr_record->content_type(),
+ $hrr_record->version(),
+ $hrr_record->epoch(),
+ $hrr_record->seq(),
+ $hrr_record->len(),
+ $hrr_record->sslv2(),
+ $hrr_record->len_real(),
+ $hrr_record->decrypt_len(),
+ $hrr_record->data(),
+ $hrr_record->decrypt_data());
+ } else {
+ $dup_hrr = TLSProxy::Record->new(3,
+ $hrr_record->content_type(),
+ $hrr_record->version(),
+ $hrr_record->len(),
+ $hrr_record->sslv2(),
+ $hrr_record->len_real(),
+ $hrr_record->decrypt_len(),
+ $hrr_record->data(),
+ $hrr_record->decrypt_data());
+ }
$i++;
splice @{$proxy->record_list}, $i, 0, $dup_hrr;
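Review bot: The DTLS branch builds the duplicate with the original record's `epoch()` and `seq()`, so the injected record carries the same record sequence number as the HRR it copies. A DTLS receiver may treat such a record as a replay or retransmission and discard it instead of processing a second HRR, in which case the DUPLICATE_HRR check would not reach the unexpected_message path it is meant to cover; this is inferred from the protocol, not from lines visible here. I would add a comment above the `new_dtls` call such as `# TODO(DTLSv1.3): duplicate reuses epoch/seq of the HRR; confirm the client processes it instead of dropping it as a replay`. hrr_filter starts and ends outside this hunk.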