author | Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk> | 2024-05-30 10:51:21 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2024-06-27 15:01:01 +0100 |
commit | a022d72aaac1a593fca6fb0bc616b63b819fa59e (patch) | |
tree | b0586694380e0434a47f0db576be128e0e25cd95 /test/recipes | |
parent | 4a53781162480d1085717fdef9ca0b9d355136b1 (diff) |
Add support for running 70-test_tls13psk.t with dtls
The DTLS run currently has to be skipped because the test fails when run over DTLS.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
Diffstat (limited to 'test/recipes')
-rw-r--r-- | test/recipes/70-test_tls13psk.t | 192 |
1 files changed, 116 insertions, 76 deletions
diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t
index 5607dd604c..e40cf3c678 100644
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@@ -24,91 +24,131 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs TLSv1.3 enabled" - if disabled("tls1_3") || (disabled("ec") && disabled("dh")); +plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" + if disabled("ec") && disabled("dh"); -my $proxy = TLSProxy::Proxy->new( - undef, - cmdstr(app(["openssl"]), display => 1), - srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -); +my $testcount = 5; + +plan tests => 2 * $testcount; use constant { PSK_LAST_FIRST_CH => 0, ILLEGAL_EXT_SECOND_CH => 1 }; -#Most PSK tests are done in test_ssl_new. This tests various failure scenarios -#around PSK - -#Test 1: First get a session -(undef, my $session) = tempfile(); -$proxy->clientflags("-sess_out ".$session); -$proxy->serverflags("-servername localhost"); -$proxy->sessionfile($session); -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 5; -ok(TLSProxy::Message->success(), "Initial connection"); - -#Test 2: Attempt a resume with PSK not in last place. Should fail -$proxy->clear(); -$proxy->clientflags("-sess_in ".$session); -$proxy->filter(\&modify_psk_filter); -my $testtype = PSK_LAST_FIRST_CH; -$proxy->start(); -ok(TLSProxy::Message->fail(), "PSK not last"); - -#Test 3: Attempt a resume after an HRR where PSK hash matches selected -# ciphersuite. Should see PSK on second ClientHello -$proxy->clear(); -$proxy->clientflags("-sess_in ".$session); -if (disabled("ec")) { - $proxy->serverflags("-curves ffdhe3072"); -} else { - $proxy->serverflags("-curves P-384"); +SKIP: { + skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3"); + # Run tests with TLS + run_tests(0); +} + +SKIP: { + skip "TODO(DTLSv1.3): When enabling sessionfile and dtls TLSProxy hangs after" + ." 
the handshake.", $testcount; + skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3"); + skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/; + run_tests(1); } -$proxy->filter(undef); -$proxy->start(); -#Check if the PSK is present in the second ClientHello -my $ch2 = ${$proxy->message_list}[2]; -my $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO; -my $pskseen = $ch2seen - && defined ${$ch2->{extension_data}}{TLSProxy::Message::EXT_PSK}; -ok($pskseen, "PSK hash matches"); - -#Test 4: Attempt a resume after an HRR where PSK hash does not match selected -# ciphersuite. Should not see PSK on second ClientHello -$proxy->clear(); -$proxy->clientflags("-sess_in ".$session); -$proxy->filter(\&modify_psk_filter); -if (disabled("ec")) { - $proxy->serverflags("-curves ffdhe3072"); -} else { - $proxy->serverflags("-curves P-384"); + +my $testtype = -1; + +sub run_tests +{ + my $run_test_as_dtls = shift; + my $proxy_start_success = 0; + + my $proxy; + if ($run_test_as_dtls == 1) { + $proxy = TLSProxy::Proxy->new_dtls( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + else { + $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + + #Most PSK tests are done in test_ssl_new. This tests various failure scenarios + #around PSK + + #Test 1: First get a session + $proxy->clear(); + (undef, my $session) = tempfile(); + $proxy->clientflags("-sess_out " . $session); + $proxy->serverflags("-servername localhost"); + $proxy->sessionfile($session); + $proxy_start_success = $proxy->start(); + skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0; + ok(TLSProxy::Message->success(), "Initial connection"); + + #Test 2: Attempt a resume with PSK not in last place. 
Should fail + $proxy->clear(); + $proxy->clientflags("-sess_in " . $session); + $proxy->filter(\&modify_psk_filter); + $testtype = PSK_LAST_FIRST_CH; + $proxy->start(); + ok(TLSProxy::Message->fail(), "PSK not last"); + + #Test 3: Attempt a resume after an HRR where PSK hash matches selected + # ciphersuite. Should see PSK on second ClientHello + $proxy->clear(); + $proxy->clientflags("-sess_in " . $session); + if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); + } + else { + $proxy->serverflags("-curves P-384"); + } + $proxy->filter(undef); + $proxy->start(); + #Check if the PSK is present in the second ClientHello + my $ch2 = ${$proxy->message_list}[2]; + my $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO; + my $pskseen = $ch2seen + && defined ${$ch2->{extension_data}}{TLSProxy::Message::EXT_PSK}; + ok($pskseen, "PSK hash matches"); + + #Test 4: Attempt a resume after an HRR where PSK hash does not match selected + # ciphersuite. Should not see PSK on second ClientHello + $proxy->clear(); + $proxy->clientflags("-sess_in " . $session); + $proxy->filter(\&modify_psk_filter); + if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); + } + else { + $proxy->serverflags("-curves P-384"); + } + $proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); + $proxy->ciphersuitess("TLS_AES_256_GCM_SHA384"); + #We force an early failure because TLS Proxy doesn't actually support + #TLS_AES_256_GCM_SHA384. That doesn't matter for this test though. + $testtype = ILLEGAL_EXT_SECOND_CH; + $proxy->start(); + #Check if the PSK is present in the second ClientHello + $ch2 = ${$proxy->message_list}[2]; + $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO; + $pskseen = $ch2seen + && defined ${$ch2->extension_data}{TLSProxy::Message::EXT_PSK}; + ok($ch2seen && !$pskseen, "PSK hash does not match"); + + #Test 5: Attempt a resume without a sig agls extension. 
Should succeed because + # sig algs is not needed in a resumption. + $proxy->clear(); + $proxy->clientflags("-sess_in " . $session); + $proxy->filter(\&remove_sig_algs_filter); + $proxy->start(); + ok(TLSProxy::Message->success(), "Remove sig algs"); + + unlink $session; } -$proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); -$proxy->ciphersuitess("TLS_AES_256_GCM_SHA384"); -#We force an early failure because TLS Proxy doesn't actually support -#TLS_AES_256_GCM_SHA384. That doesn't matter for this test though. -$testtype = ILLEGAL_EXT_SECOND_CH; -$proxy->start(); -#Check if the PSK is present in the second ClientHello -$ch2 = ${$proxy->message_list}[2]; -$ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO; -$pskseen = $ch2seen - && defined ${$ch2->extension_data}{TLSProxy::Message::EXT_PSK}; -ok($ch2seen && !$pskseen, "PSK hash does not match"); - -#Test 5: Attempt a resume without a sig agls extension. Should succeed because -# sig algs is not needed in a resumption. -$proxy->clear(); -$proxy->clientflags("-sess_in ".$session); -$proxy->filter(\&remove_sig_algs_filter); -$proxy->start(); -ok(TLSProxy::Message->success(), "Remove sig algs"); - -unlink $session; sub modify_psk_filter { |
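Review bot: The early `skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0;` in run_tests bails out after `(undef, my $session) = tempfile();` has already created the session file, so the `unlink $session;` at the end of the sub is never reached and the file (which holds the resumption PSK once test 1 has written it) is left behind in the temp directory; as far as I recall, File::Temp's list-context tempfile() does not remove it at exit either. Creating it with `(undef, my $session) = tempfile(UNLINK => 1);` covers the skip path while keeping the explicit unlink, or alternatively place `unlink $session;` immediately before the skip. The numeric `== 0` test on start()'s return value would warn under `use warnings` if start() ever returned an empty string or undef, so `unless $proxy_start_success` is the more robust spelling. In the DTLS SKIP block the unconditional TODO skip precedes the `disabled("dtls1_3")` and Windows checks, so the reported skip reason is always the TODO text even on builds without DTLS 1.3; moving the TODO skip after those two checks keeps the reason accurate and avoids leaving dead lines once the TODO is lifted. modify_psk_filter begins on the last context line and its body continues past the end of the hunk.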