From 29be50b727303d7aab282aec66c3eaf12cec4e98 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 30 May 2024 15:46:02 +0200 Subject: Run 70-test_tls13certcomp.t with dtls Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24525) --- test/recipes/70-test_tls13alerts.t | 2 +- test/recipes/70-test_tls13certcomp.t | 214 +++++++++++++++++++++-------------- test/recipes/70-test_tls13cookie.t | 2 +- test/recipes/70-test_tls13hrr.t | 2 +- test/recipes/70-test_tls13psk.t | 2 +- 5 files changed, 130 insertions(+), 92 deletions(-) (limited to 'test/recipes') diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index 130ca70e18..4aefe6b2c2 100644 --- a/test/recipes/70-test_tls13alerts.t +++ b/test/recipes/70-test_tls13alerts.t @@ -23,7 +23,7 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" +plan skip_all => "$test_name needs elliptic curves or diffie-hellman enabled" if disabled("ec") && disabled("dh"); my $testcount = 1; diff --git a/test/recipes/70-test_tls13certcomp.t b/test/recipes/70-test_tls13certcomp.t index e2d65bd87c..3b59ed3474 100644 --- a/test/recipes/70-test_tls13certcomp.t +++ b/test/recipes/70-test_tls13certcomp.t 
@@ -206,93 +206,131 @@ plan skip_all => "$test_name needs compression and algorithms enabled" [0,0,0,0] ); -my $proxy = TLSProxy::Proxy->new( - undef, - cmdstr(app(["openssl"]), display => 1), - srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -); +my $testcount = 8; + +plan tests => 2 * $testcount; + +SKIP: { + skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3"); + # Run tests with TLS + run_tests(0); +} + +SKIP: { + skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3"); + skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/; + run_tests(1); +} + +sub run_tests +{ + my $run_test_as_dtls = shift; + my $proxy_start_success = 0; + + my $proxy; + if ($run_test_as_dtls == 1) { + $proxy = TLSProxy::Proxy->new_dtls( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + else { + $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + + $proxy->clear(); + + #Test 1: Client sends cert comp, but no client auth + $proxy->serverconnects(2); + $proxy->clear(); + $proxy->serverflags("-no_tx_cert_comp -no_rx_cert_comp"); + # One final skip check + $proxy_start_success = $proxy->start(); + skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0; + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_CLI_EXTENSION, + "Client supports certificate compression"); + + #Test 2: Server sends cert comp, no client auth + $proxy->clear(); + $proxy->clientflags("-no_tx_cert_comp -no_rx_cert_comp"); + $proxy->serverflags("-cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_SRV_EXTENSION, + 
"Server supports certificate compression, but no client auth"); + + #Test 3: Both send cert comp, no client auth + $proxy->clear(); + $proxy->serverflags("-cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::CERT_COMP_SRV_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_CLI_EXTENSION + | checkhandshake::CERT_COMP_SRV_EXTENSION, + "Both support certificate compression, but no client auth"); + + SKIP: { + skip "TLSProxy does not support partial messages for dtls", 2 + if $run_test_as_dtls == 1; + #Test 4: Both send cert comp, with client auth + $proxy->clear(); + $proxy->clientflags("-cert " . srctop_file("apps", "server.pem")); + $proxy->serverflags("-Verify 5 -cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::CERT_COMP_BOTH_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_CLI_EXTENSION + | checkhandshake::CERT_COMP_SRV_EXTENSION, + "Both support certificate compression, with client auth"); + + #Test 5: Client-to-server-only certificate compression, with client auth + $proxy->clear(); + $proxy->clientflags("-no_rx_cert_comp -cert " . 
srctop_file("apps", "server.pem")); + $proxy->serverflags("-no_tx_cert_comp -Verify 5 -cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::CERT_COMP_CLI_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_SRV_EXTENSION, + "Client-to-server-only certificate compression, with client auth"); + } + + #Test 6: Server-to-client-only certificate compression + $proxy->clear(); + $proxy->clientflags("-no_tx_cert_comp"); + $proxy->serverflags("-no_rx_cert_comp -cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::CERT_COMP_SRV_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_CLI_EXTENSION, + "Server-to-client-only certificate compression"); + #Test 7: Neither side wants to send a compressed cert, but will accept one + $proxy->clear(); + $proxy->clientflags("-no_tx_cert_comp"); + $proxy->serverflags("-no_tx_cert_comp -cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::CERT_COMP_CLI_EXTENSION + | checkhandshake::CERT_COMP_SRV_EXTENSION, + "Accept but not send compressed certificates"); -#Test 1: Client sends cert comp, but no client auth -$proxy->serverconnects(2); -$proxy->clear(); -$proxy->serverflags("-no_tx_cert_comp -no_rx_cert_comp"); -# One final skip check -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 8; -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_CLI_EXTENSION, - "Client supports certificate compression"); - -#Test 2: Server sends cert comp, no client auth -$proxy->clear(); -$proxy->clientflags("-no_tx_cert_comp -no_rx_cert_comp"); -$proxy->serverflags("-cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_SRV_EXTENSION, - "Server supports certificate 
compression, but no client auth"); - -#Test 3: Both send cert comp, no client auth -$proxy->clear(); -$proxy->serverflags("-cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::CERT_COMP_SRV_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_CLI_EXTENSION - | checkhandshake::CERT_COMP_SRV_EXTENSION, - "Both support certificate compression, but no client auth"); - -#Test 4: Both send cert comp, with client auth -$proxy->clear(); -$proxy->clientflags("-cert ".srctop_file("apps", "server.pem")); -$proxy->serverflags("-Verify 5 -cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::CERT_COMP_BOTH_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_CLI_EXTENSION - | checkhandshake::CERT_COMP_SRV_EXTENSION, - "Both support certificate compression, with client auth"); - -#Test 5: Client-to-server-only certificate compression, with client auth -$proxy->clear(); -$proxy->clientflags("-no_rx_cert_comp -cert ".srctop_file("apps", "server.pem")); -$proxy->serverflags("-no_tx_cert_comp -Verify 5 -cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::CERT_COMP_CLI_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_SRV_EXTENSION, - "Client-to-server-only certificate compression, with client auth"); - -#Test 6: Server-to-client-only certificate compression -$proxy->clear(); -$proxy->clientflags("-no_tx_cert_comp"); -$proxy->serverflags("-no_rx_cert_comp -cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::CERT_COMP_SRV_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_CLI_EXTENSION, - "Server-to-client-only certificate compression"); - -#Test 7: Neither side wants to send a compressed cert, but will accept one -$proxy->clear(); -$proxy->clientflags("-no_tx_cert_comp"); -$proxy->serverflags("-no_tx_cert_comp -cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - 
checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::CERT_COMP_CLI_EXTENSION - | checkhandshake::CERT_COMP_SRV_EXTENSION, - "Accept but not send compressed certificates"); - -#Test 8: Neither side wants to receive a compressed cert, but will send one -$proxy->clear(); -$proxy->clientflags("-no_rx_cert_comp"); -$proxy->serverflags("-no_rx_cert_comp -cert_comp"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS, - "Send but not accept compressed certificates"); + #Test 8: Neither side wants to receive a compressed cert, but will send one + $proxy->clear(); + $proxy->clientflags("-no_rx_cert_comp"); + $proxy->serverflags("-no_rx_cert_comp -cert_comp"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS, + "Send but not accept compressed certificates"); +} diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index 6c1f0e86bf..1afd58c92c 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t @@ -23,7 +23,7 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs EC and DH enabled" +plan skip_all => "$test_name needs EC or DH enabled" if disabled("ec") && disabled("dh"); my $testcount = 2; diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 0c3bf39660..130f944669 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t 
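Review bot: The inner SKIP block in run_tests drops tests 4 and 5 whenever `$run_test_as_dtls == 1`, and those are the only two cases that pass `-Verify 5`, so the DTLS pass never checks CERT_COMP_BOTH_HANDSHAKE or CERT_COMP_CLI_HANDSHAKE. A green DTLS run therefore says nothing about compressed client certificates, which is the path where the server parses peer-supplied compressed data. I would record that gap beside the skip so it stays tracked, e.g. `# TODO: tests 4-5 are the only client-auth cases; enable for DTLS once TLSProxy handles partial messages`. As a smaller style point, `$^O =~ /^(MSWin32)$/` carries an unused capture group and reads more plainly as `$^O eq "MSWin32"`.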
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" +plan skip_all => "$test_name needs elliptic curves or diffie-hellman enabled" if disabled("ec") && disabled("dh"); my $testcount = 4; diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index e40cf3c678..b7f9a49847 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" +plan skip_all => "$test_name needs elliptic curves or diffie-hellman enabled" if disabled("ec") && disabled("dh"); my $testcount = 5; -- cgit v1.2.3