From 4a53781162480d1085717fdef9ca0b9d355136b1 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 30 May 2024 09:04:48 +0200 Subject: Run 70-test_tls13hrr.t with dtls Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24525) --- test/recipes/70-test_tls13hrr.t | 208 +++++++++++++++++++++++++++------------- 1 file changed, 139 insertions(+), 69 deletions(-) (limited to 'test/recipes') diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index d9f6c00d4b..0c3bf39660 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -24,15 +24,12 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3") || (disabled("ec") && disabled("dh")); +plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" + if disabled("ec") && disabled("dh"); -my $proxy = TLSProxy::Proxy->new( - undef, - cmdstr(app(["openssl"]), display => 1), - srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -); +my $testcount = 4; + +plan tests => 2 * $testcount; use constant { CHANGE_HRR_CIPHERSUITE => 0, @@ -41,61 +38,117 @@ use constant { INVALID_GROUP => 3 }; -#Test 1: A client should fail if the server changes the ciphersuite between the -# HRR and the SH -$proxy->filter(\&hrr_filter); -if (disabled("ec")) { - $proxy->serverflags("-curves ffdhe3072"); -} else { - $proxy->serverflags("-curves P-256"); -} -my $testtype = CHANGE_HRR_CIPHERSUITE; -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 4; -ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); - -#Test 2: It is an error if the client changes the offered ciphersuites so that -# we end up selecting a different ciphersuite between HRR and the SH -$proxy->clear(); -if (disabled("ec")) { - $proxy->serverflags("-curves ffdhe3072"); -} else { - $proxy->serverflags("-curves P-384"); -} -$proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); -$testtype = CHANGE_CH1_CIPHERSUITE; -$proxy->start(); -ok(TLSProxy::Message->fail(), "Client ciphersuite changes"); - -#Test 3: A client should fail with unexpected_message alert if the server -# sends more than 1 HRR my $fatal_alert = 0; -$proxy->clear(); -if (disabled("ec")) { - $proxy->serverflags("-curves ffdhe3072"); -} else { - $proxy->serverflags("-curves P-384"); +my $testtype = -1; + +SKIP: { + skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3"); + # Run tests with TLS + run_tests(0); } -$testtype = DUPLICATE_HRR; -$proxy->start(); -ok($fatal_alert, "Server duplicated HRR"); - -#Test 4: If the client sends a group that is in the supported_groups list but -# otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it -# and not consider it when sending the HRR. We send brainpoolP512r1 in -# the ClientHello, which is acceptable to the server but is not valid in -# TLSv1.3. We expect the server to select P-521 in the HRR and the -# handshake to complete successfully + SKIP: { - skip "EC/TLSv1.2 is disabled in this build", 1 - if disabled("ec") || disabled("tls1_2"); - - $proxy->clear(); - $proxy->clientflags("-groups P-256:brainpoolP512r1:P-521"); - $proxy->serverflags("-groups brainpoolP512r1:P-521"); - $testtype = INVALID_GROUP; - $proxy->start(); - ok(TLSProxy::Message->success(), "Invalid group with HRR"); + skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3"); + skip "DTLSProxy does not support partial messages that are sent when EC is disabled", + $testcount if disabled("ec"); + skip "This test fails in several configurations because DTLSProxy does not support" + ." partial messages that are sent", $testcount; + skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/; + run_tests(1); +} + +sub run_tests +{ + my $run_test_as_dtls = shift; + my $proxy_start_success = 0; + + my $proxy; + if ($run_test_as_dtls == 1) { + $proxy = TLSProxy::Proxy->new_dtls( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + else { + $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + + SKIP: { + skip "TODO(DTLSv1.3): When ECX is disabled running this test with DTLS will hang" + ." waiting for s_server to close", 2 if $run_test_as_dtls == 1 && disabled("ecx"); + #Test 1: A client should fail if the server changes the ciphersuite between the + # HRR and the SH + $proxy->clear(); + $proxy->filter(\&hrr_filter); + if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); + } + else { + $proxy->serverflags("-curves P-256"); + } + $testtype = CHANGE_HRR_CIPHERSUITE; + $proxy_start_success = $proxy->start(); + skip "TLSProxy did not start correctly", 2 if $proxy_start_success == 0; + ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); + + #Test 2: It is an error if the client changes the offered ciphersuites so that + # we end up selecting a different ciphersuite between HRR and the SH + $proxy->clear(); + if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); + } + else { + $proxy->serverflags("-curves P-384"); + } + $proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); + $testtype = CHANGE_CH1_CIPHERSUITE; + $proxy->start(); + ok(TLSProxy::Message->fail(), "Client ciphersuite changes"); + } + + SKIP: { + skip "DTLSProxy does not support partial messages that are sent when ECX is disabled", + 1 if $run_test_as_dtls == 1 && disabled("ecx"); + #Test 3: A client should fail with unexpected_message alert if the server + # sends more than 1 HRR + $fatal_alert = 0; + $proxy->clear(); + if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); + } + else { + $proxy->serverflags("-curves P-384"); + } + $testtype = DUPLICATE_HRR; + $proxy->start(); + ok($fatal_alert, "Server duplicated HRR"); + } + + #Test 4: If the client sends a group that is in the supported_groups list but + # otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it + # and not consider it when sending the HRR. We send brainpoolP512r1 in + # the ClientHello, which is acceptable to the server but is not valid in + # TLSv1.3. We expect the server to select P-521 in the HRR and the + # handshake to complete successfully + SKIP: { + skip "EC/(D)TLSv1.2 is disabled in this build", 1 + if disabled("ec") || ($run_test_as_dtls == 0 && disabled("tls1_2")) + || ($run_test_as_dtls == 1 && disabled("dtls1_2")); + + $proxy->clear(); + $proxy->clientflags("-groups P-256:brainpoolP512r1:P-521"); + $proxy->serverflags("-groups brainpoolP512r1:P-521"); + $testtype = INVALID_GROUP; + $proxy->start(); + ok(TLSProxy::Message->success(), "Invalid group with HRR"); + } } sub hrr_filter @@ -136,15 +189,32 @@ sub hrr_filter next; } my $hrr_record = ${$proxy->record_list}[$i]; - my $dup_hrr = TLSProxy::Record->new(3, - $hrr_record->content_type(), - $hrr_record->version(), - $hrr_record->len(), - $hrr_record->sslv2(), - $hrr_record->len_real(), - $hrr_record->decrypt_len(), - $hrr_record->data(), - $hrr_record->decrypt_data()); + + my $dup_hrr; + + if ($proxy->isdtls()) { + $dup_hrr = TLSProxy::Record->new_dtls(3, + $hrr_record->content_type(), + $hrr_record->version(), + $hrr_record->epoch(), + $hrr_record->seq(), + $hrr_record->len(), + $hrr_record->sslv2(), + $hrr_record->len_real(), + $hrr_record->decrypt_len(), + $hrr_record->data(), + $hrr_record->decrypt_data()); + } else { + $dup_hrr = TLSProxy::Record->new(3, + $hrr_record->content_type(), + $hrr_record->version(), + $hrr_record->len(), + $hrr_record->sslv2(), + $hrr_record->len_real(), + $hrr_record->decrypt_len(), + $hrr_record->data(), + $hrr_record->decrypt_data()); + } $i++; splice @{$proxy->record_list}, $i, 0, $dup_hrr; -- cgit v1.2.3