Add support for running 70-test_tls13psk.t with dtls

Has to be currently disabled because it fails. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24525)
2024-05-30 10:51:21 +02:00 · 2024-05-30 10:51:21 +02:00 · df46d865e2
commit df46d865e2
parent 24bc207b02
1 changed files with 113 additions and 73 deletions
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@ -24,91 +24,131 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled"
 plan skip_all => "$test_name needs the sock feature enabled"
    if disabled("sock");

-plan skip_all => "$test_name needs TLSv1.3 enabled"
-    if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
+plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled"
+    if disabled("ec") && disabled("dh");

-my $proxy = TLSProxy::Proxy->new(
-    undef,
-    cmdstr(app(["openssl"]), display => 1),
-    srctop_file("apps", "server.pem"),
-    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-);
+my $testcount = 5;
+
+plan tests => 2 * $testcount;

 use constant {
    PSK_LAST_FIRST_CH => 0,
    ILLEGAL_EXT_SECOND_CH => 1
 };

-#Most PSK tests are done in test_ssl_new. This tests various failure scenarios
-#around PSK
-
-#Test 1: First get a session
-(undef, my $session) = tempfile();
-$proxy->clientflags("-sess_out ".$session);
-$proxy->serverflags("-servername localhost");
-$proxy->sessionfile($session);
-$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 5;
-ok(TLSProxy::Message->success(), "Initial connection");
-
-#Test 2: Attempt a resume with PSK not in last place. Should fail
-$proxy->clear();
-$proxy->clientflags("-sess_in ".$session);
-$proxy->filter(\&modify_psk_filter);
-my $testtype = PSK_LAST_FIRST_CH;
-$proxy->start();
-ok(TLSProxy::Message->fail(), "PSK not last");
-
-#Test 3: Attempt a resume after an HRR where PSK hash matches selected
-#        ciphersuite. Should see PSK on second ClientHello
-$proxy->clear();
-$proxy->clientflags("-sess_in ".$session);
-if (disabled("ec")) {
-    $proxy->serverflags("-curves ffdhe3072");
-} else {
-    $proxy->serverflags("-curves P-384");
+SKIP: {
+    skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3");
+    # Run tests with TLS
+    run_tests(0);
 }
-$proxy->filter(undef);
-$proxy->start();
-#Check if the PSK is present in the second ClientHello
-my $ch2 = ${$proxy->message_list}[2];
-my $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO;
-my $pskseen = $ch2seen
-              && defined ${$ch2->{extension_data}}{TLSProxy::Message::EXT_PSK};
-ok($pskseen, "PSK hash matches");

-#Test 4: Attempt a resume after an HRR where PSK hash does not match selected
-#        ciphersuite. Should not see PSK on second ClientHello
-$proxy->clear();
-$proxy->clientflags("-sess_in ".$session);
-$proxy->filter(\&modify_psk_filter);
-if (disabled("ec")) {
-    $proxy->serverflags("-curves ffdhe3072");
-} else {
-    $proxy->serverflags("-curves P-384");
+SKIP: {
+    skip "TODO(DTLSv1.3): When enabling sessionfile and dtls TLSProxy hangs after"
+         ." the handshake.", $testcount;
+    skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3");
+    skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/;
+    run_tests(1);
 }
-$proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
-$proxy->ciphersuitess("TLS_AES_256_GCM_SHA384");
-#We force an early failure because TLS Proxy doesn't actually support
-#TLS_AES_256_GCM_SHA384. That doesn't matter for this test though.
-$testtype = ILLEGAL_EXT_SECOND_CH;
-$proxy->start();
-#Check if the PSK is present in the second ClientHello
-$ch2 = ${$proxy->message_list}[2];
-$ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO;
-$pskseen = $ch2seen
-           && defined ${$ch2->extension_data}{TLSProxy::Message::EXT_PSK};
-ok($ch2seen && !$pskseen, "PSK hash does not match");

-#Test 5: Attempt a resume without a sig agls extension. Should succeed because
-#        sig algs is not needed in a resumption.
-$proxy->clear();
-$proxy->clientflags("-sess_in ".$session);
-$proxy->filter(\&remove_sig_algs_filter);
-$proxy->start();
-ok(TLSProxy::Message->success(), "Remove sig algs");
+my $testtype = -1;

-unlink $session;
+sub run_tests
+{
+    my $run_test_as_dtls = shift;
+    my $proxy_start_success = 0;
+
+    my $proxy;
+    if ($run_test_as_dtls == 1) {
+        $proxy = TLSProxy::Proxy->new_dtls(
+            undef,
+            cmdstr(app([ "openssl" ]), display => 1),
+            srctop_file("apps", "server.pem"),
+            (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+        );
+    }
+    else {
+        $proxy = TLSProxy::Proxy->new(
+            undef,
+            cmdstr(app([ "openssl" ]), display => 1),
+            srctop_file("apps", "server.pem"),
+            (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+        );
+    }
+
+    #Most PSK tests are done in test_ssl_new. This tests various failure scenarios
+    #around PSK
+
+    #Test 1: First get a session
+    $proxy->clear();
+    (undef, my $session) = tempfile();
+    $proxy->clientflags("-sess_out " . $session);
+    $proxy->serverflags("-servername localhost");
+    $proxy->sessionfile($session);
+    $proxy_start_success = $proxy->start();
+    skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0;
+    ok(TLSProxy::Message->success(), "Initial connection");
+
+    #Test 2: Attempt a resume with PSK not in last place. Should fail
+    $proxy->clear();
+    $proxy->clientflags("-sess_in " . $session);
+    $proxy->filter(\&modify_psk_filter);
+    $testtype = PSK_LAST_FIRST_CH;
+    $proxy->start();
+    ok(TLSProxy::Message->fail(), "PSK not last");
+
+    #Test 3: Attempt a resume after an HRR where PSK hash matches selected
+    #        ciphersuite. Should see PSK on second ClientHello
+    $proxy->clear();
+    $proxy->clientflags("-sess_in " . $session);
+    if (disabled("ec")) {
+        $proxy->serverflags("-curves ffdhe3072");
+    }
+    else {
+        $proxy->serverflags("-curves P-384");
+    }
+    $proxy->filter(undef);
+    $proxy->start();
+    #Check if the PSK is present in the second ClientHello
+    my $ch2 = ${$proxy->message_list}[2];
+    my $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO;
+    my $pskseen = $ch2seen
+        && defined ${$ch2->{extension_data}}{TLSProxy::Message::EXT_PSK};
+    ok($pskseen, "PSK hash matches");
+
+    #Test 4: Attempt a resume after an HRR where PSK hash does not match selected
+    #        ciphersuite. Should not see PSK on second ClientHello
+    $proxy->clear();
+    $proxy->clientflags("-sess_in " . $session);
+    $proxy->filter(\&modify_psk_filter);
+    if (disabled("ec")) {
+        $proxy->serverflags("-curves ffdhe3072");
+    }
+    else {
+        $proxy->serverflags("-curves P-384");
+    }
+    $proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
+    $proxy->ciphersuitess("TLS_AES_256_GCM_SHA384");
+    #We force an early failure because TLS Proxy doesn't actually support
+    #TLS_AES_256_GCM_SHA384. That doesn't matter for this test though.
+    $testtype = ILLEGAL_EXT_SECOND_CH;
+    $proxy->start();
+    #Check if the PSK is present in the second ClientHello
+    $ch2 = ${$proxy->message_list}[2];
+    $ch2seen = defined $ch2 && $ch2->mt() == TLSProxy::Message::MT_CLIENT_HELLO;
+    $pskseen = $ch2seen
+        && defined ${$ch2->extension_data}{TLSProxy::Message::EXT_PSK};
+    ok($ch2seen && !$pskseen, "PSK hash does not match");
+
+    #Test 5: Attempt a resume without a sig agls extension. Should succeed because
+    #        sig algs is not needed in a resumption.
+    $proxy->clear();
+    $proxy->clientflags("-sess_in " . $session);
+    $proxy->filter(\&remove_sig_algs_filter);
+    $proxy->start();
+    ok(TLSProxy::Message->success(), "Remove sig algs");
+
+    unlink $session;
+}

 sub modify_psk_filter
 {