Run 70-test_tls13alerts.t with dtls

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)

Configure

@@ -414,7 +414,7 @@ my $default_ranlib;
 
 # Known TLS and DTLS protocols
 my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);
-my @dtls = qw(dtls1 dtls1_2);
+my @dtls = qw(dtls1 dtls1_2 dtls1_3);
 
 # Explicitly known options that are possible to disable.  They can
 # be regexps, and will be used like this: /^no-${option}$/
@@ -562,7 +562,7 @@ my @disablables = (
 foreach my $proto ((@tls, @dtls))
         {
         push(@disablables, $proto);
-        push(@disablables, "$proto-method") unless $proto eq "tls1_3";
+        push(@disablables, "$proto-method") unless $proto eq "tls1_3" || $proto eq "dtls1_3";
         }
 
 # Internal disablables, for aliasing purposes.  They serve no special

test/recipes/70-test_tls13alerts.t

@@ -26,23 +26,60 @@ plan skip_all => "$test_name needs the module feature enabled"
 plan skip_all => "$test_name needs the sock feature enabled"
     if disabled("sock");
 
-plan skip_all => "$test_name needs TLS1.3 enabled"
-    if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
+plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled"
+    if disabled("ec") && disabled("dh");
 
-my $proxy = TLSProxy::Proxy->new(
-    undef,
-    cmdstr(app(["openssl"]), display => 1),
-    srctop_file("apps", "server.pem"),
-    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-);
+my $testcount = 1;
 
-#Test 1: We test that a server can handle an unencrypted alert when normally the
-#        next message is encrypted
-$proxy->filter(\&alert_filter);
-$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 1;
-my $alert = TLSProxy::Message->alert();
-ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unencrypted alert");
+plan tests => 2 * $testcount;
+
+SKIP: {
+    skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3");
+    # Run tests with TLS
+    run_tests(0);
+}
+
+SKIP: {
+    skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3");
+    skip "DTLSProxy does not support partial messages that are sent when EC is disabled",
+        $testcount if disabled("ec");
+    skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/;
+    run_tests(1);
+}
+
+sub run_tests
+{
+    my $run_test_as_dtls = shift;
+    my $proxy_start_success = 0;
+
+    my $proxy;
+    if ($run_test_as_dtls == 1) {
+        $proxy = TLSProxy::Proxy->new_dtls(
+            undef,
+            cmdstr(app([ "openssl" ]), display => 1),
+            srctop_file("apps", "server.pem"),
+            (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+        );
+    }
+    else {
+        $proxy = TLSProxy::Proxy->new(
+            undef,
+            cmdstr(app(["openssl"]), display => 1),
+            srctop_file("apps", "server.pem"),
+            (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+        );
+    }
+
+    #Test 1: We test that a server can handle an unencrypted alert when normally the
+    #        next message is encrypted
+    $proxy->clear();
+    $proxy->filter(\&alert_filter);
+    $proxy_start_success = $proxy->start();
+    skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0;
+
+    my $alert = TLSProxy::Message->alert();
+    ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unencrypted alert");
+}
 
 sub alert_filter
 {

util/perl/TLSProxy/Message.pm

@@ -632,7 +632,8 @@ sub repack
                     $data .= pack("C", $macval);
                 }
 
-                if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1()) {
+                if ((!$self->{isdtls} && $rec->version() >= TLSProxy::Record::VERS_TLS_1_1())
+                    || ($self->{isdtls} && $rec->version() <= TLSProxy::Record::VERS_DTLS_1())) {
                     #Explicit IV
                     $data = ("\0"x16).$data;
                 }

util/perl/TLSProxy/Proxy.pm

@@ -339,7 +339,7 @@ sub start
         ." -cert ".$self->cert." -cert2 ".$self->cert
         ." -naccept ".$self->serverconnects;
     if ($self->{isdtls}) {
-        $execcmd .= " -dtls -max_protocol DTLSv1.2"
+        $execcmd .= " -dtls -max_protocol DTLSv1.3"
                     # TLSProxy does not support message fragmentation. So
                     # set a high mtu and fingers crossed.
                     ." -mtu 1500";
@@ -436,7 +436,7 @@ sub clientstart
              ." s_client -provider=p_ossltest -provider=default -propquery ?provider=p_ossltest"
              ." -connect $self->{proxy_addr}:$self->{proxy_port}";
         if ($self->{isdtls}) {
-            $execcmd .= " -dtls -max_protocol DTLSv1.2"
+            $execcmd .= " -dtls -max_protocol DTLSv1.3"
                         # TLSProxy does not support message fragmentation. So
                         # set a high mtu and fingers crossed.
                         ." -mtu 1500"

util/perl/TLSProxy/Record.pm

@@ -308,7 +308,8 @@ sub decryptETM
 
     my $data = $self->data;
 
-    if($self->version >= VERS_TLS_1_1()) {
+    if((!$self->{isdtls} && $self->version >= VERS_TLS_1_1)
+       || ($self->{isdtls} && $self->version <= VERS_DTLS_1)) {
         #TLS1.1+ has an explicit IV. Throw it away
         $data = substr($data, 16);
     }

util/perl/TLSProxy/ServerKeyExchange.pm

@@ -77,7 +77,8 @@ sub parse
     my $record = ${$self->records}[0];
 
     if (TLSProxy::Proxy->is_tls13()
-            || $record->version() == TLSProxy::Record::VERS_TLS_1_2()) {
+        || $record->version() == TLSProxy::Record::VERS_TLS_1_2()
+        || $record->version() == TLSProxy::Record::VERS_DTLS_1_2()) {
         $sigalg = unpack('n', substr($self->data, $ptr));
         $ptr += 2;
     }