diff --git a/Configure b/Configure index 6cc03bf2fe..66734aefe3 100755 --- a/Configure +++ b/Configure @@ -414,7 +414,7 @@ my $default_ranlib; # Known TLS and DTLS protocols my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); -my @dtls = qw(dtls1 dtls1_2); +my @dtls = qw(dtls1 dtls1_2 dtls1_3); # Explicitly known options that are possible to disable. They can # be regexps, and will be used like this: /^no-${option}$/ @@ -562,7 +562,7 @@ my @disablables = ( foreach my $proto ((@tls, @dtls)) { push(@disablables, $proto); - push(@disablables, "$proto-method") unless $proto eq "tls1_3"; + push(@disablables, "$proto-method") unless $proto eq "tls1_3" || $proto eq "dtls1_3"; } # Internal disablables, for aliasing purposes. They serve no special diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index 1858a8d4f2..ca0251e9e9 100644 --- a/test/recipes/70-test_tls13alerts.t +++ b/test/recipes/70-test_tls13alerts.t @@ -26,23 +26,60 @@ plan skip_all => "$test_name needs the module feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3") || (disabled("ec") && disabled("dh")); +plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" + if disabled("ec") && disabled("dh"); -my $proxy = TLSProxy::Proxy->new( - undef, - cmdstr(app(["openssl"]), display => 1), - srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -); +my $testcount = 1; -#Test 1: We test that a server can handle an unencrypted alert when normally the -# next message is encrypted -$proxy->filter(\&alert_filter); -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 1; -my $alert = TLSProxy::Message->alert(); -ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unencrypted alert"); +plan tests => 2 * $testcount; + +SKIP: { + skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3"); + # Run tests with TLS + run_tests(0); +} + +SKIP: { + skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3"); + skip "DTLSProxy does not support partial messages that are sent when EC is disabled", + $testcount if disabled("ec"); + skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/; + run_tests(1); +} + +sub run_tests +{ + my $run_test_as_dtls = shift; + my $proxy_start_success = 0; + + my $proxy; + if ($run_test_as_dtls == 1) { + $proxy = TLSProxy::Proxy->new_dtls( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + else { + $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + + #Test 1: We test that a server can handle an unencrypted alert when normally the + # next message is encrypted + $proxy->clear(); + $proxy->filter(\&alert_filter); + $proxy_start_success = $proxy->start(); + skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0; + + my $alert = TLSProxy::Message->alert(); + ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unencrypted alert"); +} sub alert_filter { diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm index 854b387c40..89cb09b58d 100644 --- a/util/perl/TLSProxy/Message.pm +++ b/util/perl/TLSProxy/Message.pm @@ -632,7 +632,8 @@ sub repack $data .= pack("C", $macval); } - if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1()) { + if ((!$self->{isdtls} && $rec->version() >= TLSProxy::Record::VERS_TLS_1_1()) + || ($self->{isdtls} && $rec->version() <= TLSProxy::Record::VERS_DTLS_1())) { #Explicit IV $data = ("\0"x16).$data; } diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm index 0c2880a7d8..4fae78db41 100644 --- a/util/perl/TLSProxy/Proxy.pm +++ b/util/perl/TLSProxy/Proxy.pm @@ -339,7 +339,7 @@ sub start ." -cert ".$self->cert." -cert2 ".$self->cert ." -naccept ".$self->serverconnects; if ($self->{isdtls}) { - $execcmd .= " -dtls -max_protocol DTLSv1.2" + $execcmd .= " -dtls -max_protocol DTLSv1.3" # TLSProxy does not support message fragmentation. So # set a high mtu and fingers crossed. ." -mtu 1500"; @@ -436,7 +436,7 @@ sub clientstart ." s_client -provider=p_ossltest -provider=default -propquery ?provider=p_ossltest" ." -connect $self->{proxy_addr}:$self->{proxy_port}"; if ($self->{isdtls}) { - $execcmd .= " -dtls -max_protocol DTLSv1.2" + $execcmd .= " -dtls -max_protocol DTLSv1.3" # TLSProxy does not support message fragmentation. So # set a high mtu and fingers crossed. ." -mtu 1500" diff --git a/util/perl/TLSProxy/Record.pm b/util/perl/TLSProxy/Record.pm index f55e4ac3a4..4d4a48498f 100644 --- a/util/perl/TLSProxy/Record.pm +++ b/util/perl/TLSProxy/Record.pm @@ -308,7 +308,8 @@ sub decryptETM my $data = $self->data; - if($self->version >= VERS_TLS_1_1()) { + if((!$self->{isdtls} && $self->version >= VERS_TLS_1_1) + || ($self->{isdtls} && $self->version <= VERS_DTLS_1)) { #TLS1.1+ has an explicit IV. Throw it away $data = substr($data, 16); } diff --git a/util/perl/TLSProxy/ServerKeyExchange.pm b/util/perl/TLSProxy/ServerKeyExchange.pm index 6af7e23826..6087a760c1 100644 --- a/util/perl/TLSProxy/ServerKeyExchange.pm +++ b/util/perl/TLSProxy/ServerKeyExchange.pm @@ -77,7 +77,8 @@ sub parse my $record = ${$self->records}[0]; if (TLSProxy::Proxy->is_tls13() - || $record->version() == TLSProxy::Record::VERS_TLS_1_2()) { + || $record->version() == TLSProxy::Record::VERS_TLS_1_2() + || $record->version() == TLSProxy::Record::VERS_DTLS_1_2()) { $sigalg = unpack('n', substr($self->data, $ptr)); $ptr += 2; }