wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Port DTLS version negotiation tests

Browse source 
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper 2016-06-03 17:49:04 +02:00
parent 81fc33c951
commit 74726750ef
12 changed files with 2756 additions and 171 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
test/README.ssltest.md
View file

@ -64,6 +64,8 @@ The test section supports the following options:
- AcceptAll - accepts all certificates.
- RejectAll - rejects all certificates.
* Method - the method to test. One of DTLS or TLS.
* ServerName - the server the client should attempt to connect to. One of
- None - do not use SNI (default)
- server1 - the initial context

34
test/recipes/80-test_ssl_new.t
View file

@ -26,28 +26,43 @@ map { s/;.*// } @conf_srcs if $^O eq "VMS";
my @conf_files = map { basename($_) } @conf_srcs;
map { s/\.in// } @conf_files;
# 02-protocol-version.conf test results depend on the configuration of enabled
# protocols. We only verify generated sources in the default configuration.
my $is_default = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2"));
# 02-protocol-version.conf test and 05-dtls-protocol-version.conf results
# depend on the configuration of enabled protocols. We only verify generated
# sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2"));
my %conf_dependent_tests = ("02-protocol-version.conf" => 1);
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my $no_tls = alldisabled(available_protocols("tls"));
my $no_dtls = alldisabled(available_protocols("dtls"));
my %conf_dependent_tests = (
"02-protocol-version.conf" => !$is_default_tls,
"05-dtls-protocol-version.conf" => !$is_default_dtls,
);
# Default is $no_tls but some tests have different skip conditions.
my %skip = (
"05-dtls-protocol-version.conf" => $no_dtls,
);
foreach my $conf (@conf_files) {
subtest "Test configuration $conf" => sub {
test_conf($conf,
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1);
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
$skip{$conf} || $no_tls);
}
}
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 6; # = scalar @conf_srcs
plan tests => 7; # = scalar @conf_srcs
sub test_conf {
plan tests => 3;
my ($conf, $check_source) = @_;
my ($conf, $check_source, $skip) = @_;
my $conf_file = srctop_file("test", "ssl-tests", $conf);
my $tmp_file = "${conf}.$$.tmp";
@ -73,8 +88,7 @@ sub test_conf {
}
# Test 3. Run the test.
my $no_tls = alldisabled(available_protocols("tls"));
skip "No TLS tests available; skipping tests", 1 if $no_tls;
skip "No tests available; skipping tests", 1 if $skip;
skip "Stale sources; skipping tests", 1 if !$run_test;
ok(run(test(["ssl_test", $tmp_file])), "running ssl_test $conf");

51
test/recipes/80-test_ssl_old.t
View file

@ -79,7 +79,7 @@ my $client_sess="client.ss";
# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
plan tests =>
1 # For testss
+ 14 # For the first testssl
+ 13 # For the first testssl
;
subtest 'test_ss' => sub {
@ -331,7 +331,7 @@ sub testssl {
subtest 'standard SSL tests' => sub {
######################################################################
plan tests => 21;
plan tests => 21;
SKIP: {
skip "SSLv3 is not supported by this OpenSSL build", 4
@ -683,53 +683,6 @@ sub testssl {
}
};
subtest 'DTLS Version min/max tests' => sub {
my @protos;
push(@protos, "dtls1") unless ($no_dtls1 || $no_dtls);
push(@protos, "dtls1.2") unless ($no_dtls1_2 || $no_dtls);
my @minprotos = (undef, @protos);
my @maxprotos = (@protos, undef);
my @shdprotos = (@protos, $protos[$#protos]);
my $n = ((@protos+2) * (@protos+3))/2 - 2;
my $ntests = $n * $n;
plan tests => $ntests;
SKIP: {
skip "DTLS disabled", 1 if $ntests == 1;
my $should;
for (my $smin = 0; $smin < @minprotos; ++$smin) {
for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) {
for (my $cmin = 0; $cmin < @minprotos; ++$cmin) {
for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) {
if ($cmax < $smin-1) {
$should = "fail-server";
} elsif ($smax < $cmin-1) {
$should = "fail-client";
} elsif ($cmax > $smax) {
$should = $shdprotos[$smax];
} else {
$should = $shdprotos[$cmax];
}
my @args = (@ssltest, "-dtls");
push(@args, "-should_negotiate", $should);
push(@args, "-server_min_proto", $minprotos[$smin])
if (defined($minprotos[$smin]));
push(@args, "-server_max_proto", $maxprotos[$smax])
if (defined($maxprotos[$smax]));
push(@args, "-client_min_proto", $minprotos[$cmin])
if (defined($minprotos[$cmin]));
push(@args, "-client_max_proto", $maxprotos[$cmax])
if (defined($maxprotos[$cmax]));
my $ok = run(test[@args]);
if (! $ok) {
print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n";
print STDERR "\nFailed: @args\n";
}
ok($ok);
}}}}}
};
subtest 'TLS session reuse' => sub {
plan tests => 12;

113
test/ssl-tests/02-protocol-version.conf.in
View file

@ -7,116 +7,13 @@
# https://www.openssl.org/source/license.html
## Test version negotiation
## Test TLS version negotiation
package ssltests;
use List::Util qw/max min/;
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils qw/anydisabled alldisabled/;
setup("no_test_here");
use protocol_version;
my @protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
# undef stands for "no limit".
my @min_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
my @max_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", undef);
my @is_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
my $min_enabled; my $max_enabled;
# Protocol configuration works in cascades, i.e.,
# $no_tls1_1 disables TLSv1.1 and below.
#
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
foreach my $i (0..$#protocols) {
if (!$is_disabled[$i]) {
$min_enabled = $i;
last;
}
}
foreach my $i (0..$#protocols) {
if (!$is_disabled[$i]) {
$max_enabled = $i;
}
}
our @tests = ();
sub generate_tests() {
foreach my $c_min (0..$#min_protocols) {
my $c_max_min = $c_min == 0 ? 0 : $c_min - 1;
foreach my $c_max ($c_max_min..$#max_protocols) {
foreach my $s_min (0..$#min_protocols) {
my $s_max_min = $s_min == 0 ? 0 : $s_min - 1;
foreach my $s_max ($s_max_min..$#max_protocols) {
my ($result, $protocol) =
expected_result($c_min, $c_max, $s_min, $s_max);
push @tests, {
"name" => "version-negotiation",
"client" => {
"MinProtocol" => $min_protocols[$c_min],
"MaxProtocol" => $max_protocols[$c_max],
},
"server" => {
"MinProtocol" => $min_protocols[$s_min],
"MaxProtocol" => $max_protocols[$s_max],
},
"test" => {
"ExpectedResult" => $result,
"Protocol" => $protocol
}
};
}
}
}
}
}
sub expected_result {
my $no_tls = alldisabled("ssl3", "tls1", "tls1_1", "tls1_2");
if ($no_tls) {
return ("InternalError", undef);
}
my ($c_min, $c_max, $s_min, $s_max) = @_;
# Adjust for "undef" (no limit).
$c_min = $c_min == 0 ? 0 : $c_min - 1;
$c_max = $c_max == scalar(@max_protocols) - 1 ? $c_max - 1 : $c_max;
$s_min = $s_min == 0 ? 0 : $s_min - 1;
$s_max = $s_max == scalar(@max_protocols) - 1 ? $s_max - 1 : $s_max;
# We now have at least one protocol enabled, so $min_enabled and
# $max_enabled are well-defined.
$c_min = max $c_min, $min_enabled;
$s_min = max $s_min, $min_enabled;
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
if ($c_min > $c_max) {
# Client should fail to even send a hello.
# This results in an internal error since the server will be
# waiting for input that never arrives.
return ("InternalError", undef);
} elsif ($s_min > $s_max) {
# Server has no protocols, should always fail.
return ("ServerFail", undef);
} elsif ($s_min > $c_max) {
# Server doesn't support the client range.
return ("ServerFail", undef);
} elsif ($c_min > $s_max) {
# Server will try with a version that is lower than the lowest
# supported client version.
return ("ClientFail", undef);
} else {
# Server and client ranges overlap.
my $max_common = $s_max < $c_max ? $s_max : $c_max;
return ("Success", $protocols[$max_common]);
}
}
generate_tests();
our @tests = generate_tests("TLS");

2476
test/ssl-tests/07-dtls-protocol-version.conf Normal file
View file

File diff suppressed because it is too large Load diff

19
test/ssl-tests/07-dtls-protocol-version.conf.in Normal file
View file

@ -0,0 +1,19 @@
# -*- mode: perl; -*-
# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## Test DTLS version negotiation
package ssltests;
use strict;
use warnings;
use protocol_version;
our @tests = generate_tests("DTLS");

166
test/ssl-tests/protocol_version.pm Normal file
View file

@ -0,0 +1,166 @@
# -*- mode: perl; -*-
# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## Test version negotiation
package ssltests;
use strict;
use warnings;
use List::Util qw/max min/;
use OpenSSL::Test;
use OpenSSL::Test::Utils qw/anydisabled alldisabled/;
setup("no_test_here");
my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
# undef stands for "no limit".
my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", undef);
my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
my $min_tls_enabled; my $max_tls_enabled;
# Protocol configuration works in cascades, i.e.,
# $no_tls1_1 disables TLSv1.1 and below.
#
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
foreach my $i (0..$#tls_protocols) {
if (!$is_tls_disabled[$i]) {
$min_tls_enabled = $i;
last;
}
}
foreach my $i (0..$#tls_protocols) {
if (!$is_tls_disabled[$i]) {
$max_tls_enabled = $i;
}
}
my @dtls_protocols = ("DTLSv1", "DTLSv1.2");
# undef stands for "no limit".
my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2");
my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef);
my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2");
my $min_dtls_enabled; my $max_dtls_enabled;
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
foreach my $i (0..$#dtls_protocols) {
if (!$is_dtls_disabled[$i]) {
$min_dtls_enabled = $i;
last;
}
}
foreach my $i (0..$#dtls_protocols) {
if (!$is_dtls_disabled[$i]) {
$max_dtls_enabled = $i;
}
}
sub generate_tests {
my ($method) = @_;
my $dtls = $method eq "DTLS";
# Don't write the redundant "Method = TLS" into the configuration.
undef $method if !$dtls;
my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
my $no_tests = $dtls ? alldisabled("dtls1", "dtls1_2") :
alldisabled("ssl3", "tls1", "tls1_1", "tls1_2");
if ($no_tests) {
return;
}
my @tests = ();
foreach my $c_min (0..$#min_protocols) {
my $c_max_min = $c_min == 0 ? 0 : $c_min - 1;
foreach my $c_max ($c_max_min..$#max_protocols) {
foreach my $s_min (0..$#min_protocols) {
my $s_max_min = $s_min == 0 ? 0 : $s_min - 1;
foreach my $s_max ($s_max_min..$#max_protocols) {
my ($result, $protocol) =
expected_result($c_min, $c_max, $s_min, $s_max,
$min_enabled, $max_enabled, \@protocols);
push @tests, {
"name" => "version-negotiation",
"client" => {
"MinProtocol" => $min_protocols[$c_min],
"MaxProtocol" => $max_protocols[$c_max],
},
"server" => {
"MinProtocol" => $min_protocols[$s_min],
"MaxProtocol" => $max_protocols[$s_max],
},
"test" => {
"ExpectedResult" => $result,
"Protocol" => $protocol,
"Method" => $method,
}
};
}
}
}
}
return @tests;
}
sub expected_result {
my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled,
$protocols) = @_;
# Adjust for "undef" (no limit).
$c_min = $c_min == 0 ? 0 : $c_min - 1;
$c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max;
$s_min = $s_min == 0 ? 0 : $s_min - 1;
$s_max = $s_max == scalar @$protocols ? $s_max - 1 : $s_max;
# We now have at least one protocol enabled, so $min_enabled and
# $max_enabled are well-defined.
$c_min = max $c_min, $min_enabled;
$s_min = max $s_min, $min_enabled;
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
if ($c_min > $c_max) {
# Client should fail to even send a hello.
# This results in an internal error since the server will be
# waiting for input that never arrives.
return ("InternalError", undef);
} elsif ($s_min > $s_max) {
# Server has no protocols, should always fail.
return ("ServerFail", undef);
} elsif ($s_min > $c_max) {
# Server doesn't support the client range.
return ("ServerFail", undef);
} elsif ($c_min > $s_max) {
# Server will try with a version that is lower than the lowest
# supported client version.
return ("ClientFail", undef);
} else {
# Server and client ranges overlap.
my $max_common = $s_max < $c_max ? $s_max : $c_max;
return ("Success", $protocols->[$max_common]);
}
}
1;

23
test/ssl_test.c
View file

@ -177,10 +177,25 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
SSL_TEST_CTX *test_ctx = NULL;
HANDSHAKE_RESULT result;
server_ctx = SSL_CTX_new(TLS_server_method());
server2_ctx = SSL_CTX_new(TLS_server_method());
client_ctx = SSL_CTX_new(TLS_client_method());
OPENSSL_assert(server_ctx != NULL && server2_ctx != NULL && client_ctx != NULL);
test_ctx = SSL_TEST_CTX_create(conf, fixture.test_app);
if (test_ctx == NULL)
goto err;
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
server2_ctx = SSL_CTX_new(DTLS_server_method());
client_ctx = SSL_CTX_new(DTLS_client_method());
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
server2_ctx = SSL_CTX_new(TLS_server_method());
client_ctx = SSL_CTX_new(TLS_client_method());
}
OPENSSL_assert(server_ctx != NULL && server2_ctx != NULL &&
client_ctx != NULL);
OPENSSL_assert(CONF_modules_load(conf, fixture.test_app, 0) > 0);

28
test/ssl_test_ctx.c
View file

@ -113,6 +113,8 @@ static const test_enum ssl_protocols[] = {
{"TLSv1.1", TLS1_1_VERSION},
{"TLSv1", TLS1_VERSION},
{"SSLv3", SSL3_VERSION},
{"DTLSv1", DTLS1_VERSION},
{"DTLSv1.2", DTLS1_2_VERSION},
};
__owur static int parse_protocol(SSL_TEST_CTX *test_ctx, const char *value)
@ -211,6 +213,31 @@ const char *ssl_session_ticket_name(ssl_session_ticket_t server)
server);
}
/***********************/
/* Method. */
/***********************/
static const test_enum ssl_test_methods[] = {
{"TLS", SSL_TEST_METHOD_TLS},
{"DTLS", SSL_TEST_METHOD_DTLS},
};
__owur static int parse_test_method(SSL_TEST_CTX *test_ctx, const char *value)
{
int ret_value;
if (!parse_enum(ssl_test_methods, OSSL_NELEM(ssl_test_methods),
&ret_value, value)) {
return 0;
}
test_ctx->method = ret_value;
return 1;
}
const char *ssl_test_method_name(ssl_test_method_t method)
{
return enum_name(ssl_test_methods, OSSL_NELEM(ssl_test_methods), method);
}
/*************************************************************/
/* Known test options and their corresponding parse methods. */
/*************************************************************/
@ -228,6 +255,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "ClientVerifyCallback", &parse_client_verify_callback },
{ "ServerName", &parse_servername },
{ "SessionTicketExpected", &parse_session_ticket },
{ "Method", &parse_test_method },
};

8
test/ssl_test_ctx.h
View file

@ -39,6 +39,11 @@ typedef enum {
SSL_TEST_SESSION_TICKET_BROKEN, /* Special test */
} ssl_session_ticket_t;
typedef enum {
SSL_TEST_METHOD_TLS = 0, /* Default */
SSL_TEST_METHOD_DTLS,
} ssl_test_method_t;
typedef struct ssl_test_ctx {
/* Test expectations. */
/* Defaults to SUCCESS. */
@ -57,6 +62,8 @@ typedef struct ssl_test_ctx {
/* One of a number of predefined server names use by the client */
ssl_servername_t servername;
ssl_session_ticket_t session_ticket_expected;
/* Whether the server/client CTX should use DTLS or TLS. */
ssl_test_method_t method;
} SSL_TEST_CTX;
const char *ssl_test_result_name(ssl_test_result_t result);
@ -65,6 +72,7 @@ const char *ssl_protocol_name(int protocol);
const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback);
const char *ssl_servername_name(ssl_servername_t server);
const char *ssl_session_ticket_name(ssl_session_ticket_t server);
const char *ssl_test_method_name(ssl_test_method_t method);
/*
* Load the test case context from |conf|.

2
test/ssl_test_ctx_test.c
View file

@ -156,6 +156,7 @@ static int test_good_configuration()
fixture.expected_ctx->client_verify_callback = SSL_TEST_VERIFY_REJECT_ALL;
fixture.expected_ctx->servername = SSL_TEST_SERVERNAME_SERVER2;
fixture.expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
fixture.expected_ctx->method = SSL_TEST_METHOD_DTLS;
EXECUTE_SSL_TEST_CTX_TEST();
}
@ -167,6 +168,7 @@ static const char *bad_configurations[] = {
"ssltest_unknown_verify_callback",
"ssltest_unknown_servername",
"ssltest_unknown_session_ticket_expected",
"ssltest_unknown_method",
};
static int test_bad_configuration(int idx)

5
test/ssl_test_ctx_test.conf
View file

@ -7,6 +7,7 @@ Protocol = TLSv1.1
ClientVerifyCallback = RejectAll
ServerName = server2
SessionTicketExpected = Yes
Method = DTLS
[ssltest_unknown_option]
UnknownOption = Foo
@ -28,3 +29,7 @@ ServerName = Foo
[ssltest_unknown_session_ticket_expected]
SessionTicketExpected = Foo
[ssltest_unknown_method]
Method = TLS2