Commit graph

31 commits

Author SHA1 Message Date
Matt Caswell
6f34a16ea9 Teach TLSProxy how to parse CertificateRequest messages
We also use this in test_tls13messages to check that the extensions we
expect to see in a CertificateRequest are there.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)

(cherry picked from commit dc5bcb88d819de55eb37460c122e02fec91c6d86)
2019-09-06 10:12:51 +01:00
Matt Caswell
72a7a7021f Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
2019-02-26 14:05:09 +00:00
Matthias Kraft
5dc422c7ab Fix Invalid Argument return code from IP_Factory in connect_to_server().
Fixes #7732

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8158)

(cherry picked from commit 66a6000371)
2019-02-04 21:52:20 +01:00
Matt Caswell
36ff232cf2 Change the default number of NewSessionTickets we send to 2
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Bernd Edlinger
bc66144845 Wait max. 60 seconds for s_client to connect
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5964)
2018-04-26 18:35:18 +02:00
Andy Polyakov
f3d3b36255 TLSProxy/Proxy.pm: preclude output intermix.
s_server -rev emits info output on stderr, i.e. unbufferred, which
risks intermixing with output from TLSProxy itself on non-line
boundaries, which in turn is confusing to TAP parser.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
2018-04-18 19:58:15 +02:00
Andy Polyakov
17cde9c2e4 TLSProxy/Proxy.pm: refine NewSessionTicket detection.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
2018-04-18 19:56:53 +02:00
Andy Polyakov
4442061532 TLSProxy/Proxy.pm: straighten inner loop termination logic.
Original condition was susceptible to race condition...

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
2018-04-14 20:00:04 +02:00
Andy Polyakov
de5b3a8645 TLSProxy/Proxy.pm: bind s_server to loopback interface.
Bind even test/ssltest_old.c to loopback interface. This allows to avoid
unnecessary alerts from Windows and Mac OS X firewalls.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
2018-04-14 19:59:02 +02:00
Bernd Edlinger
0e3ecaec3e Rework partial packet handling once more
Address the concern that commit c53c2fec raised differently.

The original direction of the traffic is encoded in bit 0
of the flight number.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5923)
2018-04-13 18:48:06 +02:00
Andy Polyakov
b4c1950d89 TLSProxy/Proxy.pm: handle "impossible" failure to connect to s_server.
The failure is "impossible", because we have confirmation that s_server
listens, yet Mac OS X fails to connect. This avoids 10 minutes timeout
on Travis CI.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)
2018-04-13 10:14:27 +02:00
Andy Polyakov
6b3e8b9430 TLSProxy/Proxy.pm: handle -1 as return value from waitpid.
On rare occasion 's_server | perl -ne print' can complete before
corresponding waitpid, which on Windows can results in -1 return
value. This is not an error, don't treat it like one. Collect
even return value from s_server.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)
2018-04-13 10:12:01 +02:00
Andy Polyakov
c53c2fec82 TLSProxy/Proxy.pm: refine partial packet handling.
Original logic was "if no records found *or* last one is truncated, then
leave complete records in queue." Trouble is that if we don't pass on
complete records and get complete packet in opposite direction, then
queued records will go back to sender. In other words complete records
should always be passed on. [Possible alternative would be to match
direction in reconstruct_record.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:42:41 +02:00
Andy Polyakov
55fd5d3fc5 TLSProxy/Proxy.pm: harmonize inner loop with the way sockets are.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)
2018-04-08 11:41:56 +02:00
Andy Polyakov
6228b1dae2 TLSProxy/Proxy.pm: switch to dynamic ports and overhaul.
By asking for port 0, you get a free port dynamically assigned by OS.
TLSProxy::Proxy now asks for 0 and asks s_server to do the same. The
s_server's port is reported in "ACCEPT" line, which TLSProxy::Proxy
parses and uses.

Because the server port is now a random affair in TLSProxy::Proxy,
it's no longer possible to change it with the method 'server_port',
and it has become an accessor only. For the sake of orthogonality, so
has the method 'server_addr'.

Remove all fork calls on Windows, as fork is not to be trusted there.
This naturally minimized amount of fork calls on POSIX systems, to 1.

Sink s_server's output to 'perl -ne print' which ensures that output
is written strictly in lines. This keeps TAP parser happy.

Improve synchronization in -naccept +n cases by establishing next
connection to s_server *after* s_client finishes instead of before it
starts.

Improve error handling and clean up some methods.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5843)
2018-04-04 20:24:26 +02:00
Matt Caswell
7814cdf3eb Revert "Temporarily disable some tests that hang"
This reverts commit 37a3859564.

These tests should now be fixed by commit e6e9170d6.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5765)
2018-03-28 14:59:16 +01:00
Matt Caswell
37a3859564 Temporarily disable some tests that hang
The previous commit causes some tests to hang so we temporarily disable them.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5757)
2018-03-27 17:15:24 +01:00
Bernd Edlinger
12636c149d Handle partial messages in TLSProxy
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5412)
2018-03-22 17:28:39 +01:00
Richard Levitte
2e2faa8c48 In TLSProxy::Proxy, specify TLSv1.3 as maximum allowable protocol
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5663)
2018-03-19 18:24:30 +01:00
Matt Caswell
f865b08143 Split configuration of TLSv1.3 ciphers from older ciphers
With the current mechanism, old cipher strings that used to work in 1.1.0,
may inadvertently disable all TLSv1.3 ciphersuites causing connections to
fail. This is confusing for users.

In reality TLSv1.3 are quite different to older ciphers. They are much
simpler and there are only a small number of them so, arguably, they don't
need the same level of control that the older ciphers have.

This change splits the configuration of TLSv1.3 ciphers from older ones.
By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable
them through your existing config.

Fixes #5359

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
2018-03-14 10:15:50 +00:00
Richard Levitte
48e5119a6b Copyright update of more files that have changed this year
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5110)
2018-01-19 13:34:03 +01:00
Richard Levitte
c7454e1af7 Create one permanent proxy socket per TLSProxy::Proxy instance
On Windows, we sometimes see a behavior with SO_REUSEADDR where there
remains lingering listening sockets on the same address and port as a
newly created one.

To avoid this scenario, we don't create a new proxy port for each new
client run.  Instead, we create one proxy socket when the proxy object
is created, and close it when destroying that object.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5095)
2018-01-19 10:09:32 +01:00
Richard Levitte
e02d588663 TLSProxy::Proxy: Don't use ReuseAddr on Windows
On Windows, we sometimes see a behavior with SO_REUSEADDR where there
remains lingering listening sockets on the same address and port as a
newly created one.

An easy solution is not to use ReuseAddr on Windows.

Thanks Bernd Edlinger for the suggestion.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5103)
2018-01-18 10:56:20 +01:00
Richard Levitte
825038d8c3 TLSProxy::Proxy: don't waste time redirecting STDOUT and STDERR
On Windows, it seems that doing so in a forked (pseudo-)process
sometimes affects the parent, and thereby hides all the results that
are supposed to be seen by the running test framework (the "ok" and
"not ok" lines).

It turns out that our redirection isn't necessary, as the test
framework seems to swallow it all in non-verbose mode anyway.
It's possible that we did need this at some point, but the framework
has undergone some refinement since then...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5100)
2018-01-17 21:27:33 +01:00
Richard Levitte
c44bab084e TLSProxy::Proxy: If we don't support IPv6, force IPv4
We use the first we can of the following IO::Socket modules to create
sockets:

- IO::Socket::INET6
- IO::Socket::IP
- IO::Socket::INET

The last of them doesn't support IPv6, so if that's the one available,
we must force the s_client and s_server processes to use IPv4.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5092)
2018-01-17 09:26:42 +01:00
Matt Caswell
82992a4130 Extend timeout for TLSProxy
I received this error from a TLSProxy test:

Failed to start up server (localhost,4443): Transport endpoint is not
connected

So, extend the timeout before we give up trying to connect to the server.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5088)
2018-01-16 17:22:09 +00:00
Bernd Edlinger
438e57a43f Catch SIGPIPE in TLSProxy::Proxy::clientstart
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5071)
2018-01-13 14:57:15 +01:00
Matt Caswell
597c51bc98 Merge HRR into ServerHello
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
2017-12-14 15:06:37 +00:00
Matt Caswell
018632ae98 Fix race condition in TLSProxy
Normally TLSProxy waits for the s_server process to finish before
continuing. However in cases where serverconnects > 1 we need to keep the
s_server process around for a later test so we continue immediately. This
means that TAP test output can end up being printed to stdout at the same
time as s_server is printing stuff. This confuses the test runner and can
cause spurious test failures. This commit introduces a small delay in cases
where serverconnects > 1 in order to give s_server enough time to finish
what it was doing before we continue to the next test.

Fixes #4129

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4660)
2017-11-07 10:51:17 +00:00
Matt Caswell
4130016623 Fix Proxy where a timeout occurs waiting for both client and server
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4305)
2017-09-01 08:47:14 +01:00
Richard Levitte
cb6afcd6ee Consolidate the locations where we have our internal perl modules
Instead of having perl modules under test/testlib, util and util/perl,
consolidate them all to be inside util/perl.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
2017-08-15 11:30:47 +02:00
Renamed from util/TLSProxy/Proxy.pm (Browse further)