Port DTLS version negotiation tests

Reviewed-by: N Rich Salz <rsalz@openssl.org>

Port DTLS version negotiation tests
Reviewed-by: N Rich Salz <rsalz@openssl.org>
74726750 · Emilia Kasper · 81fc33c9 · 74726750 · 74726750 · 74726750
12 changed file
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -64,6 +64,8 @@ The test section supports the following options:
  - AcceptAll - accepts all certificates.
  - RejectAll - rejects all certificates.

+* Method - the method to test. One of DTLS or TLS.
+
 * ServerName - the server the client should attempt to connect to. One of
  - None - do not use SNI (default)
  - server1 - the initial context

--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -26,28 +26,43 @@ map { s/;.*// } @conf_srcs if $^O eq "VMS";
 my @conf_files = map { basename($_) } @conf_srcs;
 map { s/\.in// } @conf_files;

-# 02-protocol-version.conf test results depend on the configuration of enabled
-# protocols. We only verify generated sources in the default configuration.
-my $is_default = (disabled("ssl3") && !disabled("tls1") &&
-                  !disabled("tls1_1") && !disabled("tls1_2"));
+# 02-protocol-version.conf test and 05-dtls-protocol-version.conf results
+# depend on the configuration of enabled protocols. We only verify generated
+# sources in the default configuration.
+my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
+                      !disabled("tls1_1") && !disabled("tls1_2"));

-my %conf_dependent_tests = ("02-protocol-version.conf" => 1);
+my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
+
+my $no_tls = alldisabled(available_protocols("tls"));
+my $no_dtls = alldisabled(available_protocols("dtls"));
+
+my %conf_dependent_tests = (
+  "02-protocol-version.conf" => !$is_default_tls,
+  "05-dtls-protocol-version.conf" => !$is_default_dtls,
+);
+
+# Default is $no_tls but some tests have different skip conditions.
+my %skip = (
+  "05-dtls-protocol-version.conf" => $no_dtls,
+);

 foreach my $conf (@conf_files) {
    subtest "Test configuration $conf" => sub {
        test_conf($conf,
-                  $conf_dependent_tests{$conf} || $^O eq "VMS" ?  0 : 1);
+                  $conf_dependent_tests{$conf} || $^O eq "VMS" ?  0 : 1,
+                  $skip{$conf} || $no_tls);
    }
 }

 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 6;  # = scalar @conf_srcs
+plan tests => 7;  # = scalar @conf_srcs

 sub test_conf {
    plan tests => 3;

-    my ($conf, $check_source) = @_;
+    my ($conf, $check_source, $skip) = @_;

    my $conf_file = srctop_file("test", "ssl-tests", $conf);
    my $tmp_file = "${conf}.$$.tmp";
@@ -73,8 +88,7 @@ sub test_conf {
      }

      # Test 3. Run the test.
-      my $no_tls = alldisabled(available_protocols("tls"));
-      skip "No TLS tests available; skipping tests", 1 if $no_tls;
+      skip "No tests available; skipping tests", 1 if $skip;
      skip "Stale sources; skipping tests", 1 if !$run_test;

      ok(run(test(["ssl_test", $tmp_file])), "running ssl_test $conf");

--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -79,7 +79,7 @@ my $client_sess="client.ss";
 # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
 plan tests =>
    1				# For testss
-    + 14			# For the first testssl
+    + 13			# For the first testssl
    ;

 subtest 'test_ss' => sub {
@@ -331,7 +331,7 @@ sub testssl {

    subtest 'standard SSL tests' => sub {
 	######################################################################
-        plan tests => 21;
+      plan tests => 21;

      SKIP: {
 	  skip "SSLv3 is not supported by this OpenSSL build", 4
@@ -683,53 +683,6 @@ sub testssl {
 	}
    };

-    subtest 'DTLS Version min/max tests' => sub {
-        my @protos;
-        push(@protos, "dtls1") unless ($no_dtls1 || $no_dtls);
-        push(@protos, "dtls1.2") unless ($no_dtls1_2 || $no_dtls);
-        my @minprotos = (undef, @protos);
-        my @maxprotos = (@protos, undef);
-        my @shdprotos = (@protos, $protos[$#protos]);
-        my $n = ((@protos+2) * (@protos+3))/2 - 2;
-        my $ntests = $n * $n;
-	plan tests => $ntests;
-      SKIP: {
-        skip "DTLS disabled", 1 if $ntests == 1;
-
-        my $should;
-        for (my $smin = 0; $smin < @minprotos; ++$smin) {
-        for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) {
-        for (my $cmin = 0; $cmin < @minprotos; ++$cmin) {
-        for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) {
-            if ($cmax < $smin-1) {
-                $should = "fail-server";
-            } elsif ($smax < $cmin-1) {
-                $should = "fail-client";
-            } elsif ($cmax > $smax) {
-                $should = $shdprotos[$smax];
-            } else {
-                $should = $shdprotos[$cmax];
-            }
-
-            my @args = (@ssltest, "-dtls");
-            push(@args, "-should_negotiate", $should);
-            push(@args, "-server_min_proto", $minprotos[$smin])
-                if (defined($minprotos[$smin]));
-            push(@args, "-server_max_proto", $maxprotos[$smax])
-                if (defined($maxprotos[$smax]));
-            push(@args, "-client_min_proto", $minprotos[$cmin])
-                if (defined($minprotos[$cmin]));
-            push(@args, "-client_max_proto", $maxprotos[$cmax])
-                if (defined($maxprotos[$cmax]));
-            my $ok = run(test[@args]);
-            if (! $ok) {
-                print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n";
-                print STDERR "\nFailed: @args\n";
-            }
-            ok($ok);
-        }}}}}
-    };
-
    subtest 'TLS session reuse' => sub {
        plan tests => 12;


--- a/test/ssl-tests/02-protocol-version.conf.in
+++ b/test/ssl-tests/02-protocol-version.conf.in
@@ -7,116 +7,13 @@
 # https://www.openssl.org/source/license.html


-## Test version negotiation
+## Test TLS version negotiation

 package ssltests;

-use List::Util qw/max min/;
+use strict;
+use warnings;

-use OpenSSL::Test;
-use OpenSSL::Test::Utils qw/anydisabled alldisabled/;
-setup("no_test_here");
+use protocol_version;

-my @protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
-# undef stands for "no limit".
-my @min_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
-my @max_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", undef);
-
-my @is_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
-
-my $min_enabled; my $max_enabled;
-
-# Protocol configuration works in cascades, i.e.,
-# $no_tls1_1 disables TLSv1.1 and below.
-#
-# $min_enabled and $max_enabled will be correct if there is at least one
-# protocol enabled.
-foreach my $i (0..$#protocols) {
-    if (!$is_disabled[$i]) {
-        $min_enabled = $i;
-        last;
-    }
-}
-
-foreach my $i (0..$#protocols) {
-    if (!$is_disabled[$i]) {
-        $max_enabled = $i;
-    }
-}
-
-our @tests = ();
-
-sub generate_tests() {
-    foreach my $c_min (0..$#min_protocols) {
-        my $c_max_min = $c_min == 0 ? 0 : $c_min - 1;
-        foreach my $c_max ($c_max_min..$#max_protocols) {
-            foreach my $s_min (0..$#min_protocols) {
-                my $s_max_min = $s_min == 0 ? 0 : $s_min - 1;
-                foreach my $s_max ($s_max_min..$#max_protocols) {
-                    my ($result, $protocol) =
-                        expected_result($c_min, $c_max, $s_min, $s_max);
-                    push @tests, {
-                        "name" => "version-negotiation",
-                        "client" => {
-                            "MinProtocol" => $min_protocols[$c_min],
-                            "MaxProtocol" => $max_protocols[$c_max],
-                        },
-                        "server" => {
-                            "MinProtocol" => $min_protocols[$s_min],
-                            "MaxProtocol" => $max_protocols[$s_max],
-                        },
-                        "test" => {
-                            "ExpectedResult" => $result,
-                            "Protocol" => $protocol
-                        }
-                    };
-                }
-            }
-        }
-    }
-}
-
-sub expected_result {
-    my $no_tls = alldisabled("ssl3", "tls1", "tls1_1", "tls1_2");
-    if ($no_tls) {
-        return ("InternalError", undef);
-    }
-
-    my ($c_min, $c_max, $s_min, $s_max) = @_;
-
-    # Adjust for "undef" (no limit).
-    $c_min = $c_min == 0 ? 0 : $c_min - 1;
-    $c_max = $c_max == scalar(@max_protocols) - 1 ? $c_max - 1 : $c_max;
-    $s_min = $s_min == 0 ? 0 : $s_min - 1;
-    $s_max = $s_max == scalar(@max_protocols) - 1 ? $s_max - 1 : $s_max;
-
-    # We now have at least one protocol enabled, so $min_enabled and
-    # $max_enabled are well-defined.
-    $c_min = max $c_min, $min_enabled;
-    $s_min = max $s_min, $min_enabled;
-    $c_max = min $c_max, $max_enabled;
-    $s_max = min $s_max, $max_enabled;
-
-    if ($c_min > $c_max) {
-        # Client should fail to even send a hello.
-        # This results in an internal error since the server will be
-        # waiting for input that never arrives.
-        return ("InternalError", undef);
-    } elsif ($s_min > $s_max) {
-        # Server has no protocols, should always fail.
-        return ("ServerFail", undef);
-    } elsif ($s_min > $c_max) {
-        # Server doesn't support the client range.
-        return ("ServerFail", undef);
-    } elsif ($c_min > $s_max) {
-        # Server will try with a version that is lower than the lowest
-        # supported client version.
-        return ("ClientFail", undef);
-    } else {
-        # Server and client ranges overlap.
-        my $max_common = $s_max < $c_max ? $s_max : $c_max;
-        return ("Success", $protocols[$max_common]);
-    }
-}
-
-generate_tests();
+our @tests = generate_tests("TLS");
--- a/test/ssl-tests/07-dtls-protocol-version.conf
+++ b/test/ssl-tests/07-dtls-protocol-version.conf
--- a/test/ssl-tests/07-dtls-protocol-version.conf.in
+++ b/test/ssl-tests/07-dtls-protocol-version.conf.in
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Test DTLS version negotiation
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use protocol_version;
+
+our @tests = generate_tests("DTLS");
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Test version negotiation
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use List::Util qw/max min/;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw/anydisabled alldisabled/;
+setup("no_test_here");
+
+my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+# undef stands for "no limit".
+my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", undef);
+
+my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+
+my $min_tls_enabled; my $max_tls_enabled;
+
+# Protocol configuration works in cascades, i.e.,
+# $no_tls1_1 disables TLSv1.1 and below.
+#
+# $min_enabled and $max_enabled will be correct if there is at least one
+# protocol enabled.
+foreach my $i (0..$#tls_protocols) {
+    if (!$is_tls_disabled[$i]) {
+        $min_tls_enabled = $i;
+        last;
+    }
+}
+
+foreach my $i (0..$#tls_protocols) {
+    if (!$is_tls_disabled[$i]) {
+        $max_tls_enabled = $i;
+    }
+}
+
+my @dtls_protocols = ("DTLSv1", "DTLSv1.2");
+# undef stands for "no limit".
+my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2");
+my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef);
+
+my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2");
+
+my $min_dtls_enabled; my $max_dtls_enabled;
+
+# $min_enabled and $max_enabled will be correct if there is at least one
+# protocol enabled.
+foreach my $i (0..$#dtls_protocols) {
+    if (!$is_dtls_disabled[$i]) {
+        $min_dtls_enabled = $i;
+        last;
+    }
+}
+
+foreach my $i (0..$#dtls_protocols) {
+    if (!$is_dtls_disabled[$i]) {
+        $max_dtls_enabled = $i;
+    }
+}
+
+sub generate_tests {
+    my ($method) = @_;
+
+    my $dtls = $method eq "DTLS";
+    # Don't write the redundant "Method = TLS" into the configuration.
+    undef $method if !$dtls; 
+
+    my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
+    my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
+    my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
+    my $min_enabled  = $dtls ? $min_dtls_enabled : $min_tls_enabled;
+    my $max_enabled  = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+
+    my $no_tests = $dtls ? alldisabled("dtls1", "dtls1_2") :
+      alldisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+    if ($no_tests) {
+        return;
+    }
+
+    my @tests = ();
+
+    foreach my $c_min (0..$#min_protocols) {
+        my $c_max_min = $c_min == 0 ? 0 : $c_min - 1;
+        foreach my $c_max ($c_max_min..$#max_protocols) {
+            foreach my $s_min (0..$#min_protocols) {
+                my $s_max_min = $s_min == 0 ? 0 : $s_min - 1;
+                foreach my $s_max ($s_max_min..$#max_protocols) {
+                    my ($result, $protocol) =
+                        expected_result($c_min, $c_max, $s_min, $s_max,
+                                        $min_enabled, $max_enabled, \@protocols);
+                    push @tests, {
+                        "name" => "version-negotiation",
+                        "client" => {
+                            "MinProtocol" => $min_protocols[$c_min],
+                            "MaxProtocol" => $max_protocols[$c_max],
+                        },
+                        "server" => {
+                            "MinProtocol" => $min_protocols[$s_min],
+                            "MaxProtocol" => $max_protocols[$s_max],
+                        },
+                        "test" => {
+                            "ExpectedResult" => $result,
+                            "Protocol" => $protocol,
+                            "Method" => $method,
+                        }
+                    };
+                }
+            }
+        }
+    }
+    return @tests;
+}
+
+sub expected_result {
+    my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled,
+        $protocols) = @_;
+
+    # Adjust for "undef" (no limit).
+    $c_min = $c_min == 0 ? 0 : $c_min - 1;
+    $c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max;
+    $s_min = $s_min == 0 ? 0 : $s_min - 1;
+    $s_max = $s_max == scalar @$protocols ? $s_max - 1 : $s_max;
+
+    # We now have at least one protocol enabled, so $min_enabled and
+    # $max_enabled are well-defined.
+    $c_min = max $c_min, $min_enabled;
+    $s_min = max $s_min, $min_enabled;
+    $c_max = min $c_max, $max_enabled;
+    $s_max = min $s_max, $max_enabled;
+
+    if ($c_min > $c_max) {
+        # Client should fail to even send a hello.
+        # This results in an internal error since the server will be
+        # waiting for input that never arrives.
+        return ("InternalError", undef);
+    } elsif ($s_min > $s_max) {
+        # Server has no protocols, should always fail.
+        return ("ServerFail", undef);
+    } elsif ($s_min > $c_max) {
+        # Server doesn't support the client range.
+        return ("ServerFail", undef);
+    } elsif ($c_min > $s_max) {
+        # Server will try with a version that is lower than the lowest
+        # supported client version.
+        return ("ClientFail", undef);
+    } else {
+        # Server and client ranges overlap.
+        my $max_common = $s_max < $c_max ? $s_max : $c_max;
+        return ("Success", $protocols->[$max_common]);
+    }
+}
+
+1;
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -177,10 +177,25 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
    SSL_TEST_CTX *test_ctx = NULL;
    HANDSHAKE_RESULT result;

-    server_ctx = SSL_CTX_new(TLS_server_method());
-    server2_ctx = SSL_CTX_new(TLS_server_method());
-    client_ctx = SSL_CTX_new(TLS_client_method());
-    OPENSSL_assert(server_ctx != NULL && server2_ctx != NULL && client_ctx != NULL);
+    test_ctx = SSL_TEST_CTX_create(conf, fixture.test_app);
+    if (test_ctx == NULL)
+        goto err;
+
+#ifndef OPENSSL_NO_DTLS
+    if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
+        server_ctx = SSL_CTX_new(DTLS_server_method());
+        server2_ctx = SSL_CTX_new(DTLS_server_method());
+        client_ctx = SSL_CTX_new(DTLS_client_method());
+    }
+#endif
+    if (test_ctx->method == SSL_TEST_METHOD_TLS) {
+        server_ctx = SSL_CTX_new(TLS_server_method());
+        server2_ctx = SSL_CTX_new(TLS_server_method());
+        client_ctx = SSL_CTX_new(TLS_client_method());
+    }
+
+    OPENSSL_assert(server_ctx != NULL && server2_ctx != NULL &&
+                   client_ctx != NULL);

    OPENSSL_assert(CONF_modules_load(conf, fixture.test_app, 0) > 0);


--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -113,6 +113,8 @@ static const test_enum ssl_protocols[] = {
     {"TLSv1.1", TLS1_1_VERSION},
     {"TLSv1", TLS1_VERSION},
     {"SSLv3", SSL3_VERSION},
+     {"DTLSv1", DTLS1_VERSION},
+     {"DTLSv1.2", DTLS1_2_VERSION},
 };

 __owur static int parse_protocol(SSL_TEST_CTX *test_ctx, const char *value)
@@ -211,6 +213,31 @@ const char *ssl_session_ticket_name(ssl_session_ticket_t server)
                     server);
 }

+/***********************/
+/* Method.             */
+/***********************/
+
+static const test_enum ssl_test_methods[] = {
+    {"TLS", SSL_TEST_METHOD_TLS},
+    {"DTLS", SSL_TEST_METHOD_DTLS},
+};
+
+__owur static int parse_test_method(SSL_TEST_CTX *test_ctx, const char *value)
+{
+    int ret_value;
+    if (!parse_enum(ssl_test_methods, OSSL_NELEM(ssl_test_methods),
+                    &ret_value, value)) {
+        return 0;
+    }
+    test_ctx->method = ret_value;
+    return 1;
+}
+
+const char *ssl_test_method_name(ssl_test_method_t method)
+{
+    return enum_name(ssl_test_methods, OSSL_NELEM(ssl_test_methods), method);
+}
+
 /*************************************************************/
 /* Known test options and their corresponding parse methods. */
 /*************************************************************/
@@ -228,6 +255,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
    { "ClientVerifyCallback", &parse_client_verify_callback },
    { "ServerName", &parse_servername },
    { "SessionTicketExpected", &parse_session_ticket },
+    { "Method", &parse_test_method },
 };



--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -39,6 +39,11 @@ typedef enum {
    SSL_TEST_SESSION_TICKET_BROKEN, /* Special test */
 } ssl_session_ticket_t;

+typedef enum {
+    SSL_TEST_METHOD_TLS = 0, /* Default */
+    SSL_TEST_METHOD_DTLS,
+} ssl_test_method_t;
+
 typedef struct ssl_test_ctx {
    /* Test expectations. */
    /* Defaults to SUCCESS. */
@@ -57,6 +62,8 @@ typedef struct ssl_test_ctx {
    /* One of a number of predefined server names use by the client */
    ssl_servername_t servername;
    ssl_session_ticket_t session_ticket_expected;
+    /* Whether the server/client CTX should use DTLS or TLS. */
+    ssl_test_method_t method;
 } SSL_TEST_CTX;

 const char *ssl_test_result_name(ssl_test_result_t result);
@@ -65,6 +72,7 @@ const char *ssl_protocol_name(int protocol);
 const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback);
 const char *ssl_servername_name(ssl_servername_t server);
 const char *ssl_session_ticket_name(ssl_session_ticket_t server);
+const char *ssl_test_method_name(ssl_test_method_t method);

 /*
 * Load the test case context from |conf|.

--- a/test/ssl_test_ctx_test.c
+++ b/test/ssl_test_ctx_test.c
@@ -156,6 +156,7 @@ static int test_good_configuration()
    fixture.expected_ctx->client_verify_callback = SSL_TEST_VERIFY_REJECT_ALL;
    fixture.expected_ctx->servername = SSL_TEST_SERVERNAME_SERVER2;
    fixture.expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
+    fixture.expected_ctx->method = SSL_TEST_METHOD_DTLS;
    EXECUTE_SSL_TEST_CTX_TEST();
 }

@@ -167,6 +168,7 @@ static const char *bad_configurations[] = {
    "ssltest_unknown_verify_callback",
    "ssltest_unknown_servername",
    "ssltest_unknown_session_ticket_expected",
+    "ssltest_unknown_method",
 };

 static int test_bad_configuration(int idx)

--- a/test/ssl_test_ctx_test.conf
+++ b/test/ssl_test_ctx_test.conf
@@ -7,6 +7,7 @@ Protocol = TLSv1.1
 ClientVerifyCallback = RejectAll
 ServerName = server2
 SessionTicketExpected = Yes
+Method = DTLS

 [ssltest_unknown_option]
 UnknownOption = Foo
@@ -28,3 +29,7 @@ ServerName = Foo

 [ssltest_unknown_session_ticket_expected]
 SessionTicketExpected = Foo
+
+[ssltest_unknown_method]
+Method = TLS2
+