From 6b4d6931e79e0f2e1fc3c1d9c49d79cbad677bed Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 4 Sep 2024 16:51:50 +0200 Subject: [PATCH] Test dtls_server Test against both OpenSSL and GnuTLS. Don't use a proxy. It's not particularly useful here, and would complicate figuring out port numbers. Clean up compile-time requirements dtls_server.c: any certificate-based key exchange is ok, so don't insist on built-in RSA. Signed-off-by: Gilles Peskine --- programs/ssl/dtls_server.c | 28 +++++++++++++--------------- tests/opt-testcases/sample.sh | 24 ++++++++++++++++++++++++ tests/ssl-opt.sh | 3 ++- 3 files changed, 39 insertions(+), 16 deletions(-) diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 732625e7fb..0a02694eb7 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -18,19 +18,19 @@ #define BIND_IP "::" #endif -#if !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \ - !defined(MBEDTLS_SSL_COOKIE_C) || !defined(MBEDTLS_NET_C) || \ - !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ - !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \ - !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_TIMING_C) - +#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ + !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) || \ + !defined(MBEDTLS_TIMING_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \ + !defined(MBEDTLS_SSL_COOKIE_C) || \ + !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) int main(void) { - printf("MBEDTLS_SSL_SRV_C and/or MBEDTLS_SSL_PROTO_DTLS and/or " - "MBEDTLS_SSL_COOKIE_C and/or MBEDTLS_NET_C and/or " - "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or " - "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or " - "MBEDTLS_PEM_PARSE_C and/or MBEDTLS_TIMING_C not defined.\n"); + mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or " + "MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or " + "MBEDTLS_TIMING_C and/or MBEDTLS_SSL_PROTO_DTLS and/or " + "MBEDTLS_SSL_COOKIE_C and/or " + "MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C " + "not defined.\n"); mbedtls_exit(0); } #else @@ -402,7 +402,5 @@ exit: mbedtls_exit(ret); } -#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS && - MBEDTLS_SSL_COOKIE_C && MBEDTLS_NET_C && MBEDTLS_ENTROPY_C && - MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C - && MBEDTLS_PEM_PARSE_C && MBEDTLS_TIMING_C */ + +#endif /* configuration allows running this program */ diff --git a/tests/opt-testcases/sample.sh b/tests/opt-testcases/sample.sh index a74d597c28..7c5562ffbb 100644 --- a/tests/opt-testcases/sample.sh +++ b/tests/opt-testcases/sample.sh @@ -206,3 +206,27 @@ run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.3" \ -c "Description:.*TLS1.3" \ -S "error" \ -C "ERROR" + +requires_protocol_version dtls12 +run_test "Sample: dtls_server, openssl client, DTLS 1.2" \ + -P 4433 \ + "$PROGRAMS_DIR/dtls_server" \ + "$O_CLI -dtls1_2" \ + 0 \ + -s "[1-9][0-9]* bytes read" \ + -s "[1-9][0-9]* bytes written" \ + -c "New, TLSv1.2, Cipher is" \ + -S "error" \ + -C "ERROR" + +requires_protocol_version dtls12 +run_test "Sample: dtls_server, gnutls client, DTLS 1.2" \ + -P 4433 \ + "$PROGRAMS_DIR/dtls_server" \ + "$G_CLI -u --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \ + 0 \ + -s "[1-9][0-9]* bytes read" \ + -s "[1-9][0-9]* bytes written" \ + -c "Description:.*DTLS1.2" \ + -S "error" \ + -C "ERROR" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b5d6266876..0f84395701 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -500,6 +500,7 @@ detect_required_features() { requires_config_enabled MBEDTLS_SSL_CLI_C requires_certificate_authentication ;; + *"programs/ssl/dtls_server "*|\ *"programs/ssl/ssl_fork_server "*|\ *"programs/ssl/ssl_pthread_server "*|\ *"programs/ssl/ssl_server "*) @@ -1277,7 +1278,7 @@ wait_client_done() { # check if the given command uses dtls and sets global variable DTLS detect_dtls() { case "$1" in - *dtls=1*|*-dtls*|*-u*) DTLS=1;; + *dtls=1*|*-dtls*|*-u*|*/dtls_*) DTLS=1;; *) DTLS=0;; esac }