From 99f00d917a917eb848eac3803a4bd52b536deaa6 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Wed, 29 May 2024 11:04:14 +0200 Subject: [PATCH] Run 70-test_tls13alerts.t with dtls Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24525) --- Configure | 4 +- test/recipes/70-test_tls13alerts.t | 71 +++++++++++++++++++------ util/perl/TLSProxy/Message.pm | 3 +- util/perl/TLSProxy/Proxy.pm | 4 +- util/perl/TLSProxy/Record.pm | 3 +- util/perl/TLSProxy/ServerKeyExchange.pm | 3 +- 6 files changed, 64 insertions(+), 24 deletions(-) diff --git a/Configure b/Configure index 2dd6234d1cc..436911df3c2 100755 --- a/Configure +++ b/Configure @@ -408,7 +408,7 @@ my $default_ranlib; # Known TLS and DTLS protocols my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); -my @dtls = qw(dtls1 dtls1_2); +my @dtls = qw(dtls1 dtls1_2 dtls1_3); # Explicitly known options that are possible to disable. They can # be regexps, and will be used like this: /^no-${option}$/ @@ -549,7 +549,7 @@ my @disablables = ( foreach my $proto ((@tls, @dtls)) { push(@disablables, $proto); - push(@disablables, "$proto-method") unless $proto eq "tls1_3"; + push(@disablables, "$proto-method") unless $proto eq "tls1_3" || $proto eq "dtls1_3"; } # Internal disablables, for aliasing purposes. They serve no special diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index 152e6cc130d..130ca70e186 100644 --- a/test/recipes/70-test_tls13alerts.t +++ b/test/recipes/70-test_tls13alerts.t 
@@ -23,23 +23,60 @@ plan skip_all => "$test_name needs the dynamic engine feature enabled" plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); -plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3") || (disabled("ec") && disabled("dh")); - -my $proxy = TLSProxy::Proxy->new( - undef, - cmdstr(app(["openssl"]), display => 1), - srctop_file("apps", "server.pem"), - (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -); - -#Test 1: We test that a server can handle an unencrypted alert when normally the -# next message is encrypted -$proxy->filter(\&alert_filter); -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 1; -my $alert = TLSProxy::Message->alert(); -ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unencrypted alert"); +plan skip_all => "$test_name needs elliptic curves and diffie-hellman enabled" + if disabled("ec") && disabled("dh"); + +my $testcount = 1; + +plan tests => 2 * $testcount; + +SKIP: { + skip "TLS 1.3 is disabled", $testcount if disabled("tls1_3"); + # Run tests with TLS + run_tests(0); +} + +SKIP: { + skip "DTLS 1.3 is disabled", $testcount if disabled("dtls1_3"); + skip "DTLSProxy does not support partial messages that are sent when EC is disabled", + $testcount if disabled("ec"); + skip "DTLSProxy does not work on Windows", $testcount if $^O =~ /^(MSWin32)$/; + run_tests(1); +} + +sub run_tests +{ + my $run_test_as_dtls = shift; + my $proxy_start_success = 0; + + my $proxy; + if ($run_test_as_dtls == 1) { + $proxy = TLSProxy::Proxy->new_dtls( + undef, + cmdstr(app([ "openssl" ]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + else { + $proxy = TLSProxy::Proxy->new( + undef, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) + ); + } + + #Test 1: We test that a server can 
handle an unencrypted alert when normally the + # next message is encrypted + $proxy->clear(); + $proxy->filter(\&alert_filter); + $proxy_start_success = $proxy->start(); + skip "TLSProxy did not start correctly", $testcount if $proxy_start_success == 0; + + my $alert = TLSProxy::Message->alert(); + ok(TLSProxy::Message->fail() && !$alert->server() && !$alert->encrypted(), "Client sends an unencrypted alert"); +} sub alert_filter { diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm index 82db4022c24..3075761424b 100644 --- a/util/perl/TLSProxy/Message.pm +++ b/util/perl/TLSProxy/Message.pm @@ -632,7 +632,8 @@ sub repack $data .= pack("C", $macval); } - if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) { + if ((!$self->{isdtls} && $rec->version() >= TLSProxy::Record::VERS_TLS_1_1) + || ($self->{isdtls} && $rec->version() <= TLSProxy::Record::VERS_DTLS_1)) { #Explicit IV $data = ("\0"x16).$data; } diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm index 8436861668a..badc179a472 100644 --- a/util/perl/TLSProxy/Proxy.pm +++ b/util/perl/TLSProxy/Proxy.pm @@ -271,7 +271,7 @@ sub start ." -cert ".$self->cert." -cert2 ".$self->cert ." -naccept ".$self->serverconnects; if ($self->{isdtls}) { - $execcmd .= " -dtls -max_protocol DTLSv1.2" + $execcmd .= " -dtls -max_protocol DTLSv1.3" # TLSProxy does not support message fragmentation. So # set a high mtu and fingers crossed. ." -mtu 1500"; @@ -338,7 +338,7 @@ sub clientstart ." s_client -engine ossltest" ." -connect $self->{proxy_addr}:$self->{proxy_port}"; if ($self->{isdtls}) { - $execcmd .= " -dtls -max_protocol DTLSv1.2" + $execcmd .= " -dtls -max_protocol DTLSv1.3" # TLSProxy does not support message fragmentation. So # set a high mtu and fingers crossed. ." -mtu 1500" diff --git a/util/perl/TLSProxy/Record.pm b/util/perl/TLSProxy/Record.pm index f55e4ac3a48..4d4a48498f2 100644 --- a/util/perl/TLSProxy/Record.pm +++ b/util/perl/TLSProxy/Record.pm 
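Review bot: `run_tests` calls `skip` when the proxy fails to start, which only works because both call sites sit inside a `SKIP:` block, and nothing in the new sub says so. I would add a comment above `sub run_tests`, for example `# Must be called from inside a SKIP: block: a proxy start failure skips $testcount tests in the caller's block.` A DTLS proxy that cannot start is also reported as a skip rather than a failure, so the unencrypted-alert check can stop running for DTLS without the recipe going red; the skip count in CI output is the only place this would show. `alert_filter`'s body lies outside the hunk, so whether it needs DTLS-specific record handling cannot be judged from here.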
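Review bot: The new DTLS branch in `repack`, `$rec->version() <= TLSProxy::Record::VERS_DTLS_1`, reads as "DTLS 1.0 or older" unless the reader already knows that DTLS wire versions decrease as the protocol version goes up, so the condition needs a comment. Assuming the constants hold the wire values, I would put `# DTLS version numbers count downwards (1.0 > 1.2 > 1.3), so <= VERS_DTLS_1 means DTLS 1.0 and later` directly above it. The same comparison is added to `decryptETM` in util/perl/TLSProxy/Record.pm, where the existing comment `#TLS1.1+ has an explicit IV. Throw it away` no longer describes the whole condition and should mention DTLS as well. `repack` starts and ends outside the hunk.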
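Review bot: Raising the hard-coded cap to `-max_protocol DTLSv1.3` in both `start` and `clientstart` changes the version negotiated by every recipe that builds its proxy with `new_dtls`, not only 70-test_tls13alerts.t. Recipes written against DTLS 1.2 record and handshake layouts would now negotiate DTLS 1.3 unless they pin the version themselves, and whether they do is not visible from these hunks. I would confirm that before merging and record the scope next to the option, e.g. `# Applies to every DTLS recipe that uses this proxy, not only the DTLS 1.3 ones`. It is also worth checking how s_server and s_client treat this option in a no-dtls1_3 build, since the string is passed unconditionally. Both functions start and end outside the hunks.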
@@ -308,7 +308,8 @@ sub decryptETM my $data = $self->data; - if($self->version >= VERS_TLS_1_1()) { + if((!$self->{isdtls} && $self->version >= VERS_TLS_1_1) + || ($self->{isdtls} && $self->version <= VERS_DTLS_1)) { #TLS1.1+ has an explicit IV. Throw it away $data = substr($data, 16); } diff --git a/util/perl/TLSProxy/ServerKeyExchange.pm b/util/perl/TLSProxy/ServerKeyExchange.pm index 15dd9a8898e..160ff366883 100644 --- a/util/perl/TLSProxy/ServerKeyExchange.pm +++ b/util/perl/TLSProxy/ServerKeyExchange.pm @@ -77,7 +77,8 @@ sub parse my $record = ${$self->records}[0]; if (TLSProxy::Proxy->is_tls13() - || $record->version() == TLSProxy::Record::VERS_TLS_1_2) { + || $record->version() == TLSProxy::Record::VERS_TLS_1_2 + || $record->version() == TLSProxy::Record::VERS_DTLS_1_2) { $sigalg = unpack('n', substr($self->data, $ptr)); $ptr += 2; } -- 2.47.2