Merge branch '3.3dev' into fix_early_data_empty

Author: drwetter

t/00_testssl_help.t

@@ -13,7 +13,7 @@ my $out="";
 
 # Try to detect remainders from debugging:
 my $debug_regexp='^(\s)*set (-|\+)x';
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $error_regexp1='(syntax|parse) (e|E)rror';
 my $error_regexp2='testssl.sh: line';
 my $error_regexp3='bash: warning';

t/01_testssl_banner.t

@@ -8,7 +8,7 @@ use Test::More;
 
 my $tests = 0;
 my $fileout="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $error_regexp1='(syntax|parse) (e|E)rror';
 my $error_regexp2='testssl.sh: line';
 my $error_regexp3='bash: warning';

t/02_clientsim_txt_parsable.t

@@ -8,7 +8,7 @@ use Test::More;
 
 my $tests = 0;
 my $fileout="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $error_regexp1='(syntax|parse) (e|E)rror';
 my $error_regexp2='client-simulation.txt:';
 

t/10_baseline_ipv4_http.t

@@ -1,8 +1,6 @@
 #!/usr/bin/env perl
 
-# baseline test for testssl, screen and JSON output
-
-# This is referred by the documentation.
+# Baseline test for testssl, screen and JSON output
 
 # We could also inspect the JSON for any problems for
 #    "id"           : "scanProblem"
@@ -15,58 +13,89 @@ use JSON;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $tmp_json="tmp.json";
-my $check2run="-p -s -P --fs -S -h -U -q --ip=one --color 0 --jsonfile $tmp_json";
+my $json_file="";
+my $check2run="-p -s -P --fs -S -h -U -q --ip=one --color 0 --jsonfile";
 my $uri="google.com";
-my $socket_out="";
-my $openssl_out="";
-my $socket_json="";
-my $openssl_json="";
+my $terminal_out="";
+my $json_string="";
 #FIXME: Pattern we use to trigger an error, but likely we can skip that and instead we should?/could use the following??
 #       @args="$prg $check2run $uri >/dev/null";
 #       system("@args") == 0
 #           or die ("FAILED: \"@args\" ");
 my $socket_errors='(e|E)rror|FIXME|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_errors='(e|E)rror|FIXME|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
 my $json_errors='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")';
+my $os="$^O";
 
 # useful against "failed to flush stdout" messages
 STDOUT->autoflush(1);
 
 die "Unable to open $prg" unless -f $prg;
 
 # Provide proper start conditions
-unlink $tmp_json;
+$json_file="tmp.json";
+unlink $json_file;
 
 # Title
 printf "\n%s\n", "Baseline unit test IPv4 against \"$uri\"";
-$socket_out = `$prg $check2run $uri 2>&1`;
-$socket_json = json($tmp_json);
+
+
+# run the check
+$terminal_out = `$prg $check2run $json_file $uri 2>&1`;
+$json_string = json($json_file);
+
 
 #1
-unlike($socket_out, qr/$socket_errors≈/, "via sockets, checking terminal output");
+unlike($terminal_out, qr/$socket_errors≈/, "via sockets, checking terminal output");
 $tests++;
 
 #2
-unlike($socket_json, qr/$json_errors/, "via sockets checking JSON output");
+unlike($json_string, qr/$json_errors/, "via sockets checking JSON output");
 $tests++;
 
-unlink $tmp_json;
-
 #3
-$openssl_out = `$prg --ssl-native $check2run $uri 2>&1`;
-$openssl_json = json($tmp_json);
-unlike($openssl_out, qr/$openssl_errors/, "via (builtin) OpenSSL, checking terminal output");
+unlink $json_file;
+$terminal_out = `$prg --ssl-native $check2run $json_file $uri 2>&1`;
+$json_string = json($json_file);
+unlike($terminal_out, qr/$openssl_errors/, "via (builtin) OpenSSL, checking terminal output");
 $tests++;
 
 #4
-unlike($openssl_json, qr/$json_errors/, "via OpenSSL (builtin) checking JSON output");
+unlike($json_string, qr/$json_errors/, "via OpenSSL (builtin) checking JSON output");
 $tests++;
 
-unlink $tmp_json;
+if ( $os eq "linux" ){
+     #5 -- early data test. We just take the last check
+     my $found=0;
+     open my $fh, '<', $json_file or die "Can't open '$json_file': $!";
+     local $/;                    # undef slurp mode
+     my $data = decode_json(<$fh>);
+     close $fh;
+
+     # Check if the decoded data is an array
+     if (ref $data eq 'ARRAY') {
+          # Iterate through the array of JSON objects
+          foreach my $obj (@$data) {
+               # Check if the 'id' is "early_data" and 'severity' is "HIGH"
+               if ($obj->{id} eq 'early_data' && $obj->{severity} eq 'HIGH') {
+                    $found=1;
+                    last;          # we can leave the loop
+               }
+          }
+     }
+
+     if ($found) {
+         ok(1, "0‑RTT found in JSON from $uri");
+     } else {
+         fail("0‑RTT test for $uri failed");
+     }
+     $tests++;
+} elsif ( $os eq "darwin" ){
+     printf "%s\n", "Skipping test. The result of the check under MacOS is not understood" ;
+}
 
 done_testing($tests);
-printf "\n";
+printf "\n\n";
 
 
 sub json($) {
@@ -76,6 +105,5 @@ sub json($) {
 	return from_json($file);
 }
 
-
 # vim:ts=5:sw=5:expandtab
 

t/11_baseline_ipv6_http.t.DISABLED

@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 
-# disabled as IPv6 wasn't supported by Travis CI and isn't by GH action, see https://github.com/testssl/testssl.sh/issues/1177
+# disabled as IPv6 wasn't supported by Travis CI and isn't also supported by GH action, see https://github.com/testssl/testssl.sh/issues/1177
 
 # Just a functional test, whether there are any problems on the client side
 # Probably we could also inspect the JSON for any problems for
@@ -10,16 +10,16 @@
 use strict;
 use Test::More;
 use Data::Dumper;
+# if JSON it'll be needed to uncommented this and the lines below
 # use JSON;
-# if we need JSON we need to comment this and the lines below in
 
 my $tests = 0;
 my $prg="./testssl.sh";
 my $check2run ="-p -s -P --fs -S -h -U -q --ip=one --color 0";
 my $uri="";
 my $socket_out="";
 my $openssl_out="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
 

t/12_diff_opensslversions.t

@@ -21,7 +21,7 @@ my $diff="";
 my $distro_openssl="/usr/bin/openssl";
 my @args="";
 # that can be done better but I am a perl n00b ;-)
-my $os=`perl -e 'print "$^O";'`;
+my $os="$^O";
 
 # useful against "failed to flush stdout" messages
 STDOUT->autoflush(1);

t/21_baseline_starttls.t

@@ -22,9 +22,11 @@ my $check2run="-q --ip=one --color 0";
 my $uri="";
 my $socket_out="";
 my $openssl_out="";
-# Blacklists we use to trigger an error:
+# Patterns used to trigger an error:
 my $socket_regex_bl='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found';
 my $openssl_regex_bl='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found';
+my $openssl_fallback_cmd="";       # empty for Linux
+my $os="$^O";
 
 # useful against "failed to flush stdout" messages
 STDOUT->autoflush(1);
@@ -36,10 +38,26 @@ STDOUT->autoflush(1);
 
 die "Unable to open $prg" unless -f $prg;
 
-$uri="smtp-relay.gmail.com:587";
+if ( $os eq "darwin" ){
+     # MacOS silicon doesn't have ~/bin/openssl.Darwin.arm64 binary so we use the
+     # homebrew version which was moved to /opt/homebrew/bin/openssl.NOPE in
+     # .github/workflows/unit_tests_macos.yml . The LibreSSL version from MacOS
+     # sometimes have problems to finish the run, thus we use homebrew's version
+     # as fallback.
+     # If this will be run outside GH actions, i.e. locally, we provide a fallback to
+     # /opt/homebrew/bin/openssl or just leave this thing
+     if ( -x "/opt/homebrew/bin/openssl.NOPE" ) {
+          $openssl_fallback_cmd="--openssl /opt/homebrew/bin/openssl.NOPE";
+     }
+     elsif ( -x "/opt/homebrew/bin/openssl" ) {
+          $openssl_fallback_cmd="--openssl /opt/homebrew/bin/openssl";
+     }
+}
 
+$check2run_smtp="$check2run_smtp $openssl_fallback_cmd" ;
 
 #1
+$uri="smtp-relay.gmail.com:587";
 # unlink "tmp.json";
 # we will have client simulations later, so we don't need to run everything again:
 printf "\n%s\n", "STARTTLS SMTP unit test via sockets --> $uri ...";
@@ -49,60 +67,34 @@ unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
 #2
-# unlink "tmp.json";
-printf "\n%s\n", "STARTTLS SMTP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run_smtp -t smtp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
 $uri="pop.gmx.net:110";
-
-#3
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS POP3 unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t pop3 $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-#4
-printf "\n%s\n", "STARTTLS POP3 unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run -t pop3 $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
+#3
 $uri="imap.gmx.net:143";
-
-#5
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS IMAP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t imap $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-#6
-printf "\n%s\n", "STARTTLS IMAP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run -t imap $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
+#4
 $uri="mail.tigertech.net:4190";
-
-#7
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS MANAGE(SIEVE) unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t sieve $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;
 
+#5
 $uri="jabber.org:5222";
-
-#8
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS XMPP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t xmpp $uri 2>&1`;
@@ -112,23 +104,15 @@ $tests++;
 
 # commented out, bc of travis' limits
 #
-#printf "\n%s\n", "STARTTLS XMPP unit tests via OpenSSL --> $uri ...";
-#$openssl_out = `$prg --ssl-native $check2run -t xmpp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-#unlike($openssl_out, qr/$openssl_regex_bl/, "");
-#$tests++;
-
 # $uri="jabber.ccc.de:5269";
 # printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
 # $openssl_out = `$prg --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
 # # $openssl_json = json('tmp.json');
 # unlike($openssl_out, qr/$openssl_regex_bl/, "");
 # $tests++;
 
-
+#6
 $uri="ldap.uni-rostock.de:21";
-
-#9
 # unlink "tmp.json";
 printf "\n%s\n", "STARTTLS FTP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t ftp $uri 2>&1`;
@@ -138,50 +122,23 @@ $socket_out =~ s/ error querying OCSP responder .*\n//g;
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-# commented out, bc of travis' limits
-#
-# printf "\n%s\n", "STARTTLS FTP unit tests via OpenSSL --> $uri ...";
-# $openssl_out = `$prg --ssl-native $check2run -t ftp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-# OCSP stapling fails sometimes with: 'offered, error querying OCSP responder (ERROR: No Status found)'
-# $openssl_out =~ s/ error querying OCSP responder .*\n//g;
-# unlike($openssl_out, qr/$openssl_regex_bl/, "");
-# $tests++;
-
-
+#7
 # https://ldapwiki.com/wiki/Public%20LDAP%20Servers
 $uri="db.debian.org:389";
-
-#10
 printf "\n%s\n", "STARTTLS LDAP unit tests via sockets --> $uri ...";
 $socket_out = `$prg $check2run -t ldap $uri 2>&1`;
 # $socket_json = json('tmp.json');
 unlike($socket_out, qr/$socket_regex_bl/, "");
 $tests++;
 
-#11
-printf "\n%s\n", "STARTTLS LDAP unit tests via OpenSSL --> $uri ...";
-$openssl_out = `$prg --ssl-native $check2run -t ldap $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-unlike($openssl_out, qr/$openssl_regex_bl/, "");
-$tests++;
-
-
 # For NNTP there doesn't seem to be reliable host out there
 #$uri="144.76.182.167:119";
 
 #printf "\n%s\n", "STARTTLS NNTP unit tests via sockets --> $uri ...";
 #$socket_out = `$prg $check2run -t nntp $uri 2>&1`;
 #unlike($socket_out, qr/$socket_regex_bl/, "");
 #$tests++;
-
-# commented out, bc of travis' limits
-#
-#printf "\n%s\n", "STARTTLS NNTP unit tests via OpenSSL --> $uri ...";
-#$openssl_out = `$prg --ssl-native $check2run -t nntp $uri 2>&1`;
-# $openssl_json = json('tmp.json');
-#unlike($openssl_out, qr/$openssl_regex_bl/, "");
-#$tests++;
+# also: commented out, bc of travis' limits
 
 # IRC: missing
 # LTMP, mysql, postgres