]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
fecb3aae | 2 | # Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
c9d24373 | 14 | use File::Basename; |
88b8a527 | 15 | use File::Copy; |
6955e3f7 | 16 | use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/; |
340166a9 | 17 | use OpenSSL::Test::Utils; |
88b8a527 | 18 | |
be9d82bb | 19 | BEGIN { |
1d1d2312 | 20 | setup("test_ssl_old"); |
be9d82bb MC |
21 | } |
22 | ||
23 | use lib srctop_dir('Configurations'); | |
24 | use lib bldtop_dir('.'); | |
88b8a527 | 25 | |
be9d82bb | 26 | my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); |
ea1ecd98 | 27 | my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, |
582a17d6 | 28 | $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3, |
dd696a55 | 29 | $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) = |
ea1ecd98 | 30 | anydisabled qw/rsa dsa dh ec psk |
582a17d6 | 31 | ssl3 tls1 tls1_1 tls1_2 tls1_3 |
dd696a55 | 32 | dtls dtls1 dtls1_2 ct/; |
a763ca11 MC |
33 | #If ec and dh are disabled then don't use TLSv1.3 |
34 | $no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh); | |
90d48e5e RL |
35 | my $no_anytls = alldisabled(available_protocols("tls")); |
36 | my $no_anydtls = alldisabled(available_protocols("dtls")); | |
3ea75c63 RL |
37 | |
38 | plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build" | |
39 | if $no_anytls && $no_anydtls; | |
340166a9 | 40 | |
88b8a527 RL |
41 | my $digest = "-sha1"; |
42 | my @reqcmd = ("openssl", "req"); | |
43 | my @x509cmd = ("openssl", "x509", $digest); | |
44 | my @verifycmd = ("openssl", "verify"); | |
343f0e4a | 45 | my @genpkeycmd = ("openssl", "genpkey"); |
42e0ccdf | 46 | my $dummycnf = srctop_file("apps", "openssl.cnf"); |
88b8a527 | 47 | |
2b584ff3 | 48 | my $cnf = srctop_file("test", "ca-and-certs.cnf"); |
91f2b15f | 49 | my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss" |
88b8a527 RL |
50 | my $CAcert="certCA.ss"; |
51 | my $CAserial="certCA.srl"; | |
52 | my $CAreq="reqCA.ss"; | |
a0430488 | 53 | my $CAreq2="req2CA.ss"; # temp |
91f2b15f | 54 | my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss"; |
88b8a527 RL |
55 | my $Ureq="reqU.ss"; |
56 | my $Ucert="certU.ss"; | |
5beb63c4 RL |
57 | my $Dkey="keyD.ss"; |
58 | my $Dreq="reqD.ss"; | |
59 | my $Dcert="certD.ss"; | |
5beb63c4 RL |
60 | my $Ekey="keyE.ss"; |
61 | my $Ereq="reqE.ss"; | |
62 | my $Ecert="certE.ss"; | |
63 | ||
2b584ff3 | 64 | my $proxycnf=srctop_file("test", "proxy.cnf"); |
91f2b15f | 65 | my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss"; |
88b8a527 RL |
66 | my $P1req="reqP1.ss"; |
67 | my $P1cert="certP1.ss"; | |
68 | my $P1intermediate="tmp_intP1.ss"; | |
91f2b15f | 69 | my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss"; |
88b8a527 RL |
70 | my $P2req="reqP2.ss"; |
71 | my $P2cert="certP2.ss"; | |
72 | my $P2intermediate="tmp_intP2.ss"; | |
73 | ||
b7dffce0 KR |
74 | my $server_sess="server.ss"; |
75 | my $client_sess="client.ss"; | |
76 | ||
20f8bc72 | 77 | # ssl_old_test.c is deprecated in favour of the new framework in ssl_test.c |
453dfd8d EK |
78 | # If you're adding tests here, you probably want to convert them to the |
79 | # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. | |
88b8a527 | 80 | plan tests => |
7bf2e4d7 | 81 | ($no_fips ? 0 : 6) # testssl with fips provider |
be9d82bb MC |
82 | + 1 # For testss |
83 | + 5 # For the testssl with default provider | |
7bf2e4d7 | 84 | + 1 # For security level 0 failure tests |
88b8a527 RL |
85 | ; |
86 | ||
87 | subtest 'test_ss' => sub { | |
88 | if (testss()) { | |
a0430488 P |
89 | open OUT, ">", "intP1.ss"; |
90 | copy($CAcert, \*OUT); copy($Ucert, \*OUT); | |
91 | close OUT; | |
88b8a527 | 92 | |
a0430488 P |
93 | open OUT, ">", "intP2.ss"; |
94 | copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); | |
95 | close OUT; | |
88b8a527 RL |
96 | } |
97 | }; | |
98 | ||
1d1d2312 | 99 | note('test_ssl_old -- key U'); |
49da54b9 MC |
100 | my $configfile = srctop_file("test","default-and-legacy.cnf"); |
101 | if (disabled("legacy")) { | |
102 | $configfile = srctop_file("test","default.cnf"); | |
103 | } | |
104 | ||
1d1d2312 | 105 | testssl($Ukey, $Ucert, $CAcert, "default", $configfile); |
be9d82bb | 106 | unless ($no_fips) { |
1d1d2312 | 107 | testssl($Ukey, $Ucert, $CAcert, "fips", |
7192e4df | 108 | srctop_file("test","fips-and-base.cnf")); |
be9d82bb | 109 | } |
88b8a527 | 110 | |
88b8a527 RL |
111 | # ----------- |
112 | # subtest functions | |
113 | sub testss { | |
5beb63c4 | 114 | my @req_dsa = ("-newkey", |
6955e3f7 MC |
115 | "dsa:".data_file("dsa2048.pem")); |
116 | my $dsaparams = data_file("dsa2048.pem"); | |
88b8a527 | 117 | my @req_new; |
340166a9 | 118 | if ($no_rsa) { |
a0430488 | 119 | @req_new = @req_dsa; |
88b8a527 | 120 | } else { |
a0430488 | 121 | @req_new = ("-new"); |
88b8a527 RL |
122 | } |
123 | ||
5beb63c4 | 124 | plan tests => 17; |
88b8a527 RL |
125 | |
126 | SKIP: { | |
5beb63c4 | 127 | skip 'failure', 16 unless |
a0430488 P |
128 | ok(run(app([@reqcmd, "-config", $cnf, |
129 | "-out", $CAreq, "-key", $CAkey, | |
130 | @req_new])), | |
131 | 'make cert request'); | |
88b8a527 | 132 | |
5beb63c4 | 133 | skip 'failure', 15 unless |
a0430488 P |
134 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", |
135 | "-req", "-out", $CAcert, "-signkey", $CAkey, | |
136 | "-extfile", $cnf, "-extensions", "v3_ca"], | |
137 | stdout => "err.ss")), | |
138 | 'convert request into self-signed cert'); | |
88b8a527 | 139 | |
5beb63c4 | 140 | skip 'failure', 14 unless |
a0430488 P |
141 | ok(run(app([@x509cmd, "-in", $CAcert, |
142 | "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], | |
143 | stdout => "err.ss")), | |
144 | 'convert cert into a cert request'); | |
88b8a527 | 145 | |
5beb63c4 | 146 | skip 'failure', 13 unless |
a0430488 P |
147 | ok(run(app([@reqcmd, "-config", $dummycnf, |
148 | "-verify", "-in", $CAreq, "-noout"])), | |
149 | 'verify request 1'); | |
88b8a527 RL |
150 | |
151 | ||
5beb63c4 | 152 | skip 'failure', 12 unless |
a0430488 P |
153 | ok(run(app([@reqcmd, "-config", $dummycnf, |
154 | "-verify", "-in", $CAreq2, "-noout"])), | |
155 | 'verify request 2'); | |
88b8a527 | 156 | |
5beb63c4 | 157 | skip 'failure', 11 unless |
a0430488 P |
158 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), |
159 | 'verify signature'); | |
88b8a527 | 160 | |
5beb63c4 | 161 | skip 'failure', 10 unless |
a0430488 P |
162 | ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq", |
163 | "-out", $Ureq, "-key", $Ukey, @req_new], | |
164 | stdout => "err.ss")), | |
165 | 'make a user cert request'); | |
88b8a527 | 166 | |
5beb63c4 | 167 | skip 'failure', 9 unless |
a0430488 P |
168 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", |
169 | "-req", "-out", $Ucert, | |
170 | "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, | |
171 | "-extfile", $cnf, "-extensions", "v3_ee"], | |
172 | stdout => "err.ss")) | |
173 | && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), | |
174 | 'sign user cert request'); | |
88b8a527 | 175 | |
5beb63c4 | 176 | skip 'failure', 8 unless |
a0430488 P |
177 | ok(run(app([@x509cmd, |
178 | "-subject", "-issuer", "-startdate", "-enddate", | |
179 | "-noout", "-in", $Ucert])), | |
180 | 'Certificate details'); | |
88b8a527 | 181 | |
5beb63c4 RL |
182 | skip 'failure', 7 unless |
183 | subtest 'DSA certificate creation' => sub { | |
184 | plan skip_all => "skipping DSA certificate creation" | |
340166a9 | 185 | if $no_dsa; |
5beb63c4 | 186 | |
46ac07f5 | 187 | plan tests => 5; |
5beb63c4 RL |
188 | |
189 | SKIP: { | |
190 | $ENV{CN2} = "DSA Certificate"; | |
46ac07f5 | 191 | skip 'failure', 4 unless |
343f0e4a RL |
192 | ok(run(app([@genpkeycmd, "-out", $Dkey, |
193 | "-paramfile", $dsaparams], | |
46ac07f5 MC |
194 | stdout => "err.ss")), |
195 | "make a DSA key"); | |
5beb63c4 | 196 | skip 'failure', 3 unless |
4e6e57cf RS |
197 | ok(run(app([@reqcmd, "-new", "-config", $cnf, |
198 | "-section", "userreq", | |
46ac07f5 | 199 | "-out", $Dreq, "-key", $Dkey], |
5beb63c4 RL |
200 | stdout => "err.ss")), |
201 | "make a DSA user cert request"); | |
202 | skip 'failure', 2 unless | |
203 | ok(run(app([@x509cmd, "-CAcreateserial", | |
204 | "-in", $Dreq, | |
205 | "-days", "30", | |
206 | "-req", | |
207 | "-out", $Dcert, | |
208 | "-CA", $CAcert, "-CAkey", $CAkey, | |
209 | "-CAserial", $CAserial, | |
4e6e57cf | 210 | "-extfile", $cnf, |
5beb63c4 RL |
211 | "-extensions", "v3_ee_dsa"], |
212 | stdout => "err.ss")), | |
213 | "sign DSA user cert request"); | |
214 | skip 'failure', 1 unless | |
215 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), | |
216 | "verify DSA user cert"); | |
217 | skip 'failure', 0 unless | |
218 | ok(run(app([@x509cmd, | |
219 | "-subject", "-issuer", | |
220 | "-startdate", "-enddate", "-noout", | |
221 | "-in", $Dcert])), | |
222 | "DSA Certificate details"); | |
223 | } | |
224 | }; | |
225 | ||
226 | skip 'failure', 6 unless | |
227 | subtest 'ECDSA/ECDH certificate creation' => sub { | |
228 | plan skip_all => "skipping ECDSA/ECDH certificate creation" | |
340166a9 | 229 | if $no_ec; |
5beb63c4 RL |
230 | |
231 | plan tests => 5; | |
232 | ||
233 | SKIP: { | |
234 | $ENV{CN2} = "ECDSA Certificate"; | |
235 | skip 'failure', 4 unless | |
d1eec097 P |
236 | ok(run(app(["openssl", "genpkey", "-genparam", |
237 | "-algorithm", "EC", | |
238 | "-pkeyopt", "ec_paramgen_curve:P-256", | |
239 | "-pkeyopt", "ec_param_enc:named_curve", | |
5beb63c4 RL |
240 | "-out", "ecp.ss"])), |
241 | "make EC parameters"); | |
242 | skip 'failure', 3 unless | |
4e6e57cf RS |
243 | ok(run(app([@reqcmd, "-config", $cnf, |
244 | "-section", "userreq", | |
5beb63c4 RL |
245 | "-out", $Ereq, "-keyout", $Ekey, |
246 | "-newkey", "ec:ecp.ss"], | |
247 | stdout => "err.ss")), | |
248 | "make a ECDSA/ECDH user cert request"); | |
249 | skip 'failure', 2 unless | |
250 | ok(run(app([@x509cmd, "-CAcreateserial", | |
251 | "-in", $Ereq, | |
252 | "-days", "30", | |
253 | "-req", | |
254 | "-out", $Ecert, | |
255 | "-CA", $CAcert, "-CAkey", $CAkey, | |
256 | "-CAserial", $CAserial, | |
4e6e57cf | 257 | "-extfile", $cnf, |
5beb63c4 RL |
258 | "-extensions", "v3_ee_ec"], |
259 | stdout => "err.ss")), | |
260 | "sign ECDSA/ECDH user cert request"); | |
261 | skip 'failure', 1 unless | |
262 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), | |
263 | "verify ECDSA/ECDH user cert"); | |
264 | skip 'failure', 0 unless | |
265 | ok(run(app([@x509cmd, | |
266 | "-subject", "-issuer", | |
267 | "-startdate", "-enddate", "-noout", | |
268 | "-in", $Ecert])), | |
269 | "ECDSA Certificate details"); | |
270 | } | |
271 | }; | |
88b8a527 RL |
272 | |
273 | skip 'failure', 5 unless | |
a0430488 P |
274 | ok(run(app([@reqcmd, "-config", $proxycnf, |
275 | "-out", $P1req, "-key", $P1key, @req_new], | |
276 | stdout => "err.ss")), | |
277 | 'make a proxy cert request'); | |
88b8a527 RL |
278 | |
279 | ||
280 | skip 'failure', 4 unless | |
a0430488 P |
281 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", |
282 | "-req", "-out", $P1cert, | |
283 | "-CA", $Ucert, "-CAkey", $Ukey, | |
284 | "-extfile", $proxycnf, "-extensions", "proxy"], | |
285 | stdout => "err.ss")), | |
286 | 'sign proxy with user cert'); | |
88b8a527 RL |
287 | |
288 | copy($Ucert, $P1intermediate); | |
289 | run(app([@verifycmd, "-CAfile", $CAcert, | |
a0430488 | 290 | "-untrusted", $P1intermediate, $P1cert])); |
88b8a527 | 291 | ok(run(app([@x509cmd, |
a0430488 P |
292 | "-subject", "-issuer", "-startdate", "-enddate", |
293 | "-noout", "-in", $P1cert])), | |
294 | 'Certificate details'); | |
88b8a527 RL |
295 | |
296 | skip 'failure', 2 unless | |
a0430488 P |
297 | ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req", |
298 | "-out", $P2req, "-key", $P2key, | |
299 | @req_new], | |
300 | stdout => "err.ss")), | |
301 | 'make another proxy cert request'); | |
88b8a527 RL |
302 | |
303 | ||
304 | skip 'failure', 1 unless | |
a0430488 P |
305 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", |
306 | "-req", "-out", $P2cert, | |
307 | "-CA", $P1cert, "-CAkey", $P1key, | |
308 | "-extfile", $proxycnf, "-extensions", "proxy_2"], | |
309 | stdout => "err.ss")), | |
310 | 'sign second proxy cert request with the first proxy cert'); | |
88b8a527 RL |
311 | |
312 | ||
313 | open OUT, ">", $P2intermediate; | |
314 | copy($Ucert, \*OUT); copy($P1cert, \*OUT); | |
315 | close OUT; | |
316 | run(app([@verifycmd, "-CAfile", $CAcert, | |
a0430488 | 317 | "-untrusted", $P2intermediate, $P2cert])); |
88b8a527 | 318 | ok(run(app([@x509cmd, |
a0430488 P |
319 | "-subject", "-issuer", "-startdate", "-enddate", |
320 | "-noout", "-in", $P2cert])), | |
321 | 'Certificate details'); | |
88b8a527 RL |
322 | } |
323 | } | |
324 | ||
325 | sub testssl { | |
be9d82bb | 326 | my ($key, $cert, $CAtmp, $provider, $configfile) = @_; |
42e0ccdf | 327 | my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); |
6955e3f7 MC |
328 | my @providerflags = ("-provider", $provider); |
329 | ||
49da54b9 | 330 | if ($provider eq "default" && !disabled("legacy")) { |
6955e3f7 MC |
331 | push @providerflags, "-provider", "legacy"; |
332 | } | |
88b8a527 | 333 | |
20f8bc72 | 334 | my @ssltest = ("ssl_old_test", |
6955e3f7 MC |
335 | "-s_key", $key, "-s_cert", $cert, |
336 | "-c_key", $key, "-c_cert", $cert, | |
337 | "-config", $configfile, | |
338 | @providerflags); | |
339 | ||
88b8a527 | 340 | |
42e0ccdf | 341 | my $serverinfo = srctop_file("test","serverinfo.pem"); |
88b8a527 RL |
342 | |
343 | my $dsa_cert = 0; | |
344 | if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, | |
a0430488 P |
345 | "-text", "-noout"]), capture => 1)) { |
346 | $dsa_cert = 1; | |
88b8a527 RL |
347 | } |
348 | ||
88b8a527 | 349 | subtest 'standard SSL tests' => sub { |
a0430488 | 350 | ###################################################################### |
8fff986d | 351 | plan tests => 19; |
88b8a527 | 352 | |
3ea75c63 | 353 | SKIP: { |
a0430488 P |
354 | skip "SSLv3 is not supported by this OpenSSL build", 4 |
355 | if disabled("ssl3"); | |
356 | ||
357 | skip "SSLv3 is not supported by the FIPS provider", 4 | |
358 | if $provider eq "fips"; | |
359 | ||
360 | ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), | |
361 | 'test sslv3 via BIO pair'); | |
362 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), | |
363 | 'test sslv3 with server authentication via BIO pair'); | |
364 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), | |
365 | 'test sslv3 with client authentication via BIO pair'); | |
366 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), | |
367 | 'test sslv3 with both server and client authentication via BIO pair'); | |
368 | } | |
3ea75c63 RL |
369 | |
370 | SKIP: { | |
a0430488 P |
371 | skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 |
372 | if $no_anytls; | |
3ea75c63 | 373 | |
a0430488 P |
374 | ok(run(test([@ssltest, "-bio_pair"])), |
375 | 'test sslv2/sslv3 via BIO pair'); | |
376 | } | |
3ea75c63 | 377 | |
3ea75c63 | 378 | SKIP: { |
8fff986d | 379 | skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 |
a0430488 | 380 | if $no_anytls; |
3ea75c63 | 381 | |
a0430488 P |
382 | SKIP: { |
383 | skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; | |
3ea75c63 | 384 | |
a0430488 P |
385 | ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), |
386 | 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); | |
387 | } | |
3ea75c63 | 388 | |
a0430488 P |
389 | SKIP: { |
390 | skip "skipping dhe1024dsa test", 1 | |
5658470c DDO |
391 | if ($no_dh); |
392 | ||
393 | ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), | |
394 | 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); | |
395 | } | |
396 | ||
a0430488 P |
397 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), |
398 | 'test sslv2/sslv3 with server authentication'); | |
399 | ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), | |
400 | 'test sslv2/sslv3 with client authentication via BIO pair'); | |
401 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), | |
402 | 'test sslv2/sslv3 with both client and server authentication via BIO pair'); | |
403 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), | |
404 | 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); | |
75d5bd4e | 405 | |
b7be6d22 | 406 | SKIP: { |
8fff986d | 407 | skip "No IPv4 available on this machine", 4 |
f9e55034 | 408 | unless !disabled("sock") && have_IPv4(); |
63936115 | 409 | ok(run(test([@ssltest, "-ipv4"])), |
b7be6d22 | 410 | 'test TLS via IPv4'); |
8fff986d BE |
411 | ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), |
412 | 'test TLS via IPv4 + ktls(client)'); | |
413 | ok(run(test([@ssltest, "-ipv4", "-server_ktls"])), | |
414 | 'test TLS via IPv4 + ktls(server)'); | |
415 | ok(run(test([@ssltest, "-ipv4", "-client_ktls", "-server_ktls"])), | |
416 | 'test TLS via IPv4 + ktls'); | |
b7be6d22 | 417 | } |
69853045 | 418 | |
b7be6d22 | 419 | SKIP: { |
8fff986d | 420 | skip "No IPv6 available on this machine", 4 |
f9e55034 | 421 | unless !disabled("sock") && have_IPv6(); |
63936115 | 422 | ok(run(test([@ssltest, "-ipv6"])), |
b7be6d22 | 423 | 'test TLS via IPv6'); |
8fff986d BE |
424 | ok(run(test([@ssltest, "-ipv6", "-client_ktls"])), |
425 | 'test TLS via IPv6 + ktls(client)'); | |
426 | ok(run(test([@ssltest, "-ipv6", "-server_ktls"])), | |
427 | 'test TLS via IPv6 + ktls(client)'); | |
428 | ok(run(test([@ssltest, "-ipv6", "-client_ktls", "-server_ktls"])), | |
429 | 'test TLS via IPv6 + ktls'); | |
b7be6d22 RL |
430 | } |
431 | } | |
88b8a527 RL |
432 | }; |
433 | ||
434 | subtest "Testing ciphersuites" => sub { | |
435 | ||
5beb63c4 | 436 | my @exkeys = (); |
6955e3f7 | 437 | my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; |
5beb63c4 | 438 | |
8175af50 | 439 | if (!$no_dsa) { |
91f2b15f | 440 | push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; |
5beb63c4 RL |
441 | } |
442 | ||
8175af50 | 443 | if (!$no_ec) { |
91f2b15f | 444 | push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey; |
5beb63c4 | 445 | } |
88b8a527 | 446 | |
6955e3f7 | 447 | my @protocols = (); |
20f8bc72 | 448 | # We only use the flags that ssl_old_test understands |
6955e3f7 MC |
449 | push @protocols, "-tls1_3" unless $no_tls1_3; |
450 | push @protocols, "-tls1_2" unless $no_tls1_2; | |
451 | push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips"; | |
452 | push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips"; | |
453 | my $protocolciphersuitecount = 0; | |
454 | my %ciphersuites = (); | |
455 | my %ciphersstatus = (); | |
456 | #There's no "-config" option to the ciphers command so we set the | |
457 | #environment variable instead | |
458 | my $opensslconf = $ENV{OPENSSL_CONF}; | |
459 | $ENV{OPENSSL_CONF} = $configfile; | |
460 | foreach my $protocol (@protocols) { | |
461 | my $ciphersstatus = undef; | |
462 | my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol, | |
463 | @providerflags, | |
464 | "ALL:$ciphers"]), | |
465 | capture => 1, statusvar => \$ciphersstatus); | |
466 | $ciphersstatus{$protocol} = $ciphersstatus; | |
467 | if ($ciphersstatus) { | |
468 | $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) } | |
469 | @ciphers ]; | |
470 | $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; | |
471 | } | |
472 | } | |
473 | $ENV{OPENSSL_CONF} = $opensslconf; | |
88b8a527 | 474 | |
49dc5404 | 475 | plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" |
9ea6d56d | 476 | if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; |
49dc5404 | 477 | |
46f4e1be | 478 | # The count of protocols is because in addition to the ciphersuites |
f865b081 MC |
479 | # we got above, we're running a weak DH test for each protocol (except |
480 | # TLSv1.3) | |
481 | my $testcount = scalar(@protocols) + $protocolciphersuitecount | |
482 | + scalar(keys %ciphersuites); | |
483 | $testcount-- unless $no_tls1_3; | |
484 | plan tests => $testcount; | |
7e46e56a RL |
485 | |
486 | foreach my $protocol (@protocols) { | |
487 | ok($ciphersstatus{$protocol}, "Getting ciphers for $protocol"); | |
488 | } | |
582a17d6 | 489 | |
9ea6d56d | 490 | foreach my $protocol (sort keys %ciphersuites) { |
582a17d6 | 491 | note "Testing ciphersuites for $protocol"; |
20f8bc72 | 492 | # ssl_old_test doesn't know -tls1_3, but that's fine, since that's |
9ea6d56d RL |
493 | # the default choice if TLSv1.3 enabled |
494 | my $flag = $protocol eq "-tls1_3" ? "" : $protocol; | |
f865b081 | 495 | my $ciphersuites = ""; |
582a17d6 | 496 | foreach my $cipher (@{$ciphersuites{$protocol}}) { |
9ea6d56d | 497 | if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { |
4f326dd8 RS |
498 | note "*****SKIPPING $protocol $cipher"; |
499 | ok(1); | |
500 | } else { | |
f865b081 MC |
501 | if ($protocol eq "-tls1_3") { |
502 | $ciphersuites = $cipher; | |
503 | $cipher = ""; | |
6955e3f7 MC |
504 | } else { |
505 | $cipher = $cipher.':@SECLEVEL=0'; | |
f865b081 | 506 | } |
6955e3f7 MC |
507 | ok(run(test([@ssltest, @exkeys, "-cipher", |
508 | $cipher, | |
509 | "-ciphersuites", $ciphersuites, | |
510 | $flag || ()])), | |
f865b081 | 511 | "Testing $cipher"); |
4f326dd8 | 512 | } |
582a17d6 | 513 | } |
f865b081 | 514 | next if $protocol eq "-tls1_3"; |
5658470c DDO |
515 | |
516 | SKIP: { | |
517 | skip "skipping dhe512 test", 1 | |
518 | if ($no_dh); | |
519 | ||
520 | is(run(test([@ssltest, | |
521 | "-s_cipher", "EDH", | |
522 | "-c_cipher", 'EDH:@SECLEVEL=1', | |
523 | "-dhe512", | |
524 | $protocol])), 0, | |
525 | "testing connection with weak DH, expecting failure"); | |
526 | } | |
582a17d6 | 527 | } |
88b8a527 RL |
528 | }; |
529 | ||
7bf2e4d7 P |
530 | subtest 'SSL security level failure tests' => sub { |
531 | ###################################################################### | |
532 | plan tests => 3; | |
533 | ||
534 | SKIP: { | |
535 | skip "SSLv3 is not supported by this OpenSSL build", 1 | |
536 | if disabled("ssl3"); | |
537 | ||
538 | skip "SSLv3 is not supported by the FIPS provider", 1 | |
539 | if $provider eq "fips"; | |
540 | ||
541 | is(run(test([@ssltest, "-bio_pair", "-ssl3", "-cipher", '@SECLEVEL=1'])), | |
542 | 0, "test sslv3 fails at security level 1, expecting failure"); | |
543 | } | |
544 | ||
545 | SKIP: { | |
546 | skip "TLSv1.0 is not supported by this OpenSSL build", 1 | |
547 | if $no_tls1; | |
548 | ||
549 | skip "TLSv1.0 is not supported by the FIPS provider", 1 | |
550 | if $provider eq "fips"; | |
551 | ||
552 | is(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", '@SECLEVEL=1'])), | |
553 | 0, 'test tls1 fails at security level 1, expecting failure'); | |
554 | } | |
555 | ||
556 | SKIP: { | |
557 | skip "TLSv1.1 is not supported by this OpenSSL build", 1 | |
558 | if $no_tls1_1; | |
559 | ||
560 | skip "TLSv1.1 is not supported by the FIPS provider", 1 | |
561 | if $provider eq "fips"; | |
562 | ||
563 | is(run(test([@ssltest, "-bio_pair", "-tls1_1", "-cipher", '@SECLEVEL=1'])), | |
564 | 0, 'test tls1.1 fails at security level 1, expecting failure'); | |
565 | } | |
566 | }; | |
567 | ||
88b8a527 | 568 | subtest 'RSA/(EC)DHE/PSK tests' => sub { |
a0430488 | 569 | ###################################################################### |
88b8a527 | 570 | |
d71151ae | 571 | plan tests => 10; |
88b8a527 | 572 | |
3ea75c63 | 573 | SKIP: { |
a0430488 P |
574 | skip "TLSv1.0 is not supported by this OpenSSL build", 6 |
575 | if $no_tls1 || $provider eq "fips"; | |
88b8a527 | 576 | |
a0430488 P |
577 | SKIP: { |
578 | skip "skipping anonymous DH tests", 1 | |
579 | if ($no_dh); | |
88b8a527 | 580 | |
a0430488 P |
581 | ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), |
582 | 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); | |
583 | } | |
88b8a527 | 584 | |
a0430488 P |
585 | SKIP: { |
586 | skip "skipping RSA tests", 2 | |
587 | if $no_rsa; | |
88b8a527 | 588 | |
a0430488 P |
589 | ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), |
590 | 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); | |
88b8a527 | 591 | |
a0430488 P |
592 | skip "skipping RSA+DHE tests", 1 |
593 | if $no_dh; | |
3ea75c63 | 594 | |
a0430488 P |
595 | ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), |
596 | 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); | |
597 | } | |
3ea75c63 | 598 | |
a0430488 | 599 | SKIP: { |
0c7ec1d2 | 600 | skip "skipping PSK tests", 2 |
a0430488 | 601 | if ($no_psk); |
71a64af3 | 602 | |
a0430488 P |
603 | ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), |
604 | 'test tls1 with PSK'); | |
71a64af3 | 605 | |
a0430488 P |
606 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), |
607 | 'test tls1 with PSK via BIO pair'); | |
d71151ae | 608 | } |
0c7ec1d2 P |
609 | |
610 | SKIP: { | |
611 | skip "skipping auto DH PSK tests", 1 | |
612 | if ($no_dh || $no_psk); | |
d0e5230d P |
613 | |
614 | ok(run(test(['ssl_old_test', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])), | |
615 | 'test auto DH meets security strength'); | |
0c7ec1d2 | 616 | } |
3ea75c63 | 617 | } |
88b8a527 | 618 | |
d71151ae | 619 | SKIP: { |
7bf2e4d7 P |
620 | skip "TLSv1.2 is not supported by this OpenSSL build", 4 |
621 | if $no_tls1_2; | |
d71151ae NT |
622 | |
623 | SKIP: { | |
624 | skip "skipping auto DHE PSK test at SECLEVEL 3", 1 | |
625 | if ($no_dh || $no_psk); | |
626 | ||
7bf2e4d7 | 627 | ok(run(test(['ssl_old_test', '-tls1_2', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), |
d71151ae NT |
628 | 'test auto DHE PSK meets security strength'); |
629 | } | |
630 | ||
631 | SKIP: { | |
632 | skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1 | |
633 | if ($no_ec || $no_psk); | |
634 | ||
7bf2e4d7 | 635 | ok(run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), |
d71151ae NT |
636 | 'test auto ECDHE PSK meets security strength'); |
637 | } | |
638 | ||
639 | SKIP: { | |
640 | skip "skipping no RSA PSK at SECLEVEL 3 test", 1 | |
641 | if ($no_rsa || $no_psk); | |
642 | ||
7bf2e4d7 | 643 | ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), |
d71151ae NT |
644 | 'test auto RSA PSK does not meet security level 3 requirements (PFS)'); |
645 | } | |
646 | ||
647 | SKIP: { | |
648 | skip "skipping no PSK at SECLEVEL 3 test", 1 | |
649 | if ($no_psk); | |
650 | ||
7bf2e4d7 | 651 | ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), |
d71151ae NT |
652 | 'test auto PSK does not meet security level 3 requirements (PFS)'); |
653 | } | |
654 | } | |
655 | ||
88b8a527 RL |
656 | }; |
657 | ||
88b8a527 | 658 | subtest 'Custom Extension tests' => sub { |
a0430488 | 659 | ###################################################################### |
88b8a527 | 660 | |
a0430488 | 661 | plan tests => 1; |
88b8a527 | 662 | |
3ea75c63 | 663 | SKIP: { |
a0430488 P |
664 | skip "TLSv1.0 is not supported by this OpenSSL build", 1 |
665 | if $no_tls1 || $provider eq "fips"; | |
3ea75c63 | 666 | |
a0430488 P |
667 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), |
668 | 'test tls1 with custom extensions'); | |
669 | } | |
88b8a527 RL |
670 | }; |
671 | ||
672 | subtest 'Serverinfo tests' => sub { | |
a0430488 | 673 | ###################################################################### |
88b8a527 | 674 | |
a0430488 | 675 | plan tests => 5; |
88b8a527 | 676 | |
3ea75c63 | 677 | SKIP: { |
a0430488 P |
678 | skip "TLSv1.0 is not supported by this OpenSSL build", 5 |
679 | if $no_tls1 || $provider eq "fips"; | |
680 | ||
681 | note('echo test tls1 with serverinfo'); | |
682 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); | |
683 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); | |
684 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); | |
685 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); | |
686 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); | |
687 | } | |
88b8a527 | 688 | }; |
88b8a527 | 689 | } |