]>
Commit | Line | Data |
---|---|---|
596d6b7e RS |
1 | #! /usr/bin/env perl |
2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the OpenSSL license (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
c9d24373 | 14 | use File::Basename; |
88b8a527 | 15 | use File::Copy; |
42e0ccdf | 16 | use OpenSSL::Test qw/:DEFAULT with bldtop_file srctop_file cmdstr/; |
340166a9 | 17 | use OpenSSL::Test::Utils; |
88b8a527 RL |
18 | |
19 | setup("test_ssl"); | |
20 | ||
ad87a3dc MC |
21 | $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); |
22 | ||
ea1ecd98 | 23 | my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, |
582a17d6 | 24 | $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3, |
dd696a55 | 25 | $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) = |
ea1ecd98 | 26 | anydisabled qw/rsa dsa dh ec psk |
582a17d6 | 27 | ssl3 tls1 tls1_1 tls1_2 tls1_3 |
dd696a55 | 28 | dtls dtls1 dtls1_2 ct/; |
90d48e5e RL |
29 | my $no_anytls = alldisabled(available_protocols("tls")); |
30 | my $no_anydtls = alldisabled(available_protocols("dtls")); | |
3ea75c63 RL |
31 | |
32 | plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build" | |
33 | if $no_anytls && $no_anydtls; | |
340166a9 | 34 | |
88b8a527 RL |
35 | my $digest = "-sha1"; |
36 | my @reqcmd = ("openssl", "req"); | |
37 | my @x509cmd = ("openssl", "x509", $digest); | |
38 | my @verifycmd = ("openssl", "verify"); | |
46ac07f5 | 39 | my @gendsacmd = ("openssl", "gendsa"); |
42e0ccdf | 40 | my $dummycnf = srctop_file("apps", "openssl.cnf"); |
88b8a527 RL |
41 | |
42 | my $CAkey = "keyCA.ss"; | |
43 | my $CAcert="certCA.ss"; | |
44 | my $CAserial="certCA.srl"; | |
45 | my $CAreq="reqCA.ss"; | |
42e0ccdf | 46 | my $CAconf=srctop_file("test","CAss.cnf"); |
88b8a527 RL |
47 | my $CAreq2="req2CA.ss"; # temp |
48 | ||
42e0ccdf | 49 | my $Uconf=srctop_file("test","Uss.cnf"); |
88b8a527 RL |
50 | my $Ukey="keyU.ss"; |
51 | my $Ureq="reqU.ss"; | |
52 | my $Ucert="certU.ss"; | |
53 | ||
5beb63c4 RL |
54 | my $Dkey="keyD.ss"; |
55 | my $Dreq="reqD.ss"; | |
56 | my $Dcert="certD.ss"; | |
57 | ||
58 | my $Ekey="keyE.ss"; | |
59 | my $Ereq="reqE.ss"; | |
60 | my $Ecert="certE.ss"; | |
61 | ||
42e0ccdf | 62 | my $P1conf=srctop_file("test","P1ss.cnf"); |
88b8a527 RL |
63 | my $P1key="keyP1.ss"; |
64 | my $P1req="reqP1.ss"; | |
65 | my $P1cert="certP1.ss"; | |
66 | my $P1intermediate="tmp_intP1.ss"; | |
67 | ||
42e0ccdf | 68 | my $P2conf=srctop_file("test","P2ss.cnf"); |
88b8a527 RL |
69 | my $P2key="keyP2.ss"; |
70 | my $P2req="reqP2.ss"; | |
71 | my $P2cert="certP2.ss"; | |
72 | my $P2intermediate="tmp_intP2.ss"; | |
73 | ||
b7dffce0 KR |
74 | my $server_sess="server.ss"; |
75 | my $client_sess="client.ss"; | |
76 | ||
69853045 | 77 | # ssltest_old.c is deprecated in favour of the new framework in ssl_test.c |
453dfd8d EK |
78 | # If you're adding tests here, you probably want to convert them to the |
79 | # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. | |
88b8a527 RL |
80 | plan tests => |
81 | 1 # For testss | |
ea1ecd98 | 82 | +5 # For the first testssl |
88b8a527 RL |
83 | ; |
84 | ||
85 | subtest 'test_ss' => sub { | |
86 | if (testss()) { | |
87 | open OUT, ">", "intP1.ss"; | |
88 | copy($CAcert, \*OUT); copy($Ucert, \*OUT); | |
89 | close OUT; | |
90 | ||
91 | open OUT, ">", "intP2.ss"; | |
92 | copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); | |
93 | close OUT; | |
94 | } | |
95 | }; | |
96 | ||
5a22cf96 EK |
97 | note('test_ssl -- key U'); |
98 | testssl("keyU.ss", $Ucert, $CAcert); | |
88b8a527 | 99 | |
88b8a527 RL |
100 | # ----------- |
101 | # subtest functions | |
102 | sub testss { | |
103 | open RND, ">>", ".rnd"; | |
104 | print RND "string to make the random number generator think it has entropy"; | |
105 | close RND; | |
106 | ||
5beb63c4 | 107 | my @req_dsa = ("-newkey", |
42e0ccdf | 108 | "dsa:".srctop_file("apps", "dsa1024.pem")); |
46ac07f5 | 109 | my $dsaparams = srctop_file("apps", "dsa1024.pem"); |
88b8a527 | 110 | my @req_new; |
340166a9 | 111 | if ($no_rsa) { |
5beb63c4 | 112 | @req_new = @req_dsa; |
88b8a527 RL |
113 | } else { |
114 | @req_new = ("-new"); | |
115 | } | |
116 | ||
5beb63c4 | 117 | plan tests => 17; |
88b8a527 RL |
118 | |
119 | SKIP: { | |
5beb63c4 | 120 | skip 'failure', 16 unless |
88b8a527 RL |
121 | ok(run(app([@reqcmd, "-config", $CAconf, |
122 | "-out", $CAreq, "-keyout", $CAkey, | |
123 | @req_new])), | |
124 | 'make cert request'); | |
125 | ||
5beb63c4 | 126 | skip 'failure', 15 unless |
88b8a527 RL |
127 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", |
128 | "-req", "-out", $CAcert, "-signkey", $CAkey, | |
129 | "-extfile", $CAconf, "-extensions", "v3_ca"], | |
130 | stdout => "err.ss")), | |
131 | 'convert request into self-signed cert'); | |
132 | ||
5beb63c4 | 133 | skip 'failure', 14 unless |
88b8a527 RL |
134 | ok(run(app([@x509cmd, "-in", $CAcert, |
135 | "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], | |
136 | stdout => "err.ss")), | |
137 | 'convert cert into a cert request'); | |
138 | ||
5beb63c4 | 139 | skip 'failure', 13 unless |
88b8a527 RL |
140 | ok(run(app([@reqcmd, "-config", $dummycnf, |
141 | "-verify", "-in", $CAreq, "-noout"])), | |
142 | 'verify request 1'); | |
143 | ||
144 | ||
5beb63c4 | 145 | skip 'failure', 12 unless |
88b8a527 RL |
146 | ok(run(app([@reqcmd, "-config", $dummycnf, |
147 | "-verify", "-in", $CAreq2, "-noout"])), | |
148 | 'verify request 2'); | |
149 | ||
5beb63c4 | 150 | skip 'failure', 11 unless |
88b8a527 RL |
151 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), |
152 | 'verify signature'); | |
153 | ||
5beb63c4 | 154 | skip 'failure', 10 unless |
88b8a527 RL |
155 | ok(run(app([@reqcmd, "-config", $Uconf, |
156 | "-out", $Ureq, "-keyout", $Ukey, @req_new], | |
157 | stdout => "err.ss")), | |
158 | 'make a user cert request'); | |
159 | ||
5beb63c4 | 160 | skip 'failure', 9 unless |
88b8a527 RL |
161 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", |
162 | "-req", "-out", $Ucert, | |
163 | "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, | |
164 | "-extfile", $Uconf, "-extensions", "v3_ee"], | |
165 | stdout => "err.ss")) | |
166 | && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), | |
167 | 'sign user cert request'); | |
168 | ||
5beb63c4 | 169 | skip 'failure', 8 unless |
88b8a527 RL |
170 | ok(run(app([@x509cmd, |
171 | "-subject", "-issuer", "-startdate", "-enddate", | |
172 | "-noout", "-in", $Ucert])), | |
173 | 'Certificate details'); | |
174 | ||
5beb63c4 RL |
175 | skip 'failure', 7 unless |
176 | subtest 'DSA certificate creation' => sub { | |
177 | plan skip_all => "skipping DSA certificate creation" | |
340166a9 | 178 | if $no_dsa; |
5beb63c4 | 179 | |
46ac07f5 | 180 | plan tests => 5; |
5beb63c4 RL |
181 | |
182 | SKIP: { | |
183 | $ENV{CN2} = "DSA Certificate"; | |
46ac07f5 MC |
184 | skip 'failure', 4 unless |
185 | ok(run(app([@gendsacmd, "-out", $Dkey, | |
186 | $dsaparams], | |
187 | stdout => "err.ss")), | |
188 | "make a DSA key"); | |
5beb63c4 | 189 | skip 'failure', 3 unless |
46ac07f5 MC |
190 | ok(run(app([@reqcmd, "-new", "-config", $Uconf, |
191 | "-out", $Dreq, "-key", $Dkey], | |
5beb63c4 RL |
192 | stdout => "err.ss")), |
193 | "make a DSA user cert request"); | |
194 | skip 'failure', 2 unless | |
195 | ok(run(app([@x509cmd, "-CAcreateserial", | |
196 | "-in", $Dreq, | |
197 | "-days", "30", | |
198 | "-req", | |
199 | "-out", $Dcert, | |
200 | "-CA", $CAcert, "-CAkey", $CAkey, | |
201 | "-CAserial", $CAserial, | |
202 | "-extfile", $Uconf, | |
203 | "-extensions", "v3_ee_dsa"], | |
204 | stdout => "err.ss")), | |
205 | "sign DSA user cert request"); | |
206 | skip 'failure', 1 unless | |
207 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), | |
208 | "verify DSA user cert"); | |
209 | skip 'failure', 0 unless | |
210 | ok(run(app([@x509cmd, | |
211 | "-subject", "-issuer", | |
212 | "-startdate", "-enddate", "-noout", | |
213 | "-in", $Dcert])), | |
214 | "DSA Certificate details"); | |
215 | } | |
216 | }; | |
217 | ||
218 | skip 'failure', 6 unless | |
219 | subtest 'ECDSA/ECDH certificate creation' => sub { | |
220 | plan skip_all => "skipping ECDSA/ECDH certificate creation" | |
340166a9 | 221 | if $no_ec; |
5beb63c4 RL |
222 | |
223 | plan tests => 5; | |
224 | ||
225 | SKIP: { | |
226 | $ENV{CN2} = "ECDSA Certificate"; | |
227 | skip 'failure', 4 unless | |
228 | ok(run(app(["openssl", "ecparam", "-name", "P-256", | |
229 | "-out", "ecp.ss"])), | |
230 | "make EC parameters"); | |
231 | skip 'failure', 3 unless | |
232 | ok(run(app([@reqcmd, "-config", $Uconf, | |
233 | "-out", $Ereq, "-keyout", $Ekey, | |
234 | "-newkey", "ec:ecp.ss"], | |
235 | stdout => "err.ss")), | |
236 | "make a ECDSA/ECDH user cert request"); | |
237 | skip 'failure', 2 unless | |
238 | ok(run(app([@x509cmd, "-CAcreateserial", | |
239 | "-in", $Ereq, | |
240 | "-days", "30", | |
241 | "-req", | |
242 | "-out", $Ecert, | |
243 | "-CA", $CAcert, "-CAkey", $CAkey, | |
244 | "-CAserial", $CAserial, | |
245 | "-extfile", $Uconf, | |
246 | "-extensions", "v3_ee_ec"], | |
247 | stdout => "err.ss")), | |
248 | "sign ECDSA/ECDH user cert request"); | |
249 | skip 'failure', 1 unless | |
250 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), | |
251 | "verify ECDSA/ECDH user cert"); | |
252 | skip 'failure', 0 unless | |
253 | ok(run(app([@x509cmd, | |
254 | "-subject", "-issuer", | |
255 | "-startdate", "-enddate", "-noout", | |
256 | "-in", $Ecert])), | |
257 | "ECDSA Certificate details"); | |
258 | } | |
259 | }; | |
88b8a527 RL |
260 | |
261 | skip 'failure', 5 unless | |
262 | ok(run(app([@reqcmd, "-config", $P1conf, | |
263 | "-out", $P1req, "-keyout", $P1key, @req_new], | |
264 | stdout => "err.ss")), | |
265 | 'make a proxy cert request'); | |
266 | ||
267 | ||
268 | skip 'failure', 4 unless | |
269 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", | |
270 | "-req", "-out", $P1cert, | |
271 | "-CA", $Ucert, "-CAkey", $Ukey, | |
272 | "-extfile", $P1conf, "-extensions", "v3_proxy"], | |
273 | stdout => "err.ss")), | |
274 | 'sign proxy with user cert'); | |
275 | ||
276 | copy($Ucert, $P1intermediate); | |
277 | run(app([@verifycmd, "-CAfile", $CAcert, | |
278 | "-untrusted", $P1intermediate, $P1cert])); | |
279 | ok(run(app([@x509cmd, | |
280 | "-subject", "-issuer", "-startdate", "-enddate", | |
281 | "-noout", "-in", $P1cert])), | |
282 | 'Certificate details'); | |
283 | ||
284 | skip 'failure', 2 unless | |
285 | ok(run(app([@reqcmd, "-config", $P2conf, | |
286 | "-out", $P2req, "-keyout", $P2key, | |
287 | @req_new], | |
288 | stdout => "err.ss")), | |
289 | 'make another proxy cert request'); | |
290 | ||
291 | ||
292 | skip 'failure', 1 unless | |
293 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", | |
294 | "-req", "-out", $P2cert, | |
295 | "-CA", $P1cert, "-CAkey", $P1key, | |
296 | "-extfile", $P2conf, "-extensions", "v3_proxy"], | |
297 | stdout => "err.ss")), | |
298 | 'sign second proxy cert request with the first proxy cert'); | |
299 | ||
300 | ||
301 | open OUT, ">", $P2intermediate; | |
302 | copy($Ucert, \*OUT); copy($P1cert, \*OUT); | |
303 | close OUT; | |
304 | run(app([@verifycmd, "-CAfile", $CAcert, | |
305 | "-untrusted", $P2intermediate, $P2cert])); | |
306 | ok(run(app([@x509cmd, | |
307 | "-subject", "-issuer", "-startdate", "-enddate", | |
308 | "-noout", "-in", $P2cert])), | |
309 | 'Certificate details'); | |
310 | } | |
311 | } | |
312 | ||
313 | sub testssl { | |
63936115 | 314 | my ($key, $cert, $CAtmp) = @_; |
42e0ccdf | 315 | my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); |
88b8a527 | 316 | |
69853045 | 317 | my @ssltest = ("ssltest_old", |
5beb63c4 | 318 | "-s_key", $key, "-s_cert", $cert, |
88b8a527 RL |
319 | "-c_key", $key, "-c_cert", $cert); |
320 | ||
42e0ccdf | 321 | my $serverinfo = srctop_file("test","serverinfo.pem"); |
88b8a527 RL |
322 | |
323 | my $dsa_cert = 0; | |
324 | if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, | |
325 | "-text", "-noout"]), capture => 1)) { | |
326 | $dsa_cert = 1; | |
327 | } | |
328 | ||
329 | ||
dd696a55 | 330 | # plan tests => 11; |
88b8a527 RL |
331 | |
332 | subtest 'standard SSL tests' => sub { | |
333 | ###################################################################### | |
49619ab0 | 334 | plan tests => 13; |
88b8a527 | 335 | |
3ea75c63 RL |
336 | SKIP: { |
337 | skip "SSLv3 is not supported by this OpenSSL build", 4 | |
338 | if disabled("ssl3"); | |
339 | ||
63936115 | 340 | ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), |
3ea75c63 | 341 | 'test sslv3 via BIO pair'); |
63936115 | 342 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), |
3ea75c63 | 343 | 'test sslv3 with server authentication via BIO pair'); |
63936115 | 344 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), |
3ea75c63 | 345 | 'test sslv3 with client authentication via BIO pair'); |
63936115 | 346 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), |
3ea75c63 RL |
347 | 'test sslv3 with both server and client authentication via BIO pair'); |
348 | } | |
349 | ||
350 | SKIP: { | |
351 | skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 | |
352 | if $no_anytls; | |
353 | ||
63936115 | 354 | ok(run(test([@ssltest, "-bio_pair"])), |
3ea75c63 RL |
355 | 'test sslv2/sslv3 via BIO pair'); |
356 | } | |
357 | ||
3ea75c63 | 358 | SKIP: { |
75d5bd4e | 359 | skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 |
3ea75c63 RL |
360 | if $no_anytls; |
361 | ||
362 | SKIP: { | |
363 | skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; | |
364 | ||
63936115 | 365 | ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), |
3ea75c63 RL |
366 | 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); |
367 | } | |
368 | ||
63936115 | 369 | ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), |
3ea75c63 | 370 | 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); |
63936115 | 371 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), |
3ea75c63 | 372 | 'test sslv2/sslv3 with server authentication'); |
63936115 | 373 | ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), |
3ea75c63 | 374 | 'test sslv2/sslv3 with client authentication via BIO pair'); |
63936115 | 375 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), |
3ea75c63 | 376 | 'test sslv2/sslv3 with both client and server authentication via BIO pair'); |
63936115 | 377 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), |
3ea75c63 | 378 | 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); |
75d5bd4e | 379 | |
b7be6d22 RL |
380 | SKIP: { |
381 | skip "No IPv4 available on this machine", 1 | |
f9e55034 | 382 | unless !disabled("sock") && have_IPv4(); |
63936115 | 383 | ok(run(test([@ssltest, "-ipv4"])), |
b7be6d22 RL |
384 | 'test TLS via IPv4'); |
385 | } | |
69853045 | 386 | |
b7be6d22 RL |
387 | SKIP: { |
388 | skip "No IPv6 available on this machine", 1 | |
f9e55034 | 389 | unless !disabled("sock") && have_IPv6(); |
63936115 | 390 | ok(run(test([@ssltest, "-ipv6"])), |
b7be6d22 RL |
391 | 'test TLS via IPv6'); |
392 | } | |
393 | } | |
88b8a527 RL |
394 | }; |
395 | ||
396 | subtest "Testing ciphersuites" => sub { | |
397 | ||
5beb63c4 RL |
398 | my @exkeys = (); |
399 | my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe"; | |
400 | ||
340166a9 | 401 | if ($no_dh) { |
5beb63c4 RL |
402 | note "skipping DHE tests\n"; |
403 | $ciphers .= ":-kDHE"; | |
404 | } | |
340166a9 | 405 | if ($no_dsa) { |
5beb63c4 RL |
406 | note "skipping DSA tests\n"; |
407 | $ciphers .= ":-aDSA"; | |
408 | } else { | |
409 | push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; | |
410 | } | |
411 | ||
340166a9 | 412 | if ($no_ec) { |
5beb63c4 RL |
413 | note "skipping EC tests\n"; |
414 | $ciphers .= ":!aECDSA:!kECDH"; | |
415 | } else { | |
416 | push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; | |
417 | } | |
88b8a527 | 418 | |
6b01bed2 | 419 | my @protocols = (); |
9ea6d56d RL |
420 | # We only use the flags that ssltest_old understands |
421 | push @protocols, "-tls1_3" unless $no_tls1_3; | |
422 | push @protocols, "-tls1_2" unless $no_tls1_2; | |
423 | push @protocols, "-tls1" unless $no_tls1; | |
424 | push @protocols, "-ssl3" unless $no_ssl3; | |
425 | my $protocolciphersuitecount = 0; | |
426 | my %ciphersuites = (); | |
427 | foreach my $protocol (@protocols) { | |
428 | $ciphersuites{$protocol} = | |
429 | [ map { s|\R||; split(/:/, $_) } | |
430 | run(app(["openssl", "ciphers", "-s", $protocol, | |
431 | "ALL:$ciphers"]), capture => 1) ]; | |
432 | $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; | |
433 | } | |
88b8a527 | 434 | |
49dc5404 | 435 | plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" |
9ea6d56d | 436 | if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; |
49dc5404 | 437 | |
5beb63c4 RL |
438 | # The count of protocols is because in addition to the ciphersuits |
439 | # we got above, we're running a weak DH test for each protocol | |
9ea6d56d | 440 | plan tests => $protocolciphersuitecount + scalar(keys %ciphersuites); |
582a17d6 | 441 | |
9ea6d56d | 442 | foreach my $protocol (sort keys %ciphersuites) { |
582a17d6 | 443 | note "Testing ciphersuites for $protocol"; |
9ea6d56d RL |
444 | # ssltest_old doesn't know -tls1_3, but that's fine, since that's |
445 | # the default choice if TLSv1.3 enabled | |
446 | my $flag = $protocol eq "-tls1_3" ? "" : $protocol; | |
582a17d6 | 447 | foreach my $cipher (@{$ciphersuites{$protocol}}) { |
9ea6d56d | 448 | if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { |
4f326dd8 RS |
449 | note "*****SKIPPING $protocol $cipher"; |
450 | ok(1); | |
451 | } else { | |
452 | ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, $flag])), | |
453 | "Testing $cipher"); | |
454 | } | |
582a17d6 | 455 | } |
5beb63c4 RL |
456 | is(run(test([@ssltest, |
457 | "-s_cipher", "EDH", | |
458 | "-c_cipher", 'EDH:@SECLEVEL=1', | |
459 | "-dhe512", | |
460 | $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0, | |
461 | "testing connection with weak DH, expecting failure"); | |
582a17d6 | 462 | } |
88b8a527 RL |
463 | }; |
464 | ||
465 | subtest 'RSA/(EC)DHE/PSK tests' => sub { | |
466 | ###################################################################### | |
467 | ||
468 | plan tests => 5; | |
469 | ||
3ea75c63 RL |
470 | SKIP: { |
471 | skip "TLSv1.0 is not supported by this OpenSSL build", 5 | |
472 | if $no_tls1; | |
88b8a527 | 473 | |
3ea75c63 RL |
474 | SKIP: { |
475 | skip "skipping anonymous DH tests", 1 | |
476 | if ($no_dh); | |
88b8a527 | 477 | |
63936115 | 478 | ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), |
3ea75c63 RL |
479 | 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); |
480 | } | |
88b8a527 | 481 | |
3ea75c63 RL |
482 | SKIP: { |
483 | skip "skipping RSA tests", 2 | |
484 | if $no_rsa; | |
88b8a527 | 485 | |
63936115 | 486 | ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), |
3ea75c63 | 487 | 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); |
88b8a527 | 488 | |
3ea75c63 RL |
489 | skip "skipping RSA+DHE tests", 1 |
490 | if $no_dh; | |
491 | ||
63936115 | 492 | ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), |
3ea75c63 RL |
493 | 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); |
494 | } | |
495 | ||
496 | SKIP: { | |
497 | skip "skipping PSK tests", 2 | |
71a64af3 DSH |
498 | if ($no_psk); |
499 | ||
63936115 | 500 | ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), |
3ea75c63 | 501 | 'test tls1 with PSK'); |
71a64af3 | 502 | |
63936115 | 503 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), |
3ea75c63 RL |
504 | 'test tls1 with PSK via BIO pair'); |
505 | } | |
506 | } | |
88b8a527 | 507 | |
88b8a527 RL |
508 | }; |
509 | ||
88b8a527 RL |
510 | subtest 'Custom Extension tests' => sub { |
511 | ###################################################################### | |
512 | ||
513 | plan tests => 1; | |
514 | ||
3ea75c63 | 515 | SKIP: { |
f006217b | 516 | skip "TLSv1.0 is not supported by this OpenSSL build", 1 |
3ea75c63 RL |
517 | if $no_tls1; |
518 | ||
519 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), | |
520 | 'test tls1 with custom extensions'); | |
521 | } | |
88b8a527 RL |
522 | }; |
523 | ||
524 | subtest 'Serverinfo tests' => sub { | |
525 | ###################################################################### | |
526 | ||
527 | plan tests => 5; | |
528 | ||
3ea75c63 RL |
529 | SKIP: { |
530 | skip "TLSv1.0 is not supported by this OpenSSL build", 5 | |
531 | if $no_tls1; | |
532 | ||
533 | note('echo test tls1 with serverinfo'); | |
534 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); | |
535 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); | |
536 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); | |
537 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); | |
538 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); | |
539 | } | |
88b8a527 | 540 | }; |
88b8a527 | 541 | } |
c9d24373 RL |
542 | |
543 | unlink $CAkey; | |
544 | unlink $CAcert; | |
545 | unlink $CAserial; | |
546 | unlink $CAreq; | |
547 | unlink $CAreq2; | |
548 | ||
549 | unlink $Ukey; | |
550 | unlink $Ureq; | |
551 | unlink $Ucert; | |
552 | unlink basename($Ucert, '.ss').'.srl'; | |
553 | ||
554 | unlink $Dkey; | |
555 | unlink $Dreq; | |
556 | unlink $Dcert; | |
557 | ||
558 | unlink $Ekey; | |
559 | unlink $Ereq; | |
560 | unlink $Ecert; | |
561 | ||
562 | unlink $P1key; | |
563 | unlink $P1req; | |
564 | unlink $P1cert; | |
565 | unlink basename($P1cert, '.ss').'.srl'; | |
566 | unlink $P1intermediate; | |
567 | unlink "intP1.ss"; | |
568 | ||
569 | unlink $P2key; | |
570 | unlink $P2req; | |
571 | unlink $P2cert; | |
572 | unlink $P2intermediate; | |
573 | unlink "intP2.ss"; | |
574 | ||
575 | unlink "ecp.ss"; | |
576 | unlink "err.ss"; | |
577 | ||
578 | unlink $server_sess; | |
579 | unlink $client_sess; |