]>
Commit | Line | Data |
---|---|---|
596d6b7e RS |
1 | #! /usr/bin/env perl |
2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the OpenSSL license (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
c9d24373 | 14 | use File::Basename; |
88b8a527 | 15 | use File::Copy; |
42e0ccdf | 16 | use OpenSSL::Test qw/:DEFAULT with bldtop_file srctop_file cmdstr/; |
340166a9 | 17 | use OpenSSL::Test::Utils; |
88b8a527 RL |
18 | |
19 | setup("test_ssl"); | |
20 | ||
ad87a3dc MC |
21 | $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); |
22 | ||
ea1ecd98 | 23 | my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, |
582a17d6 | 24 | $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3, |
dd696a55 | 25 | $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) = |
ea1ecd98 | 26 | anydisabled qw/rsa dsa dh ec psk |
582a17d6 | 27 | ssl3 tls1 tls1_1 tls1_2 tls1_3 |
dd696a55 | 28 | dtls dtls1 dtls1_2 ct/; |
90d48e5e RL |
29 | my $no_anytls = alldisabled(available_protocols("tls")); |
30 | my $no_anydtls = alldisabled(available_protocols("dtls")); | |
3ea75c63 RL |
31 | |
32 | plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build" | |
33 | if $no_anytls && $no_anydtls; | |
340166a9 | 34 | |
88b8a527 RL |
35 | my $digest = "-sha1"; |
36 | my @reqcmd = ("openssl", "req"); | |
37 | my @x509cmd = ("openssl", "x509", $digest); | |
38 | my @verifycmd = ("openssl", "verify"); | |
46ac07f5 | 39 | my @gendsacmd = ("openssl", "gendsa"); |
42e0ccdf | 40 | my $dummycnf = srctop_file("apps", "openssl.cnf"); |
88b8a527 RL |
41 | |
42 | my $CAkey = "keyCA.ss"; | |
43 | my $CAcert="certCA.ss"; | |
44 | my $CAserial="certCA.srl"; | |
45 | my $CAreq="reqCA.ss"; | |
42e0ccdf | 46 | my $CAconf=srctop_file("test","CAss.cnf"); |
88b8a527 RL |
47 | my $CAreq2="req2CA.ss"; # temp |
48 | ||
42e0ccdf | 49 | my $Uconf=srctop_file("test","Uss.cnf"); |
88b8a527 RL |
50 | my $Ukey="keyU.ss"; |
51 | my $Ureq="reqU.ss"; | |
52 | my $Ucert="certU.ss"; | |
53 | ||
5beb63c4 RL |
54 | my $Dkey="keyD.ss"; |
55 | my $Dreq="reqD.ss"; | |
56 | my $Dcert="certD.ss"; | |
57 | ||
58 | my $Ekey="keyE.ss"; | |
59 | my $Ereq="reqE.ss"; | |
60 | my $Ecert="certE.ss"; | |
61 | ||
42e0ccdf | 62 | my $P1conf=srctop_file("test","P1ss.cnf"); |
88b8a527 RL |
63 | my $P1key="keyP1.ss"; |
64 | my $P1req="reqP1.ss"; | |
65 | my $P1cert="certP1.ss"; | |
66 | my $P1intermediate="tmp_intP1.ss"; | |
67 | ||
42e0ccdf | 68 | my $P2conf=srctop_file("test","P2ss.cnf"); |
88b8a527 RL |
69 | my $P2key="keyP2.ss"; |
70 | my $P2req="reqP2.ss"; | |
71 | my $P2cert="certP2.ss"; | |
72 | my $P2intermediate="tmp_intP2.ss"; | |
73 | ||
b7dffce0 KR |
74 | my $server_sess="server.ss"; |
75 | my $client_sess="client.ss"; | |
76 | ||
69853045 | 77 | # ssltest_old.c is deprecated in favour of the new framework in ssl_test.c |
453dfd8d EK |
78 | # If you're adding tests here, you probably want to convert them to the |
79 | # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. | |
88b8a527 RL |
80 | plan tests => |
81 | 1 # For testss | |
ea1ecd98 | 82 | +5 # For the first testssl |
88b8a527 RL |
83 | ; |
84 | ||
85 | subtest 'test_ss' => sub { | |
86 | if (testss()) { | |
87 | open OUT, ">", "intP1.ss"; | |
88 | copy($CAcert, \*OUT); copy($Ucert, \*OUT); | |
89 | close OUT; | |
90 | ||
91 | open OUT, ">", "intP2.ss"; | |
92 | copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); | |
93 | close OUT; | |
94 | } | |
95 | }; | |
96 | ||
5a22cf96 EK |
97 | note('test_ssl -- key U'); |
98 | testssl("keyU.ss", $Ucert, $CAcert); | |
88b8a527 | 99 | |
88b8a527 RL |
100 | # ----------- |
101 | # subtest functions | |
102 | sub testss { | |
103 | open RND, ">>", ".rnd"; | |
f367ac2b | 104 | print RND "string to make the random number generator think it has randomness"; |
88b8a527 RL |
105 | close RND; |
106 | ||
5beb63c4 | 107 | my @req_dsa = ("-newkey", |
42e0ccdf | 108 | "dsa:".srctop_file("apps", "dsa1024.pem")); |
46ac07f5 | 109 | my $dsaparams = srctop_file("apps", "dsa1024.pem"); |
88b8a527 | 110 | my @req_new; |
340166a9 | 111 | if ($no_rsa) { |
5beb63c4 | 112 | @req_new = @req_dsa; |
88b8a527 RL |
113 | } else { |
114 | @req_new = ("-new"); | |
115 | } | |
116 | ||
5beb63c4 | 117 | plan tests => 17; |
88b8a527 RL |
118 | |
119 | SKIP: { | |
5beb63c4 | 120 | skip 'failure', 16 unless |
88b8a527 RL |
121 | ok(run(app([@reqcmd, "-config", $CAconf, |
122 | "-out", $CAreq, "-keyout", $CAkey, | |
123 | @req_new])), | |
124 | 'make cert request'); | |
125 | ||
5beb63c4 | 126 | skip 'failure', 15 unless |
88b8a527 RL |
127 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", |
128 | "-req", "-out", $CAcert, "-signkey", $CAkey, | |
129 | "-extfile", $CAconf, "-extensions", "v3_ca"], | |
130 | stdout => "err.ss")), | |
131 | 'convert request into self-signed cert'); | |
132 | ||
5beb63c4 | 133 | skip 'failure', 14 unless |
88b8a527 RL |
134 | ok(run(app([@x509cmd, "-in", $CAcert, |
135 | "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], | |
136 | stdout => "err.ss")), | |
137 | 'convert cert into a cert request'); | |
138 | ||
5beb63c4 | 139 | skip 'failure', 13 unless |
88b8a527 RL |
140 | ok(run(app([@reqcmd, "-config", $dummycnf, |
141 | "-verify", "-in", $CAreq, "-noout"])), | |
142 | 'verify request 1'); | |
143 | ||
144 | ||
5beb63c4 | 145 | skip 'failure', 12 unless |
88b8a527 RL |
146 | ok(run(app([@reqcmd, "-config", $dummycnf, |
147 | "-verify", "-in", $CAreq2, "-noout"])), | |
148 | 'verify request 2'); | |
149 | ||
5beb63c4 | 150 | skip 'failure', 11 unless |
88b8a527 RL |
151 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), |
152 | 'verify signature'); | |
153 | ||
5beb63c4 | 154 | skip 'failure', 10 unless |
88b8a527 RL |
155 | ok(run(app([@reqcmd, "-config", $Uconf, |
156 | "-out", $Ureq, "-keyout", $Ukey, @req_new], | |
157 | stdout => "err.ss")), | |
158 | 'make a user cert request'); | |
159 | ||
5beb63c4 | 160 | skip 'failure', 9 unless |
88b8a527 RL |
161 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", |
162 | "-req", "-out", $Ucert, | |
163 | "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, | |
164 | "-extfile", $Uconf, "-extensions", "v3_ee"], | |
165 | stdout => "err.ss")) | |
166 | && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), | |
167 | 'sign user cert request'); | |
168 | ||
5beb63c4 | 169 | skip 'failure', 8 unless |
88b8a527 RL |
170 | ok(run(app([@x509cmd, |
171 | "-subject", "-issuer", "-startdate", "-enddate", | |
172 | "-noout", "-in", $Ucert])), | |
173 | 'Certificate details'); | |
174 | ||
5beb63c4 RL |
175 | skip 'failure', 7 unless |
176 | subtest 'DSA certificate creation' => sub { | |
177 | plan skip_all => "skipping DSA certificate creation" | |
340166a9 | 178 | if $no_dsa; |
5beb63c4 | 179 | |
46ac07f5 | 180 | plan tests => 5; |
5beb63c4 RL |
181 | |
182 | SKIP: { | |
183 | $ENV{CN2} = "DSA Certificate"; | |
46ac07f5 MC |
184 | skip 'failure', 4 unless |
185 | ok(run(app([@gendsacmd, "-out", $Dkey, | |
186 | $dsaparams], | |
187 | stdout => "err.ss")), | |
188 | "make a DSA key"); | |
5beb63c4 | 189 | skip 'failure', 3 unless |
46ac07f5 MC |
190 | ok(run(app([@reqcmd, "-new", "-config", $Uconf, |
191 | "-out", $Dreq, "-key", $Dkey], | |
5beb63c4 RL |
192 | stdout => "err.ss")), |
193 | "make a DSA user cert request"); | |
194 | skip 'failure', 2 unless | |
195 | ok(run(app([@x509cmd, "-CAcreateserial", | |
196 | "-in", $Dreq, | |
197 | "-days", "30", | |
198 | "-req", | |
199 | "-out", $Dcert, | |
200 | "-CA", $CAcert, "-CAkey", $CAkey, | |
201 | "-CAserial", $CAserial, | |
202 | "-extfile", $Uconf, | |
203 | "-extensions", "v3_ee_dsa"], | |
204 | stdout => "err.ss")), | |
205 | "sign DSA user cert request"); | |
206 | skip 'failure', 1 unless | |
207 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), | |
208 | "verify DSA user cert"); | |
209 | skip 'failure', 0 unless | |
210 | ok(run(app([@x509cmd, | |
211 | "-subject", "-issuer", | |
212 | "-startdate", "-enddate", "-noout", | |
213 | "-in", $Dcert])), | |
214 | "DSA Certificate details"); | |
215 | } | |
216 | }; | |
217 | ||
218 | skip 'failure', 6 unless | |
219 | subtest 'ECDSA/ECDH certificate creation' => sub { | |
220 | plan skip_all => "skipping ECDSA/ECDH certificate creation" | |
340166a9 | 221 | if $no_ec; |
5beb63c4 RL |
222 | |
223 | plan tests => 5; | |
224 | ||
225 | SKIP: { | |
226 | $ENV{CN2} = "ECDSA Certificate"; | |
227 | skip 'failure', 4 unless | |
228 | ok(run(app(["openssl", "ecparam", "-name", "P-256", | |
229 | "-out", "ecp.ss"])), | |
230 | "make EC parameters"); | |
231 | skip 'failure', 3 unless | |
232 | ok(run(app([@reqcmd, "-config", $Uconf, | |
233 | "-out", $Ereq, "-keyout", $Ekey, | |
234 | "-newkey", "ec:ecp.ss"], | |
235 | stdout => "err.ss")), | |
236 | "make a ECDSA/ECDH user cert request"); | |
237 | skip 'failure', 2 unless | |
238 | ok(run(app([@x509cmd, "-CAcreateserial", | |
239 | "-in", $Ereq, | |
240 | "-days", "30", | |
241 | "-req", | |
242 | "-out", $Ecert, | |
243 | "-CA", $CAcert, "-CAkey", $CAkey, | |
244 | "-CAserial", $CAserial, | |
245 | "-extfile", $Uconf, | |
246 | "-extensions", "v3_ee_ec"], | |
247 | stdout => "err.ss")), | |
248 | "sign ECDSA/ECDH user cert request"); | |
249 | skip 'failure', 1 unless | |
250 | ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), | |
251 | "verify ECDSA/ECDH user cert"); | |
252 | skip 'failure', 0 unless | |
253 | ok(run(app([@x509cmd, | |
254 | "-subject", "-issuer", | |
255 | "-startdate", "-enddate", "-noout", | |
256 | "-in", $Ecert])), | |
257 | "ECDSA Certificate details"); | |
258 | } | |
259 | }; | |
88b8a527 RL |
260 | |
261 | skip 'failure', 5 unless | |
262 | ok(run(app([@reqcmd, "-config", $P1conf, | |
263 | "-out", $P1req, "-keyout", $P1key, @req_new], | |
264 | stdout => "err.ss")), | |
265 | 'make a proxy cert request'); | |
266 | ||
267 | ||
268 | skip 'failure', 4 unless | |
269 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", | |
270 | "-req", "-out", $P1cert, | |
271 | "-CA", $Ucert, "-CAkey", $Ukey, | |
272 | "-extfile", $P1conf, "-extensions", "v3_proxy"], | |
273 | stdout => "err.ss")), | |
274 | 'sign proxy with user cert'); | |
275 | ||
276 | copy($Ucert, $P1intermediate); | |
277 | run(app([@verifycmd, "-CAfile", $CAcert, | |
278 | "-untrusted", $P1intermediate, $P1cert])); | |
279 | ok(run(app([@x509cmd, | |
280 | "-subject", "-issuer", "-startdate", "-enddate", | |
281 | "-noout", "-in", $P1cert])), | |
282 | 'Certificate details'); | |
283 | ||
284 | skip 'failure', 2 unless | |
285 | ok(run(app([@reqcmd, "-config", $P2conf, | |
286 | "-out", $P2req, "-keyout", $P2key, | |
287 | @req_new], | |
288 | stdout => "err.ss")), | |
289 | 'make another proxy cert request'); | |
290 | ||
291 | ||
292 | skip 'failure', 1 unless | |
293 | ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", | |
294 | "-req", "-out", $P2cert, | |
295 | "-CA", $P1cert, "-CAkey", $P1key, | |
296 | "-extfile", $P2conf, "-extensions", "v3_proxy"], | |
297 | stdout => "err.ss")), | |
298 | 'sign second proxy cert request with the first proxy cert'); | |
299 | ||
300 | ||
301 | open OUT, ">", $P2intermediate; | |
302 | copy($Ucert, \*OUT); copy($P1cert, \*OUT); | |
303 | close OUT; | |
304 | run(app([@verifycmd, "-CAfile", $CAcert, | |
305 | "-untrusted", $P2intermediate, $P2cert])); | |
306 | ok(run(app([@x509cmd, | |
307 | "-subject", "-issuer", "-startdate", "-enddate", | |
308 | "-noout", "-in", $P2cert])), | |
309 | 'Certificate details'); | |
310 | } | |
311 | } | |
312 | ||
313 | sub testssl { | |
63936115 | 314 | my ($key, $cert, $CAtmp) = @_; |
42e0ccdf | 315 | my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); |
88b8a527 | 316 | |
69853045 | 317 | my @ssltest = ("ssltest_old", |
5beb63c4 | 318 | "-s_key", $key, "-s_cert", $cert, |
88b8a527 RL |
319 | "-c_key", $key, "-c_cert", $cert); |
320 | ||
42e0ccdf | 321 | my $serverinfo = srctop_file("test","serverinfo.pem"); |
88b8a527 RL |
322 | |
323 | my $dsa_cert = 0; | |
324 | if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, | |
325 | "-text", "-noout"]), capture => 1)) { | |
326 | $dsa_cert = 1; | |
327 | } | |
328 | ||
329 | ||
dd696a55 | 330 | # plan tests => 11; |
88b8a527 RL |
331 | |
332 | subtest 'standard SSL tests' => sub { | |
333 | ###################################################################### | |
49619ab0 | 334 | plan tests => 13; |
88b8a527 | 335 | |
3ea75c63 RL |
336 | SKIP: { |
337 | skip "SSLv3 is not supported by this OpenSSL build", 4 | |
338 | if disabled("ssl3"); | |
339 | ||
63936115 | 340 | ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), |
3ea75c63 | 341 | 'test sslv3 via BIO pair'); |
63936115 | 342 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), |
3ea75c63 | 343 | 'test sslv3 with server authentication via BIO pair'); |
63936115 | 344 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), |
3ea75c63 | 345 | 'test sslv3 with client authentication via BIO pair'); |
63936115 | 346 | ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), |
3ea75c63 RL |
347 | 'test sslv3 with both server and client authentication via BIO pair'); |
348 | } | |
349 | ||
350 | SKIP: { | |
351 | skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 | |
352 | if $no_anytls; | |
353 | ||
63936115 | 354 | ok(run(test([@ssltest, "-bio_pair"])), |
3ea75c63 RL |
355 | 'test sslv2/sslv3 via BIO pair'); |
356 | } | |
357 | ||
3ea75c63 | 358 | SKIP: { |
75d5bd4e | 359 | skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 |
3ea75c63 RL |
360 | if $no_anytls; |
361 | ||
362 | SKIP: { | |
363 | skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; | |
364 | ||
63936115 | 365 | ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), |
3ea75c63 RL |
366 | 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); |
367 | } | |
368 | ||
63936115 | 369 | ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), |
3ea75c63 | 370 | 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); |
63936115 | 371 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), |
3ea75c63 | 372 | 'test sslv2/sslv3 with server authentication'); |
63936115 | 373 | ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), |
3ea75c63 | 374 | 'test sslv2/sslv3 with client authentication via BIO pair'); |
63936115 | 375 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), |
3ea75c63 | 376 | 'test sslv2/sslv3 with both client and server authentication via BIO pair'); |
63936115 | 377 | ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), |
3ea75c63 | 378 | 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); |
75d5bd4e | 379 | |
b7be6d22 RL |
380 | SKIP: { |
381 | skip "No IPv4 available on this machine", 1 | |
f9e55034 | 382 | unless !disabled("sock") && have_IPv4(); |
63936115 | 383 | ok(run(test([@ssltest, "-ipv4"])), |
b7be6d22 RL |
384 | 'test TLS via IPv4'); |
385 | } | |
69853045 | 386 | |
b7be6d22 RL |
387 | SKIP: { |
388 | skip "No IPv6 available on this machine", 1 | |
f9e55034 | 389 | unless !disabled("sock") && have_IPv6(); |
63936115 | 390 | ok(run(test([@ssltest, "-ipv6"])), |
b7be6d22 RL |
391 | 'test TLS via IPv6'); |
392 | } | |
393 | } | |
88b8a527 RL |
394 | }; |
395 | ||
396 | subtest "Testing ciphersuites" => sub { | |
397 | ||
5beb63c4 RL |
398 | my @exkeys = (); |
399 | my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe"; | |
400 | ||
340166a9 | 401 | if ($no_dh) { |
5beb63c4 RL |
402 | note "skipping DHE tests\n"; |
403 | $ciphers .= ":-kDHE"; | |
404 | } | |
340166a9 | 405 | if ($no_dsa) { |
5beb63c4 RL |
406 | note "skipping DSA tests\n"; |
407 | $ciphers .= ":-aDSA"; | |
408 | } else { | |
409 | push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; | |
410 | } | |
411 | ||
340166a9 | 412 | if ($no_ec) { |
5beb63c4 RL |
413 | note "skipping EC tests\n"; |
414 | $ciphers .= ":!aECDSA:!kECDH"; | |
415 | } else { | |
416 | push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; | |
417 | } | |
88b8a527 | 418 | |
6b01bed2 | 419 | my @protocols = (); |
9ea6d56d RL |
420 | # We only use the flags that ssltest_old understands |
421 | push @protocols, "-tls1_3" unless $no_tls1_3; | |
422 | push @protocols, "-tls1_2" unless $no_tls1_2; | |
423 | push @protocols, "-tls1" unless $no_tls1; | |
424 | push @protocols, "-ssl3" unless $no_ssl3; | |
425 | my $protocolciphersuitecount = 0; | |
426 | my %ciphersuites = (); | |
7e46e56a | 427 | my %ciphersstatus = (); |
9ea6d56d | 428 | foreach my $protocol (@protocols) { |
7e46e56a RL |
429 | my $ciphersstatus = undef; |
430 | my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol, | |
431 | "ALL:$ciphers"]), | |
432 | capture => 1, statusvar => \$ciphersstatus); | |
433 | $ciphersstatus{$protocol} = $ciphersstatus; | |
434 | if ($ciphersstatus) { | |
435 | $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) } | |
436 | @ciphers ]; | |
e8763c69 | 437 | $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; |
7e46e56a | 438 | } |
9ea6d56d | 439 | } |
88b8a527 | 440 | |
49dc5404 | 441 | plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" |
9ea6d56d | 442 | if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; |
49dc5404 | 443 | |
46f4e1be | 444 | # The count of protocols is because in addition to the ciphersuites |
5beb63c4 | 445 | # we got above, we're running a weak DH test for each protocol |
7e46e56a RL |
446 | plan tests => scalar(@protocols) + $protocolciphersuitecount |
447 | + scalar(keys %ciphersuites); | |
448 | ||
449 | foreach my $protocol (@protocols) { | |
450 | ok($ciphersstatus{$protocol}, "Getting ciphers for $protocol"); | |
451 | } | |
582a17d6 | 452 | |
9ea6d56d | 453 | foreach my $protocol (sort keys %ciphersuites) { |
582a17d6 | 454 | note "Testing ciphersuites for $protocol"; |
9ea6d56d RL |
455 | # ssltest_old doesn't know -tls1_3, but that's fine, since that's |
456 | # the default choice if TLSv1.3 enabled | |
457 | my $flag = $protocol eq "-tls1_3" ? "" : $protocol; | |
582a17d6 | 458 | foreach my $cipher (@{$ciphersuites{$protocol}}) { |
9ea6d56d | 459 | if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { |
4f326dd8 RS |
460 | note "*****SKIPPING $protocol $cipher"; |
461 | ok(1); | |
462 | } else { | |
463 | ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, $flag])), | |
464 | "Testing $cipher"); | |
465 | } | |
582a17d6 | 466 | } |
5beb63c4 RL |
467 | is(run(test([@ssltest, |
468 | "-s_cipher", "EDH", | |
469 | "-c_cipher", 'EDH:@SECLEVEL=1', | |
470 | "-dhe512", | |
471 | $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0, | |
472 | "testing connection with weak DH, expecting failure"); | |
582a17d6 | 473 | } |
88b8a527 RL |
474 | }; |
475 | ||
476 | subtest 'RSA/(EC)DHE/PSK tests' => sub { | |
477 | ###################################################################### | |
478 | ||
479 | plan tests => 5; | |
480 | ||
3ea75c63 RL |
481 | SKIP: { |
482 | skip "TLSv1.0 is not supported by this OpenSSL build", 5 | |
483 | if $no_tls1; | |
88b8a527 | 484 | |
3ea75c63 RL |
485 | SKIP: { |
486 | skip "skipping anonymous DH tests", 1 | |
487 | if ($no_dh); | |
88b8a527 | 488 | |
63936115 | 489 | ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), |
3ea75c63 RL |
490 | 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); |
491 | } | |
88b8a527 | 492 | |
3ea75c63 RL |
493 | SKIP: { |
494 | skip "skipping RSA tests", 2 | |
495 | if $no_rsa; | |
88b8a527 | 496 | |
63936115 | 497 | ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), |
3ea75c63 | 498 | 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); |
88b8a527 | 499 | |
3ea75c63 RL |
500 | skip "skipping RSA+DHE tests", 1 |
501 | if $no_dh; | |
502 | ||
63936115 | 503 | ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), |
3ea75c63 RL |
504 | 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); |
505 | } | |
506 | ||
507 | SKIP: { | |
508 | skip "skipping PSK tests", 2 | |
71a64af3 DSH |
509 | if ($no_psk); |
510 | ||
63936115 | 511 | ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), |
3ea75c63 | 512 | 'test tls1 with PSK'); |
71a64af3 | 513 | |
63936115 | 514 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), |
3ea75c63 RL |
515 | 'test tls1 with PSK via BIO pair'); |
516 | } | |
517 | } | |
88b8a527 | 518 | |
88b8a527 RL |
519 | }; |
520 | ||
88b8a527 RL |
521 | subtest 'Custom Extension tests' => sub { |
522 | ###################################################################### | |
523 | ||
524 | plan tests => 1; | |
525 | ||
3ea75c63 | 526 | SKIP: { |
f006217b | 527 | skip "TLSv1.0 is not supported by this OpenSSL build", 1 |
3ea75c63 RL |
528 | if $no_tls1; |
529 | ||
530 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), | |
531 | 'test tls1 with custom extensions'); | |
532 | } | |
88b8a527 RL |
533 | }; |
534 | ||
535 | subtest 'Serverinfo tests' => sub { | |
536 | ###################################################################### | |
537 | ||
538 | plan tests => 5; | |
539 | ||
3ea75c63 RL |
540 | SKIP: { |
541 | skip "TLSv1.0 is not supported by this OpenSSL build", 5 | |
542 | if $no_tls1; | |
543 | ||
544 | note('echo test tls1 with serverinfo'); | |
545 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); | |
546 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); | |
547 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); | |
548 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); | |
549 | ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); | |
550 | } | |
88b8a527 | 551 | }; |
88b8a527 | 552 | } |
c9d24373 RL |
553 | |
554 | unlink $CAkey; | |
555 | unlink $CAcert; | |
556 | unlink $CAserial; | |
557 | unlink $CAreq; | |
558 | unlink $CAreq2; | |
559 | ||
560 | unlink $Ukey; | |
561 | unlink $Ureq; | |
562 | unlink $Ucert; | |
563 | unlink basename($Ucert, '.ss').'.srl'; | |
564 | ||
565 | unlink $Dkey; | |
566 | unlink $Dreq; | |
567 | unlink $Dcert; | |
568 | ||
569 | unlink $Ekey; | |
570 | unlink $Ereq; | |
571 | unlink $Ecert; | |
572 | ||
573 | unlink $P1key; | |
574 | unlink $P1req; | |
575 | unlink $P1cert; | |
576 | unlink basename($P1cert, '.ss').'.srl'; | |
577 | unlink $P1intermediate; | |
578 | unlink "intP1.ss"; | |
579 | ||
580 | unlink $P2key; | |
581 | unlink $P2req; | |
582 | unlink $P2cert; | |
583 | unlink $P2intermediate; | |
584 | unlink "intP2.ss"; | |
585 | ||
586 | unlink "ecp.ss"; | |
587 | unlink "err.ss"; | |
588 | ||
589 | unlink $server_sess; | |
590 | unlink $client_sess; |