test/recipes/80-test_ssl.t

   1 #! /usr/bin/perl
   2
   3 use strict;
   4 use warnings;
   5
   6 use POSIX;
   7 use File::Spec;
   8 use File::Copy;
   9 use OpenSSL::Test qw/:DEFAULT with top_file cmdstr/;
  10 use OpenSSL::Test::Utils;
  11
  12 setup("test_ssl");
  13
  14 my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
  15     $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
  16     $no_dtls, $no_dtls1, $no_dtls1_2) =
  17     disabled qw/rsa dsa dh ec srp psk
  18                 ssl3 tls1 tls1_1 tls1_2
  19                 dtls dtls1 dtls1_2/;
  20
  21 my $digest = "-sha1";
  22 my @reqcmd = ("openssl", "req");
  23 my @x509cmd = ("openssl", "x509", $digest);
  24 my @verifycmd = ("openssl", "verify");
  25 my $dummycnf = top_file("apps", "openssl.cnf");
  26
  27 my $CAkey = "keyCA.ss";
  28 my $CAcert="certCA.ss";
  29 my $CAserial="certCA.srl";
  30 my $CAreq="reqCA.ss";
  31 my $CAconf=top_file("test","CAss.cnf");
  32 my $CAreq2="req2CA.ss"; # temp
  33
  34 my $Uconf=top_file("test","Uss.cnf");
  35 my $Ukey="keyU.ss";
  36 my $Ureq="reqU.ss";
  37 my $Ucert="certU.ss";
  38
  39 my $Dkey="keyD.ss";
  40 my $Dreq="reqD.ss";
  41 my $Dcert="certD.ss";
  42
  43 my $Ekey="keyE.ss";
  44 my $Ereq="reqE.ss";
  45 my $Ecert="certE.ss";
  46
  47 my $P1conf=top_file("test","P1ss.cnf");
  48 my $P1key="keyP1.ss";
  49 my $P1req="reqP1.ss";
  50 my $P1cert="certP1.ss";
  51 my $P1intermediate="tmp_intP1.ss";
  52
  53 my $P2conf=top_file("test","P2ss.cnf");
  54 my $P2key="keyP2.ss";
  55 my $P2req="reqP2.ss";
  56 my $P2cert="certP2.ss";
  57 my $P2intermediate="tmp_intP2.ss";
  58
  59 plan tests =>
  60     1                           # For testss
  61     + 1                         # For ssltest -test_cipherlist
  62     + 10                        # For the first testssl
  63     + 16                        # For the first testsslproxy
  64     + 16                        # For the second testsslproxy
  65     ;
  66
  67 subtest 'test_ss' => sub {
  68     if (testss()) {
  69         open OUT, ">", "intP1.ss";
  70         copy($CAcert, \*OUT); copy($Ucert, \*OUT);
  71         close OUT;
  72
  73         open OUT, ">", "intP2.ss";
  74         copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
  75         close OUT;
  76     }
  77 };
  78
  79 my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest");
  80
  81   SKIP: {
  82       skip "ssltest ended with error, skipping the rest", 3
  83           if !$check;
  84
  85       note('test_ssl -- key U');
  86       testssl("keyU.ss", $Ucert, $CAcert);
  87
  88       note('test_ssl -- key P1');
  89       testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB");
  90
  91       note('test_ssl -- key P2');
  92       testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC");
  93     }
  94
  95 # -----------
  96 # subtest functions
  97 sub testss {
  98     open RND, ">>", ".rnd";
  99     print RND "string to make the random number generator think it has entropy";
 100     close RND;
 101
 102     my @req_dsa = ("-newkey",
 103                    "dsa:".File::Spec->catfile("..", "apps", "dsa1024.pem"));;
 104     my @req_new;
 105     if ($no_rsa) {
 106         @req_new = @req_dsa;
 107     } else {
 108         @req_new = ("-new");
 109     }
 110
 111     plan tests => 17;
 112
 113   SKIP: {
 114       skip 'failure', 16 unless
 115           ok(run(app([@reqcmd, "-config", $CAconf,
 116                       "-out", $CAreq, "-keyout", $CAkey,
 117                       @req_new])),
 118              'make cert request');
 119
 120       skip 'failure', 15 unless
 121           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
 122                       "-req", "-out", $CAcert, "-signkey", $CAkey,
 123                       "-extfile", $CAconf, "-extensions", "v3_ca"],
 124                      stdout => "err.ss")),
 125              'convert request into self-signed cert');
 126
 127       skip 'failure', 14 unless
 128           ok(run(app([@x509cmd, "-in", $CAcert,
 129                       "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
 130                      stdout => "err.ss")),
 131              'convert cert into a cert request');
 132
 133       skip 'failure', 13 unless
 134           ok(run(app([@reqcmd, "-config", $dummycnf,
 135                       "-verify", "-in", $CAreq, "-noout"])),
 136              'verify request 1');
 137
 138
 139       skip 'failure', 12 unless
 140           ok(run(app([@reqcmd, "-config", $dummycnf,
 141                       "-verify", "-in", $CAreq2, "-noout"])),
 142              'verify request 2');
 143
 144       skip 'failure', 11 unless
 145           ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
 146              'verify signature');
 147
 148       skip 'failure', 10 unless
 149           ok(run(app([@reqcmd, "-config", $Uconf,
 150                       "-out", $Ureq, "-keyout", $Ukey, @req_new],
 151                      stdout => "err.ss")),
 152              'make a user cert request');
 153
 154       skip 'failure', 9 unless
 155           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
 156                       "-req", "-out", $Ucert,
 157                       "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
 158                       "-extfile", $Uconf, "-extensions", "v3_ee"],
 159                      stdout => "err.ss"))
 160              && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
 161              'sign user cert request');
 162
 163       skip 'failure', 8 unless
 164           ok(run(app([@x509cmd,
 165                       "-subject", "-issuer", "-startdate", "-enddate",
 166                       "-noout", "-in", $Ucert])),
 167              'Certificate details');
 168
 169       skip 'failure', 7 unless
 170           subtest 'DSA certificate creation' => sub {
 171               plan skip_all => "skipping DSA certificate creation"
 172                   if $no_dsa;
 173
 174               plan tests => 4;
 175
 176             SKIP: {
 177                 $ENV{CN2} = "DSA Certificate";
 178                 skip 'failure', 3 unless
 179                     ok(run(app([@reqcmd, "-config", $Uconf,
 180                                 "-out", $Dreq, "-keyout", $Dkey,
 181                                 @req_dsa],
 182                                stdout => "err.ss")),
 183                        "make a DSA user cert request");
 184                 skip 'failure', 2 unless
 185                     ok(run(app([@x509cmd, "-CAcreateserial",
 186                                 "-in", $Dreq,
 187                                 "-days", "30",
 188                                 "-req",
 189                                 "-out", $Dcert,
 190                                 "-CA", $CAcert, "-CAkey", $CAkey,
 191                                 "-CAserial", $CAserial,
 192                                 "-extfile", $Uconf,
 193                                 "-extensions", "v3_ee_dsa"],
 194                                stdout => "err.ss")),
 195                        "sign DSA user cert request");
 196                 skip 'failure', 1 unless
 197                     ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])),
 198                        "verify DSA user cert");
 199                 skip 'failure', 0 unless
 200                     ok(run(app([@x509cmd,
 201                                 "-subject", "-issuer",
 202                                 "-startdate", "-enddate", "-noout",
 203                                 "-in", $Dcert])),
 204                        "DSA Certificate details");
 205               }
 206       };
 207
 208       skip 'failure', 6 unless
 209           subtest 'ECDSA/ECDH certificate creation' => sub {
 210               plan skip_all => "skipping ECDSA/ECDH certificate creation"
 211                   if $no_ec;
 212
 213               plan tests => 5;
 214
 215             SKIP: {
 216                 $ENV{CN2} = "ECDSA Certificate";
 217                 skip 'failure', 4 unless
 218                     ok(run(app(["openssl", "ecparam", "-name", "P-256",
 219                                 "-out", "ecp.ss"])),
 220                        "make EC parameters");
 221                 skip 'failure', 3 unless
 222                     ok(run(app([@reqcmd, "-config", $Uconf,
 223                                 "-out", $Ereq, "-keyout", $Ekey,
 224                                 "-newkey", "ec:ecp.ss"],
 225                                stdout => "err.ss")),
 226                        "make a ECDSA/ECDH user cert request");
 227                 skip 'failure', 2 unless
 228                     ok(run(app([@x509cmd, "-CAcreateserial",
 229                                 "-in", $Ereq,
 230                                 "-days", "30",
 231                                 "-req",
 232                                 "-out", $Ecert,
 233                                 "-CA", $CAcert, "-CAkey", $CAkey,
 234                                 "-CAserial", $CAserial,
 235                                 "-extfile", $Uconf,
 236                                 "-extensions", "v3_ee_ec"],
 237                                stdout => "err.ss")),
 238                        "sign ECDSA/ECDH user cert request");
 239                 skip 'failure', 1 unless
 240                     ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])),
 241                        "verify ECDSA/ECDH user cert");
 242                 skip 'failure', 0 unless
 243                     ok(run(app([@x509cmd,
 244                                 "-subject", "-issuer",
 245                                 "-startdate", "-enddate", "-noout",
 246                                 "-in", $Ecert])),
 247                        "ECDSA Certificate details");
 248               }
 249       };
 250
 251       skip 'failure', 5 unless
 252           ok(run(app([@reqcmd, "-config", $P1conf,
 253                       "-out", $P1req, "-keyout", $P1key, @req_new],
 254                      stdout => "err.ss")),
 255              'make a proxy cert request');
 256
 257
 258       skip 'failure', 4 unless
 259           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
 260                       "-req", "-out", $P1cert,
 261                       "-CA", $Ucert, "-CAkey", $Ukey,
 262                       "-extfile", $P1conf, "-extensions", "v3_proxy"],
 263                      stdout => "err.ss")),
 264              'sign proxy with user cert');
 265
 266       copy($Ucert, $P1intermediate);
 267       run(app([@verifycmd, "-CAfile", $CAcert,
 268                "-untrusted", $P1intermediate, $P1cert]));
 269       ok(run(app([@x509cmd,
 270                   "-subject", "-issuer", "-startdate", "-enddate",
 271                   "-noout", "-in", $P1cert])),
 272          'Certificate details');
 273
 274       skip 'failure', 2 unless
 275           ok(run(app([@reqcmd, "-config", $P2conf,
 276                       "-out", $P2req, "-keyout", $P2key,
 277                       @req_new],
 278                      stdout => "err.ss")),
 279              'make another proxy cert request');
 280
 281
 282       skip 'failure', 1 unless
 283           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
 284                       "-req", "-out", $P2cert,
 285                       "-CA", $P1cert, "-CAkey", $P1key,
 286                       "-extfile", $P2conf, "-extensions", "v3_proxy"],
 287                      stdout => "err.ss")),
 288              'sign second proxy cert request with the first proxy cert');
 289
 290
 291       open OUT, ">", $P2intermediate;
 292       copy($Ucert, \*OUT); copy($P1cert, \*OUT);
 293       close OUT;
 294       run(app([@verifycmd, "-CAfile", $CAcert,
 295                "-untrusted", $P2intermediate, $P2cert]));
 296       ok(run(app([@x509cmd,
 297                   "-subject", "-issuer", "-startdate", "-enddate",
 298                   "-noout", "-in", $P2cert])),
 299          'Certificate details');
 300     }
 301 }
 302
 303 sub testssl {
 304     my $key = shift || top_file("apps","server.pem");
 305     my $cert = shift || top_file("apps","server.pem");
 306     my $CAtmp = shift;
 307     my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs"));
 308     my @extra = @_;
 309
 310     my @ssltest = ("ssltest",
 311                    "-s_key", $key, "-s_cert", $cert,
 312                    "-c_key", $key, "-c_cert", $cert);
 313
 314     my $serverinfo = top_file("test","serverinfo.pem");
 315
 316     my $dsa_cert = 0;
 317     if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
 318                                         "-text", "-noout"]), capture => 1)) {
 319         $dsa_cert = 1;
 320     }
 321
 322
 323     # plan tests => 10;
 324
 325     subtest 'standard SSL tests' => sub {
 326         ######################################################################
 327         plan tests => 27;
 328
 329         ok(run(test([@ssltest, "-ssl3", @extra])),
 330            'test sslv3');
 331         ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
 332            'test sslv3 with server authentication');
 333         ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
 334            'test sslv3 with client authentication');
 335         ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
 336            'test sslv3 with both server and client authentication');
 337         ok(run(test([@ssltest, @extra])),
 338            'test sslv2/sslv3');
 339         ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
 340            'test sslv2/sslv3 with server authentication');
 341         ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
 342            'test sslv2/sslv3 with client authentication');
 343         ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
 344            'test sslv2/sslv3 with both server and client authentication');
 345         ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
 346            'test sslv3 via BIO pair');
 347         ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
 348            'test sslv3 with server authentication via BIO pair');
 349         ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
 350            'test sslv3 with client authentication via BIO pair');
 351         ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
 352            'test sslv3 with both server and client authentication via BIO pair');
 353         ok(run(test([@ssltest, "-bio_pair", @extra])),
 354            'test sslv2/sslv3 via BIO pair');
 355         ok(run(test([@ssltest, "-dtls1", @extra])),
 356            'test dtlsv1');
 357         ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
 358            'test dtlsv1 with server authentication');
 359         ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
 360            'test dtlsv1 with client authentication');
 361         ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
 362            'test dtlsv1 with both server and client authentication');
 363         ok(run(test([@ssltest, "-dtls12", @extra])),
 364            'test dtlsv1.2');
 365         ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
 366            'test dtlsv1.2 with server authentication');
 367         ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
 368            'test dtlsv1.2 with client authentication');
 369         ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
 370            'test dtlsv1.2 with both server and client authentication');
 371         {
 372           SKIP: {
 373               skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
 374
 375               ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
 376                  'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
 377             }
 378         }
 379         ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
 380            'test sslv2/sslv3 with 1024bit DHE via BIO pair');
 381         ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
 382            'test sslv2/sslv3 with server authentication');
 383         ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
 384            'test sslv2/sslv3 with client authentication via BIO pair');
 385         ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
 386            'test sslv2/sslv3 with both client and server authentication via BIO pair');
 387         ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
 388            'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
 389     };
 390
 391     subtest "Testing ciphersuites" => sub {
 392
 393         my @exkeys = ();
 394         my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe";
 395
 396         if ($no_dh) {
 397             note "skipping DHE tests\n";
 398             $ciphers .= ":-kDHE";
 399         }
 400         if ($no_dsa) {
 401             note "skipping DSA tests\n";
 402             $ciphers .= ":-aDSA";
 403         } else {
 404             push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
 405         }
 406
 407         if ($no_ec) {
 408             note "skipping EC tests\n";
 409             $ciphers .= ":!aECDSA:!kECDH";
 410         } else {
 411             push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
 412         }
 413
 414         my @protocols = ();
 415         push(@protocols, "TLSv1.2") unless $no_tls1_2;
 416         push(@protocols, "SSLv3") unless $no_ssl3;
 417         my $protocolciphersuitcount = 0;
 418         my %ciphersuites =
 419             map { my @c =
 420                       map { split(/:/, $_) }
 421                       run(app(["openssl", "ciphers", "${_}:$ciphers"]),
 422                           capture => 1);
 423                   map { s/\R//; } @c;  # chomp @c;
 424                   $protocolciphersuitcount += scalar @c;
 425                   $_ => [ @c ] } @protocols;
 426
 427         # The count of protocols is because in addition to the ciphersuits
 428         # we got above, we're running a weak DH test for each protocol
 429         plan tests => $protocolciphersuitcount + scalar(@protocols);
 430
 431         foreach my $protocol (@protocols) {
 432             note "Testing ciphersuites for $protocol";
 433             foreach my $cipher (@{$ciphersuites{$protocol}}) {
 434                 ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
 435                              $protocol eq "SSLv3" ? ("-ssl3") : ()])),
 436                    "Testing $cipher");
 437             }
 438             is(run(test([@ssltest,
 439                          "-s_cipher", "EDH",
 440                          "-c_cipher", 'EDH:@SECLEVEL=1',
 441                          "-dhe512",
 442                          $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0,
 443                "testing connection with weak DH, expecting failure");
 444         }
 445     };
 446
 447     subtest 'RSA/(EC)DHE/PSK tests' => sub {
 448         ######################################################################
 449
 450         plan tests => 5;
 451
 452         {
 453           SKIP: {
 454               skip "skipping anonymous DH tests", 1
 455                   if ($no_dh);
 456
 457               ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
 458                  'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
 459             }
 460         }
 461
 462         {
 463           SKIP: {
 464               skip "skipping RSA tests", 2
 465                   if $no_rsa;
 466
 467               ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
 468                  'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
 469
 470               skip "skipping RSA+DHE tests", 1
 471                   if $no_dh;
 472
 473               ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
 474                  'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
 475             }
 476         }
 477     {
 478         SKIP: {
 479                 skip "skipping PSK tests", 2
 480                 if ($no_psk);
 481
 482                 ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
 483                 'test tls1 with PSK');
 484
 485                 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
 486                 'test tls1 with PSK via BIO pair');
 487         }
 488     }
 489
 490     };
 491
 492     subtest 'Next Protocol Negotiation Tests' => sub {
 493         ######################################################################
 494
 495         plan tests => 7;
 496
 497         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client"])));
 498         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server"])));
 499         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server_reject"])));
 500         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server_reject"])));
 501         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server"])));
 502         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2"])));
 503         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2", "-reuse"])));
 504     };
 505
 506     subtest 'Custom Extension tests' => sub {
 507         ######################################################################
 508
 509         plan tests => 1;
 510
 511         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
 512            'test tls1 with custom extensions');
 513     };
 514
 515     subtest 'Serverinfo tests' => sub {
 516         ######################################################################
 517
 518         plan tests => 5;
 519
 520         note('echo test tls1 with serverinfo');
 521         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
 522         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
 523         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
 524         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
 525         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
 526     };
 527
 528     subtest 'ALPN tests' => sub {
 529         ######################################################################
 530
 531         plan tests => 12;
 532
 533         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "bar"])));
 534         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "foo", "-alpn_expected", "foo"])));
 535         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "foo", "-alpn_expected", "foo"])));
 536         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo", "-alpn_expected", "foo"])));
 537         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo,bar", "-alpn_expected", "foo"])));
 538         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "bar,foo", "-alpn_expected", "bar"])));
 539         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "bar,foo", "-alpn_expected", "bar"])));
 540         ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "baz", "-alpn_server", "bar,foo"])));
 541
 542         {
 543           SKIP: {
 544               skip "skipping SRP tests", 4
 545                   if $no_srp;
 546
 547               ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
 548                  'test tls1 with SRP');
 549
 550               ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
 551                  'test tls1 with SRP via BIO pair');
 552
 553               ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
 554                  'test tls1 with SRP auth');
 555
 556               ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
 557                  'test tls1 with SRP auth via BIO pair');
 558             }
 559         }
 560     };
 561
 562     subtest 'Multi-buffer tests' => sub {
 563         ######################################################################
 564
 565         plan tests => 2;
 566
 567         {
 568           SKIP: {
 569               skip "skipping multi-buffer tests", 2
 570                   if @extra || (POSIX::uname())[4] ne "x86_64";
 571               ok(run(test([@ssltest, "-cipher", "AES128-SHA",    "-bytes", "8m"])));
 572               ok(run(test([@ssltest, "-cipher", "AES128-SHA256", "-bytes", "8m"])));
 573             }
 574         }
 575     };
 576
 577     subtest 'TLS Version min/max tests' => sub {
 578         my @protos;
 579         push(@protos, "ssl3") unless $no_ssl3;
 580         push(@protos, "tls1") unless $no_tls1;
 581         push(@protos, "tls1.1") unless $no_tls1_1;
 582         push(@protos, "tls1.2") unless $no_tls1_2;
 583         my @minprotos = (undef, @protos);
 584         my @maxprotos = (@protos, undef);
 585         my @shdprotos = (@protos, $protos[$#protos]);
 586         my $n = ((@protos+2) * (@protos+3))/2 - 2;
 587         my $ntests = $n * $n;
 588         plan tests => $ntests;
 589         skip "TLS disabled", 1 if $ntests == 1;
 590
 591         my $should;
 592         for (my $smin = 0; $smin < @minprotos; ++$smin) {
 593         for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) {
 594         for (my $cmin = 0; $cmin < @minprotos; ++$cmin) {
 595         for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) {
 596             if ($cmax < $smin-1) {
 597                 $should = "fail-server";
 598             } elsif ($smax < $cmin-1) {
 599                 $should = "fail-client";
 600             } elsif ($cmax > $smax) {
 601                 $should = $shdprotos[$smax];
 602             } else {
 603                 $should = $shdprotos[$cmax];
 604             }
 605
 606             my @args = @ssltest;
 607             push(@args, "-should_negotiate", $should);
 608             push(@args, "-server_min_proto", $minprotos[$smin])
 609                 if (defined($minprotos[$smin]));
 610             push(@args, "-server_max_proto", $maxprotos[$smax])
 611                 if (defined($maxprotos[$smax]));
 612             push(@args, "-client_min_proto", $minprotos[$cmin])
 613                 if (defined($minprotos[$cmin]));
 614             push(@args, "-client_max_proto", $maxprotos[$cmax])
 615                 if (defined($maxprotos[$cmax]));
 616             my $ok = run(test[@args]);
 617             if (! $ok) {
 618                 print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n";
 619                 print STDERR "\nFailed: @args\n";
 620             }
 621             ok($ok);
 622         }}}}
 623     };
 624
 625     subtest 'DTLS Version min/max tests' => sub {
 626         my @protos;
 627         push(@protos, "dtls1") unless ($no_dtls1 || $no_dtls);
 628         push(@protos, "dtls1.2") unless ($no_dtls1_2 || $no_dtls);
 629         my @minprotos = (undef, @protos);
 630         my @maxprotos = (@protos, undef);
 631         my @shdprotos = (@protos, $protos[$#protos]);
 632         my $n = ((@protos+2) * (@protos+3))/2 - 2;
 633         my $ntests = $n * $n;
 634         plan tests => $ntests;
 635         skip "DTLS disabled", 1 if $ntests == 1;
 636
 637         my $should;
 638         for (my $smin = 0; $smin < @minprotos; ++$smin) {
 639         for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) {
 640         for (my $cmin = 0; $cmin < @minprotos; ++$cmin) {
 641         for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) {
 642             if ($cmax < $smin-1) {
 643                 $should = "fail-server";
 644             } elsif ($smax < $cmin-1) {
 645                 $should = "fail-client";
 646             } elsif ($cmax > $smax) {
 647                 $should = $shdprotos[$smax];
 648             } else {
 649                 $should = $shdprotos[$cmax];
 650             }
 651
 652             my @args = (@ssltest, "-dtls");
 653             push(@args, "-should_negotiate", $should);
 654             push(@args, "-server_min_proto", $minprotos[$smin])
 655                 if (defined($minprotos[$smin]));
 656             push(@args, "-server_max_proto", $maxprotos[$smax])
 657                 if (defined($maxprotos[$smax]));
 658             push(@args, "-client_min_proto", $minprotos[$cmin])
 659                 if (defined($minprotos[$cmin]));
 660             push(@args, "-client_max_proto", $maxprotos[$cmax])
 661                 if (defined($maxprotos[$cmax]));
 662             my $ok = run(test[@args]);
 663             if (! $ok) {
 664                 print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n";
 665                 print STDERR "\nFailed: @args\n";
 666             }
 667             ok($ok);
 668         }}}}
 669     };
 670 }
 671
 672 sub testsslproxy {
 673     my $key = shift || top_file("apps","server.pem");
 674     my $cert = shift || top_file("apps","server.pem");
 675     my $CAtmp = shift;
 676     my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs"));
 677     my @extra = @_;
 678
 679     my @ssltest = ("ssltest",
 680                    "-s_key", $key, "-s_cert", $cert,
 681                    "-c_key", $key, "-c_cert", $cert);
 682
 683     # plan tests => 16;
 684
 685     note('Testing a lot of proxy conditions.');
 686
 687     # We happen to know that certP1.ss has policy letters "AB" and
 688     # certP2.ss has policy letters "BC".  However, because certP2.ss
 689     # has certP1.ss as issuer, when it's used, both their policy
 690     # letters get combined into just "B".
 691     # The policy letter(s) then get filtered with the given auth letter
 692     # in the table below, and the result gets tested with the given
 693     # condition.  For details, read ssltest.c
 694     #
 695     # certfilename => [ [ auth, cond, expected result ] ... ]
 696     my %expected = ( "certP1.ss" => [ [ [ 'A',  'A'      ], 1 ],
 697                                       [ [ 'A',  'B'      ], 0 ],
 698                                       [ [ 'A',  'C'      ], 0 ],
 699                                       [ [ 'A',  'A|B&!C' ], 1 ],
 700                                       [ [ 'B',  'A'      ], 0 ],
 701                                       [ [ 'B',  'B'      ], 1 ],
 702                                       [ [ 'B',  'C'      ], 0 ],
 703                                       [ [ 'B',  'A|B&!C' ], 1 ],
 704                                       [ [ 'C',  'A'      ], 0 ],
 705                                       [ [ 'C',  'B'      ], 0 ],
 706                                       [ [ 'C',  'C'      ], 0 ],
 707                                       [ [ 'C',  'A|B&!C' ], 0 ],
 708                                       [ [ 'BC', 'A'      ], 0 ],
 709                                       [ [ 'BC', 'B'      ], 1 ],
 710                                       [ [ 'BC', 'C'      ], 0 ],
 711                                       [ [ 'BC', 'A|B&!C' ], 1 ] ],
 712                      "certP2.ss" => [ [ [ 'A',  'A'      ], 0 ],
 713                                       [ [ 'A',  'B'      ], 0 ],
 714                                       [ [ 'A',  'C'      ], 0 ],
 715                                       [ [ 'A',  'A|B&!C' ], 0 ],
 716                                       [ [ 'B',  'A'      ], 0 ],
 717                                       [ [ 'B',  'B'      ], 1 ],
 718                                       [ [ 'B',  'C'      ], 0 ],
 719                                       [ [ 'B',  'A|B&!C' ], 1 ],
 720                                       [ [ 'C',  'A'      ], 0 ],
 721                                       [ [ 'C',  'B'      ], 0 ],
 722                                       [ [ 'C',  'C'      ], 0 ],
 723                                       [ [ 'C',  'A|B&!C' ], 0 ],
 724                                       [ [ 'BC', 'A'      ], 0 ],
 725                                       [ [ 'BC', 'B'      ], 1 ],
 726                                       [ [ 'BC', 'C'      ], 0 ],
 727                                       [ [ 'BC', 'A|B&!C' ], 1 ] ] );
 728
 729     foreach (@{$expected{$cert}}) {
 730         my $auth = $_->[0]->[0];
 731         my $cond = $_->[0]->[1];
 732         my $res  = $_->[1];
 733         is(run(test([@ssltest, "-server_auth", @CA,
 734                      "-proxy", "-proxy_auth", $auth,
 735                      "-proxy_cond", $cond])), $res,
 736            "test tlsv1, server auth, proxy auth $auth and cond $cond (expect "
 737            .($res ? "success" : "failure").")");
 738     }
 739 }