use File::Spec;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with top_file cmdstr/;
+use OpenSSL::Test::Utils;
setup("test_ssl");
+my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk) =
+ disabled qw/rsa dsa dh ec srp psk/;
+
my $digest = "-sha1";
my @reqcmd = ("openssl", "req");
my @x509cmd = ("openssl", "x509", $digest);
1 # For testss
+ 1 # For ssltest -test_cipherlist
+ 8 # For the first testssl
- + 8 * 4 * 4 # For the first testsslproxy (16 times testssl)
- + 8 * 4 * 4 # For the second testsslproxy (16 times testssl)
+ + 16 # For the first testsslproxy
+ + 16 # For the second testsslproxy
;
subtest 'test_ss' => sub {
testssl("keyU.ss", $Ucert, $CAcert);
note('test_ssl -- key P1');
- testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss");
+ testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB");
note('test_ssl -- key P2');
- testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss");
+ testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC");
}
# -----------
my @req_dsa = ("-newkey",
"dsa:".File::Spec->catfile("..", "apps", "dsa1024.pem"));;
my @req_new;
- if (run(app(["openssl", "no-rsa"], stdout => undef))) {
+ if ($no_rsa) {
@req_new = @req_dsa;
} else {
@req_new = ("-new");
skip 'failure', 7 unless
subtest 'DSA certificate creation' => sub {
plan skip_all => "skipping DSA certificate creation"
- if run(app(["openssl", "no-dsa"], stdout => undef));
+ if $no_dsa;
plan tests => 4;
skip 'failure', 6 unless
subtest 'ECDSA/ECDH certificate creation' => sub {
plan skip_all => "skipping ECDSA/ECDH certificate creation"
- if run(app(["openssl", "no-ec"], stdout => undef));
+ if $no_ec;
plan tests => 5;
my @exkeys = ();
my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe";
- if (run(app(["openssl", "no-dhparam"], stdout => undef))) {
+ if ($no_dh) {
note "skipping DHE tests\n";
$ciphers .= ":-kDHE";
}
- if (run(app(["openssl", "no-dsa"], stdout => undef))) {
+ if ($no_dsa) {
note "skipping DSA tests\n";
$ciphers .= ":-aDSA";
} else {
push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
}
- if (run(app(["openssl", "no-ec"], stdout => undef))) {
+ if ($no_ec) {
note "skipping EC tests\n";
$ciphers .= ":!aECDSA:!kECDH";
} else {
{
SKIP: {
skip "skipping anonymous DH tests", 1
- if (run(app(["openssl", "no-dhparam"], stdout => undef)));
+ if ($no_dh);
ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
{
SKIP: {
skip "skipping RSA tests", 2
- if (run(app(["openssl", "no-rsa"], stdout => undef)));
+ if $no_rsa;
ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
skip "skipping RSA+DHE tests", 1
- if (run(app(["openssl", "no-dhparam"], stdout => undef)));
+ if $no_dh;
ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
{
SKIP: {
skip "skipping SRP tests", 4
- if run(app(["openssl", "no-srp"], stdout => undef));
+ if $no_srp;
ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP');
}
sub testsslproxy {
- my ($a1, $a2, $a3, @rest) = @_;
+ my $key = shift || top_file("apps","server.pem");
+ my $cert = shift || top_file("apps","server.pem");
+ my $CAtmp = shift;
+ my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs"));
+ my @extra = @_;
+
+ my @ssltest = ("ssltest",
+ "-s_key", $key, "-s_cert", $cert,
+ "-c_key", $key, "-c_cert", $cert);
# plan tests => 16;
note('Testing a lot of proxy conditions.');
- note('Some of them may turn out being invalid, which is fine.');
- foreach my $auth (('A', 'B', 'C', 'BC')) {
- foreach my $cond (('A', 'B', 'C', 'A|B&!C')) {
- # Exit code 3 is when ssltest couldn't parse the condition
- with({ exit_checker => sub { my $x = shift;
- return
- ($x == 1 || $x == 3) ? 0 : 1; } },
- sub {
- testssl($a1, $a2, $a3,
- "-proxy", "-proxy_auth", $auth,
- "-proxy_cond", $cond);
- });
- }
+
+ # We happen to know that certP1.ss has policy letters "AB" and
+ # certP2.ss has policy letters "BC". However, because certP2.ss
+ # has certP1.ss as issuer, when it's used, both their policy
+ # letters get combined into just "B".
+ # The policy letter(s) then get filtered with the given auth letter
+ # in the table below, and the result gets tested with the given
+ # condition. For details, read ssltest.c
+ #
+ # certfilename => [ [ auth, cond, expected result ] ... ]
+ my %expected = ( "certP1.ss" => [ [ [ 'A', 'A' ], 1 ],
+ [ [ 'A', 'B' ], 0 ],
+ [ [ 'A', 'C' ], 0 ],
+ [ [ 'A', 'A|B&!C' ], 1 ],
+ [ [ 'B', 'A' ], 0 ],
+ [ [ 'B', 'B' ], 1 ],
+ [ [ 'B', 'C' ], 0 ],
+ [ [ 'B', 'A|B&!C' ], 1 ],
+ [ [ 'C', 'A' ], 0 ],
+ [ [ 'C', 'B' ], 0 ],
+ [ [ 'C', 'C' ], 0 ],
+ [ [ 'C', 'A|B&!C' ], 0 ],
+ [ [ 'BC', 'A' ], 0 ],
+ [ [ 'BC', 'B' ], 1 ],
+ [ [ 'BC', 'C' ], 0 ],
+ [ [ 'BC', 'A|B&!C' ], 1 ] ],
+ "certP2.ss" => [ [ [ 'A', 'A' ], 0 ],
+ [ [ 'A', 'B' ], 0 ],
+ [ [ 'A', 'C' ], 0 ],
+ [ [ 'A', 'A|B&!C' ], 0 ],
+ [ [ 'B', 'A' ], 0 ],
+ [ [ 'B', 'B' ], 1 ],
+ [ [ 'B', 'C' ], 0 ],
+ [ [ 'B', 'A|B&!C' ], 1 ],
+ [ [ 'C', 'A' ], 0 ],
+ [ [ 'C', 'B' ], 0 ],
+ [ [ 'C', 'C' ], 0 ],
+ [ [ 'C', 'A|B&!C' ], 0 ],
+ [ [ 'BC', 'A' ], 0 ],
+ [ [ 'BC', 'B' ], 1 ],
+ [ [ 'BC', 'C' ], 0 ],
+ [ [ 'BC', 'A|B&!C' ], 1 ] ] );
+
+ foreach (@{$expected{$cert}}) {
+ my $auth = $_->[0]->[0];
+ my $cond = $_->[0]->[1];
+ my $res = $_->[1];
+ is(run(test([@ssltest, "-ssl3", "-server_auth", @CA,
+ "-proxy", "-proxy_auth", $auth,
+ "-proxy_cond", $cond])), $res,
+ "test tlsv1, server auth, proxy auth $auth and cond $cond (expect "
+ .($res ? "success" : "failure").")");
}
}