test/recipes/80-test_ssl.t

   1 #! /usr/bin/perl
   2
   3 use strict;
   4 use warnings;
   5
   6 use POSIX;
   7 use File::Spec;
   8 use File::Copy;
   9 use OpenSSL::Test qw/:DEFAULT with top_file cmdstr/;
  10 use OpenSSL::Test::Utils;
  11
  12 setup("test_ssl");
  13
  14 my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
  15     $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
  16     $no_dtls, $no_dtls1, $no_dtls1_2) =
  17     anydisabled qw/rsa dsa dh ec srp psk
  18                    ssl3 tls1 tls1_1 tls1_2
  19                    dtls dtls1 dtls1_2/;
  20 my $no_anytls = alldisabled(available_protocols("tls"));
  21 my $no_anydtls = alldisabled(available_protocols("dtls"));
  22
  23 plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build"
  24     if $no_anytls && $no_anydtls;
  25
  26 my $digest = "-sha1";
  27 my @reqcmd = ("openssl", "req");
  28 my @x509cmd = ("openssl", "x509", $digest);
  29 my @verifycmd = ("openssl", "verify");
  30 my $dummycnf = top_file("apps", "openssl.cnf");
  31
  32 my $CAkey = "keyCA.ss";
  33 my $CAcert="certCA.ss";
  34 my $CAserial="certCA.srl";
  35 my $CAreq="reqCA.ss";
  36 my $CAconf=top_file("test","CAss.cnf");
  37 my $CAreq2="req2CA.ss"; # temp
  38
  39 my $Uconf=top_file("test","Uss.cnf");
  40 my $Ukey="keyU.ss";
  41 my $Ureq="reqU.ss";
  42 my $Ucert="certU.ss";
  43
  44 my $Dkey="keyD.ss";
  45 my $Dreq="reqD.ss";
  46 my $Dcert="certD.ss";
  47
  48 my $Ekey="keyE.ss";
  49 my $Ereq="reqE.ss";
  50 my $Ecert="certE.ss";
  51
  52 my $P1conf=top_file("test","P1ss.cnf");
  53 my $P1key="keyP1.ss";
  54 my $P1req="reqP1.ss";
  55 my $P1cert="certP1.ss";
  56 my $P1intermediate="tmp_intP1.ss";
  57
  58 my $P2conf=top_file("test","P2ss.cnf");
  59 my $P2key="keyP2.ss";
  60 my $P2req="reqP2.ss";
  61 my $P2cert="certP2.ss";
  62 my $P2intermediate="tmp_intP2.ss";
  63
  64 plan tests =>
  65     1                           # For testss
  66     + 1                         # For ssltest -test_cipherlist
  67     + 10                        # For the first testssl
  68     + 16                        # For the first testsslproxy
  69     + 16                        # For the second testsslproxy
  70     ;
  71
  72 subtest 'test_ss' => sub {
  73     if (testss()) {
  74         open OUT, ">", "intP1.ss";
  75         copy($CAcert, \*OUT); copy($Ucert, \*OUT);
  76         close OUT;
  77
  78         open OUT, ">", "intP2.ss";
  79         copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
  80         close OUT;
  81     }
  82 };
  83
  84 my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest");
  85
  86   SKIP: {
  87       skip "ssltest ended with error, skipping the rest", 3
  88           if !$check;
  89
  90       note('test_ssl -- key U');
  91       testssl("keyU.ss", $Ucert, $CAcert);
  92
  93       note('test_ssl -- key P1');
  94       testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB");
  95
  96       note('test_ssl -- key P2');
  97       testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC");
  98     }
  99
 100 # -----------
 101 # subtest functions
 102 sub testss {
 103     open RND, ">>", ".rnd";
 104     print RND "string to make the random number generator think it has entropy";
 105     close RND;
 106
 107     my @req_dsa = ("-newkey",
 108                    "dsa:".File::Spec->catfile("..", "apps", "dsa1024.pem"));;
 109     my @req_new;
 110     if ($no_rsa) {
 111         @req_new = @req_dsa;
 112     } else {
 113         @req_new = ("-new");
 114     }
 115
 116     plan tests => 17;
 117
 118   SKIP: {
 119       skip 'failure', 16 unless
 120           ok(run(app([@reqcmd, "-config", $CAconf,
 121                       "-out", $CAreq, "-keyout", $CAkey,
 122                       @req_new])),
 123              'make cert request');
 124
 125       skip 'failure', 15 unless
 126           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
 127                       "-req", "-out", $CAcert, "-signkey", $CAkey,
 128                       "-extfile", $CAconf, "-extensions", "v3_ca"],
 129                      stdout => "err.ss")),
 130              'convert request into self-signed cert');
 131
 132       skip 'failure', 14 unless
 133           ok(run(app([@x509cmd, "-in", $CAcert,
 134                       "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
 135                      stdout => "err.ss")),
 136              'convert cert into a cert request');
 137
 138       skip 'failure', 13 unless
 139           ok(run(app([@reqcmd, "-config", $dummycnf,
 140                       "-verify", "-in", $CAreq, "-noout"])),
 141              'verify request 1');
 142
 143
 144       skip 'failure', 12 unless
 145           ok(run(app([@reqcmd, "-config", $dummycnf,
 146                       "-verify", "-in", $CAreq2, "-noout"])),
 147              'verify request 2');
 148
 149       skip 'failure', 11 unless
 150           ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
 151              'verify signature');
 152
 153       skip 'failure', 10 unless
 154           ok(run(app([@reqcmd, "-config", $Uconf,
 155                       "-out", $Ureq, "-keyout", $Ukey, @req_new],
 156                      stdout => "err.ss")),
 157              'make a user cert request');
 158
 159       skip 'failure', 9 unless
 160           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
 161                       "-req", "-out", $Ucert,
 162                       "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
 163                       "-extfile", $Uconf, "-extensions", "v3_ee"],
 164                      stdout => "err.ss"))
 165              && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
 166              'sign user cert request');
 167
 168       skip 'failure', 8 unless
 169           ok(run(app([@x509cmd,
 170                       "-subject", "-issuer", "-startdate", "-enddate",
 171                       "-noout", "-in", $Ucert])),
 172              'Certificate details');
 173
 174       skip 'failure', 7 unless
 175           subtest 'DSA certificate creation' => sub {
 176               plan skip_all => "skipping DSA certificate creation"
 177                   if $no_dsa;
 178
 179               plan tests => 4;
 180
 181             SKIP: {
 182                 $ENV{CN2} = "DSA Certificate";
 183                 skip 'failure', 3 unless
 184                     ok(run(app([@reqcmd, "-config", $Uconf,
 185                                 "-out", $Dreq, "-keyout", $Dkey,
 186                                 @req_dsa],
 187                                stdout => "err.ss")),
 188                        "make a DSA user cert request");
 189                 skip 'failure', 2 unless
 190                     ok(run(app([@x509cmd, "-CAcreateserial",
 191                                 "-in", $Dreq,
 192                                 "-days", "30",
 193                                 "-req",
 194                                 "-out", $Dcert,
 195                                 "-CA", $CAcert, "-CAkey", $CAkey,
 196                                 "-CAserial", $CAserial,
 197                                 "-extfile", $Uconf,
 198                                 "-extensions", "v3_ee_dsa"],
 199                                stdout => "err.ss")),
 200                        "sign DSA user cert request");
 201                 skip 'failure', 1 unless
 202                     ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])),
 203                        "verify DSA user cert");
 204                 skip 'failure', 0 unless
 205                     ok(run(app([@x509cmd,
 206                                 "-subject", "-issuer",
 207                                 "-startdate", "-enddate", "-noout",
 208                                 "-in", $Dcert])),
 209                        "DSA Certificate details");
 210               }
 211       };
 212
 213       skip 'failure', 6 unless
 214           subtest 'ECDSA/ECDH certificate creation' => sub {
 215               plan skip_all => "skipping ECDSA/ECDH certificate creation"
 216                   if $no_ec;
 217
 218               plan tests => 5;
 219
 220             SKIP: {
 221                 $ENV{CN2} = "ECDSA Certificate";
 222                 skip 'failure', 4 unless
 223                     ok(run(app(["openssl", "ecparam", "-name", "P-256",
 224                                 "-out", "ecp.ss"])),
 225                        "make EC parameters");
 226                 skip 'failure', 3 unless
 227                     ok(run(app([@reqcmd, "-config", $Uconf,
 228                                 "-out", $Ereq, "-keyout", $Ekey,
 229                                 "-newkey", "ec:ecp.ss"],
 230                                stdout => "err.ss")),
 231                        "make a ECDSA/ECDH user cert request");
 232                 skip 'failure', 2 unless
 233                     ok(run(app([@x509cmd, "-CAcreateserial",
 234                                 "-in", $Ereq,
 235                                 "-days", "30",
 236                                 "-req",
 237                                 "-out", $Ecert,
 238                                 "-CA", $CAcert, "-CAkey", $CAkey,
 239                                 "-CAserial", $CAserial,
 240                                 "-extfile", $Uconf,
 241                                 "-extensions", "v3_ee_ec"],
 242                                stdout => "err.ss")),
 243                        "sign ECDSA/ECDH user cert request");
 244                 skip 'failure', 1 unless
 245                     ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])),
 246                        "verify ECDSA/ECDH user cert");
 247                 skip 'failure', 0 unless
 248                     ok(run(app([@x509cmd,
 249                                 "-subject", "-issuer",
 250                                 "-startdate", "-enddate", "-noout",
 251                                 "-in", $Ecert])),
 252                        "ECDSA Certificate details");
 253               }
 254       };
 255
 256       skip 'failure', 5 unless
 257           ok(run(app([@reqcmd, "-config", $P1conf,
 258                       "-out", $P1req, "-keyout", $P1key, @req_new],
 259                      stdout => "err.ss")),
 260              'make a proxy cert request');
 261
 262
 263       skip 'failure', 4 unless
 264           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
 265                       "-req", "-out", $P1cert,
 266                       "-CA", $Ucert, "-CAkey", $Ukey,
 267                       "-extfile", $P1conf, "-extensions", "v3_proxy"],
 268                      stdout => "err.ss")),
 269              'sign proxy with user cert');
 270
 271       copy($Ucert, $P1intermediate);
 272       run(app([@verifycmd, "-CAfile", $CAcert,
 273                "-untrusted", $P1intermediate, $P1cert]));
 274       ok(run(app([@x509cmd,
 275                   "-subject", "-issuer", "-startdate", "-enddate",
 276                   "-noout", "-in", $P1cert])),
 277          'Certificate details');
 278
 279       skip 'failure', 2 unless
 280           ok(run(app([@reqcmd, "-config", $P2conf,
 281                       "-out", $P2req, "-keyout", $P2key,
 282                       @req_new],
 283                      stdout => "err.ss")),
 284              'make another proxy cert request');
 285
 286
 287       skip 'failure', 1 unless
 288           ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
 289                       "-req", "-out", $P2cert,
 290                       "-CA", $P1cert, "-CAkey", $P1key,
 291                       "-extfile", $P2conf, "-extensions", "v3_proxy"],
 292                      stdout => "err.ss")),
 293              'sign second proxy cert request with the first proxy cert');
 294
 295
 296       open OUT, ">", $P2intermediate;
 297       copy($Ucert, \*OUT); copy($P1cert, \*OUT);
 298       close OUT;
 299       run(app([@verifycmd, "-CAfile", $CAcert,
 300                "-untrusted", $P2intermediate, $P2cert]));
 301       ok(run(app([@x509cmd,
 302                   "-subject", "-issuer", "-startdate", "-enddate",
 303                   "-noout", "-in", $P2cert])),
 304          'Certificate details');
 305     }
 306 }
 307
 308 sub testssl {
 309     my $key = shift || top_file("apps","server.pem");
 310     my $cert = shift || top_file("apps","server.pem");
 311     my $CAtmp = shift;
 312     my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs"));
 313     my @extra = @_;
 314
 315     my @ssltest = ("ssltest",
 316                    "-s_key", $key, "-s_cert", $cert,
 317                    "-c_key", $key, "-c_cert", $cert);
 318
 319     my $serverinfo = top_file("test","serverinfo.pem");
 320
 321     my $dsa_cert = 0;
 322     if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
 323                                         "-text", "-noout"]), capture => 1)) {
 324         $dsa_cert = 1;
 325     }
 326
 327
 328     # plan tests => 10;
 329
 330     subtest 'standard SSL tests' => sub {
 331         ######################################################################
 332         plan tests => 29;
 333
 334       SKIP: {
 335           skip "SSLv3 is not supported by this OpenSSL build", 4
 336               if disabled("ssl3");
 337
 338           ok(run(test([@ssltest, "-ssl3", @extra])),
 339              'test sslv3');
 340           ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
 341              'test sslv3 with server authentication');
 342           ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
 343              'test sslv3 with client authentication');
 344           ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
 345              'test sslv3 with both server and client authentication');
 346         }
 347
 348       SKIP: {
 349           skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4
 350               if $no_anytls;
 351
 352           ok(run(test([@ssltest, @extra])),
 353              'test sslv2/sslv3');
 354           ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
 355              'test sslv2/sslv3 with server authentication');
 356           ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
 357              'test sslv2/sslv3 with client authentication');
 358           ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
 359              'test sslv2/sslv3 with both server and client authentication');
 360         }
 361
 362       SKIP: {
 363           skip "SSLv3 is not supported by this OpenSSL build", 4
 364               if disabled("ssl3");
 365
 366           ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
 367              'test sslv3 via BIO pair');
 368           ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
 369              'test sslv3 with server authentication via BIO pair');
 370           ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
 371              'test sslv3 with client authentication via BIO pair');
 372           ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
 373              'test sslv3 with both server and client authentication via BIO pair');
 374         }
 375
 376       SKIP: {
 377           skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
 378               if $no_anytls;
 379
 380           ok(run(test([@ssltest, "-bio_pair", @extra])),
 381              'test sslv2/sslv3 via BIO pair');
 382         }
 383
 384       SKIP: {
 385           skip "DTLSv1 is not supported by this OpenSSL build", 4
 386               if disabled("dtls1");
 387
 388           ok(run(test([@ssltest, "-dtls1", @extra])),
 389              'test dtlsv1');
 390           ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
 391            'test dtlsv1 with server authentication');
 392           ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
 393              'test dtlsv1 with client authentication');
 394           ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
 395              'test dtlsv1 with both server and client authentication');
 396         }
 397
 398       SKIP: {
 399           skip "DTLSv1.2 is not supported by this OpenSSL build", 4
 400               if disabled("dtls1_2");
 401
 402           ok(run(test([@ssltest, "-dtls12", @extra])),
 403              'test dtlsv1.2');
 404           ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
 405              'test dtlsv1.2 with server authentication');
 406           ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
 407              'test dtlsv1.2 with client authentication');
 408           ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
 409              'test dtlsv1.2 with both server and client authentication');
 410         }
 411
 412       SKIP: {
 413           skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
 414               if $no_anytls;
 415
 416         SKIP: {
 417             skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
 418
 419             ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
 420                'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
 421           }
 422
 423           ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
 424              'test sslv2/sslv3 with 1024bit DHE via BIO pair');
 425           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
 426              'test sslv2/sslv3 with server authentication');
 427           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
 428              'test sslv2/sslv3 with client authentication via BIO pair');
 429           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
 430              'test sslv2/sslv3 with both client and server authentication via BIO pair');
 431           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
 432              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
 433
 434         SKIP: {
 435             skip "No IPv4 available on this machine", 1
 436                 unless have_IPv4();
 437             ok(run(test([@ssltest, "-ipv4", @extra])),
 438                'test TLS via IPv4');
 439           }
 440
 441         SKIP: {
 442             skip "No IPv6 available on this machine", 1
 443                 unless have_IPv6();
 444             ok(run(test([@ssltest, "-ipv6", @extra])),
 445                'test TLS via IPv6');
 446           }
 447         }
 448     };
 449
 450     subtest "Testing ciphersuites" => sub {
 451
 452         my @exkeys = ();
 453         my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe";
 454
 455         if ($no_dh) {
 456             note "skipping DHE tests\n";
 457             $ciphers .= ":-kDHE";
 458         }
 459         if ($no_dsa) {
 460             note "skipping DSA tests\n";
 461             $ciphers .= ":-aDSA";
 462         } else {
 463             push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
 464         }
 465
 466         if ($no_ec) {
 467             note "skipping EC tests\n";
 468             $ciphers .= ":!aECDSA:!kECDH";
 469         } else {
 470             push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
 471         }
 472
 473         my @protocols = ();
 474         # FIXME: I feel unsure about the following line, is that really just TLSv1.2, or is it all of the SSLv3/TLS protocols?
 475         push(@protocols, "TLSv1.2") unless $no_tls1_2;
 476         push(@protocols, "SSLv3") unless $no_ssl3;
 477         my $protocolciphersuitcount = 0;
 478         my %ciphersuites =
 479             map { my @c =
 480                       map { split(/:/, $_) }
 481                       run(app(["openssl", "ciphers", "${_}:$ciphers"]),
 482                           capture => 1);
 483                   map { s/\R//; } @c;  # chomp @c;
 484                   $protocolciphersuitcount += scalar @c;
 485                   $_ => [ @c ] } @protocols;
 486
 487         plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
 488             if $protocolciphersuitcount + scalar(@protocols) == 0;
 489
 490         # The count of protocols is because in addition to the ciphersuits
 491         # we got above, we're running a weak DH test for each protocol
 492         plan tests => $protocolciphersuitcount + scalar(@protocols);
 493
 494         foreach my $protocol (@protocols) {
 495             note "Testing ciphersuites for $protocol";
 496             foreach my $cipher (@{$ciphersuites{$protocol}}) {
 497                 ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
 498                              $protocol eq "SSLv3" ? ("-ssl3") : ()])),
 499                    "Testing $cipher");
 500             }
 501             is(run(test([@ssltest,
 502                          "-s_cipher", "EDH",
 503                          "-c_cipher", 'EDH:@SECLEVEL=1',
 504                          "-dhe512",
 505                          $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0,
 506                "testing connection with weak DH, expecting failure");
 507         }
 508     };
 509
 510     subtest 'RSA/(EC)DHE/PSK tests' => sub {
 511         ######################################################################
 512
 513         plan tests => 5;
 514
 515       SKIP: {
 516           skip "TLSv1.0 is not supported by this OpenSSL build", 5
 517               if $no_tls1;
 518
 519         SKIP: {
 520             skip "skipping anonymous DH tests", 1
 521               if ($no_dh);
 522
 523             ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
 524                'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
 525           }
 526
 527         SKIP: {
 528             skip "skipping RSA tests", 2
 529                 if $no_rsa;
 530
 531             ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
 532                'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
 533
 534             skip "skipping RSA+DHE tests", 1
 535                 if $no_dh;
 536
 537             ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
 538                'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
 539           }
 540
 541         SKIP: {
 542             skip "skipping PSK tests", 2
 543                 if ($no_psk);
 544
 545             ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
 546                'test tls1 with PSK');
 547
 548             ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
 549                'test tls1 with PSK via BIO pair');
 550           }
 551         }
 552
 553     };
 554
 555     subtest 'Next Protocol Negotiation Tests' => sub {
 556         ######################################################################
 557
 558         plan tests => 7;
 559
 560       SKIP: {
 561           skip "TLSv1.0 is not supported by this OpenSSL build", 7
 562               if $no_tls1;
 563
 564           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client"])));
 565           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server"])));
 566           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server_reject"])));
 567           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server_reject"])));
 568           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server"])));
 569           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2"])));
 570           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2", "-reuse"])));
 571         }
 572     };
 573
 574     subtest 'Custom Extension tests' => sub {
 575         ######################################################################
 576
 577         plan tests => 1;
 578
 579       SKIP: {
 580           skip "TLSv1.0 is not supported by this OpenSSL build", 1
 581               if $no_tls1;
 582
 583           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
 584              'test tls1 with custom extensions');
 585         }
 586     };
 587
 588     subtest 'Serverinfo tests' => sub {
 589         ######################################################################
 590
 591         plan tests => 5;
 592
 593       SKIP: {
 594           skip "TLSv1.0 is not supported by this OpenSSL build", 5
 595               if $no_tls1;
 596
 597           note('echo test tls1 with serverinfo');
 598           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
 599           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
 600           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
 601           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
 602           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
 603         }
 604     };
 605
 606     subtest 'ALPN tests' => sub {
 607         ######################################################################
 608
 609         plan tests => 12;
 610
 611       SKIP: {
 612           skip "TLSv1.0 is not supported by this OpenSSL build", 12
 613               if $no_tls1;
 614
 615           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "bar"])));
 616           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "foo", "-alpn_expected", "foo"])));
 617           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "foo", "-alpn_expected", "foo"])));
 618           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo", "-alpn_expected", "foo"])));
 619           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo,bar", "-alpn_expected", "foo"])));
 620           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "bar,foo", "-alpn_expected", "bar"])));
 621           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "bar,foo", "-alpn_expected", "bar"])));
 622           ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "baz", "-alpn_server", "bar,foo"])));
 623
 624         SKIP: {
 625             skip "skipping SRP tests", 4
 626                 if $no_srp;
 627
 628             ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
 629                'test tls1 with SRP');
 630
 631             ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
 632                'test tls1 with SRP via BIO pair');
 633
 634             ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
 635                  'test tls1 with SRP auth');
 636
 637             ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
 638                'test tls1 with SRP auth via BIO pair');
 639           }
 640         }
 641     };
 642
 643     subtest 'Multi-buffer tests' => sub {
 644         ######################################################################
 645
 646         plan tests => 2;
 647
 648       SKIP: {
 649           skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 2
 650               if $no_anytls;
 651
 652           skip "skipping multi-buffer tests", 2
 653               if @extra || (POSIX::uname())[4] ne "x86_64";
 654
 655           ok(run(test([@ssltest, "-cipher", "AES128-SHA",    "-bytes", "8m"])));
 656
 657           # We happen to know that AES128-SHA256 is TLSv1.2 only... for now.
 658           skip "TLSv1.2 is not supported by this OpenSSL configuration", 1
 659               if $no_tls1_2;
 660
 661           ok(run(test([@ssltest, "-cipher", "AES128-SHA256", "-bytes", "8m"])));
 662         }
 663     };
 664
 665     subtest 'TLS Version min/max tests' => sub {
 666         my @protos;
 667         push(@protos, "ssl3") unless $no_ssl3;
 668         push(@protos, "tls1") unless $no_tls1;
 669         push(@protos, "tls1.1") unless $no_tls1_1;
 670         push(@protos, "tls1.2") unless $no_tls1_2;
 671         my @minprotos = (undef, @protos);
 672         my @maxprotos = (@protos, undef);
 673         my @shdprotos = (@protos, $protos[$#protos]);
 674         my $n = ((@protos+2) * (@protos+3))/2 - 2;
 675         my $ntests = $n * $n;
 676         plan tests => $ntests;
 677       SKIP: {
 678         skip "TLS disabled", 1 if $ntests == 1;
 679
 680         my $should;
 681         for (my $smin = 0; $smin < @minprotos; ++$smin) {
 682         for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) {
 683         for (my $cmin = 0; $cmin < @minprotos; ++$cmin) {
 684         for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) {
 685             if ($cmax < $smin-1) {
 686                 $should = "fail-server";
 687             } elsif ($smax < $cmin-1) {
 688                 $should = "fail-client";
 689             } elsif ($cmax > $smax) {
 690                 $should = $shdprotos[$smax];
 691             } else {
 692                 $should = $shdprotos[$cmax];
 693             }
 694
 695             my @args = @ssltest;
 696             push(@args, "-should_negotiate", $should);
 697             push(@args, "-server_min_proto", $minprotos[$smin])
 698                 if (defined($minprotos[$smin]));
 699             push(@args, "-server_max_proto", $maxprotos[$smax])
 700                 if (defined($maxprotos[$smax]));
 701             push(@args, "-client_min_proto", $minprotos[$cmin])
 702                 if (defined($minprotos[$cmin]));
 703             push(@args, "-client_max_proto", $maxprotos[$cmax])
 704                 if (defined($maxprotos[$cmax]));
 705             my $ok = run(test[@args]);
 706             if (! $ok) {
 707                 print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n";
 708                 print STDERR "\nFailed: @args\n";
 709             }
 710             ok($ok);
 711         }}}}}
 712     };
 713
 714     subtest 'DTLS Version min/max tests' => sub {
 715         my @protos;
 716         push(@protos, "dtls1") unless ($no_dtls1 || $no_dtls);
 717         push(@protos, "dtls1.2") unless ($no_dtls1_2 || $no_dtls);
 718         my @minprotos = (undef, @protos);
 719         my @maxprotos = (@protos, undef);
 720         my @shdprotos = (@protos, $protos[$#protos]);
 721         my $n = ((@protos+2) * (@protos+3))/2 - 2;
 722         my $ntests = $n * $n;
 723         plan tests => $ntests;
 724       SKIP: {
 725         skip "DTLS disabled", 1 if $ntests == 1;
 726
 727         my $should;
 728         for (my $smin = 0; $smin < @minprotos; ++$smin) {
 729         for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) {
 730         for (my $cmin = 0; $cmin < @minprotos; ++$cmin) {
 731         for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) {
 732             if ($cmax < $smin-1) {
 733                 $should = "fail-server";
 734             } elsif ($smax < $cmin-1) {
 735                 $should = "fail-client";
 736             } elsif ($cmax > $smax) {
 737                 $should = $shdprotos[$smax];
 738             } else {
 739                 $should = $shdprotos[$cmax];
 740             }
 741
 742             my @args = (@ssltest, "-dtls");
 743             push(@args, "-should_negotiate", $should);
 744             push(@args, "-server_min_proto", $minprotos[$smin])
 745                 if (defined($minprotos[$smin]));
 746             push(@args, "-server_max_proto", $maxprotos[$smax])
 747                 if (defined($maxprotos[$smax]));
 748             push(@args, "-client_min_proto", $minprotos[$cmin])
 749                 if (defined($minprotos[$cmin]));
 750             push(@args, "-client_max_proto", $maxprotos[$cmax])
 751                 if (defined($maxprotos[$cmax]));
 752             my $ok = run(test[@args]);
 753             if (! $ok) {
 754                 print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n";
 755                 print STDERR "\nFailed: @args\n";
 756             }
 757             ok($ok);
 758         }}}}}
 759     };
 760 }
 761
 762 sub testsslproxy {
 763     my $key = shift || top_file("apps","server.pem");
 764     my $cert = shift || top_file("apps","server.pem");
 765     my $CAtmp = shift;
 766     my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs"));
 767     my @extra = @_;
 768
 769     my @ssltest = ("ssltest",
 770                    "-s_key", $key, "-s_cert", $cert,
 771                    "-c_key", $key, "-c_cert", $cert);
 772
 773     # plan tests => 16;
 774
 775     note('Testing a lot of proxy conditions.');
 776
 777     # We happen to know that certP1.ss has policy letters "AB" and
 778     # certP2.ss has policy letters "BC".  However, because certP2.ss
 779     # has certP1.ss as issuer, when it's used, both their policy
 780     # letters get combined into just "B".
 781     # The policy letter(s) then get filtered with the given auth letter
 782     # in the table below, and the result gets tested with the given
 783     # condition.  For details, read ssltest.c
 784     #
 785     # certfilename => [ [ auth, cond, expected result ] ... ]
 786     my %expected = ( "certP1.ss" => [ [ [ 'A',  'A'      ], 1 ],
 787                                       [ [ 'A',  'B'      ], 0 ],
 788                                       [ [ 'A',  'C'      ], 0 ],
 789                                       [ [ 'A',  'A|B&!C' ], 1 ],
 790                                       [ [ 'B',  'A'      ], 0 ],
 791                                       [ [ 'B',  'B'      ], 1 ],
 792                                       [ [ 'B',  'C'      ], 0 ],
 793                                       [ [ 'B',  'A|B&!C' ], 1 ],
 794                                       [ [ 'C',  'A'      ], 0 ],
 795                                       [ [ 'C',  'B'      ], 0 ],
 796                                       [ [ 'C',  'C'      ], 0 ],
 797                                       [ [ 'C',  'A|B&!C' ], 0 ],
 798                                       [ [ 'BC', 'A'      ], 0 ],
 799                                       [ [ 'BC', 'B'      ], 1 ],
 800                                       [ [ 'BC', 'C'      ], 0 ],
 801                                       [ [ 'BC', 'A|B&!C' ], 1 ] ],
 802                      "certP2.ss" => [ [ [ 'A',  'A'      ], 0 ],
 803                                       [ [ 'A',  'B'      ], 0 ],
 804                                       [ [ 'A',  'C'      ], 0 ],
 805                                       [ [ 'A',  'A|B&!C' ], 0 ],
 806                                       [ [ 'B',  'A'      ], 0 ],
 807                                       [ [ 'B',  'B'      ], 1 ],
 808                                       [ [ 'B',  'C'      ], 0 ],
 809                                       [ [ 'B',  'A|B&!C' ], 1 ],
 810                                       [ [ 'C',  'A'      ], 0 ],
 811                                       [ [ 'C',  'B'      ], 0 ],
 812                                       [ [ 'C',  'C'      ], 0 ],
 813                                       [ [ 'C',  'A|B&!C' ], 0 ],
 814                                       [ [ 'BC', 'A'      ], 0 ],
 815                                       [ [ 'BC', 'B'      ], 1 ],
 816                                       [ [ 'BC', 'C'      ], 0 ],
 817                                       [ [ 'BC', 'A|B&!C' ], 1 ] ] );
 818
 819   SKIP: {
 820       skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", scalar(@{$expected{$cert}})
 821           if $no_anytls;
 822
 823       foreach (@{$expected{$cert}}) {
 824           my $auth = $_->[0]->[0];
 825           my $cond = $_->[0]->[1];
 826           my $res  = $_->[1];
 827           is(run(test([@ssltest, "-server_auth", @CA,
 828                        "-proxy", "-proxy_auth", $auth,
 829                        "-proxy_cond", $cond])), $res,
 830              "test tlsv1, server auth, proxy auth $auth and cond $cond (expect "
 831              .($res ? "success" : "failure").")");
 832       }
 833     }
 834 }