X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2FREADME.ssltest.md;h=3b4bb564f11e6d7a168c7fe9d7a91392ec9ce130;hp=4e9c0e1fb309412ee02ba83c52e389795f56d22a;hb=2c9def25b1948f5f231b1acc15c060d9c2264816;hpb=dd8e5a573272d369cb6dd21592e2b1b1d3941939 diff --git a/test/README.ssltest.md b/test/README.ssltest.md index 4e9c0e1fb3..3b4bb564f1 100644 --- a/test/README.ssltest.md +++ b/test/README.ssltest.md @@ -10,23 +10,7 @@ harness generates the output files on the fly. However, for verification, we also include checked-in configuration outputs corresponding to the default configuration. These testcases live in -`test/ssl-tests/*.conf` files. Therefore, whenever you're adding or updating a -generated test, you should run - -``` -$ ./config -$ cd test -$ TOP=.. perl -I testlib/ generate_ssl_tests.pl ssl-tests/my.conf.in \ - > ssl-tests/my.conf -``` - -where `my.conf.in` is your test input file. - -For example, to generate the test cases in `ssl-tests/01-simple.conf.in`, do - -``` -$ TOP=.. perl generate_ssl_tests.pl ssl-tests/01-simple.conf.in > ssl-tests/01-simple.conf -``` +`test/ssl-tests/*.conf` files. For more details, see `ssl-tests/01-simple.conf.in` for an example. @@ -54,7 +38,8 @@ The test section supports the following options * HandshakeMode - which handshake flavour to test: - Simple - plain handshake (default) - Resume - test resumption - - (Renegotiate - test renegotiation, not yet implemented) + - RenegotiateServer - test server initiated renegotiation + - RenegotiateClient - test client initiated renegotiation When HandshakeMode is Resume or Renegotiate, the original handshake is expected to succeed. All configured test expectations are verified against the second 
@@ -96,12 +81,36 @@ handshake. - Yes - a session ticket is expected - No - a session ticket is not expected +* SessionIdExpected - whether or not a session id is expected + - Ignore - do not check for a session id (default) + - Yes - a session id is expected + - No - a session id is not expected + * ResumptionExpected - whether or not resumption is expected (Resume mode only) - Yes - resumed handshake - No - full handshake (default) * ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations. +* ExpectedTmpKeyType - the expected algorithm or curve of server temp key + +* ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or + curve of server or client certificate + +* ExpectedServerSignHash, ExpectedClientSignHash - the expected + signing hash used by server or client certificate + +* ExpectedServerSignType, ExpectedClientSignType - the expected + signature type used by server or client when signing messages + +* ExpectedClientCANames - for client auth list of CA names the server must + send. If this is "empty" the list is expected to be empty otherwise it + is a file of certificates whose subject names form the list. + +* ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only. + If this is "empty" the list is expected to be empty otherwise it is a file + of certificates whose subject names form the list. + ## Configuring the client and server The client and server configurations can be any valid `SSL_CTX` @@ -183,6 +192,9 @@ client => { protocols can be specified as a comma-separated list, and a callback with the recommended behaviour will be installed automatically. +* SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to + connect as; for server, this is a known SRP user. + ### Default server and client configurations The default server certificate and CA files are added to the configurations 
@@ -206,7 +218,44 @@ client => { ## Adding a test to the test harness -Add your configuration file to `test/recipes/80-test_ssl_new.t`. +1. Add a new test configuration to `test/ssl-tests`, following the examples of + existing `*.conf.in` files (for example, `01-simple.conf.in`). + +2. Generate the generated `*.conf` test input file. You can do so by running + `generate_ssl_tests.pl`: + +``` +$ ./config +$ cd test +$ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/my.conf.in \ + > ssl-tests/my.conf +``` + +where `my.conf.in` is your test input file. + +For example, to generate the test cases in `ssl-tests/01-simple.conf.in`, do + +``` +$ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/01-simple.conf.in > ssl-tests/01-simple.conf +``` + +Alternatively (hackish but simple), you can comment out + +``` +unlink glob $tmp_file; +``` + +in `test/recipes/80-test_ssl_new.t` and run + +``` +$ make TESTS=test_ssl_new test +``` + +This will save the generated output in a `*.tmp` file in the build directory. + +3. Update the number of tests planned in `test/recipes/80-test_ssl_new.t`. If + the test suite has any skip conditions, update those too (see + `test/recipes/80-test_ssl_new.t` for details). ## Running the tests with the test harness 
@@ -224,20 +273,17 @@ environment variable to point to the location of the certs. E.g., from the root OpenSSL directory, do ``` -$ TEST_CERTS_DIR=test/certs test/ssl_test test/ssl-tests/01-simple.conf +$ CTLOG_FILE=test/ct/log_list.conf TEST_CERTS_DIR=test/certs test/ssl_test \ + test/ssl-tests/01-simple.conf ``` or for shared builds ``` -$ TEST_CERTS_DIR=test/certs util/shlib_wrap.sh test/ssl_test \ - test/ssl-tests/01-simple.conf +$ CTLOG_FILE=test/ct/log_list.conf TEST_CERTS_DIR=test/certs \ + util/shlib_wrap.sh test/ssl_test test/ssl-tests/01-simple.conf ``` -Some tests also need additional environment variables; for example, Certificate -Transparency tests need a `CTLOG_FILE`. See `test/recipes/80-test_ssl_new.t` for -details. - Note that the test expectations sometimes depend on the Configure settings. For example, the negotiated protocol depends on the set of available (enabled) protocols: a build with `enable-ssl3` has different test expectations than a
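Review bot: In the first hunk (@@ -10,23 +10,7), the introduction no longer says that the checked-in `*.conf` outputs have to be regenerated when a `*.conf.in` file is added or changed, and the remaining "For more details, see `ssl-tests/01-simple.conf.in` for an example" does not lead the reader to where the steps went. Add one sentence after "`test/ssl-tests/*.conf` files." that points to the "Adding a test to the test harness" section.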
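Review bot: In the HandshakeMode hunk (@@ -54,7 +38,8), the unchanged sentence right after the list still reads "When HandshakeMode is Resume or Renegotiate", but the list now offers RenegotiateServer and RenegotiateClient and no value named Renegotiate. Update that sentence in the same change so it names the two new values, and confirm that "verified against the second handshake" is also the intended wording for the renegotiated handshake.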
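Review bot: In the expectations hunk (@@ -96,12 +81,36), ExpectedTmpKeyType and the Expected*CertType, Expected*SignHash and Expected*SignType entries list no accepted values and do not say what happens when the option is unset, unlike SessionIdExpected just above them, which spells out Ignore/Yes/No and its default. Give one example value per option and state the unset behaviour. In ExpectedClientCANames, "for client auth list of CA names the server must send" needs punctuation after "client auth", and both CANames entries need a comma before "otherwise".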
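Review bot: In the SRP hunk (@@ -183,6 +192,9), the entry documents two options but explains only the user: "the SRP user to connect as" for the client and "a known SRP user" for the server. Say what SRPPassword means on each side (the password the client presents, and the password the server associates with that user, if that is the intent) so a test author can tell how to build a deliberately failing case.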
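Review bot: In the "Adding a test to the test harness" hunk (@@ -206,7 +218,44), the removed line told the author to add the configuration file to `test/recipes/80-test_ssl_new.t`, while the new step 3 only mentions the planned test count and skip conditions; state whether a new `*.conf.in` is picked up automatically or still has to be listed in the recipe. The "hackish" alternative should also remind the reader to restore `unlink glob $tmp_file;` before committing. Smaller points: "Generate the generated `*.conf` test input file" is redundant, and the fenced blocks and paragraphs under step 2 are not indented, which ends the numbered list before "3." in Markdown.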
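Review bot: In the last hunk (@@ -224,20 +273,17), both commands now set `CTLOG_FILE=test/ct/log_list.conf`, but the paragraph that explained why ("Certificate Transparency tests need a `CTLOG_FILE`") is deleted, and the lead-in context still only speaks of an environment variable for "the location of the certs". Keep a short sentence saying that `CTLOG_FILE` is required by the Certificate Transparency tests and that `test/recipes/80-test_ssl_new.t` is the reference for any further variables, so a reader running a single `.conf` by hand knows which settings are mandatory.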