X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Frecipes%2F80-test_ssl.t;h=84cdf6ce04b3e8b9b084517f90f7ccc934e51709;hp=246994421f302ab8b86c02a624c195483cdd8ffc;hb=6b01bed206156dbcb1ab150f618c8b24c01fb0d0;hpb=fd99c6b599a8ed87b726caaa6d88c6915a60e0f4 diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t index 246994421f..84cdf6ce04 100644 --- a/test/recipes/80-test_ssl.t +++ b/test/recipes/80-test_ssl.t @@ -6,10 +6,18 @@ use warnings; use POSIX; use File::Spec; use File::Copy; -use OpenSSL::Test qw/:DEFAULT with top_file/; +use OpenSSL::Test qw/:DEFAULT with top_file cmdstr/; +use OpenSSL::Test::Utils; setup("test_ssl"); +my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk, + $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, + $no_dtls, $no_dtls1, $no_dtls1_2) = + disabled qw/rsa dsa dh ec srp psk + ssl3 tls1 tls1_1 tls1_2 + dtls dtls1 dtls1_2/; + my $digest = "-sha1"; my @reqcmd = ("openssl", "req"); my @x509cmd = ("openssl", "x509", $digest); @@ -28,6 +36,14 @@ my $Ukey="keyU.ss"; my $Ureq="reqU.ss"; my $Ucert="certU.ss"; +my $Dkey="keyD.ss"; +my $Dreq="reqD.ss"; +my $Dcert="certD.ss"; + +my $Ekey="keyE.ss"; +my $Ereq="reqE.ss"; +my $Ecert="certE.ss"; + my $P1conf=top_file("test","P1ss.cnf"); my $P1key="keyP1.ss"; my $P1req="reqP1.ss"; @@ -43,9 +59,9 @@ my $P2intermediate="tmp_intP2.ss"; plan tests => 1 # For testss + 1 # For ssltest -test_cipherlist - + 8 # For the first testssl - + 8 * 4 * 4 # For the first testsslproxy (16 times testssl) - + 8 * 4 * 4 # For the second testsslproxy (16 times testssl) + + 10 # For the first testssl + + 16 # For the first testsslproxy + + 16 # For the second testsslproxy ; subtest 'test_ss' => sub { @@ -70,10 +86,10 @@ my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest"); testssl("keyU.ss", $Ucert, $CAcert); note('test_ssl -- key P1'); - testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss"); + testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB"); note('test_ssl -- key P2'); - testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss"); + testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC"); } # ----------- @@ -83,58 +99,59 @@ sub testss { print RND "string to make the random number generator think it has entropy"; close RND; + my @req_dsa = ("-newkey", + "dsa:".File::Spec->catfile("..", "apps", "dsa1024.pem"));; my @req_new; - if (run(app(["openssl", "no-rsa"], stdout => undef))) { - @req_new = ("-newkey", - "dsa:".File::Spec->catfile("..", "apps", "dsa512.pem")); + if ($no_rsa) { + @req_new = @req_dsa; } else { @req_new = ("-new"); } - plan tests => 15; + plan tests => 17; SKIP: { - skip 'failure', 14 unless + skip 'failure', 16 unless ok(run(app([@reqcmd, "-config", $CAconf, "-out", $CAreq, "-keyout", $CAkey, @req_new])), 'make cert request'); - skip 'failure', 13 unless + skip 'failure', 15 unless ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", "-req", "-out", $CAcert, "-signkey", $CAkey, "-extfile", $CAconf, "-extensions", "v3_ca"], stdout => "err.ss")), 'convert request into self-signed cert'); - skip 'failure', 12 unless + skip 'failure', 14 unless ok(run(app([@x509cmd, "-in", $CAcert, "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], stdout => "err.ss")), 'convert cert into a cert request'); - skip 'failure', 11 unless + skip 'failure', 13 unless ok(run(app([@reqcmd, "-config", $dummycnf, "-verify", "-in", $CAreq, "-noout"])), 'verify request 1'); - skip 'failure', 10 unless + skip 'failure', 12 unless ok(run(app([@reqcmd, "-config", $dummycnf, "-verify", "-in", $CAreq2, "-noout"])), 'verify request 2'); - skip 'failure', 9 unless + skip 'failure', 11 unless ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), 'verify signature'); - skip 'failure', 8 unless + skip 'failure', 10 unless ok(run(app([@reqcmd, "-config", $Uconf, "-out", $Ureq, "-keyout", $Ukey, @req_new], stdout => "err.ss")), 'make a user cert request'); - skip 'failure', 7 unless + skip 'failure', 9 unless ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", "-req", "-out", $Ucert, "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, @@ -143,12 +160,93 @@ sub testss { && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), 'sign user cert request'); - skip 'failure', 6 unless + skip 'failure', 8 unless ok(run(app([@x509cmd, "-subject", "-issuer", "-startdate", "-enddate", "-noout", "-in", $Ucert])), 'Certificate details'); + skip 'failure', 7 unless + subtest 'DSA certificate creation' => sub { + plan skip_all => "skipping DSA certificate creation" + if $no_dsa; + + plan tests => 4; + + SKIP: { + $ENV{CN2} = "DSA Certificate"; + skip 'failure', 3 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Dreq, "-keyout", $Dkey, + @req_dsa], + stdout => "err.ss")), + "make a DSA user cert request"); + skip 'failure', 2 unless + ok(run(app([@x509cmd, "-CAcreateserial", + "-in", $Dreq, + "-days", "30", + "-req", + "-out", $Dcert, + "-CA", $CAcert, "-CAkey", $CAkey, + "-CAserial", $CAserial, + "-extfile", $Uconf, + "-extensions", "v3_ee_dsa"], + stdout => "err.ss")), + "sign DSA user cert request"); + skip 'failure', 1 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), + "verify DSA user cert"); + skip 'failure', 0 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", + "-startdate", "-enddate", "-noout", + "-in", $Dcert])), + "DSA Certificate details"); + } + }; + + skip 'failure', 6 unless + subtest 'ECDSA/ECDH certificate creation' => sub { + plan skip_all => "skipping ECDSA/ECDH certificate creation" + if $no_ec; + + plan tests => 5; + + SKIP: { + $ENV{CN2} = "ECDSA Certificate"; + skip 'failure', 4 unless + ok(run(app(["openssl", "ecparam", "-name", "P-256", + "-out", "ecp.ss"])), + "make EC parameters"); + skip 'failure', 3 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Ereq, "-keyout", $Ekey, + "-newkey", "ec:ecp.ss"], + stdout => "err.ss")), + "make a ECDSA/ECDH user cert request"); + skip 'failure', 2 unless + ok(run(app([@x509cmd, "-CAcreateserial", + "-in", $Ereq, + "-days", "30", + "-req", + "-out", $Ecert, + "-CA", $CAcert, "-CAkey", $CAkey, + "-CAserial", $CAserial, + "-extfile", $Uconf, + "-extensions", "v3_ee_ec"], + stdout => "err.ss")), + "sign ECDSA/ECDH user cert request"); + skip 'failure', 1 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), + "verify ECDSA/ECDH user cert"); + skip 'failure', 0 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", + "-startdate", "-enddate", "-noout", + "-in", $Ecert])), + "ECDSA Certificate details"); + } + }; skip 'failure', 5 unless ok(run(app([@reqcmd, "-config", $P1conf, @@ -210,7 +308,7 @@ sub testssl { my @extra = @_; my @ssltest = ("ssltest", - "-key", $key, "-cert", $cert, + "-s_key", $key, "-s_cert", $cert, "-c_key", $key, "-c_cert", $cert); my $serverinfo = top_file("test","serverinfo.pem"); @@ -222,7 +320,7 @@ sub testssl { } - # plan tests => 7; + # plan tests => 10; subtest 'standard SSL tests' => sub { ###################################################################### @@ -292,42 +390,57 @@ sub testssl { subtest "Testing ciphersuites" => sub { - my $no_dh = run(app(["openssl", "no-dhparam"], stdout => undef)); - my $no_ec = run(app(["openssl", "no-ec"], stdout => undef)); - - my @protocols = ("TLSv1.2", "SSLv3"); + my @exkeys = (); + my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe"; + + if ($no_dh) { + note "skipping DHE tests\n"; + $ciphers .= ":-kDHE"; + } + if ($no_dsa) { + note "skipping DSA tests\n"; + $ciphers .= ":-aDSA"; + } else { + push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; + } + + if ($no_ec) { + note "skipping EC tests\n"; + $ciphers .= ":!aECDSA:!kECDH"; + } else { + push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; + } + + my @protocols = (); + push(@protocols, "TLSv1.2") unless $no_tls1_2; + push(@protocols, "SSLv3") unless $no_ssl3; my $protocolciphersuitcount = 0; my %ciphersuites = map { my @c = map { split(/:/, $_) } - map { run(app(["openssl", - "ciphers", "$_"]), - capture => 1); - } - ( "RSA+$_", - $no_dh ? () : "EDH+aRSA+$_:-EXP", - $no_ec ? () : "EECDH+aRSA+$_:-EXP" ); - chomp @c; + run(app(["openssl", "ciphers", "${_}:$ciphers"]), + capture => 1); + map { s/\R//; } @c; # chomp @c; $protocolciphersuitcount += scalar @c; $_ => [ @c ] } @protocols; - plan tests => $protocolciphersuitcount + ($no_dh ? 0 : 2); + # The count of protocols is because in addition to the ciphersuits + # we got above, we're running a weak DH test for each protocol + plan tests => $protocolciphersuitcount + scalar(@protocols); foreach my $protocol (@protocols) { note "Testing ciphersuites for $protocol"; foreach my $cipher (@{$ciphersuites{$protocol}}) { - ok(run(test([@ssltest, "-cipher", $cipher, + ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, $protocol eq "SSLv3" ? ("-ssl3") : ()])), "Testing $cipher"); } - if (!$no_dh) { - is(run(test([@ssltest, - "-s_cipher", "EDH", - "-c_cipher", 'EDH:@SECLEVEL=1', - "-dhe512", - $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0, - "testing connection with weak DH, expecting failure"); - } + is(run(test([@ssltest, + "-s_cipher", "EDH", + "-c_cipher", 'EDH:@SECLEVEL=1', + "-dhe512", + $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0, + "testing connection with weak DH, expecting failure"); } }; @@ -339,7 +452,7 @@ sub testssl { { SKIP: { skip "skipping anonymous DH tests", 1 - if (run(app(["openssl", "no-dhparam"], stdout => undef))); + if ($no_dh); ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); @@ -349,23 +462,31 @@ sub testssl { { SKIP: { skip "skipping RSA tests", 2 - if (run(app(["openssl", "no-rsa"], stdout => undef))); + if $no_rsa; - ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])), + ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])), 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); skip "skipping RSA+DHE tests", 1 - if (run(app(["openssl", "no-dhparam"], stdout => undef))); + if $no_dh; - ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), + ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); } } - ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), - 'test tls1 with PSK'); + { + SKIP: { + skip "skipping PSK tests", 2 + if ($no_psk); + + ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), + 'test tls1 with PSK'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), + 'test tls1 with PSK via BIO pair'); + } + } - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), - 'test tls1 with PSK via BIO pair'); }; subtest 'Next Protocol Negotiation Tests' => sub { @@ -421,7 +542,7 @@ sub testssl { { SKIP: { skip "skipping SRP tests", 4 - if run(app(["openssl", "no-srp"], stdout => undef)); + if $no_srp; ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])), 'test tls1 with SRP'); @@ -452,24 +573,167 @@ sub testssl { } } }; + + subtest 'TLS Version min/max tests' => sub { + my @protos; + push(@protos, "ssl3") unless $no_ssl3; + push(@protos, "tls1") unless $no_tls1; + push(@protos, "tls1.1") unless $no_tls1_1; + push(@protos, "tls1.2") unless $no_tls1_2; + my @minprotos = (undef, @protos); + my @maxprotos = (@protos, undef); + my @shdprotos = (@protos, $protos[$#protos]); + my $n = ((@protos+2) * (@protos+3))/2 - 2; + my $ntests = $n * $n; + plan tests => $ntests; + skip "TLS disabled", 1 if $ntests == 1; + + my $should; + for (my $smin = 0; $smin < @minprotos; ++$smin) { + for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) { + for (my $cmin = 0; $cmin < @minprotos; ++$cmin) { + for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) { + if ($cmax < $smin-1) { + $should = "fail-server"; + } elsif ($smax < $cmin-1) { + $should = "fail-client"; + } elsif ($cmax > $smax) { + $should = $shdprotos[$smax]; + } else { + $should = $shdprotos[$cmax]; + } + + my @args = @ssltest; + push(@args, "-should_negotiate", $should); + push(@args, "-server_min_proto", $minprotos[$smin]) + if (defined($minprotos[$smin])); + push(@args, "-server_max_proto", $maxprotos[$smax]) + if (defined($maxprotos[$smax])); + push(@args, "-client_min_proto", $minprotos[$cmin]) + if (defined($minprotos[$cmin])); + push(@args, "-client_max_proto", $maxprotos[$cmax]) + if (defined($maxprotos[$cmax])); + my $ok = run(test[@args]); + if (! $ok) { + print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n"; + print STDERR "\nFailed: @args\n"; + } + ok($ok); + }}}} + }; + + subtest 'DTLS Version min/max tests' => sub { + my @protos; + push(@protos, "dtls1") unless ($no_dtls1 || $no_dtls); + push(@protos, "dtls1.2") unless ($no_dtls1_2 || $no_dtls); + my @minprotos = (undef, @protos); + my @maxprotos = (@protos, undef); + my @shdprotos = (@protos, $protos[$#protos]); + my $n = ((@protos+2) * (@protos+3))/2 - 2; + my $ntests = $n * $n; + plan tests => $ntests; + skip "DTLS disabled", 1 if $ntests == 1; + + my $should; + for (my $smin = 0; $smin < @minprotos; ++$smin) { + for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) { + for (my $cmin = 0; $cmin < @minprotos; ++$cmin) { + for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) { + if ($cmax < $smin-1) { + $should = "fail-server"; + } elsif ($smax < $cmin-1) { + $should = "fail-client"; + } elsif ($cmax > $smax) { + $should = $shdprotos[$smax]; + } else { + $should = $shdprotos[$cmax]; + } + + my @args = (@ssltest, "-dtls"); + push(@args, "-should_negotiate", $should); + push(@args, "-server_min_proto", $minprotos[$smin]) + if (defined($minprotos[$smin])); + push(@args, "-server_max_proto", $maxprotos[$smax]) + if (defined($maxprotos[$smax])); + push(@args, "-client_min_proto", $minprotos[$cmin]) + if (defined($minprotos[$cmin])); + push(@args, "-client_max_proto", $maxprotos[$cmax]) + if (defined($maxprotos[$cmax])); + my $ok = run(test[@args]); + if (! $ok) { + print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n"; + print STDERR "\nFailed: @args\n"; + } + ok($ok); + }}}} + }; } sub testsslproxy { - my ($a1, $a2, $a3, @rest) = @_; + my $key = shift || top_file("apps","server.pem"); + my $cert = shift || top_file("apps","server.pem"); + my $CAtmp = shift; + my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs")); + my @extra = @_; + + my @ssltest = ("ssltest", + "-s_key", $key, "-s_cert", $cert, + "-c_key", $key, "-c_cert", $cert); # plan tests => 16; note('Testing a lot of proxy conditions.'); - note('Some of them may turn out being invalid, which is fine.'); - foreach my $auth (('A', 'B', 'C', 'BC')) { - foreach my $cond (('A', 'B', 'C', 'A|B&!C')) { - # Exit code 3 is when ssltest couldn't parse the condition - with({ exit_checker => sub { return shift == 3 ? 0 : 1; } }, - sub { - testssl($a1, $a2, $a3, - "-proxy", "-proxy_auth", $auth, - "-proxy_cond", $cond); - }); - } + + # We happen to know that certP1.ss has policy letters "AB" and + # certP2.ss has policy letters "BC". However, because certP2.ss + # has certP1.ss as issuer, when it's used, both their policy + # letters get combined into just "B". + # The policy letter(s) then get filtered with the given auth letter + # in the table below, and the result gets tested with the given + # condition. For details, read ssltest.c + # + # certfilename => [ [ auth, cond, expected result ] ... ] + my %expected = ( "certP1.ss" => [ [ [ 'A', 'A' ], 1 ], + [ [ 'A', 'B' ], 0 ], + [ [ 'A', 'C' ], 0 ], + [ [ 'A', 'A|B&!C' ], 1 ], + [ [ 'B', 'A' ], 0 ], + [ [ 'B', 'B' ], 1 ], + [ [ 'B', 'C' ], 0 ], + [ [ 'B', 'A|B&!C' ], 1 ], + [ [ 'C', 'A' ], 0 ], + [ [ 'C', 'B' ], 0 ], + [ [ 'C', 'C' ], 0 ], + [ [ 'C', 'A|B&!C' ], 0 ], + [ [ 'BC', 'A' ], 0 ], + [ [ 'BC', 'B' ], 1 ], + [ [ 'BC', 'C' ], 0 ], + [ [ 'BC', 'A|B&!C' ], 1 ] ], + "certP2.ss" => [ [ [ 'A', 'A' ], 0 ], + [ [ 'A', 'B' ], 0 ], + [ [ 'A', 'C' ], 0 ], + [ [ 'A', 'A|B&!C' ], 0 ], + [ [ 'B', 'A' ], 0 ], + [ [ 'B', 'B' ], 1 ], + [ [ 'B', 'C' ], 0 ], + [ [ 'B', 'A|B&!C' ], 1 ], + [ [ 'C', 'A' ], 0 ], + [ [ 'C', 'B' ], 0 ], + [ [ 'C', 'C' ], 0 ], + [ [ 'C', 'A|B&!C' ], 0 ], + [ [ 'BC', 'A' ], 0 ], + [ [ 'BC', 'B' ], 1 ], + [ [ 'BC', 'C' ], 0 ], + [ [ 'BC', 'A|B&!C' ], 1 ] ] ); + + foreach (@{$expected{$cert}}) { + my $auth = $_->[0]->[0]; + my $cond = $_->[0]->[1]; + my $res = $_->[1]; + is(run(test([@ssltest, "-server_auth", @CA, + "-proxy", "-proxy_auth", $auth, + "-proxy_cond", $cond])), $res, + "test tlsv1, server auth, proxy auth $auth and cond $cond (expect " + .($res ? "success" : "failure").")"); } }