Halaman utama Jelajahi Bantuan
Masuk
OWEALs
/
openssl
cermin dari git://git.openssl.org/openssl.git
2
0
Fork 0
Berkas Masalah 1 Wiki
Pohon: 1f76076095
Ranting Tag
openssl
/
test
/
recipes
/
80-test_ssl_old.t

80-test_ssl_old.t 19 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. 

  10. use strict;
    11. 

  11. use warnings;
    12. 

  12. 

  13. use POSIX;
    14. 

  14. use File::Basename;
    15. 

  15. use File::Copy;
    16. 

  16. use OpenSSL::Test qw/:DEFAULT with bldtop_file srctop_file cmdstr/;
    17. 

  17. use OpenSSL::Test::Utils;
    18. 

  18. 

  19. setup("test_ssl");
    20. 

  20. 

  21. $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
    22. 

  22. 

  23. my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
    24. 

  24.     $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3,
    25. 

  25.     $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
    26. 

  26.     anydisabled qw/rsa dsa dh ec psk
    27. 

  27.                    ssl3 tls1 tls1_1 tls1_2 tls1_3
    28. 

  28.                    dtls dtls1 dtls1_2 ct/;
    29. 

  29. my $no_anytls = alldisabled(available_protocols("tls"));
    30. 

  30. my $no_anydtls = alldisabled(available_protocols("dtls"));
    31. 

  31. 

  32. plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build"
    33. 

  33.     if $no_anytls && $no_anydtls;
    34. 

  34. 

  35. my $digest = "-sha1";
    36. 

  36. my @reqcmd = ("openssl", "req");
    37. 

  37. my @x509cmd = ("openssl", "x509", $digest);
    38. 

  38. my @verifycmd = ("openssl", "verify");
    39. 

  39. my @gendsacmd = ("openssl", "gendsa");
    40. 

  40. my $dummycnf = srctop_file("apps", "openssl.cnf");
    41. 

  41. 

  42. my $CAkey = "keyCA.ss";
    43. 

  43. my $CAcert="certCA.ss";
    44. 

  44. my $CAserial="certCA.srl";
    45. 

  45. my $CAreq="reqCA.ss";
    46. 

  46. my $CAconf=srctop_file("test","CAss.cnf");
    47. 

  47. my $CAreq2="req2CA.ss";	# temp
    48. 

  48. 

  49. my $Uconf=srctop_file("test","Uss.cnf");
    50. 

  50. my $Ukey="keyU.ss";
    51. 

  51. my $Ureq="reqU.ss";
    52. 

  52. my $Ucert="certU.ss";
    53. 

  53. 

  54. my $Dkey="keyD.ss";
    55. 

  55. my $Dreq="reqD.ss";
    56. 

  56. my $Dcert="certD.ss";
    57. 

  57. 

  58. my $Ekey="keyE.ss";
    59. 

  59. my $Ereq="reqE.ss";
    60. 

  60. my $Ecert="certE.ss";
    61. 

  61. 

  62. my $P1conf=srctop_file("test","P1ss.cnf");
    63. 

  63. my $P1key="keyP1.ss";
    64. 

  64. my $P1req="reqP1.ss";
    65. 

  65. my $P1cert="certP1.ss";
    66. 

  66. my $P1intermediate="tmp_intP1.ss";
    67. 

  67. 

  68. my $P2conf=srctop_file("test","P2ss.cnf");
    69. 

  69. my $P2key="keyP2.ss";
    70. 

  70. my $P2req="reqP2.ss";
    71. 

  71. my $P2cert="certP2.ss";
    72. 

  72. my $P2intermediate="tmp_intP2.ss";
    73. 

  73. 

  74. my $server_sess="server.ss";
    75. 

  75. my $client_sess="client.ss";
    76. 

  76. 

  77. # ssltest_old.c is deprecated in favour of the new framework in ssl_test.c
    78. 

  78. # If you're adding tests here, you probably want to convert them to the
    79. 

  79. # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
    80. 

  80. plan tests =>
    81. 

  81.     1				# For testss
    82. 

  82.     +5  			# For the first testssl
    83. 

  83.     ;
    84. 

  84. 

  85. subtest 'test_ss' => sub {
    86. 

  86.     if (testss()) {
    87. 

  87. 	open OUT, ">", "intP1.ss";
    88. 

  88. 	copy($CAcert, \*OUT); copy($Ucert, \*OUT);
    89. 

  89. 	close OUT;
    90. 

  90. 

  91. 	open OUT, ">", "intP2.ss";
    92. 

  92. 	copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
    93. 

  93. 	close OUT;
    94. 

  94.     }
    95. 

  95. };
    96. 

  96. 

  97. note('test_ssl -- key U');
    98. 

  98. testssl("keyU.ss", $Ucert, $CAcert);
    99. 

  99. 

  100. # -----------
    101. 

  101. # subtest functions
    102. 

  102. sub testss {
    103. 

  103.     open RND, ">>", ".rnd";
    104. 

  104.     print RND "string to make the random number generator think it has randomness";
    105. 

  105.     close RND;
    106. 

  106. 

  107.     my @req_dsa = ("-newkey",
    108. 

  108.                    "dsa:".srctop_file("apps", "dsa1024.pem"));
    109. 

  109.     my $dsaparams = srctop_file("apps", "dsa1024.pem");
    110. 

  110.     my @req_new;
    111. 

  111.     if ($no_rsa) {
    112. 

  112. 	@req_new = @req_dsa;
    113. 

  113.     } else {
    114. 

  114. 	@req_new = ("-new");
    115. 

  115.     }
    116. 

  116. 

  117.     plan tests => 17;
    118. 

  118. 

  119.   SKIP: {
    120. 

  120.       skip 'failure', 16 unless
    121. 

  121. 	  ok(run(app([@reqcmd, "-config", $CAconf,
    122. 

  122. 		      "-out", $CAreq, "-keyout", $CAkey,
    123. 

  123. 		      @req_new])),
    124. 

  124. 	     'make cert request');
    125. 

  125. 

  126.       skip 'failure', 15 unless
    127. 

  127. 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
    128. 

  128. 		      "-req", "-out", $CAcert, "-signkey", $CAkey,
    129. 

  129. 		      "-extfile", $CAconf, "-extensions", "v3_ca"],
    130. 

  130. 		     stdout => "err.ss")),
    131. 

  131. 	     'convert request into self-signed cert');
    132. 

  132. 

  133.       skip 'failure', 14 unless
    134. 

  134. 	  ok(run(app([@x509cmd, "-in", $CAcert,
    135. 

  135. 		      "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
    136. 

  136. 		     stdout => "err.ss")),
    137. 

  137. 	     'convert cert into a cert request');
    138. 

  138. 

  139.       skip 'failure', 13 unless
    140. 

  140. 	  ok(run(app([@reqcmd, "-config", $dummycnf,
    141. 

  141. 		      "-verify", "-in", $CAreq, "-noout"])),
    142. 

  142. 	     'verify request 1');
    143. 

  143. 

  144. 

  145.       skip 'failure', 12 unless
    146. 

  146. 	  ok(run(app([@reqcmd, "-config", $dummycnf,
    147. 

  147. 		      "-verify", "-in", $CAreq2, "-noout"])),
    148. 

  148. 	     'verify request 2');
    149. 

  149. 

  150.       skip 'failure', 11 unless
    151. 

  151. 	  ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
    152. 

  152. 	     'verify signature');
    153. 

  153. 

  154.       skip 'failure', 10 unless
    155. 

  155. 	  ok(run(app([@reqcmd, "-config", $Uconf,
    156. 

  156. 		      "-out", $Ureq, "-keyout", $Ukey, @req_new],
    157. 

  157. 		     stdout => "err.ss")),
    158. 

  158. 	     'make a user cert request');
    159. 

  159. 

  160.       skip 'failure', 9 unless
    161. 

  161. 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
    162. 

  162. 		      "-req", "-out", $Ucert,
    163. 

  163. 		      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
    164. 

  164. 		      "-extfile", $Uconf, "-extensions", "v3_ee"],
    165. 

  165. 		     stdout => "err.ss"))
    166. 

  166. 	     && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
    167. 

  167. 	     'sign user cert request');
    168. 

  168. 

  169.       skip 'failure', 8 unless
    170. 

  170. 	  ok(run(app([@x509cmd,
    171. 

  171. 		      "-subject", "-issuer", "-startdate", "-enddate",
    172. 

  172. 		      "-noout", "-in", $Ucert])),
    173. 

  173. 	     'Certificate details');
    174. 

  174. 

  175.       skip 'failure', 7 unless
    176. 

  176.           subtest 'DSA certificate creation' => sub {
    177. 

  177.               plan skip_all => "skipping DSA certificate creation"
    178. 

  178.                   if $no_dsa;
    179. 

  179. 

  180.               plan tests => 5;
    181. 

  181. 

  182.             SKIP: {
    183. 

  183.                 $ENV{CN2} = "DSA Certificate";
    184. 

  184.                 skip 'failure', 4 unless
    185. 

  185.                     ok(run(app([@gendsacmd, "-out", $Dkey,
    186. 

  186.                                 $dsaparams],
    187. 

  187.                                stdout => "err.ss")),
    188. 

  188.                        "make a DSA key");
    189. 

  189.                 skip 'failure', 3 unless
    190. 

  190.                     ok(run(app([@reqcmd, "-new", "-config", $Uconf,
    191. 

  191.                                 "-out", $Dreq, "-key", $Dkey],
    192. 

  192.                                stdout => "err.ss")),
    193. 

  193.                        "make a DSA user cert request");
    194. 

  194.                 skip 'failure', 2 unless
    195. 

  195.                     ok(run(app([@x509cmd, "-CAcreateserial",
    196. 

  196.                                 "-in", $Dreq,
    197. 

  197.                                 "-days", "30",
    198. 

  198.                                 "-req",
    199. 

  199.                                 "-out", $Dcert,
    200. 

  200.                                 "-CA", $CAcert, "-CAkey", $CAkey,
    201. 

  201.                                 "-CAserial", $CAserial,
    202. 

  202.                                 "-extfile", $Uconf,
    203. 

  203.                                 "-extensions", "v3_ee_dsa"],
    204. 

  204.                                stdout => "err.ss")),
    205. 

  205.                        "sign DSA user cert request");
    206. 

  206.                 skip 'failure', 1 unless
    207. 

  207.                     ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])),
    208. 

  208.                        "verify DSA user cert");
    209. 

  209.                 skip 'failure', 0 unless
    210. 

  210.                     ok(run(app([@x509cmd,
    211. 

  211.                                 "-subject", "-issuer",
    212. 

  212.                                 "-startdate", "-enddate", "-noout",
    213. 

  213.                                 "-in", $Dcert])),
    214. 

  214.                        "DSA Certificate details");
    215. 

  215.               }
    216. 

  216.       };
    217. 

  217. 

  218.       skip 'failure', 6 unless
    219. 

  219.           subtest 'ECDSA/ECDH certificate creation' => sub {
    220. 

  220.               plan skip_all => "skipping ECDSA/ECDH certificate creation"
    221. 

  221.                   if $no_ec;
    222. 

  222. 

  223.               plan tests => 5;
    224. 

  224. 

  225.             SKIP: {
    226. 

  226.                 $ENV{CN2} = "ECDSA Certificate";
    227. 

  227.                 skip 'failure', 4 unless
    228. 

  228.                     ok(run(app(["openssl", "ecparam", "-name", "P-256",
    229. 

  229.                                 "-out", "ecp.ss"])),
    230. 

  230.                        "make EC parameters");
    231. 

  231.                 skip 'failure', 3 unless
    232. 

  232.                     ok(run(app([@reqcmd, "-config", $Uconf,
    233. 

  233.                                 "-out", $Ereq, "-keyout", $Ekey,
    234. 

  234.                                 "-newkey", "ec:ecp.ss"],
    235. 

  235.                                stdout => "err.ss")),
    236. 

  236.                        "make a ECDSA/ECDH user cert request");
    237. 

  237.                 skip 'failure', 2 unless
    238. 

  238.                     ok(run(app([@x509cmd, "-CAcreateserial",
    239. 

  239.                                 "-in", $Ereq,
    240. 

  240.                                 "-days", "30",
    241. 

  241.                                 "-req",
    242. 

  242.                                 "-out", $Ecert,
    243. 

  243.                                 "-CA", $CAcert, "-CAkey", $CAkey,
    244. 

  244.                                 "-CAserial", $CAserial,
    245. 

  245.                                 "-extfile", $Uconf,
    246. 

  246.                                 "-extensions", "v3_ee_ec"],
    247. 

  247.                                stdout => "err.ss")),
    248. 

  248.                        "sign ECDSA/ECDH user cert request");
    249. 

  249.                 skip 'failure', 1 unless
    250. 

  250.                     ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])),
    251. 

  251.                        "verify ECDSA/ECDH user cert");
    252. 

  252.                 skip 'failure', 0 unless
    253. 

  253.                     ok(run(app([@x509cmd,
    254. 

  254.                                 "-subject", "-issuer",
    255. 

  255.                                 "-startdate", "-enddate", "-noout",
    256. 

  256.                                 "-in", $Ecert])),
    257. 

  257.                        "ECDSA Certificate details");
    258. 

  258.               }
    259. 

  259.       };
    260. 

  260. 

  261.       skip 'failure', 5 unless
    262. 

  262. 	  ok(run(app([@reqcmd, "-config", $P1conf,
    263. 

  263. 		      "-out", $P1req, "-keyout", $P1key, @req_new],
    264. 

  264. 		     stdout => "err.ss")),
    265. 

  265. 	     'make a proxy cert request');
    266. 

  266. 

  267. 

  268.       skip 'failure', 4 unless
    269. 

  269. 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
    270. 

  270. 		      "-req", "-out", $P1cert,
    271. 

  271. 		      "-CA", $Ucert, "-CAkey", $Ukey,
    272. 

  272. 		      "-extfile", $P1conf, "-extensions", "v3_proxy"],
    273. 

  273. 		     stdout => "err.ss")),
    274. 

  274. 	     'sign proxy with user cert');
    275. 

  275. 

  276.       copy($Ucert, $P1intermediate);
    277. 

  277.       run(app([@verifycmd, "-CAfile", $CAcert,
    278. 

  278. 	       "-untrusted", $P1intermediate, $P1cert]));
    279. 

  279.       ok(run(app([@x509cmd,
    280. 

  280. 		  "-subject", "-issuer", "-startdate", "-enddate",
    281. 

  281. 		  "-noout", "-in", $P1cert])),
    282. 

  282. 	 'Certificate details');
    283. 

  283. 

  284.       skip 'failure', 2 unless
    285. 

  285. 	  ok(run(app([@reqcmd, "-config", $P2conf,
    286. 

  286. 		      "-out", $P2req, "-keyout", $P2key,
    287. 

  287. 		      @req_new],
    288. 

  288. 		     stdout => "err.ss")),
    289. 

  289. 	     'make another proxy cert request');
    290. 

  290. 

  291. 

  292.       skip 'failure', 1 unless
    293. 

  293. 	  ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
    294. 

  294. 		      "-req", "-out", $P2cert,
    295. 

  295. 		      "-CA", $P1cert, "-CAkey", $P1key,
    296. 

  296. 		      "-extfile", $P2conf, "-extensions", "v3_proxy"],
    297. 

  297. 		     stdout => "err.ss")),
    298. 

  298. 	     'sign second proxy cert request with the first proxy cert');
    299. 

  299. 

  300. 

  301.       open OUT, ">", $P2intermediate;
    302. 

  302.       copy($Ucert, \*OUT); copy($P1cert, \*OUT);
    303. 

  303.       close OUT;
    304. 

  304.       run(app([@verifycmd, "-CAfile", $CAcert,
    305. 

  305. 	       "-untrusted", $P2intermediate, $P2cert]));
    306. 

  306.       ok(run(app([@x509cmd,
    307. 

  307. 		  "-subject", "-issuer", "-startdate", "-enddate",
    308. 

  308. 		  "-noout", "-in", $P2cert])),
    309. 

  309. 	 'Certificate details');
    310. 

  310.     }
    311. 

  311. }
    312. 

  312. 

  313. sub testssl {
    314. 

  314.     my ($key, $cert, $CAtmp) = @_;
    315. 

  315.     my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
    316. 

  316. 

  317.     my @ssltest = ("ssltest_old",
    318. 

  318. 		   "-s_key", $key, "-s_cert", $cert,
    319. 

  319. 		   "-c_key", $key, "-c_cert", $cert);
    320. 

  320. 

  321.     my $serverinfo = srctop_file("test","serverinfo.pem");
    322. 

  322. 

  323.     my $dsa_cert = 0;
    324. 

  324.     if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
    325. 

  325. 					"-text", "-noout"]), capture => 1)) {
    326. 

  326. 	$dsa_cert = 1;
    327. 

  327.     }
    328. 

  328. 

  329. 

  330.     # plan tests => 11;
    331. 

  331. 

  332.     subtest 'standard SSL tests' => sub {
    333. 

  333. 	######################################################################
    334. 

  334.       plan tests => 13;
    335. 

  335. 

  336.       SKIP: {
    337. 

  337. 	  skip "SSLv3 is not supported by this OpenSSL build", 4
    338. 

  338. 	      if disabled("ssl3");
    339. 

  339. 

  340. 	  ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
    341. 

  341. 	     'test sslv3 via BIO pair');
    342. 

  342. 	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
    343. 

  343. 	     'test sslv3 with server authentication via BIO pair');
    344. 

  344. 	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
    345. 

  345. 	     'test sslv3 with client authentication via BIO pair');
    346. 

  346. 	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
    347. 

  347. 	     'test sslv3 with both server and client authentication via BIO pair');
    348. 

  348. 	}
    349. 

  349. 

  350.       SKIP: {
    351. 

  351. 	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
    352. 

  352. 	      if $no_anytls;
    353. 

  353. 

  354. 	  ok(run(test([@ssltest, "-bio_pair"])),
    355. 

  355. 	     'test sslv2/sslv3 via BIO pair');
    356. 

  356. 	}
    357. 

  357. 

  358.       SKIP: {
    359. 

  359. 	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
    360. 

  360. 	      if $no_anytls;
    361. 

  361. 

  362. 	SKIP: {
    363. 

  363. 	    skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
    364. 

  364. 

  365. 	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
    366. 

  366. 	       'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
    367. 

  367. 	  }
    368. 

  368. 

  369. 	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
    370. 

  370. 	     'test sslv2/sslv3 with 1024bit DHE via BIO pair');
    371. 

  371. 	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
    372. 

  372. 	     'test sslv2/sslv3 with server authentication');
    373. 

  373. 	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
    374. 

  374. 	     'test sslv2/sslv3 with client authentication via BIO pair');
    375. 

  375. 	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
    376. 

  376. 	     'test sslv2/sslv3 with both client and server authentication via BIO pair');
    377. 

  377. 	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
    378. 

  378. 	     'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
    379. 

  379. 

  380.         SKIP: {
    381. 

  381.             skip "No IPv4 available on this machine", 1
    382. 

  382.                 unless !disabled("sock") && have_IPv4();
    383. 

  383.             ok(run(test([@ssltest, "-ipv4"])),
    384. 

  384.                'test TLS via IPv4');
    385. 

  385.           }
    386. 

  386. 

  387.         SKIP: {
    388. 

  388.             skip "No IPv6 available on this machine", 1
    389. 

  389.                 unless !disabled("sock") && have_IPv6();
    390. 

  390.             ok(run(test([@ssltest, "-ipv6"])),
    391. 

  391.                'test TLS via IPv6');
    392. 

  392.           }
    393. 

  393.         }
    394. 

  394.     };
    395. 

  395. 

  396.     subtest "Testing ciphersuites" => sub {
    397. 

  397. 

  398.         my @exkeys = ();
    399. 

  399.         my $ciphers = "-PSK:-SRP";
    400. 

  400. 

  401.         if (!$no_dsa) {
    402. 

  402.             push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
    403. 

  403.         }
    404. 

  404. 

  405.         if (!$no_ec) {
    406. 

  406.             push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
    407. 

  407.         }
    408. 

  408. 

  409. 	my @protocols = ();
    410. 

  410. 	# We only use the flags that ssltest_old understands
    411. 

  411. 	push @protocols, "-tls1_3" unless $no_tls1_3;
    412. 

  412. 	push @protocols, "-tls1_2" unless $no_tls1_2;
    413. 

  413. 	push @protocols, "-tls1" unless $no_tls1;
    414. 

  414. 	push @protocols, "-ssl3" unless $no_ssl3;
    415. 

  415. 	my $protocolciphersuitecount = 0;
    416. 

  416. 	my %ciphersuites = ();
    417. 

  417. 	my %ciphersstatus = ();
    418. 

  418. 	foreach my $protocol (@protocols) {
    419. 

  419. 	    my $ciphersstatus = undef;
    420. 

  420. 	    my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol,
    421. 

  421. 				   "ALL:$ciphers"]),
    422. 

  422. 			      capture => 1, statusvar => \$ciphersstatus);
    423. 

  423. 	    $ciphersstatus{$protocol} = $ciphersstatus;
    424. 

  424. 	    if ($ciphersstatus) {
    425. 

  425. 		$ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) }
    426. 

  426. 					     @ciphers ];
    427. 

  427. 		$protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
    428. 

  428. 	    }
    429. 

  429. 	}
    430. 

  430. 

  431.         plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
    432. 

  432.             if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0;
    433. 

  433. 

  434.         # The count of protocols is because in addition to the ciphersuites
    435. 

  435.         # we got above, we're running a weak DH test for each protocol (except
    436. 

  436.         # TLSv1.3)
    437. 

  437.         my $testcount = scalar(@protocols) + $protocolciphersuitecount
    438. 

  438.                         + scalar(keys %ciphersuites);
    439. 

  439.         $testcount-- unless $no_tls1_3;
    440. 

  440.         plan tests => $testcount;
    441. 

  441. 

  442.         foreach my $protocol (@protocols) {
    443. 

  443.             ok($ciphersstatus{$protocol}, "Getting ciphers for $protocol");
    444. 

  444.         }
    445. 

  445. 

  446.         foreach my $protocol (sort keys %ciphersuites) {
    447. 

  447.             note "Testing ciphersuites for $protocol";
    448. 

  448.             # ssltest_old doesn't know -tls1_3, but that's fine, since that's
    449. 

  449.             # the default choice if TLSv1.3 enabled
    450. 

  450.             my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
    451. 

  451.             my $ciphersuites = "";
    452. 

  452.             foreach my $cipher (@{$ciphersuites{$protocol}}) {
    453. 

  453.                 if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
    454. 

  454.                     note "*****SKIPPING $protocol $cipher";
    455. 

  455.                     ok(1);
    456. 

  456.                 } else {
    457. 

  457.                     if ($protocol eq "-tls1_3") {
    458. 

  458.                         $ciphersuites = $cipher;
    459. 

  459.                         $cipher = "";
    460. 

  460.                     }
    461. 

  461.                     ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
    462. 

  462.                                  "-ciphersuites", $ciphersuites, $flag || ()])),
    463. 

  463.                        "Testing $cipher");
    464. 

  464.                 }
    465. 

  465.             }
    466. 

  466.             next if $protocol eq "-tls1_3";
    467. 

  467.             is(run(test([@ssltest,
    468. 

  468.                          "-s_cipher", "EDH",
    469. 

  469.                          "-c_cipher", 'EDH:@SECLEVEL=1',
    470. 

  470.                          "-dhe512",
    471. 

  471.                          $protocol])), 0,
    472. 

  472.                "testing connection with weak DH, expecting failure");
    473. 

  473.         }
    474. 

  474.     };
    475. 

  475. 

  476.     subtest 'RSA/(EC)DHE/PSK tests' => sub {
    477. 

  477. 	######################################################################
    478. 

  478. 

  479. 	plan tests => 5;
    480. 

  480. 

  481.       SKIP: {
    482. 

  482. 	  skip "TLSv1.0 is not supported by this OpenSSL build", 5
    483. 

  483. 	      if $no_tls1;
    484. 

  484. 

  485. 	SKIP: {
    486. 

  486. 	    skip "skipping anonymous DH tests", 1
    487. 

  487. 	      if ($no_dh);
    488. 

  488. 

  489. 	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
    490. 

  490. 	       'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
    491. 

  491. 	  }
    492. 

  492. 

  493. 	SKIP: {
    494. 

  494. 	    skip "skipping RSA tests", 2
    495. 

  495. 		if $no_rsa;
    496. 

  496. 

  497. 	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
    498. 

  498. 	       'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
    499. 

  499. 

  500. 	    skip "skipping RSA+DHE tests", 1
    501. 

  501. 		if $no_dh;
    502. 

  502. 

  503. 	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
    504. 

  504. 	       'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
    505. 

  505. 	  }
    506. 

  506. 

  507. 	SKIP: {
    508. 

  508. 	    skip "skipping PSK tests", 2
    509. 

  509. 	        if ($no_psk);
    510. 

  510. 

  511. 	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
    512. 

  512. 	       'test tls1 with PSK');
    513. 

  513. 

  514. 	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
    515. 

  515. 	       'test tls1 with PSK via BIO pair');
    516. 

  516. 	  }
    517. 

  517. 	}
    518. 

  518. 

  519.     };
    520. 

  520. 

  521.     subtest 'Custom Extension tests' => sub {
    522. 

  522. 	######################################################################
    523. 

  523. 

  524. 	plan tests => 1;
    525. 

  525. 

  526.       SKIP: {
    527. 

  527. 	  skip "TLSv1.0 is not supported by this OpenSSL build", 1
    528. 

  528. 	      if $no_tls1;
    529. 

  529. 

  530. 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
    531. 

  531. 	     'test tls1 with custom extensions');
    532. 

  532. 	}
    533. 

  533.     };
    534. 

  534. 

  535.     subtest 'Serverinfo tests' => sub {
    536. 

  536. 	######################################################################
    537. 

  537. 

  538. 	plan tests => 5;
    539. 

  539. 

  540.       SKIP: {
    541. 

  541. 	  skip "TLSv1.0 is not supported by this OpenSSL build", 5
    542. 

  542. 	      if $no_tls1;
    543. 

  543. 

  544. 	  note('echo test tls1 with serverinfo');
    545. 

  545. 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
    546. 

  546. 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
    547. 

  547. 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
    548. 

  548. 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
    549. 

  549. 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
    550. 

  550. 	}
    551. 

  551.     };
    552. 

  552. }
    553. 

  553. 

  554. unlink $CAkey;
    555. 

  555. unlink $CAcert;
    556. 

  556. unlink $CAserial;
    557. 

  557. unlink $CAreq;
    558. 

  558. unlink $CAreq2;
    559. 

  559. 

  560. unlink $Ukey;
    561. 

  561. unlink $Ureq;
    562. 

  562. unlink $Ucert;
    563. 

  563. unlink basename($Ucert, '.ss').'.srl';
    564. 

  564. 

  565. unlink $Dkey;
    566. 

  566. unlink $Dreq;
    567. 

  567. unlink $Dcert;
    568. 

  568. 

  569. unlink $Ekey;
    570. 

  570. unlink $Ereq;
    571. 

  571. unlink $Ecert;
    572. 

  572. 

  573. unlink $P1key;
    574. 

  574. unlink $P1req;
    575. 

  575. unlink $P1cert;
    576. 

  576. unlink basename($P1cert, '.ss').'.srl';
    577. 

  577. unlink $P1intermediate;
    578. 

  578. unlink "intP1.ss";
    579. 

  579. 

  580. unlink $P2key;
    581. 

  581. unlink $P2req;
    582. 

  582. unlink $P2cert;
    583. 

  583. unlink $P2intermediate;
    584. 

  584. unlink "intP2.ss";
    585. 

  585. 

  586. unlink "ecp.ss";
    587. 

  587. unlink "err.ss";
    588. 

  588. 

  589. unlink $server_sess;
    590. 

  590. unlink $client_sess;
    591.