#! /usr/bin/env perl
# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# For manually running these tests, set specific environment variables like this:
# CTLOG_FILE=test/ct/log_list.cnf
# TEST_CERTS_DIR=test/certs
# For details on the environment variables needed, see test/README.ssltest.md

14use strict;
15use warnings;
16
17use File::Basename;
18use File::Compare qw/compare_text/;
19use OpenSSL::Glob;
20use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
21use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
22
# Register this recipe with the test framework at compile time (BEGIN), so
# that the srctop_dir()/bldtop_dir() calls in the `use lib` lines below can
# already resolve the source and build trees.
BEGIN { setup("test_ssl_new") }

use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
29
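# FIPS is treated as unavailable when it is compiled out, or when the caller
# opts out with NO_FIPS=1 in the environment.
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
# Whether DSA may be exercised with the FIPS provider.  Starts as "allowed";
# refined below by fips_version_test when FIPS is enabled.
my $dsaallow = '1';

# Tell the generated test configurations where the certificate tree lives.
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");

# Collect the *.cnf.in sources to exercise.  When SSL_TESTS is set it is a
# whitespace-separated list of glob patterns, each resolved under
# test/ssl-tests; otherwise every .cnf.in file in that directory is taken.
my @conf_srcs = ();
if (defined $ENV{SSL_TESTS}) {
    my @conf_list = split(' ', $ENV{SSL_TESTS});
    foreach my $conf_file (@conf_list) {
        push(@conf_srcs, glob(srctop_file("test", "ssl-tests", $conf_file)));
    }
    # A pattern that matches nothing yields a zero-test plan, which Test::More
    # rejects; that is the desired failure for a mistyped SSL_TESTS.
    plan tests => scalar @conf_srcs;
} else {
    @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in"));
    # We hard-code the number of tests to double-check that the globbing above
    # finds all files as expected.
    plan tests => 31;
}
# VMS file names carry a ";version" suffix (and "^" escape characters after
# basename()); strip them so the names match the checked-in files.  Plain
# `for` is used rather than `map` in void context for the in-place edit.
if ($^O eq "VMS") {
    s/;.*// for @conf_srcs;
}
my @conf_files = map { basename($_, ".in") } @conf_srcs;
if ($^O eq "VMS") {
    s/\^// for @conf_files;
}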
51
# With FIPS available, ask fips_version_test whether the FIPS provider is
# older than 3.4.0 and record the verdict in $dsaallow via statusvar
# (presumably 1 when the version check passes, 0 otherwise; the command's
# output is captured rather than printed).
if (!$no_fips) {
    my $provconf = srctop_file("test", "fips-and-base.cnf");
    my @version_check = ("fips_version_test", "-config", $provconf, "<3.4.0");
    run(test(\@version_check), capture => 1, statusvar => \$dsaallow);
}
57
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
#
# "Default TLS" means: SSLv3 off, every TLS version on, and at least one of
# EC or DH available.
my $is_default_tls = (disabled("ssl3")
                      && !disabled("tls1") && !disabled("tls1_1")
                      && !disabled("tls1_2") && !disabled("tls1_3")
                      && (!disabled("ec") || !disabled("dh")));

# "Default DTLS" means both DTLS versions are enabled.
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));

# Protocol availability flags consulted by the tables further down.
my @all_pre_tls1_3 = qw(ssl3 tls1 tls1_1 tls1_2);
my $no_tls = alldisabled(available_protocols("tls"));
# True when TLS is entirely off, or when TLS 1.2 is disabled while 1.3 is on.
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
# A build left with only TLS 1.3 and neither EC nor DH is treated as having
# no usable TLS at all (presumably no key exchange is possible then).
$no_tls = 1 if !$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh");
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));

# Individual compile-time feature switches.
my $no_npn  = disabled("nextprotoneg");
my $no_ct   = disabled("ct");
my $no_ec   = disabled("ec");
my $no_ecx  = disabled("ecx");
my $no_dh   = disabled("dh");
my $no_dsa  = disabled("dsa");
my $no_ec2m = disabled("ec2m");
my $no_ocsp = disabled("ocsp");
82
# Add your test here if the test conf.in generates test cases and/or
# expectations dynamically based on the OpenSSL compile-time config.
# A true value means the generated source is not compared against the
# checked-in test/ssl-tests copy for this build (see the "none" run below).
my %conf_dependent_tests = (
    '02-protocol-version.cnf'       => !$is_default_tls,
    '04-client_auth.cnf'            => !$is_default_tls
                                       || !$is_default_dtls
                                       || !disabled('sctp'),
    '05-sni.cnf'                    => disabled('tls1_1'),
    '07-dtls-protocol-version.cnf'  => !$is_default_dtls || !disabled('sctp'),
    '10-resumption.cnf'             => !$is_default_tls || $no_ec,
    '11-dtls_resumption.cnf'        => !$is_default_dtls || !disabled('sctp'),
    '16-dtls-certstatus.cnf'        => !$is_default_dtls || !disabled('sctp'),
    '17-renegotiate.cnf'            => disabled('tls1_2'),
    '18-dtls-renegotiate.cnf'       => disabled('dtls1_2') || !disabled('sctp'),
    '19-mac-then-encrypt.cnf'       => !$is_default_tls,
    '20-cert-select.cnf'            => !$is_default_tls || $no_dh || $no_dsa,
    '22-compression.cnf'            => !$is_default_tls,
    '25-cipher.cnf'                 => disabled('poly1305') || disabled('chacha'),
    '27-ticket-appdata.cnf'         => !$is_default_tls,
    '28-seclevel.cnf'               => disabled('tls1_2') || $no_ecx,
    '30-extended-master-secret.cnf' => disabled('tls1_2'),
    '32-compressed-certificate.cnf' => disabled('comp') || disabled('tls1_3'),
);
105
# Add your test here if it should be skipped for some compile-time
# configurations. Default is $no_tls but some tests have different skip
# conditions.  A true value skips running ssl_test for that configuration
# (the source is still generated and, where applicable, compared).
my %skip = (
    '06-sni-ticket.cnf'            => $no_tls_below1_3,
    '07-dtls-protocol-version.cnf' => $no_dtls,
    '08-npn.cnf'                   => (disabled('tls1') && disabled('tls1_1')
                                       && disabled('tls1_2')) || $no_npn,
    '10-resumption.cnf'            => disabled('tls1_1') || disabled('tls1_2'),
    '11-dtls_resumption.cnf'       => disabled('dtls1') || disabled('dtls1_2'),
    '12-ct.cnf'                    => $no_tls || $no_ct || $no_ec,
    # We could run some of these tests without TLS 1.2 if we had a per-test
    # disable instruction but that's a bizarre configuration not worth
    # special-casing for.
    # TODO(TLS 1.3): We should review this once we have TLS 1.3.
    '13-fragmentation.cnf'         => disabled('tls1_2'),
    '14-curves.cnf'                => disabled('tls1_2') || disabled('tls1_3')
                                      || $no_ec2m || $no_ecx || $no_dh,
    '15-certstatus.cnf'            => $no_tls || $no_ocsp,
    '16-dtls-certstatus.cnf'       => $no_dtls || $no_ocsp,
    '17-renegotiate.cnf'           => $no_tls_below1_3,
    '18-dtls-renegotiate.cnf'      => $no_dtls,
    '19-mac-then-encrypt.cnf'      => $no_pre_tls1_3,
    '20-cert-select.cnf'           => disabled('tls1_2') || $no_ecx,
    '21-key-update.cnf'            => disabled('tls1_3') || ($no_ec && $no_dh),
    '22-compression.cnf'           => disabled('zlib') || $no_tls,
    '23-srp.cnf'                   => (disabled('tls1') && disabled('tls1_1')
                                       && disabled('tls1_2')) || disabled('srp'),
    '24-padding.cnf'               => disabled('tls1_3') || ($no_ec && $no_dh),
    '25-cipher.cnf'                => disabled('ec') || disabled('tls1_2'),
    '26-tls13_client_auth.cnf'     => disabled('tls1_3') || ($no_ec && $no_dh),
    '29-dtls-sctp-label-bug.cnf'   => disabled('sctp') || disabled('sock'),
    '32-compressed-certificate.cnf' => disabled('comp') || disabled('tls1_3'),
);
140
# Run every configuration with the "none" and "default" providers, plus
# "fips" when available.  Each test_conf() call accounts for three results
# (generate, compare, run), which is where the plan arithmetic comes from.
foreach my $conf (@conf_files) {
    subtest "Test configuration $conf" => sub {
        plan tests => 6 + ($no_fips ? 0 : 3);
        # The generated source is only compared with the checked-in copy when
        # it does not depend on the compile-time config, and never on VMS.
        my $check_source =
            ($conf_dependent_tests{$conf} || $^O eq "VMS") ? 0 : 1;
        # Per-configuration skip condition, defaulting to the global $no_tls.
        my $skip_run = $skip{$conf} // $no_tls;
        test_conf($conf, $check_source, $skip_run, "none");
        test_conf($conf, 0, $skip_run, "default");
        test_conf($conf, 0, $skip_run, "fips") unless $no_fips;
    };
}
158
# Generate the ssl_test source for one configuration, optionally verify it
# against the checked-in copy, and run it with the given provider.
#
# $conf         - configuration name, e.g. "02-protocol-version.cnf"
# $check_source - true to compare the generated source with test/ssl-tests/$conf
# $skip         - true to skip running ssl_test for this configuration
# $provider     - "none", "default" or "fips"
#
# Always accounts for exactly three Test::More results (generate, compare,
# run); steps that cannot be performed are reported through skip so the
# caller's plan stays fixed.
sub test_conf {
    my ($conf, $check_source, $skip, $provider) = @_;

    my $conf_file   = srctop_file("test", "ssl-tests", $conf);
    my $input_file  = "$conf_file.in";
    # Generated source; a relative name, so it lands in the harness's cwd.
    my $output_file = "$conf.$provider";
    my $sources_current = 1;

  SKIP: {
      # "Test" 1. Generate the source.
      my $generated =
        ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
                        interpreter_args => [ "-I", srctop_dir("util", "perl")],
                        stdout => $output_file)),
           "Getting output from generate_ssl_tests.pl.");
      # Without a generated source neither the compare nor the run can happen.
      skip 'failure', 2 unless $generated;

    SKIP: {
        # Test 2. Compare against existing output in test/ssl-tests/
        skip "Skipping generated source test for $conf", 1
          unless $check_source;

        $sources_current = is(cmp_text($output_file, $conf_file), 0,
                              "Comparing generated $output_file with $conf_file.");
      }

      # Test 3. Run the test.
      skip "No tests available; skipping tests", 1 if $skip;
      skip "Stale sources; skipping tests", 1 unless $sources_current;
      # $dsaallow is set by fips_version_test at file scope ('0' = too new).
      skip "Dsa not allowed in FIPS 140-3 provider", 1
        if $provider eq "fips" && $dsaallow eq '0';

      # Hint for reproducing the run by hand (see the header comment for the
      # environment variables involved).
      my $msg = join(" ",
                     "running CTLOG_FILE=test/ct/log_list.cnf",   # $ENV{CTLOG_FILE}
                     "TEST_CERTS_DIR=test/certs",                  # $ENV{TEST_CERTS_DIR}
                     "test/ssl_test test/ssl-tests/$conf $provider");
      # The FIPS provider additionally needs its provider configuration file.
      my @ssl_test = ("ssl_test", $output_file, $provider);
      push @ssl_test, srctop_file("test", "fips-and-base.cnf")
        if $provider eq "fips";
      ok(run(test(\@ssl_test)), $msg);
    }
}
200
# Compare two text files line by line, ignoring line-ending differences
# (so a CRLF file matches its LF twin).  Returns what compare_text() does:
# 0 when the files match, 1 when they differ, -1 on error.
sub cmp_text {
    my $lines_differ = sub {
        # The arguments alias the lines compare_text() just read; strip every
        # kind of line break in place before comparing.
        s/\R//g for @_;
        return $_[0] ne $_[1];
    };
    return compare_text(@_, $lines_differ);
}
208