1#! /usr/bin/env perl 2# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10use strict; 11use warnings; 12 13use POSIX; 14use File::Basename; 15use File::Copy; 16use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file result_dir result_file/; 17use OpenSSL::Test::Utils; 18 19BEGIN { 20setup("test_ssl_old"); 21} 22 23use lib srctop_dir('Configurations'); 24use lib bldtop_dir('.'); 25 26my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); 27my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, 28 $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3, 29 $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) = 30 anydisabled qw/rsa dsa dh ec psk 31 ssl3 tls1 tls1_1 tls1_2 tls1_3 32 dtls dtls1 dtls1_2 ct/; 33#If ec and dh are disabled then don't use TLSv1.3 34$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh); 35my $no_anytls = alldisabled(available_protocols("tls")); 36my $no_anydtls = alldisabled(available_protocols("dtls")); 37 38plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build" 39 if $no_anytls && $no_anydtls; 40 41my $dsaallow = '1'; 42my $digest = "-sha1"; 43my @reqcmd = ("openssl", "req"); 44my @x509cmd = ("openssl", "x509", $digest); 45my @verifycmd = ("openssl", "verify"); 46my @genpkeycmd = ("openssl", "genpkey"); 47my $dummycnf = srctop_file("apps", "openssl.cnf"); 48 49my $cnf = srctop_file("test", "ca-and-certs.cnf"); 50my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss" 51my $CAcert="certCA.ss"; 52my $CAserial="certCA.srl"; 53my $CAreq="reqCA.ss"; 54my $CAreq2="req2CA.ss"; # temp 55my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss"; 56my $Ureq="reqU.ss"; 57my $Ucert="certU.ss"; 58my $Dkey="keyD.ss"; 59my $Dreq="reqD.ss"; 60my $Dcert="certD.ss"; 61my $Ekey="keyE.ss"; 62my $Ereq="reqE.ss"; 63my $Ecert="certE.ss"; 64 65my $proxycnf=srctop_file("test", "proxy.cnf"); 66my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss"; 67my $P1req="reqP1.ss"; 68my $P1cert="certP1.ss"; 69my $P1intermediate="tmp_intP1.ss"; 70my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss"; 71my $P2req="reqP2.ss"; 72my $P2cert="certP2.ss"; 73my $P2intermediate="tmp_intP2.ss"; 74 75my $server_sess="server.ss"; 76my $client_sess="client.ss"; 77 78# ssl_old_test.c is deprecated in favour of the new framework in ssl_test.c 79# If you're adding tests here, you probably want to convert them to the 80# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. 81plan tests => 82 ($no_fips ? 0 : 7) # testssl with fips provider 83 + 1 # For testss 84 + 5 # For the testssl with default provider 85 + 1 # For security level 0 failure tests 86 ; 87 88subtest 'test_ss' => sub { 89 if (testss()) { 90 open OUT, ">", "intP1.ss"; 91 copy($CAcert, \*OUT); copy($Ucert, \*OUT); 92 close OUT; 93 94 open OUT, ">", "intP2.ss"; 95 copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); 96 close OUT; 97 } 98}; 99 100note('test_ssl_old -- key U'); 101my $configfile = srctop_file("test","default-and-legacy.cnf"); 102if (disabled("legacy")) { 103 $configfile = srctop_file("test","default.cnf"); 104} 105 106testssl($Ukey, $Ucert, $CAcert, "default", $configfile); 107unless ($no_fips) { 108 # Read in a text $infile and replace the regular expression in $srch with the 109 # value in $repl and output to a new file $outfile. 110 sub replace_line_file_internal { 111 112 my ($infile, $srch, $repl, $outfile) = @_; 113 my $msg; 114 115 open(my $in, "<", $infile) or return 0; 116 read($in, $msg, 1024); 117 close $in; 118 119 $msg =~ s/$srch/$repl/; 120 121 open(my $fh, ">", $outfile) or return 0; 122 print $fh $msg; 123 close $fh; 124 return 1; 125 } 126 127 # Read in the text input file $infile 128 # and replace a single Key = Value line with a new value in $value. 129 # OR remove the Key = Value line if the passed in $value is empty. 130 # and then output a new file $outfile. 131 # $key is the Key to find 132 sub replace_kv_file { 133 my ($infile, $key, $value, $outfile) = @_; 134 my $srch = qr/$key\s*=\s*\S*\n/; 135 my $rep; 136 if ($value eq "") { 137 $rep = ""; 138 } else { 139 $rep = "$key = $value\n"; 140 } 141 return replace_line_file_internal($infile, $srch, $rep, $outfile); 142 } 143 144 # Read in the text $input file 145 # and search for the $key and replace with $newkey 146 # and then output a new file $outfile. 147 sub replace_line_file { 148 my ($infile, $key, $newkey, $outfile) = @_; 149 my $srch = qr/$key/; 150 my $rep = "$newkey"; 151 return replace_line_file_internal($infile, 152 $srch, $rep, $outfile); 153 } 154 155 # Rewrite the module configuration to all PKCS#1 v1.5 padding 156 my $fipsmodcfg_filename = "fipsmodule.cnf"; 157 my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); 158 my $provconf = srctop_file("test", "fips-and-base.cnf"); 159 my $provconfnew = result_file("fips-and-base-temp.cnf"); 160 my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf"; 161 my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename); 162 $ENV{OPENSSL_CONF_INCLUDE} = result_dir(); 163 ok(replace_kv_file($fipsmodcfg, 164 'rsa-pkcs15-pad-disabled', '0', 165 $fipsmodcfgnew) 166 && replace_line_file($provconf, 167 $fipsmodcfg_filename, $fipsmodcfgnew_filename, 168 $provconfnew)); 169 170 testssl($Ukey, $Ucert, $CAcert, "fips", $provconfnew); 171} 172 173# ----------- 174# subtest functions 175sub testss { 176 my @req_dsa = ("-newkey", 177 "dsa:".data_file("dsa2048.pem")); 178 my $dsaparams = data_file("dsa2048.pem"); 179 my @req_new; 180 if ($no_rsa) { 181 @req_new = @req_dsa; 182 } else { 183 @req_new = ("-new"); 184 } 185 186 plan tests => 17; 187 188 SKIP: { 189 skip 'failure', 16 unless 190 ok(run(app([@reqcmd, "-config", $cnf, 191 "-out", $CAreq, "-key", $CAkey, 192 @req_new])), 193 'make cert request'); 194 195 skip 'failure', 15 unless 196 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", 197 "-req", "-out", $CAcert, "-signkey", $CAkey, 198 "-extfile", $cnf, "-extensions", "v3_ca"], 199 stdout => "err.ss")), 200 'convert request into self-signed cert'); 201 202 skip 'failure', 14 unless 203 ok(run(app([@x509cmd, "-in", $CAcert, 204 "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], 205 stdout => "err.ss")), 206 'convert cert into a cert request'); 207 208 skip 'failure', 13 unless 209 ok(run(app([@reqcmd, "-config", $dummycnf, 210 "-verify", "-in", $CAreq, "-noout"])), 211 'verify request 1'); 212 213 214 skip 'failure', 12 unless 215 ok(run(app([@reqcmd, "-config", $dummycnf, 216 "-verify", "-in", $CAreq2, "-noout"])), 217 'verify request 2'); 218 219 skip 'failure', 11 unless 220 ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), 221 'verify signature'); 222 223 skip 'failure', 10 unless 224 ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq", 225 "-out", $Ureq, "-key", $Ukey, @req_new], 226 stdout => "err.ss")), 227 'make a user cert request'); 228 229 skip 'failure', 9 unless 230 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", 231 "-req", "-out", $Ucert, 232 "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, 233 "-extfile", $cnf, "-extensions", "v3_ee"], 234 stdout => "err.ss")) 235 && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), 236 'sign user cert request'); 237 238 skip 'failure', 8 unless 239 ok(run(app([@x509cmd, 240 "-subject", "-issuer", "-startdate", "-enddate", 241 "-noout", "-in", $Ucert])), 242 'Certificate details'); 243 244 skip 'failure', 7 unless 245 subtest 'DSA certificate creation' => sub { 246 plan skip_all => "skipping DSA certificate creation" 247 if $no_dsa; 248 249 plan tests => 5; 250 251 SKIP: { 252 $ENV{CN2} = "DSA Certificate"; 253 skip 'failure', 4 unless 254 ok(run(app([@genpkeycmd, "-out", $Dkey, 255 "-paramfile", $dsaparams], 256 stdout => "err.ss")), 257 "make a DSA key"); 258 skip 'failure', 3 unless 259 ok(run(app([@reqcmd, "-new", "-config", $cnf, 260 "-section", "userreq", 261 "-out", $Dreq, "-key", $Dkey], 262 stdout => "err.ss")), 263 "make a DSA user cert request"); 264 skip 'failure', 2 unless 265 ok(run(app([@x509cmd, "-CAcreateserial", 266 "-in", $Dreq, 267 "-days", "30", 268 "-req", 269 "-out", $Dcert, 270 "-CA", $CAcert, "-CAkey", $CAkey, 271 "-CAserial", $CAserial, 272 "-extfile", $cnf, 273 "-extensions", "v3_ee_dsa"], 274 stdout => "err.ss")), 275 "sign DSA user cert request"); 276 skip 'failure', 1 unless 277 ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), 278 "verify DSA user cert"); 279 skip 'failure', 0 unless 280 ok(run(app([@x509cmd, 281 "-subject", "-issuer", 282 "-startdate", "-enddate", "-noout", 283 "-in", $Dcert])), 284 "DSA Certificate details"); 285 } 286 }; 287 288 skip 'failure', 6 unless 289 subtest 'ECDSA/ECDH certificate creation' => sub { 290 plan skip_all => "skipping ECDSA/ECDH certificate creation" 291 if $no_ec; 292 293 plan tests => 5; 294 295 SKIP: { 296 $ENV{CN2} = "ECDSA Certificate"; 297 skip 'failure', 4 unless 298 ok(run(app(["openssl", "genpkey", "-genparam", 299 "-algorithm", "EC", 300 "-pkeyopt", "ec_paramgen_curve:P-256", 301 "-pkeyopt", "ec_param_enc:named_curve", 302 "-out", "ecp.ss"])), 303 "make EC parameters"); 304 skip 'failure', 3 unless 305 ok(run(app([@reqcmd, "-config", $cnf, 306 "-section", "userreq", 307 "-out", $Ereq, "-keyout", $Ekey, 308 "-newkey", "ec:ecp.ss"], 309 stdout => "err.ss")), 310 "make a ECDSA/ECDH user cert request"); 311 skip 'failure', 2 unless 312 ok(run(app([@x509cmd, "-CAcreateserial", 313 "-in", $Ereq, 314 "-days", "30", 315 "-req", 316 "-out", $Ecert, 317 "-CA", $CAcert, "-CAkey", $CAkey, 318 "-CAserial", $CAserial, 319 "-extfile", $cnf, 320 "-extensions", "v3_ee_ec"], 321 stdout => "err.ss")), 322 "sign ECDSA/ECDH user cert request"); 323 skip 'failure', 1 unless 324 ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), 325 "verify ECDSA/ECDH user cert"); 326 skip 'failure', 0 unless 327 ok(run(app([@x509cmd, 328 "-subject", "-issuer", 329 "-startdate", "-enddate", "-noout", 330 "-in", $Ecert])), 331 "ECDSA Certificate details"); 332 } 333 }; 334 335 skip 'failure', 5 unless 336 ok(run(app([@reqcmd, "-config", $proxycnf, 337 "-out", $P1req, "-key", $P1key, @req_new], 338 stdout => "err.ss")), 339 'make a proxy cert request'); 340 341 342 skip 'failure', 4 unless 343 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", 344 "-req", "-out", $P1cert, 345 "-CA", $Ucert, "-CAkey", $Ukey, 346 "-extfile", $proxycnf, "-extensions", "proxy"], 347 stdout => "err.ss")), 348 'sign proxy with user cert'); 349 350 copy($Ucert, $P1intermediate); 351 run(app([@verifycmd, "-CAfile", $CAcert, 352 "-untrusted", $P1intermediate, $P1cert])); 353 ok(run(app([@x509cmd, 354 "-subject", "-issuer", "-startdate", "-enddate", 355 "-noout", "-in", $P1cert])), 356 'Certificate details'); 357 358 skip 'failure', 2 unless 359 ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req", 360 "-out", $P2req, "-key", $P2key, 361 @req_new], 362 stdout => "err.ss")), 363 'make another proxy cert request'); 364 365 366 skip 'failure', 1 unless 367 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", 368 "-req", "-out", $P2cert, 369 "-CA", $P1cert, "-CAkey", $P1key, 370 "-extfile", $proxycnf, "-extensions", "proxy_2"], 371 stdout => "err.ss")), 372 'sign second proxy cert request with the first proxy cert'); 373 374 375 open OUT, ">", $P2intermediate; 376 copy($Ucert, \*OUT); copy($P1cert, \*OUT); 377 close OUT; 378 run(app([@verifycmd, "-CAfile", $CAcert, 379 "-untrusted", $P2intermediate, $P2cert])); 380 ok(run(app([@x509cmd, 381 "-subject", "-issuer", "-startdate", "-enddate", 382 "-noout", "-in", $P2cert])), 383 'Certificate details'); 384 } 385} 386 387sub testssl { 388 my ($key, $cert, $CAtmp, $provider, $configfile) = @_; 389 my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); 390 my @providerflags = ("-provider", $provider); 391 392 if ($provider eq "default" && !disabled("legacy")) { 393 push @providerflags, "-provider", "legacy"; 394 } 395 396 $dsaallow = '1'; 397 if ($provider eq "fips") { 398 run(test(["fips_version_test", "-config", $configfile, "<3.4.0"]), 399 capture => 1, statusvar => \$dsaallow); 400 } 401 402 my @ssltest = ("ssl_old_test", 403 "-s_key", $key, "-s_cert", $cert, 404 "-c_key", $key, "-c_cert", $cert, 405 "-config", $configfile, 406 @providerflags); 407 408 409 my $serverinfo = srctop_file("test","serverinfo.pem"); 410 411 my $dsa_cert = 0; 412 if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, 413 "-text", "-noout"]), capture => 1)) { 414 $dsa_cert = 1; 415 } 416 417 subtest 'standard SSL tests' => sub { 418 ###################################################################### 419 plan tests => 19; 420 421 SKIP: { 422 skip "SSLv3 is not supported by this OpenSSL build", 4 423 if disabled("ssl3"); 424 425 skip "SSLv3 is not supported by the FIPS provider", 4 426 if $provider eq "fips"; 427 428 ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), 429 'test sslv3 via BIO pair'); 430 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), 431 'test sslv3 with server authentication via BIO pair'); 432 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), 433 'test sslv3 with client authentication via BIO pair'); 434 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), 435 'test sslv3 with both server and client authentication via BIO pair'); 436 } 437 438 SKIP: { 439 skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 440 if $no_anytls; 441 442 ok(run(test([@ssltest, "-bio_pair"])), 443 'test sslv2/sslv3 via BIO pair'); 444 } 445 446 SKIP: { 447 skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 448 if $no_anytls; 449 450 SKIP: { 451 skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; 452 453 ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), 454 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); 455 } 456 457 SKIP: { 458 skip "skipping dhe1024dsa test", 1 459 if ($no_dh); 460 461 ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), 462 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); 463 } 464 465 ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), 466 'test sslv2/sslv3 with server authentication'); 467 ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), 468 'test sslv2/sslv3 with client authentication via BIO pair'); 469 ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), 470 'test sslv2/sslv3 with both client and server authentication via BIO pair'); 471 ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), 472 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); 473 474 SKIP: { 475 skip "No IPv4 available on this machine", 4 476 unless !disabled("sock") && have_IPv4(); 477 ok(run(test([@ssltest, "-ipv4"])), 478 'test TLS via IPv4'); 479 ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), 480 'test TLS via IPv4 + ktls(client)'); 481 ok(run(test([@ssltest, "-ipv4", "-server_ktls"])), 482 'test TLS via IPv4 + ktls(server)'); 483 ok(run(test([@ssltest, "-ipv4", "-client_ktls", "-server_ktls"])), 484 'test TLS via IPv4 + ktls'); 485 } 486 487 SKIP: { 488 skip "No IPv6 available on this machine", 4 489 unless !disabled("sock") && have_IPv6(); 490 ok(run(test([@ssltest, "-ipv6"])), 491 'test TLS via IPv6'); 492 ok(run(test([@ssltest, "-ipv6", "-client_ktls"])), 493 'test TLS via IPv6 + ktls(client)'); 494 ok(run(test([@ssltest, "-ipv6", "-server_ktls"])), 495 'test TLS via IPv6 + ktls(client)'); 496 ok(run(test([@ssltest, "-ipv6", "-client_ktls", "-server_ktls"])), 497 'test TLS via IPv6 + ktls'); 498 } 499 } 500 }; 501 502 subtest "Testing ciphersuites" => sub { 503 504 my @exkeys = (); 505 my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; 506 507 if (!$no_dsa && $dsaallow == '1') { 508 push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; 509 } 510 511 if (!$no_ec) { 512 push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey; 513 } 514 515 my @protocols = (); 516 # We only use the flags that ssl_old_test understands 517 push @protocols, "-tls1_3" unless $no_tls1_3; 518 push @protocols, "-tls1_2" unless $no_tls1_2; 519 push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips"; 520 push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips"; 521 my $protocolciphersuitecount = 0; 522 my %ciphersuites = (); 523 my %ciphersstatus = (); 524 #There's no "-config" option to the ciphers command so we set the 525 #environment variable instead 526 my $opensslconf = $ENV{OPENSSL_CONF}; 527 $ENV{OPENSSL_CONF} = $configfile; 528 foreach my $protocol (@protocols) { 529 my $ciphersstatus = undef; 530 my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol, 531 @providerflags, 532 "ALL:$ciphers"]), 533 capture => 1, statusvar => \$ciphersstatus); 534 $ciphersstatus{$protocol} = $ciphersstatus; 535 if ($ciphersstatus) { 536 $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) } 537 @ciphers ]; 538 $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; 539 } 540 } 541 $ENV{OPENSSL_CONF} = $opensslconf; 542 543 plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" 544 if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; 545 546 # The count of protocols is because in addition to the ciphersuites 547 # we got above, we're running a weak DH test for each protocol (except 548 # TLSv1.3) 549 my $testcount = scalar(@protocols) + $protocolciphersuitecount 550 + scalar(keys %ciphersuites); 551 $testcount-- unless $no_tls1_3; 552 plan tests => $testcount; 553 554 foreach my $protocol (@protocols) { 555 ok($ciphersstatus{$protocol}, "Getting ciphers for $protocol"); 556 } 557 558 foreach my $protocol (sort keys %ciphersuites) { 559 note "Testing ciphersuites for $protocol"; 560 # ssl_old_test doesn't know -tls1_3, but that's fine, since that's 561 # the default choice if TLSv1.3 enabled 562 my $flag = $protocol eq "-tls1_3" ? "" : $protocol; 563 my $ciphersuites = ""; 564 foreach my $cipher (@{$ciphersuites{$protocol}}) { 565 if ($dsaallow == '0' && index($cipher, "DSS") != -1) { 566 # DSA is not allowed in FIPS 140-3 567 note "*****SKIPPING $protocol $cipher"; 568 ok(1); 569 } elsif ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { 570 note "*****SKIPPING $protocol $cipher"; 571 ok(1); 572 } else { 573 if ($protocol eq "-tls1_3") { 574 $ciphersuites = $cipher; 575 $cipher = ""; 576 } else { 577 $cipher = $cipher.':@SECLEVEL=0'; 578 } 579 ok(run(test([@ssltest, @exkeys, "-cipher", 580 $cipher, 581 "-ciphersuites", $ciphersuites, 582 $flag || ()])), 583 "Testing $cipher"); 584 } 585 } 586 next if $protocol eq "-tls1_3"; 587 588 SKIP: { 589 skip "skipping dhe512 test", 1 590 if ($no_dh); 591 592 is(run(test([@ssltest, 593 "-s_cipher", "EDH", 594 "-c_cipher", 'EDH:@SECLEVEL=1', 595 "-dhe512", 596 $protocol])), 0, 597 "testing connection with weak DH, expecting failure"); 598 } 599 } 600 }; 601 602 subtest 'SSL security level failure tests' => sub { 603 ###################################################################### 604 plan tests => 3; 605 606 SKIP: { 607 skip "SSLv3 is not supported by this OpenSSL build", 1 608 if disabled("ssl3"); 609 610 skip "SSLv3 is not supported by the FIPS provider", 1 611 if $provider eq "fips"; 612 613 is(run(test([@ssltest, "-bio_pair", "-ssl3", "-cipher", '@SECLEVEL=1'])), 614 0, "test sslv3 fails at security level 1, expecting failure"); 615 } 616 617 SKIP: { 618 skip "TLSv1.0 is not supported by this OpenSSL build", 1 619 if $no_tls1; 620 621 skip "TLSv1.0 is not supported by the FIPS provider", 1 622 if $provider eq "fips"; 623 624 is(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", '@SECLEVEL=1'])), 625 0, 'test tls1 fails at security level 1, expecting failure'); 626 } 627 628 SKIP: { 629 skip "TLSv1.1 is not supported by this OpenSSL build", 1 630 if $no_tls1_1; 631 632 skip "TLSv1.1 is not supported by the FIPS provider", 1 633 if $provider eq "fips"; 634 635 is(run(test([@ssltest, "-bio_pair", "-tls1_1", "-cipher", '@SECLEVEL=1'])), 636 0, 'test tls1.1 fails at security level 1, expecting failure'); 637 } 638 }; 639 640 subtest 'RSA/(EC)DHE/PSK tests' => sub { 641 ###################################################################### 642 643 plan tests => 10; 644 645 SKIP: { 646 skip "TLSv1.0 is not supported by this OpenSSL build", 6 647 if $no_tls1 || $provider eq "fips"; 648 649 SKIP: { 650 skip "skipping anonymous DH tests", 1 651 if ($no_dh); 652 653 ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), 654 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); 655 } 656 657 SKIP: { 658 skip "skipping RSA tests", 2 659 if $no_rsa; 660 661 ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), 662 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); 663 664 skip "skipping RSA+DHE tests", 1 665 if $no_dh; 666 667 ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), 668 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); 669 } 670 671 SKIP: { 672 skip "skipping PSK tests", 2 673 if ($no_psk); 674 675 ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 676 'test tls1 with PSK'); 677 678 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 679 'test tls1 with PSK via BIO pair'); 680 } 681 682 SKIP: { 683 skip "skipping auto DH PSK tests", 1 684 if ($no_dh || $no_psk); 685 686 ok(run(test(['ssl_old_test', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])), 687 'test auto DH meets security strength'); 688 } 689 } 690 691 SKIP: { 692 skip "TLSv1.2 is not supported by this OpenSSL build", 4 693 if $no_tls1_2; 694 695 SKIP: { 696 skip "skipping auto DHE PSK test at SECLEVEL 3", 1 697 if ($no_dh || $no_psk); 698 699 ok(run(test(['ssl_old_test', '-tls1_2', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), 700 'test auto DHE PSK meets security strength'); 701 } 702 703 SKIP: { 704 skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1 705 if ($no_ec || $no_psk); 706 707 ok(run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), 708 'test auto ECDHE PSK meets security strength'); 709 } 710 711 SKIP: { 712 skip "skipping no RSA PSK at SECLEVEL 3 test", 1 713 if ($no_rsa || $no_psk); 714 715 ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), 716 'test auto RSA PSK does not meet security level 3 requirements (PFS)'); 717 } 718 719 SKIP: { 720 skip "skipping no PSK at SECLEVEL 3 test", 1 721 if ($no_psk); 722 723 ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), 724 'test auto PSK does not meet security level 3 requirements (PFS)'); 725 } 726 } 727 728 }; 729 730 subtest 'Custom Extension tests' => sub { 731 ###################################################################### 732 733 plan tests => 1; 734 735 SKIP: { 736 skip "TLSv1.0 is not supported by this OpenSSL build", 1 737 if $no_tls1 || $provider eq "fips"; 738 739 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), 740 'test tls1 with custom extensions'); 741 } 742 }; 743 744 subtest 'Serverinfo tests' => sub { 745 ###################################################################### 746 747 plan tests => 5; 748 749 SKIP: { 750 skip "TLSv1.0 is not supported by this OpenSSL build", 5 751 if $no_tls1 || $provider eq "fips"; 752 753 note('echo test tls1 with serverinfo'); 754 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); 755 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); 756 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); 757 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); 758 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); 759 } 760 }; 761} 762
